Virus and Spyware Removal Guides, uninstall instructions

What kind of page is antivirus-stability[.]com?

During a routine investigation of suspicious websites, our researchers discovered the antivirus-stability[.]com rogue page. It is designed to promote deceptive content; when we inspected antivirus-stability[.]com, it ran the "You've visited illegal infected website" scam. Additionally, this site pushes browser notification spam and can redirect visitors to other (likely untrustworthy/hazardous) sites.

Users typically access webpages like antivirus-stability[.]com via redirects caused by websites using rogue advertising networks.

What is EmailCheckToday?

While inspecting dubious software-promoting sites, our researchers discovered one advertising the EmailCheckToday browser extension. This piece of software is endorsed as an easy-access tool for email services.

Instead, we determined that EmailCheckToday operates as a browser hijacker - it modifies browser settings to promote fake search engines, and it spies on users' browsing activity.

What is No-Light?

While inspecting deceptive software-promoting websites, we discovered the No-Light browser extension. This piece of software is presented as a tool capable of creating a dark mode for simple design websites. However, our analysis revealed that No-Light operates as advertising-supported software (adware) instead.

What kind of page is securityservice-pc[.]com?

After inspecting the securityservice-pc[.]com page, we discovered that it runs the "McAfee - Your PC is infected with 5 viruses!" scam and asks for permission to deliver notifications. Our team encountered this site while examining pages that use rogue advertising networks. It is very uncommon for sites like securityservice-pc[.]com to be visited on purpose.

What kind of application is Shiny Searches?

Shiny Searches is the name of a browser extension that our team discovered on a website offering fast Internet search results. After downloading and adding Shiny Searches to a web browser, we noticed certain changes in its settings. Shiny Searches hijacks a web browser to promote search.shiny-searches.com, a fake search engine.

What is Streamlink-twitch-gui?

While inspecting deceptive software-promoting websites, our research team discovered an ISO file containing the Streamlink-twitch-gui adware. Software within this classification is designed to run intrusive advertisement campaigns. However, Streamlink-twitch-gui is part of the ChromeLoader malware family; hence, it may also cause chain infections.

What kind of application is Easy-Eye?

After analyzing the Easy-Eye browser extension, we found that it shows annoying advertisements and is supposed to provide a dark mode for simple pages. Apps that display unwanted ads are classified as adware. Our team discovered Easy-Eye on a deceptive page claiming that adding this app to a web browser might be required.

What is Light-Free?

Light-Free is a rogue browser extension that promises to enable dark mode for simple design websites. Our research team discovered this piece of software while inspecting suspicious download webpages. After analyzing this browser extension, we learned that it operates as adware (i.e., runs intrusive advertisement campaigns).

What kind of malware is BlackBit?

BlackBit is ransomware identical to another ransomware called Loki Locker. Our team discovered BlackBit while inspecting malware samples submitted to VirusTotal. BlackBit encrypts files (makes them inaccessible), modifies filenames, changes the desktop wallpaper, displays a pop-up window, and creates the "Restore-My-Files.txt" file.

BlackBit's pop-up window and text file contain a ransom note. This ransomware modifies filenames by prepending spystar@onionmail.org email address, victim's ID, and appending the ".BlackBit" extension to filenames.

For example, it renames "1.jpg" to "[spystar@onionmail.org][9ECFA84E]1.jpg.BlackBit", "2.png" to "[spystar@onionmail.org][9ECFA84E]2.png.BlackBit", and so forth.

What is Polis ransomware?

While investigating new malware submissions to VirusTotal, our researchers discovered the Polis malicious program. It is categorized as ransomware - a type of malware that encrypts data and makes ransom demands for the decryption.

Once we executed a sample of Polis on our test system, it encrypted files and appended their names with a ".polis" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.polis", "2.png" as "2.png.polis", and so on. Afterwards, a ransom note - "Restore.txt" - was created. It is worth mentioning that Polis ransomware uses double extortion tactics.