Virus and Spyware Removal Guides, uninstall instructions
![NoMercy Stealer](/images/thumbnails/th-24291-nomercy-stealer.jpg)
What is NoMercy Stealer?
NoMercy is a piece of malicious software classified as a stealer. Malware within this classification operates by extracting a wide variety of sensitive information from infected machines. These programs can have a broad range of abilities for stealing data.
![Brute Ratel Malware](/images/thumbnails/th-24281-brute-ratel-malware.jpg)
What is Brute Ratel?
Brute Ratel is a penetration testing tool created after reverse engineering the dynamic-link libraries (DLLs) of multiple top-tier Endpoint Detection and Response (EDR) and antivirus products. It is a post-exploitation toolkit designed to avoid detection by EDR and antivirus capabilities. Its license costs $2500 per year for one user.
![HelperProtocol Adware (Mac)](/images/thumbnails/th-24290-helperprotocol-adware-mac.jpg)
What is HelperProtocol?
While inspecting new submissions to VirusTotal, we discovered the HelperProtocol rogue application. After analyzing this piece of software, we learned that it operates as adware and belongs to the AdLoad malware family.
![Now-scan.com Ads](/images/thumbnails/th-24288-now-scan-com-ads.jpg)
What kind of page is now-scan[.]com?
While examining websites that use rogue advertising networks, our team came across the now-scan[.]com website. It is a deceptive page running the "McAfee - Your PC is infected with 5 viruses!" scam. Also, now-scan[.]com asks for permission to show notifications. It is an untrustworthy page that should be ignored.
![Remindexpert.xyz Ads](/images/thumbnails/th-24289-remindexpert-xyz-ads.jpg)
What kind of page is remindexpert[.]xyz?
Remindexpert[.]xyz is a rogue page that our researchers found while inspecting untrustworthy websites. This webpage operates by hosting scams, promoting spam browser notifications, and redirecting visitors to other (likely dubious/malicious) sites.
Most users enter websites like remindexpert[.]xyz through redirects caused by pages that use rogue advertising networks.
![Quick Site Browser Hijacker](/images/thumbnails/th-24286-quick-site-browser-hijacker.jpg)
What kind of application is Quick Site?
While examining deceptive pages, our team discovered a browser extension called Quick Site. After adding it to a browser, we found that it changes certain browser settings. Quick Site hijacks a web browser to promote quicknewtab.com, a fake search engine.
![Pcprotect.name Ads](/images/thumbnails/th-24287-pcprotect-name-ads.jpg)
What kind of page is pcprotect[.]name?
While looking through dubious webpages, our research team found the pcprotect[.]name rogue site. It promotes scams, pushes browser notification spam, and redirects visitors to other (potentially unreliable/harmful) pages.
Users typically enter sites like pcprotect[.]name through redirects caused by webpages that use rogue advertising networks.
![Video Player Adware](/images/thumbnails/th-24284-video-player-adware.jpg)
What kind of application is Video Player?
While inspecting a shady page, our team discovered a browser extension called Video Player. After testing the app, we found that it generates advertisements (it is an advertising-supported application). It is not recommended to have any adware added to a browser, especially if it was downloaded from an untrustworthy source.
![Washedback Ransomware](/images/thumbnails/th-24285-washedback-ransomware.jpg)
What is Washedback ransomware?
Washedback is a piece of malicious software categorized as ransomware. Malware within this category encrypts data and demands a ransom for decryption. Washedback is part of the Sojusz ransomware family.
On our test system, the Washedback program encrypted files and altered their filenames. Specifically, it appended a unique ID assigned to the victim, the cyber criminals' contact name, and a ".Washedback" extension to each filename. For example, a file initially named "1.jpg" appeared as "1.jpg.[a3470ab7d0].[RicardoMilos].Washedback".
Once this process was finished, a text file titled "#HOW_TO_DECRYPT#.txt" was dropped onto the desktop. This file contained the ransom-demanding message.
![DARKY LOCK Ransomware](/images/thumbnails/th-24283-darky-lock-ransomware.jpg)
What kind of malware is DARKY LOCK?
While analyzing samples recently submitted to VirusTotal, our team discovered the DARKY LOCK ransomware. DARKY LOCK encrypts files, appends the ".darky" extension to filenames, and creates a ransom note (the "Restore-My-Files.txt" file). We also found that this ransomware is part of the Babuk family.
An example of how files encrypted by DARKY LOCK are renamed: "1.jpg" is renamed to "1.jpg.darky", "2.png" is renamed to "2.png.darky", "3.exe" is renamed to "3.exe.darky", and so forth.