Virus and Spyware Removal Guides, uninstall instructions
What kind of software is IndexerClient?
After downloading and installing the IndexerClient application, we found that it has the characteristics of adware: it displays annoying advertisements. We discovered IndexerClient on a deceptive website claiming that Adobe Flash Player needs to be updated. It is worth mentioning that most users install adware inadvertently.
What kind of page is protectwatch[.]xyz?
While examining untrustworthy websites, our research team discovered the protectwatch[.]xyz page. It operates by promoting scams, pushing browser notification spam, and redirecting users to different (likely dubious or malicious) sites.
Most visitors to protectwatch[.]xyz and similar webpages arrive via redirects caused by sites using rogue advertising networks.
What is "Dark Screen"?
Dark Screen is a browser extension our researchers discovered while inspecting questionable download webpages. It is promoted as a dark mode tool for browsers. However, our analysis of this piece of software revealed that it operates as adware. Hence, Dark Screen displays ads and spies on users' browsing activity.
What kind of page is fsmevh[.]com?
Fsmevh[.]com uses a clickbait technique to trick visitors into agreeing to receive notifications. Also, this page can redirect visitors to a similar website. We discovered fsmevh[.]com while examining other sites that use rogue advertising networks. It is uncommon for pages like fsmevh[.]com to be visited intentionally.
What is Redeemer 2.0 ransomware?
Redeemer 2.0 is an updated variant of the Redeemer ransomware-type program. Ransomware is designed to encrypt data and demand payment for the decryption.
Redeemer 2.0 ransomware differs from its older variants in a number of ways: it is capable of infecting Windows 11 operating systems (OS), avoids unintentional damage to the OS, changes the icons of encrypted files, and so on.
We acquired a sample of this ransomware and executed it on our testing system. Redeemer 2.0 encrypted files, changed their icons, and appended the filenames with a ".redeem" extension. For example, a file titled "1.jpg" appeared as "1.jpg.redeem", "2.png" as "2.png.redeem", etc.
After this process was complete, Redeemer 2.0 displayed a ransom note before the log-in screen and created another as a text file titled "Read Me.TXT"; both contained identical messages.
What kind of malware is 1more?
Our malware researchers discovered ransomware from the VoidCrypt family called 1more while analyzing samples submitted to the VirusTotal website. 1more encrypts files, appends the victim's ID, the 1moredec@gmail.com email address, and the ".1more" extension to filenames, and drops a ransom note (the "unlock-info.txt" file).
An example of how 1more renames files: it changes "1.jpg" to "1.jpg.(CW-WA1527930648)(1moredec@gmail.com).1more", "2.png" to "2.png.(CW-WA1527930648)(1moredec@gmail.com).1more", "3.exe" to "3.exe.(CW-WA1527930648)(1moredec@gmail.com).1more", and so forth.
What is HiddenAds?
Discovered by Dr. Web researchers, HiddenAds is a malware family targeting Android operating systems. This group comprises numerous malicious applications; most operate as adware (display ads), but some are also capable of stealthily subscribing victims to premium-rate services and stealing their social networking accounts.
At the time of research, HiddenAds apps were actively spread through the Google Play Store, with over ten million downloads to their name. This software bears various disguises, e.g., gaming, calling/messaging, system protection/cleaning, image/photo editing, virtual keyboard, wallpaper, and other applications (a list of applications associated with HiddenAds can be found below).
What is Nitro Stealer?
While checking the VirusTotal page for recently submitted samples, we discovered an information stealer called Nitro Stealer. This malware is designed to gather information from a system. It sends obtained information to threat actors. Usually, information stealers stealthily infiltrate computers and remain silent.
What is DigitGuild?
Our research team discovered the DigitGuild application while looking through new submissions to VirusTotal. We obtained a sample of DigitGuild and installed it onto a test system. Our analysis of this app revealed that it operates as advertising-supported software (adware) that belongs to the AdLoad malware family.
What is antivirus-here[.]com?
While inspecting sites that use rogue advertising networks, we discovered antivirus-here[.]com. We learned that antivirus-here[.]com is an untrustworthy website that runs the "McAfee - Your PC is infected with 5 viruses!" scam and asks for permission to show notifications. This website (and its notifications) cannot be trusted.