Virus and Spyware Removal Guides, uninstall instructions
What kind of application is ProTabs New Tab?
We have tested the ProTabs New Tab application/browser extension and found that it operates as a browser hijacker. It changes the settings of a web browser and does not allow users to modify them. The purpose of these changes is to promote a fake search engine at the protabs.xyz address.
What is Monochrome Tab?
Our researcher discovered the Monochrome Tab browser extension while inspecting dubious download pages. This piece of software is advertised vaguely as a "work optimization" and "productivity maximizing" tool for browsers - without any specific features listed.
Instead, this extension hijacks browsers, modifies their settings, promotes the illegitimate search engine search.monochrometab.com, and spies on users' browsing activity. This behavior classifies Monochrome Tab as a browser hijacker.
What kind of malware is xSpace?
xSpace is the name of ransomware that belongs to the VoidCrypt ransomware family. We discovered this ransomware variant while analyzing samples submitted to VirusTotal. After examining the sample, we learned that xSpace encrypts files and appends the victim's ID, the HelpMe@mailfence.com email address, and the ".xSpace" extension to filenames.
For instance, it renames "1.jpg" to "1.jpg.(MJ-JE2360897415)(HelpMe@mailfence.com).xSpace" and "2.png" to "2.png.(MJ-JE2360897415)(HelpMe@mailfence.com).xSpace". It also generates "Decryption-Guide.txt" and "Decryption-Guide.hta" files. Both of them contain ransom notes.
What is Raf ransomware?
While inspecting new malware submissions to VirusTotal, our research team found a new ransomware belonging to the Makop family - called Raf.
Once launched on our test machine, Raf began encrypting files and appending a unique ID, the attackers' email address, and a ".Raf" extension to their filenames. To elaborate, a file originally named "1.jpg" appeared as "1.jpg.[87C29B86].[khakuta@msgsafe.io].Raf", and so on for all of the affected files.
Afterwards, this ransomware dropped a ransom note - "readme-warning.txt" - onto the desktop.
What kind of page is totaldatadefence[.]com?
During a routine inspection of untrustworthy websites, our researchers discovered the totaldatadefence[.]com page. It hosts deceptive content, promotes browser notification spam, and redirects visitors to other (likely unreliable/dangerous) sites. Most users enter totaldatadefence[.]com and webpages akin to it through sites that use rogue advertising networks.
What kind of site is mysecuresoftware[.]com?
Our team discovered the mysecuresoftware[.]com page while inspecting illegal movie streaming, torrent, and other sites that use questionable advertising networks. We examined mysecuresoftware[.]com and found that it runs the "Norton Security - Your Pc Is Infected With 5 Viruses!" scam and asks for permission to show notifications.
What is Hfgd ransomware?
Our research team found the Hfgd ransomware while inspecting new submissions to VirusTotal. We sampled it and determined that this malicious program belongs to the Djvu ransomware family.
After being launched on our test machine, Hfgd began encrypting files and appended a ".hfgd" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.hfgd", "2.png" as "2.png.hfgd", etc. Once this process was completed, a ransom-demanding message "_readme.txt" was created.
What kind of website is news-dovode[.]cc?
We discovered the news-dovode[.]cc website while examining sites that use shady advertising networks (such as illegal movie streaming, torrent, and similar sites). The purpose of news-dovode[.]cc is to trick visitors into agreeing to receive website notifications and to redirect them to similar pages.
What kind of malware is Mmuz?
Mmuz is the name of ransomware that encrypts and renames files (by appending its extension to filenames). It also creates a ransom note (the "_readme.txt" file). We discovered Mmuz ransomware while examining malware samples submitted to VirusTotal. Additionally, we learned that Mmuz is part of the Djvu ransomware family.
An example of how Mmuz ransomware modifies filenames: it renames "1.jpg" to "1.jpg.mmuz", "2.jpg" to "2.jpg.mmuz", and so forth.
What kind of malware is Rguy?
Our team discovered Rguy while analyzing samples submitted to VirusTotal. We found that Rguy is ransomware that encrypts files and appends the ".rguy" extension to filenames. It also provides instructions on how to contact the attackers and the prices of decryption tools (both are given in the "_readme.txt" file, a ransom note).
An example of how Rguy renames files during the encryption process: "1.jpg" gets renamed to "1.jpg.rguy", "2.png" to "2.png.rguy", "3.exe" to "3.exe.rguy". Rguy is part of the ransomware family called Djvu.