Virus and Spyware Removal Guides, uninstall instructions

What kind of software is ActiveProcess?

ActiveProcess is the name of an adware-type application that our team has discovered while inspecting deceptive websites. The purpose of this application is to generate advertisements. Typically, software of this type is disguised as legitimate software. Also, it is promoted and distributed mainly via shady websites.

What is Black Basta ransomware?

While inspecting new malware submissions to VirusTotal, our researchers found the Black Basta ransomware.

After launching a sample on our test system, we learned that this malicious program encrypts files and appends their filenames with a ".basta" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.basta", "2.png" as "2.png.basta", and so on for all of the affected files.

Once this process was complete, Black Basta changed the desktop wallpaper and created a ransom note named "readme.txt". Based on the text presented in this file, it is evident that this ransomware targets companies rather than home users.

What kind of malware is AID?

AID is malware that functions as a loader and a clipper. It is written in C++ programming language. AID is promoted on a hacker forum. It is sold for $75 (at the moment, its developer uses a sales promotion and sells AID for $50).

What is Jhbg ransomware?

While inspecting new submissions to VirusTotal, our research team found the Jhbg ransomware-type program. We determined that this program belongs to the Djvu ransomware family.

After being launched onto our test machine, Jhbg encrypted files and appended their filenames with a ".jhbg" extension. For example, a file originally named "1.jpg" appeared as "1.jpg.jhbg", "2.png" as "2.png.jhbg", and so on for all of the affected files. Once this process was completed, a ransom note - "_readme.txt" - was created.

What kind of malware is Locked?

Locked is ransomware belonging to the Phobos family. We have discovered this variant on VirusTotal (while checking the page for recently submitted malware samples). Locked ransomware encrypts files and appends the victim's ID, robertopaulick@mail.ee email address, and ".locked" extension to filenames. Also, it creates "info.hta" and "info.txt" files (both contain ransom notes).

An example of how Locked renames files: it renames "1.jpg" to "1.jpg.id[9ECFA84E-3277].[robertopaulick@mail.ee].locked", "2.png" to "2.png.id[9ECFA84E-3277].[robertopaulick@mail.ee].locked", and so forth.

What kind of malware is Dewd?

We have discovered a new Djvu ransomware variant called Dewd. It was discovered while analyzing the samples submitted to VirusTotal. After testing this ransomware, we found that it encrypts files and appends the ".dewd" extension to filenames. Also, it creates a text file named "_readme.txt". This file contains a ransom note.

An example of how files encrypted by Dewd are renamed: "1.jpg" is renamed to "1.jpg.dewd", "2.png" to "2.png.dewd", "3.exe" to "3.exe.dwed", and so forth.

What kind of page is thefreeadv[.]com?

Thefreeadv[.]com is a rogue site that our researchers discovered while inspecting shady websites. It operates by promoting spam browser notifications through deception, and this page can also redirect visitors to others (likely harmful/malicious ones).

Users typically access webpages like thefreeadv[.]com through redirects caused by sites using rogue advertising networks.

What is "Keep Your PC Updated With Norton!"?

While inspecting rogue webpages, we discovered the "Keep Your PC Updated With Norton!" scam. This scheme implies that the user's system may be infected and is at risk, and urges them to keep their Norton anti-virus subscription up-to-date.

At the time of research, this scam redirected to the official website of Norton. However, it must be emphasized that this promotion via "Keep Your PC Updated With Norton!" is not undertaken or approved by NortonLifeLock Inc.

What is LokiLok ransomware?

LokiLok is a piece of malicious software classified as ransomware, which our researchers discovered while inspecting new submissions to VirusTotal. After analyzing LokiLok, we determined that it is based on a ransomware-type program called Chaos.

Once launched onto our test machine, LokiLok encrypted files and appended their filenames with a ".LokiLok" extension. For example, a file originally named "1.jpg" appeared as "1.jpg.LokiLok", "2.png" as "2.png.LokiLok", etc. Afterwards, this ransomware changed the desktop wallpaper and created the "read_me.txt" ransom note.

What kind of website is star-search.xyz?

Star-search.xyz is a fake search engine that shows results generated by Bing. It does not generate any unique search results. Typically, fake search engines are promoted through browser hijackers. Most apps of this type are promoted/distributed using questionable methods. We have discovered star-search.xyz while inspecting shady websites.