Virus and Spyware Removal Guides, uninstall instructions
What is Jester Stealer?
Jester Stealer was first analyzed by Cyble Research Labs when it surfaced on hacker forums back in July 2021. This piece of malicious software is designed to extract a wide variety of sensitive information from infected devices. Jester targets account credentials, browsing data, and financial/banking information.
What kind of malware is Xgpr?
We discovered Xgpr while checking VirusTotal for recently submitted malware samples. Xgpr is ransomware that encrypts files and provides instructions on how to contact the attackers for decryption. It generates two ransom notes: one in a pop-up window and another in the "FILES ENCRYPTED.txt" file.
Also, Xgpr appends the ".xgpr" extension to filenames. For example, it renames "1.jpg" to "1.jpg.xgpr", "2.jpg" to "2.jpg.xgpr". One more detail about Xgpr is that it belongs to the Dharma ransomware family.
What is Fgnh ransomware?
Fgnh is a piece of malicious software categorized as ransomware. Our researchers found and sampled this malware from VirusTotal. We have also determined that Fgnh is part of the Djvu ransomware family.
After being launched on our test system, this ransomware encrypted files and appended a ".fgnh" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.fgnh", "2.jpg" as "2.jpg.fgnh", and so forth. Once this process was completed, a ransom note - "_readme.txt" - was created.
What kind of malware is Fgui?
Our malware researchers discovered Fgui ransomware while analyzing samples submitted to VirusTotal. Fgui belongs to a ransomware family called Djvu. It renames encrypted files and creates the "_readme.txt" file, which contains information regarding data recovery.
An example of how Fgui ransomware changes the filenames: it renames "1.jpg" to "1.jpg.fgui", "2.exe" to "2.jpg.exe", and so forth.
What kind of page is hotnews1[.]me?
During a routine inspection of untrustworthy sites, our researchers discovered the hotnews1[.]me webpage. It is designed to load dubious content, promote browser notification spam, and redirect visitors to other unreliable/harmful websites.
Rogue pages like hotnews1[.]me are typically accessed inadvertently; most users enter them via redirects caused by sites that use rogue advertising networks.
What is 7afuy ransomware?
7afuy is a piece of malicious software categorized as ransomware. Our researchers found this malware and sampled it from VirusTotal.
Once launched onto our test system, this ransomware encrypted files and appended their filenames with a random character string and the ".7afuy" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.SzJEhM-3usN9k_YOcqPG4XXwmB6fjFDYQahgDsdWuvL_OgAAADoAAAA0.7afuy".
Following the completion of this process, a ransom note named "b5T2_HOW_TO_DECRYPT.txt" was created. Based on the information provided by 7afuy, we can surmise that it targets companies rather than home users. It is noteworthy that ransomware leveraged against enterprises can be highly customized according to the specific target.
What is NavigateSystem?
NavigateSystem is a rogue app that we discovered while inspecting new submissions to VirusTotal. After analyzing it, we have determined that this application operates as advertising-supported software (adware). We also found that NavigateSystem belongs to the AdLoad malware family.
What kind of page is gobrowser.xyz?
Gobrowser.xyz is the address of a fake search engine. We discovered this website while analyzing browser hijackers, which promote (by causing redirects to) such search engines.
What is CommonAnalyser?
CommonAnalyser is an adware-type application that our research team discovered while inspecting new submissions to VirusTotal. This piece of software operates by running intrusive advertisement campaigns. We also determined that it belongs to the AdLoad malware family.
What is the "New Contract Documents Received" email?
"New Contract Documents Received" is a spam email that we inspected and classified as a phishing scam. This letter attempts to trick the recipient into disclosing their email account log-in credentials by claiming they have been sent documents concerning a new contract.