Virus and Spyware Removal Guides, uninstall instructions

EMPg296LCK Ransomware

What is EMPg296LCK ransomware?

While looking through new malware submissions to VirusTotal, our researchers found the EMPg296LCK malicious program that is classified as ransomware. We determined that this program is part of the MedusaLocker ransomware family, and we acquired a sample of it for testing.

On our test machine, EMPg296LCK encrypted files and appended a ".EMPg296LCK" extension to their filenames. For example, a file initially named "1.jpg" appeared as "1.jpg.EMPg296LCK", "2.png" as "2.png.EMPg296LCK", and so forth.

Once the encryption process was finished, a ransom note - "!_HOW_RECOVERY_FILES_!.HTML" - was dropped onto the desktop.

   
IndexerSource Adware (Mac)

What is IndexerSource?

IndexerSource is an application that our researchers discovered while inspecting new submissions to VirusTotal. After analyzing this piece of software, we learned that it operates as adware and is part of the AdLoad malware family.

   
Hehighursoo.com Ads

What kind of page is hehighursoo[.]com?

Our researchers discovered the hehighursoo[.]com rogue webpage while inspecting untrustworthy websites. This page is designed to promote spam browser notifications and redirect visitors to different (likely questionable or malicious) sites.

Most users enter hehighursoo[.]com and pages akin to it via redirects caused by websites that use rogue advertising networks.

   
SVCReady Malware

What kind of malware is SVCReady?

SVCReady is the name of a malware loader that can collect information about the infected system and communicate with a command and control (C2) server. We discovered this loader while examining an email containing a malicious MS Word document.

One of the known payloads delivered using the SVCReady loader is an information stealer called RedLine Stealer.

   
ARK Invest Crypto Giveaway POP-UP Scam

What is "ARK Invest Crypto Giveaway"?

While inspecting dubious advertisements, our researchers discovered "ARK Invest Crypto Giveaway". It follows the classic model of cryptocurrency giveaway scams. "ARK Invest Crypto Giveaway" promises double the return on the Bitcoin and/or Ethereum cryptocurrencies that users contribute to it. It must be emphasized that taking part in this scam will result in victims losing all the transferred digital currency.

This scam is presented as a giveaway created by Cathie Wood - an American investor and the founder, CEO, and CIO of Ark Invest. However, this deceptive content is in no way associated with either Cathie Wood or Ark Invest.

   
Ryuk (Chaos) Ransomware

What is Ryuk (Chaos) ransomware?

While inspecting new malware submissions to VirusTotal, our research team discovered a ransomware called Ryuk. We determined that this program is part of the Chaos ransomware family.

After executing a sample of it on our test system, we learned that it encrypts files and appends a ".ryuk" extension to their filenames. For example, a file originally titled "1.jpg" appeared as "1.jpg.ryuk", "2.png" as "2.png.ryuk", and so forth. Following the completion of the encryption, a ransom note named "read_it.txt" was created.

   
Victorysweepstakes.com Ads

What kind of page is victorysweepstakes[.]com?

Victorysweepstakes[.]com is a deceptive page designed to trick visitors into providing information and allowing it to show notifications. We discovered the victorysweepstakes[.]com page while examining other pages that use rogue advertising networks. It is uncommon for pages like victorysweepstakes[.]com to be visited intentionally.

   
Web Ad Block Adware

What is Web Ad Block?

Web Ad Block is a browser extension that our research team discovered while inspecting dubious download webpages. This piece of software promises to block advertisements on the YouTube video-hosting platform.

However, our analysis revealed that instead of removing ads, this extension displays them (i.e., operates as adware). Additionally, Web Ad Block spies on browsing activity.

   
Win-scan.com Ads

What kind of page is win-scan[.]com?

Win-scan[.]com is a rogue webpage that our researchers discovered while inspecting dubious sites. It promotes scams, pushes browser notification spam, and redirects visitors to different (likely untrustworthy/dangerous) websites. Users typically access sites like win-scan[.]com via redirects caused by pages using rogue advertising networks.

   
WheelInstant Adware (Mac)

What is WheelInstant?

WheelInstant is a rogue application that our researchers found while inspecting new submissions to VirusTotal. Our analysis of this app revealed that it operates as advertising-supported software (adware) and belongs to the AdLoad malware family.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
