Virus and Spyware Removal Guides, uninstall instructions

What is EllipseChoice?

EllipseChoice is a rogue application that we discovered during a routine inspection of new submissions to VirusTotal. Our analysis of this app revealed that it operates as advertising-supported software (adware). Additionally, it is worth mentioning that EllipseChoice is part of the AdLoad malware family.

What is BianLian ransomware?

BianLian is a malicious program classified as ransomware. It is written in the Go programming language. After we executed a sample of BianLian on our test machine, it encrypted files and appended their filenames with a ".bianlian" extension.

To elaborate, a file initially titled "1.jpg" appeared as "1.jpg.bianlian", "2.png" as "2.png.bianlian", etc. Once this process was finished, a ransom note - "Look at this instruction.txt" was dropped onto the desktop. The text therein makes it evident that this ransomware uses double extortion tactics and targets companies rather than home users. After its operations were completed, BianLian deleted itself.

Researchers at Cyble have found that the BianLian ransomware has been used in attacks against well-known organizations operating in the BFSI (Banking, Financial Services and Insurance), Education, Healthcare, Media and Entertainment, Manufacturing, and other spheres.

What kind of page is totaldatadefencereport[.]com?

While inspecting totaldatadefencereport[.]com, we found that it is running the "Norton Security - Your PC Might Be Infected With Viruses!" scam. Additionally, we learned that totaldatadefencereport[.]com wants to show notifications. Our team discovered this page while examining other pages that use rogue advertising networks.

What kind of application is LightSurf?

After testing the LightSurf, our team concluded that it is an advertising-supported app. It displays intrusive advertisements. Additionally, it can read and change data on visited websites. We discovered this site on a deceptive web page claiming that it might be required to add LightSurf to a web browser.

What is "Norton Security - Your PC Might Be Infected With Viruses!"?

Our research team discovered the "Norton Security - Your PC Might Be Infected With Viruses!" scam while inspecting rogue webpages. This scheme claims that the device might be infected since the Norton AntiVirus subscription has expired.

However, these statements are false, as no website can detect threats/issues present on visitors' computers. Furthermore, it must be stressed that this scam is in no way associated with Norton AntiVirus or NortonLifeLock Inc.

What kind of malware is Zxcvb?

Zxcvb is ransomware belonging to the Dharma family. We discovered Zxcvb while analyzing malware samples submitted to the VirusTotal website. This ransomware encrypts files and appends the victim's ID, paymoney@onionmail.org email address, and the ".zxcvb" extension to filenames.

Also, Zxcvb displays a ransom note in a pop-up window and creates a text file named "FILES ENCRYPTED.txt" containing another ransom note. An example of how Zxcvb renames files: it changes "1.jpg" to "1.jpg.id-9ECFA84E.[paymoney@onionmail.org].zxcvb", "2.png" to "2.png.id-9ECFA84E.[paymoney@onionmail.org].zxcvb", and so forth.

What kind of malware is Qqkk?

Qqkk is ransomware that our team discovered while examining malware samples submitted to VirusTotal. We learned that Qqkk belongs to the Djvu ransomware family. It prevents victims from accessing files by encrypting them, appends the ".qqkk" extension to filenames, and drops the "_readme.txt" file containing a ransom note.

An example of how Qqkk modifies filenames: it changes "1.jpg" to "1.jpg.qqkk", "2.png" to "2.png.qqkk", "3.exe" to "3.exe.qqkk", and so forth.

What is CoordinatorOptimization?

Our researchers found the CoordinatorOptimization application during a routine investigation of new submissions to VirusTotal. After analyzing this piece of software, we determined that it operates as adware.

In other words, CoordinatorOptimization runs intrusive advertisement campaigns and may have additional abilities as well. It is pertinent to mention that this rogue app is part of the AdLoad malware family.

What is KOPYTZEMPEREEBET ransomware?

While inspecting new submissions to VirusTotal, our research team discovered the KOPYTZEMPEREEBET ransomware.

We executed a sample of this malware on our test machine, and it encrypted files and appended their filenames with a ".KOPYTZEMPEREEBET" extension. For example, a file named "1.jpg" appeared as "1.jpg.KOPYTZEMPEREEBET", "2.png" as "2.png.KOPYTZEMPEREEBET", and so forth.

Once the encryption process was finished KOPYTZEMPEREEBET dropped a text file titled "#Decrypt_files#.txt" onto the desktop. This file contained the ransom-demanding message, which made it evident that this ransomware targets companies rather than home users.

What is kind of malware is Aurora?

Our research team discovered the Aurora malware while looking through hacker forums. Its developers advertise Aurora as a multifunctional piece of malicious software. The program's promotional material states that it operates as a RAT (Remote Access Trojan), botnet, stealer, clipper, and data-encrypting ransomware.