Virus and Spyware Removal Guides, uninstall instructions

What kind of scam is "Ukrainian government is embracing digital assets"?

After examining this email, our team has found that scammers behind it are pretending to raise money for Ukraine - they are taking advantage of the crisis to trick recipients into sending them money. This is not the first time scammers are exploiting the situation. Recently, lots of scammers were (and still are) taking advantage of the coronavirus outbreak.

What kind of page is babesroulette[.]com?

Babesroulette[.]com is a rogue webpage designed to promote questionable content, push browser notification spam, and redirect visitors to other (likely untrustworthy/harmful) sites. Our research team discovered this page during a routine inspection of shady websites.

Visitors to babesroulette[.]com and similar websites typically enter them via redirects caused by pages that use rogue advertising networks.

What kind of page is emicalcove[.]xyz?

Discovered by our researchers while inspecting shady websites, emicalcove[.]xyz is a rogue page designed to push browser notification spam and redirect visitors to untrustworthy/malicious sites. Most users enter emicalcove[.]xyz and similar webpages via others that use rogue advertising networks.

What is Anime ransomware?

Anime is the name of a ransomware-type program our research team discovered while checking out new submissions to VirusTotal.

After launching a sample onto our test system, we learned that this ransomware appends the filenames of encrypted files with a ".anime" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.anime", "2.png" as "2.png.anime", etc. Once the encryption was completed, a ransom note titled "I_LOVE_ANIME.txt" was created.

What kind of page is satunians[.]com?

Satunians[.]com is a website that our team has discovered while analyzing various illegal movie streaming, torrent sites, and similar pages that use shady advertising networks. It was found that satunians[.]com displays deceptive content to get permission to show notifications and opens untrustworthy pages.

What is the "Validate Now" email?

After analyzing the "Validate Now" email, we determined that it is a phishing email. This letter attempts to lure recipients into providing their email log-in credentials by claiming that their email accounts will be closed.

What kind of application is SearchTab Default Search?

Our malware researchers have discovered the SearchTab Default Search browser extension while examining questionable websites that use advertising networks. They found that this app promotes searchtab.xyz (a fake search engine) by changing the settings of a browser. Thus, it was concluded that SearchTab Default Search is a browser hijacker.

What kind of malware is ZEON?

ZEON was discovered by dnwls0719. After doing our research, we learned that ZEON is ransomware written in the Python programming language. It encrypts files, changes the desktop wallpaper, and appends the ".zeon" extension to filenames.

For instance, it renames "1.jpg" to "1.jpg.zeon", "2.png" to "2.png.zeon". A ransom note is provided in the "re_ad_me.txt" file.

What is Pro Dark?

Our researchers discovered the Pro Dark browser extension while inspecting content promoted by deceptive download webpages. This piece of software promises to enable dark mode for websites. However, after analyzing Pro Dark, we determined that it operates as adware.

What is NOKOYAWA ransomware?

NOKOYAWA is a piece of malicious software classified as ransomware, which our research team found and sampled from VirusTotal. It is designed to encrypt data and demand payment for the decryption.

On our test machine, this ransomware encrypted files and appended their filenames with a ".NOKOYAWA" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.NOKOYAWA", and so on for all of the affected files. Once this process was completed, a ransom note - "NOKOYAWA_readme.txt" - was created on the desktop.

Research done by Trend Micro suggests that NOKOYAWA may be related to the Hive ransomware family.