Virus and Spyware Removal Guides, uninstall instructions

What is Snowy Tab?

Discovered by our research team while inspecting dubious software-endorsing webpages, Snowy Tab is a browser extension. It is advertised as a tool that allows users to change their browser background/wallpaper and use other handy features.

Having analyzed Snowy Tab, we can conclude that it is a browser hijacker. This extension modifies browser settings, promotes the search.snowytab.com illegitimate search engine, and spies on users' browsing activity.

What kind of application is Daily Tab?

We have discovered the Daily Tab application/browser extension while examining pages that use questionable advertising networks and other suspicious pages. It was found that Daily Tab is a browser hijacker that changes the settings of the affected web browser to promote search.daily-stop.com (a fake search engine).

What is Spin Dark?

Spin Dark is a browser extension discovered by our research team while inspecting untrustworthy download webpages. This piece of software is advertised as a tool capable of enabling dark mode for simple design websites.

After analyzing Spin Dark, we determined that it behaves like a browser hijacker. It modifies browser settings and promotes the getsins.com fake search engine.

What is Electron Bot?

Electron Bot is the name of the malware that has been discovered by Check Point Research. We have learned that Electron Bot is used to gain remote access to computers and execute various commands. It is distributed via various applications on the Microsoft Store (Electron Bot targets Windows devices).

What is Vote2024 ransomware?

Vote2024 (also known as HermeticRansom and PartyTicket) is the name of a malicious program that was discovered during geopolitically-motivated malware attacks against Ukraine and its surrounding territories, which occurred during the onset of war in Ukraine.

Vote2024 is a ransomware-type program. It is designed to encrypt files to demand ransoms for the decryption. The compromised files are appended with the ".[vote2024forjb@protonmail.com].encryptedJB" extension. For example, a file initially titled "1.jpg" would appear as "1.jpg.[vote2024forjb@protonmail.com].encryptedJB".

However, generating revenue through such payments is unlikely to be the primary goal of Vote2024 - since we have observed its infection being followed by the execution of HermeticWiper. This malicious program deletes data and renders the compromised device inoperable.

Fortunately, the files encrypted by Vote2024 can be decrypted for free. Avast Software has developed a decryptor for this ransomware. You can find instructions on how to use this tool in an article on the decoded.avast.io website.

What kind of application is CleanTextSize?

We have discovered the CleanTextSize application while analyzing various cracked software download sites. After testing the app, we learned that it is adware - software that generates unwanted advertisements. Although, it is promoted as a tool allowing to change the text size on the Edge browser.

What kinf of malware is Rg116?

Rg116 is the name of typical ransomware - malware that encrypts files. Our team has discovered it while analyzing the malware samples submitted to VirusTotal. It was found that Rg116 also renames encrypted files by appending a string of random characters and the ".rg116" extension to filenames, and creates the "7jKF_HOW_TO_DECRYPT.txt" text file.

An example of how Rg116 modifies filenames: it renames "1.jpg" to "1.jpg.Mcmi69IYdN_O_O-2gAK9KeM38NnsEYO_G-FNYJDLMJf_AAAAAAAAAAA0.rg116", "2.png" to "2.png.Mcmi69IYdN_O_O-2gAK9KeM38NnsEYO_G-FNYJDLMJf_AAAAAAAAAAA0.rg116". The "7jKF_HOW_TO_DECRYPT.txt" file contains a ransom note.

What is Scorp ransomware?

Discovered by our researchers while inspecting new malware submissions to VirusTotal, Scorp is a piece of malicious software classified as ransomware. After analyzing this program, we found that it is part of the VoidCrypt ransomware family.

On our testing system, Scorp encrypted files and appended their filenames with the cyber criminals' email address, a unique ID, and the ".scorp" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.[sc0rpio@mailfence.com][MJ-YA9348065721].scorp". Afterwards, a ransom-demanding message - "Decrypt-me.txt" - was dropped onto the desktop.

What is Neptun Tab?

Neptun Tab is a rogue browser extension, which our research team discovered while analyzing fake Google Chrome updates. This piece of software is endorsed as a tool capable of allowing users to customize their browsers' homepage and new tab appearance - including such widgets as weather, time, reminders, etc.

Our researchers determined that the Neptun Tab extension is a browser hijacker that promotes the search.neptuntab.com illegitimate search engine.

What is Vsbnw ransomware?

Vsbnw is a piece of malicious software categorized as ransomware, which our researchers found while inspecting new malware submissions on VirusTotal.

Once launched onto our test machine, this ransomware began encrypting files and appending their filenames with a random character string and the ".vsbnw" extension. For example, a file originally named "1.jpg" appeared as "1.jpg.cwO-rUVietD16B-n8DFjWy0gaJStKSeRJ3D_-F71iIP_NAAAADQAAAA0.vsbnw" afterwards.

Following the completion of this process, Vsbnw created a ransom note titled "yxjL_HOW_TO_DECRYPT.txt". The message in this file indicates that this ransomware targets companies rather than home users. It is noteworthy that such attacks can be heavily customized; hence, the information provided by their notes and websites may vary.