Virus and Spyware Removal Guides, uninstall instructions

What is Polis ransomware?

While investigating new malware submissions to VirusTotal, our researchers discovered the Polis malicious program. It is categorized as ransomware - a type of malware that encrypts data and makes ransom demands for the decryption.

Once we executed a sample of Polis on our test system, it encrypted files and appended their names with a ".polis" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.polis", "2.png" as "2.png.polis", and so on. Afterwards, a ransom note - "Restore.txt" - was created. It is worth mentioning that Polis ransomware uses double extortion tactics.

What kind of malware is LOCKEDFILECR?

LOCKEDFILECR is the name of ransomware that our team discovered while inspecting malware samples submitted to the VirusTotal website. Ransomware is malware that encrypts files to prevent victims from accessing them. Threat actors behind ransomware attacks demand payment in return for a decryption tool.

In addition to encrypting files, LOCKEDFILECR appends the ".LOCKEDFILECR" extension to filenames (e.g., it renames "1.jpg" to "1.jpg.LOCKEDFILECR", "2.png" to "2.png.LOCKEDFILECR"). It also creates a ransom note (the "ReadMe.LOCKEDFILECR.txt" file).

What kind of application is Find My Package For Free?

Our team discovered Find My Package For Free after downloading it from a website offering to quickly track packages online. While inspecting this app, we found that it shows annoying advertisements. For this reason, we classified Find My Package For Free as adware (advertising-supported software).

What is Audio Player?

Audio Player is a rogue browser extension that our researchers discovered while inspecting dubious software-promoting websites. This extension is endorsed as a tool capable of reading text in multiple languages and voices. However, our analysis revealed that Audio Player operates as adware instead.

What is Joker ransomware?

While inspecting new submissions to VirusTotal, our researchers discovered the Joker ransomware. This malicious program is part of the VoidCrypt ransomware family.

After we executed a sample of Joker on our test machine, it encrypted files and modified their filenames. Original titles were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".Joker" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.(MJ-CQ7083154692)(suppransomeware@tutanota.com).Joker".

Once the encryption process was completed, Joker created and displayed ransom notes in a pop-up window ("Decryption-Guide.HTA") and a text file ("Decryption-Guide.txt"). The messages in both were identical.

What is "Mobile" adware?

While inspecting suspicious software-promoting websites, our research team found an adware-type application called Mobile. This app is designed to run intrusive advertisement campaigns. Additionally, Mobile might have data tracking functionalities.

What kind of application is UpSearches?

While examining the UpSearches browser extension, we discovered that it is a browser hijacker that promotes upsearches.com - a fake search engine. It hijacks a web browser by changing its settings. Typically, users download and add browser-hijacking apps to browsers inadvertently.

What kind of application is Webpage Text Reader?

We discovered the Webpage Text Reader browser extension While inspecting a deceptive web page offering to update a browser. After downloading and adding Webpage Text Reader, we found that it generates annoying advertisements. Therefore, we classified this app as adware. Also, we learned that Webpage Text Reader can read and change data on all pages.

What is findhealthinfonow.com?

Findhealthinfonow.com is the address of a fake search engine. Websites of this kind are typically promoted by software classified as browser hijackers. They modify browser settings in order to cause redirects to illegitimate search engines. Additionally, both these websites and the software promoting them typically collect sensitive information.

What kinf of malware is Winxvykljw?

Winxvykljw is ransomware that encrypts files to make them inaccessible/unusable. Winxvykljw is part of the Snatch ransomware family. We discovered it while analyzing malware samples submitted to VirusTotal. We also found that Winxvykljw appends its extension (".winxvykljw") to filenames and creates the "HOW TO RESTORE YOUR FILES.TXT" file (a ransom note).

An example of how Winxvykljw modifies filenames: it renames "1.jpg" to "1.jpg.winxvykljw", "2.png" to "2.png.winxvykljw", and so forth.