Virus and Spyware Removal Guides, uninstall instructions

What is Arai ransomware?

Arai is a ransomware-type program that our research team discovered while inspecting new malware submissions to VirusTotal. After launching a sample of this ransomware on our test machine, Arai encrypted data and created a note demanding a ransom for the decryption.

The names of the encrypted files were appended with a ".araicrypt" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.araicrypt", "2.png" as "2.png.araicrypt", etc.

Once this process was completed, a ransom-demanding message - "READ_TO_RESTORE_YOUR_FILES.txt" - was dropped onto the desktop. This note clearly indicated that Arai targets companies rather than home users.

What kind of page is politicosta[.]biz?

Politicosta[.]biz is one of the many websites that use clickbait techniques to trick visitors into allowing them to show notifications. We encountered this site while inspecting other pages that use rogue advertising networks. One more reason not to visit/trust politicosta[.]biz is that it can redirect to other untrustworthy pages.

What kind of application is Good Blocker?

Good Blocker is described as a browser extension that blocks online advertisements. We discovered this app while examining a technical support scam website. After downloading and adding Good Blocker, we learned that it is an advertising-supported application - it shows annoying advertisements.

What kind of malware is Kamikizu?

We discovered malware named Kamikizu while examining the samples submitted to the VirusTotal website. After inspecting Kamikizu, we learned that it is ransomware that encrypts files, modifies filenames, and drops the "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT" file (a ransom note). We also found that Kamikizu is part of the ZEPPELIN ransomware family.

An example of how Kamikizu renames files: it changes "1.jpg" to "1.jpg.kizu.1A1-D65-742", "2.png" to "2.png.kizu.1A1-D65-742", and so forth. It appends ".kizu.[victim's_ID]" to filenames.

What is TaskPost?

While inspecting new submissions to VirusTotal, our research team found the TaskPost application. After analyzing this rogue app, we learned that it is adware. Additionally, this piece of software belongs to the AdLoad malware family.

What kind of software is TwinValley?

TwinValley is an application designed to bombard users with intrusive advertisements. It has no useful features and can cause certain problems. Our malware researchers discovered TwinValley while inspecting deceptive pages promoting fake installers. Since TwinValley displays unwanted ads, we classified it as adware.

What is 69 ransomware?

69 is the name of a ransomware-type program. Malware within this classification is designed to encrypt data and demand payment for the decryption.

We obtained a sample of this ransomware and executed it on our test machine. The malware encrypted files and appended their filenames with a ".69" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.69", "2.png" as "2.png.69", etc.

After the encryption process was completed, a text file named "Readme_now.txt" was created. This file contained the ransom-demanding message.

What kind of malware is Hhyu?

While checking the VirusTotal page for recently submitted malware samples, we found a new Djvu ransomware called Hhyu. This ransomware encrypts files and appends the ".hhyu" extension to their filenames (e.g., it renames "1.jpg" to "1.jpg.hhyu", "2.png" to "2.png.hhyu", and so forth). It also drops a ransom note (the "_readme.txt" file).

What kind of page is licktaughigme[.]com?

Licktaughigme[.]com is a website that displays deceptive content to get permission to deliver notifications. Also, it redirects to untrustworthy websites. We encountered this page while inspecting other sites that use rogue advertising networks. It is very uncommon for sites like licktaughigme[.]com to be visited intentionally.

What kind of page is news-kezana[.]cc?

News-kezana[.]cc is a rogue webpage that promotes browser notification spam and causes redirects to other (likely unreliable/harmful) websites.

Our researchers discovered news-kezana[.]cc while inspecting sites that use rogue advertising networks. Additionally, redirects caused by the latter are primarily how users access pages like news-kezana[.]cc.