Virus and Spyware Removal Guides, uninstall instructions

What is ExpressDefault?

After downloading and launching ExpressDefault's sample, our researchers found it to be an adware-type app. In other words, it runs intrusive advertisement campaigns (displays various ads).

We also determined that ExpressDefault belongs to the AdLoad malware family. Furthermore, it may exhibit browser hijacker behavior (as is common for AdLoad applications), although it did not - when we analyzed it.

What kind of application is Easy-Search?

After installing the Easy-Search application, we have noticed that it has changed the web browser's settings (and did not allow to modify them) to easysearch.club - a search engine that shows results generated by Bing (bing.com). Thus, it can be stated with certainty that Easy-Search is a browser hijacker promoting a fake search engine.

What is PDFConverterSearchNow?

PDFConverterSearchNow is a rogue browser extension. After analyzing it, our researchers have concluded that this piece of software operates as a browser hijacker. PDFConverterSearchNow changes browser settings and promotes the pdfconvertersearchnow.com fake search engine.

What kind of malware is AMC?

We discovered AMC ransomware while inspecting ransomware samples submitted to VirusTotal. While analyzing the AMC ransomware sample, we saw that it encrypts files and appends a different extension (containing four random characters) to filenames.

For example, AMC has renamed "1.jpg" file to "1.jpg.7d7x", "2.exe" to "2.exe.v6w8", and so on. It has also created the "ransom_read_it.txt" file containing a ransom note.

What is 4ywda ransomware?

When inspecting recently submitted ransomware samples to VirusTotal, we discovered and analyzed a new variant named 4ywda. This malicious program is designed to encrypt data (lock files) and demand payment for the decryption.

During our analysis, it appended affected files with a random character string and the ".4ywda" extension. For example, a file titled "1.jpg" appeared as "1.jpg._wWXcd2bLfM8-mexFrgHIuxq2Z4kwTeZ1rpEQpBOoCX_IgAAACIAAAA0.4ywda". Afterward, a ransom note named "MJZ1_HOW_TO_DECRYPT.txt" was created.

What kind of page is security-defender[.]xyz?

Security-defender[.]xyz is a website that our malware researchers have discovered while looking for pages designed to trick visitors into agreeing to receive deceptive notifications. It is an untrustworthy page asking for permission to deliver notifications and displaying deceptive content.

What is DigitalProgram?

Our researchers have found yet another adware-type application called DigitalProgram. We have concluded that this piece of software operates as adware.

It also belongs to the AdLoad malware family. We have researched many samples from said group, and while during our testing - we did not observe DigitalProgram exhibiting browser hijacker traits - they are common for AdLoad adware. Another potential ability of these applications is data tracking.

What kind of malware is PseudoManuscrypt?

PseudoManuscrypt is the name of the malware that spies on victims. It is similar to another malware called Manuscrypt. We have discovered PseudoManuscrypt while checking installers for pirated software (one of the examples is a fake pirated installer for SolarWinds - a network monitoring software).

What kind of application is KeyWright?

KeyWright displays advertisements and promotes a fake search engine. It is advertising-supported software that has traits of a browser hijacker. Additionally, KeyWright can read sensitive information from websites. Usually, apps of this kind are promoted and distributed using questionable (often deceptive) methods.

What kind of software is GlobalProcesser?

GlobalProcesser is advertising-supported software, which means it generates advertisements. Also, this app hijacks a web browser (changes its settings) to promote a fake search engine. GlobalProcesser is distributed using a fake Adobe Flash Player installer.