Virus and Spyware Removal Guides, uninstall instructions

What is K1ng ransomware?

During a routine inspection of new malware submissions, our researchers found a ransomware-type program named K1ng. It belongs to the Dharma ransomware family.

After we executed a sample of K1ng on our test system, it encrypted files and appended their filenames with a unique ID assigned to the victim, the cyber criminals' email address, and a ".k1ng" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.id-9ECFA84E.[king2022@tutanota.com].k1ng".

Once the encryption was finished, the ransomware created two ransom notes: one was displayed as a pop-up window, and the other - a text file named "info.txt" was dropped onto the desktop.

What is Playless videos?

Our research team discovered the "Playless videos" browser extension while inspecting dubious software-promoting webpages. It is presented as a tool capable of disabling/auto-skipping ads on YouTube. However, our analysis revealed that Playless videos works as adware. Hence, instead of removing advertisements - this browser extension displays them.

What is Fopra ransomware?

While investigating new malware submissions to VirusTotal, our research team discovered another malicious program belonging to the Phobos ransomware family - called Fopra.

We executed a sample of Fopra on our test machine, and it encrypted files and altered their titles. Original filenames were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".fopra" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.id[9ECFA84E-3388].[poshix@tfwno.gf].fopra", etc.

After the encryption was completed, this ransomware created two ransom notes - "info.hta" (pop-up) and "info.txt" - and dropped them onto the desktop.

What is Moisha ransomware?

Moisha is a ransomware-type program designed to encrypt victims' data, delete Volume Shadow Copies, and demand payment for the decryption tools.

Typically, ransomware appends the filenames of encrypted files with an extension; however, after releasing a sample of Moisha on our test system - we learned that it does not alter filenames.

After the encryption process was completed, Moisha created a ransom note titled "!!!READ TO RECOVER YOUR DATA!!!.txt" and dropped it onto the desktop. The text in this file makes it evident that this ransomware targets companies rather than home users.

What is kind of email is "Your Password Is Set To Expire"?

After inspecting the "Your Password Is Set To Expire" email, we determined that it is spam. The letter claims that recipients' email account passwords will expire in two days and urges them to prevent it by logging in through the promoted site.

It must be emphasized that this is a phishing scam; this fake letter targets users' log-in credentials in order to steal their email accounts.

What is GetItDark?

Our research team discovered the GetItDark browser extension while inspecting deceptive software promoting webpages. This piece of software promises to create a dark mode for simple design websites. However, our analysis of this rogue extension revealed that it operates as adware instead.

What is "Adobe Reader File email scam"?

"Adobe Reader File email scam" refers to spam campaigns that proliferate PDF documents containing links to phishing websites.

After inspecting a fake "Focke & Co" letter with the subject "Bill of landing", we determined that it is an instance of the "Adobe Reader File email scam". This letter had a PDF attachment that redirected to a phishing site targeting email account log-in credentials.

What kind of email is "I Know That You Cheat On Your Partner"?

Our inspection of the "I Know That You Cheat On Your Partner" email revealed that it is spam, which operates as a variation of the sextortion scam. The scammers behind this spam campaign claim to have proof of the recipients' infidelity and threaten to leak it - unless they pay a ransom.

It must be emphasized that none of the claims made by this email are true - hence, it poses no threats to anyone who has received it.

What is Baro box?

While inspecting dubious software promoting websites, our researchers discovered one endorsing the Baro box browser extension. Our analysis of this extension revealed that it operates as a browser hijacker - changes browser settings to cause redirects to the barosearch.com fake search engine. Baro box also spies on users' browsing activity.

What kind of page is takeekatthree[.]xyz?

Our researchers discovered the takeekatthree[.]xyz rogue page during a routine investigation into untrustworthy websites. This webpage promotes online scams, pushes spam browser notifications, and redirects visitors' to different (likely unreliable/dangerous) sites.

Users typically enter takeekatthree[.]xyz and similar webpages through redirects caused by websites that use rogue advertising networks.