Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is Demon?

Demon is a type of malware (ransomware) that encrypts files. We discovered it while examining malware samples submitted to the VirusTotal site. Threat actors behind it demand payment in return for decryption tools. Additionally, Demon ransomware appends ".demon" extension to filenames and creates the "How To Recover Your Files.txt" file that contains a ransom note.

An example of how Demon ransomware modifies filenames: it renames "1.jpg" to "1.jpg.demon", "2.png" to "2.png.demon", "3.exe" to "3.exe.demon", and so forth.

What is ProgressBoost?

While inspecting new submissions to VirusTotal, our researchers found the ProgressBoost application. The analysis of this software revealed that it operates as adware and belongs to the AdLoad malware family.

What is ProgramOpen?

ProgramOpen is a rogue application that our research team discovered while investigating new submissions to VirusTotal. After analyzing this piece of software, we learned that ProgramOpen is adware. Additionally, this app is part of the AdLoad malware family.

What is ModernLoader?

ModernLoader, also known as Avatar Bot and AvatarLoader, is a malicious program that has minimalistic loader and RAT (Remote Access Trojan) functionalities.

Loader-type malware is designed to infect devices with additional malicious programs, while RATs enable remote access/control over infected machines. ModernLoader is capable of executing basic commands and injecting malicious modules into systems.

What kind of application is refresh color?

refresh color is the name of a browser extension we discovered on a deceptive website. After downloading and adding it, we learned that it shows annoying advertisements. Apps of this type are classified as advertising-supported apps (adware).

What is "Norton Order Confirmation" email scam?

After examining this email, we found that it is sent by scammers who aim to trick recipients into contacting (calling) them. The email is disguised as a letter from NortonLifeLock (a legitimate software company) regarding order confirmation. This letter must be ignored.

What kind of malware is NominatusCrypt?

NominatusCrypt is the name of ransomware (a variant of the EvilNominatus ransomware). We discovered this ransomware while inspecting malware samples submitted to the VirusTotal website. Unlike most ransomware, NominatusCrypt does not rename files. It provides a ransom note by displaying instructions in a pop-up window.

What kind of page is nonadvertised[.]com?

Our researchers found the nonadvertised[.]com rogue page during a routine inspection of suspicious websites. It is designed to push scams, promote browser notification spam, and redirects visitors to other (likely unreliable/malicious) sites. Users typically access such webpages via redirects caused by sites that use rogue advertising networks.

What kind of application is OnlineProgram?

Our team discovered an untrustworthy application called OnlineProgram while examining various deceptive pages (e.g., web pages offering to download updates for supposedly outdated software). After installing OnlineProgram, we noticed that it shows unwanted advertisements. Thus, we categorized this app as adware.

What is DoyUk 7.1 ransomware?

While inspecting new submissions to VirusTotal, our researchers discovered the DoyUk 7.1 ransomware. This is not our first encounter with this malware, as we have previously analyzed the DoyUk 2.0 and DoyUk 5.0 variants.

After we executed this latest version on our test machine, it encrypted files and appended their names with a ".doyuk" extension. For example, a filename like "1.jpg" appeared as "1.jpg.doyuk", "2.png" as "2.png.doyuk", etc. Once this process was completed, the ransomware dropped a text file titled "Restore Your Files.txt" onto the desktop. This file contained a ransom note in Portuguese.