Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is Bbbr?

Bbbr is the name of ransomware that our team has discovered while inspecting the malware samples recently submitted to VirusTotal. We have found that Bbbr is part of the Djvu ransomware family. It is designed to encrypt files, append the ".bbbr" extension to filenames, and create the "_readme.txt" file containing a ransom note.

We have checked the encrypted files and noticed that Bbbr renames them in this manner: it changes a file named "1.jpg" to "1.jpg.bbbr", "document.txt" to "document.txt.bbbr", "file.exe" to "file.exe.bbbr", and so forth.

What is SearchGamesOnline?

SearchGamesOnline is a rogue browser extension. After analyzing it, our researchers determined that it is a browser hijacker that promotes the searchgamesonline.com fake search engine.

What kind of malware is Kings?

We have discovered the Kings ransomware while checking VirusTotal for recently submitted malware samples. While analyzing the Kings ransomware, we have learned that it encrypts files and appends the ".kings" extension to filenames (for example, renames "1.jpg" to "1.jpg.kings", "2.jpg" to "2.jpg.kings").

We also found that Kings creates the "RestoreFiles.txt" text file. This file contains a ransom note. Our additional finding is that Kings is part of the Babuk ransomware family.

What kind of malware is PENTAGON?

PENTAGON is a Remote Access Trojan (RAT), malware designed to allow stealthy remote access/control over infected systems. Our researchers obtained PENTAGON's sample when its developers promoted and shared it on Reddit and Twitter.

What kind of scam is "You have sent the payment - PayPal"?

We have examined this email and concluded that it is a phishing scam used to trick unsuspecting recipients into opening a deceptive website and providing their PayPal login credentials. In order to make this phishing email legitimate, scammers use the real PayPal logo in it.

What kind of page is b-cdn[.]net?

Our researchers periodically inspect suspicious websites, and b-cdn[.]net is a new find from one of these inspections. B-cdn[.]net is a rogue page that loads dubious content (e.g., "Your McAfee Subscription Has Expired" scam), pushes its browser notifications, and redirects visitors to other untrustworthy/dangerous sites.

Most visitors to webpages like b-cdn[.]net access them via websites using rogue advertising networks. However, these pages can also be entered through mistyped URLs or redirects caused by deceptive browser notifications/ intrusive ads, or installed adware.

What kind of scam is "Your computer is disabled. Please call Microsoft."?

We have encountered this scam while clicking on shady ads and visiting untrustworthy pages that use rogue advertising networks. After examining this pop-up scam, we learned that its purpose is to trick visitors into calling scammers. We also found that this page is hosted using the AmazonAWS service.

What is "Alert! Windows-11 Can Not Update"?

Discovered by our research team during a routine inspection of shady websites, "Alert! Windows-11 Can Not Update" is a technical support scam promoted on rogue websites. Like most deceptive pages of this type, it makes various fake claims about viruses, hackers, blocked computers, etc. - to scare users into calling bogus helplines, thus triggering an elaborate scam process.

What kind of page is blinkweb[.]net?

We have discovered the blinkweb[.]net page while inspecting websites using questionable advertising networks (mainly illegal streaming, adult dating, torrent, and similar sites). We have examined blinkweb[.]net and learned that it uses a clickbait technique to trick visitors into allowing it to show notifications.

What kind of malware is Blender?

We have discovered the Blender ransomware while checking the malware samples submitted to VirusTotal. We found that it is part of the VoidCrypt ransomware family. After testing the ransomware, we learned that it encrypts files, modifies their filenames, and provides ransom notes in a pop-up window ("DeCryption-Guide.hta") and the "DeCryption-Guide.txt" text file.

While checking how the Blender ransomware affects filenames, we learned that it appends a string of random characters, dechelper@yandex.com email address, and the ".blender" extension to them. For example, it renames "1.jpg" to "1.jpg.(MJ-BQ5418026973)(DecHelper@yandex.com).blender", "2.jpg" to "2.jpg.(MJ-BQ5418026973)(DecHelper@yandex.com).blender".