Virus and Spyware Removal Guides, uninstall instructions

What is OpenSubtitles Uploader?

OpenSubtitles Uploader is a rogue application. After analyzing this app, we determined that it operates as advertising-supported software (adware). In other words, it enables the placement of third-party graphical content on various interfaces. OpenSubtitles Uploader may have additional undesirable/harmful abilities, such as data collecting.

What is Extension Settings?

While inspecting scam sites, our research team discovered a rogue installer containing the Extension Settings browser extension. After analyzing this piece of software, we determined that it is a browser hijacker that promotes the ardslediana.com fake search engine.

What is ZZZZZ (Scarab) ransomware?

Our research team found yet another program belonging to the Scarab ransomware family named ZZZZZ. Malware within the ransomware classification is designed to encrypt files and demand ransoms for the decryption.

After we launched a sample of ZZZZZ (Scarab) ransomware on our test system, it encrypted files and appended their filenames with a ".ZZZZZ" extension. For example, a file titled "1.jpg" appeared as "1.jpg.ZZZZZ", "2.png" as "2.png.ZZZZZ", and so forth.

Once this process was finished, a ransom-demanding message named "Инструкция.txt" was created on the desktop. The note within this text file was in Russian.

What kind of malware is DONKEYHOT?

DONKEYHOT is ransomware used to blackmail victims. It encrypts files and keeps them inaccessible until a ransom is paid. We discovered DONKEYHOT while checking VirusTotal for recently submitted malware samples. In addition to encrypting files, this ransomware modifies filenames and generates the "#HOW_TO_DECRYPT#.txt" file containing a ransom note.

DONKEYHOT appends a string of random characters, ICQ username, and the ".DONKEYHOT" extension to filenames. For example, it renames "1.jpg" to "1.jpg.[5deecd3145].[ICQ_DONKEYHOT].DONKEYHOT", "2.png" to "2.png.[5deecd3145].[ICQ_DONKEYHOT].DONKEYHOT", and so forth.

What kind of page is emyresumef[.]hair?

While examining emyresumef[.]hair, we found that it can show deceptive notifications (if allowed) and redirect visitors to other shady pages. It uses a clickbait technique to trick visitors into agreeing to receive notifications. Our team discovered emyresumef[.]hair while inspecting sites that use rogue advertising networks.

What kind of page is tpnwslnd[.]com?

While inspecting dubious websites, our researchers discovered the tpnwslnd[.]com rogue page. It promotes spam browser notifications and redirects users to other (likely untrustworthy/harmful) webpages. Most visitors to tpnwslnd[.]com and similar sites enter them via redirects caused by pages that use rogue advertising networks.

What is "ACHIVA email virus"?

After analyzing this email, we learned that threat actors use it to trick people into believing that they have received an email from the sales department of a company located in Vietnam. Their goal is to trick recipients into opening a malicious attachment. That attachment is used to distribute GuLoader malware.

What kind of malware is Qqpp?

While examining malware samples submitted to VirusTotal, our researchers discovered a new Djvu ransomware variant called Qqpp. This ransomware encrypts files and appends the ".qqpp" extension to filenames. It also drops a ransom note (a text file named "_readme.txt") on the desktop.

An example of how Qqpp renames files: it changes "1.jpg" to "1.jpg.qqpp", "2.png" to "2.png.qqpp", and so forth.

What is Power Colors?

Our research team discovered the Power Colors rogue browser extension while inspecting dubious download webpages. We analyzed this extension and determined that it operates as advertising-supported software (adware).

What kind of email is "Webmail Center"?

After inspecting this "Webmail Center" spam email, we determined that it operates as a phishing scam. The letter claims that due to a system upgrade, messages failed to reach the inbox. Hence, the recipient must verify their email account to receive the letters and prevent it from being blocked.

However, by attempting to complete the verification - users will inadvertently reveal their log-in credentials (passwords) to the scammers behind this spam campaign.