The Cerber Ransomware is a ransomware infection that is used to encrypt the victims' files. The Cerber Ransomware adds the extension CERBER to every file that the Cerber Ransomware encrypts. After the Cerber Ransomware has encrypted some of the files of the victim, the Cerber Ransomware demands the payment of a ransom in exchange for the decryption key. According to Cerber Ransomware's ransom note, computer users have one week to pay the ransom amount before this amount is doubled. The Cerber Ransomware Contains an Audio Message As the Cerber Ransomware encrypts the victim's files, it creates TXT, HTML, and VBS files named 'DECRYPT MY FILES' with instructions on how to pay the Cerber Ransomware's ransom. These files are dropped on every folder that contains files that were encrypted by Cerber Ransomware. According to these ransom...

The WanaCrypt0r Ransomware is an encryption Trojan that features a worm-like attack tactic. The WanaCrypt0r Ransomware is recognized as one of the most threatening and widespread encryption Trojans up until May 12th, 2017. The WanaCrypt0r Ransomware managed to compromise more than hundreds of thousand systems across one hundred and forty countries on its first release to the real world. The brunt of the attack was taken by PC users in Russia and the National Healthcare System in Great Britain. The Trojan managed to block access to most of the computers connected to the National Healthcare System and nearly 70% of the cases that involve the WanaCrypt0r Ransomware are recorded in Russia....

The CryptoLocker Trojan is a ransomware infection that encrypts the victim's files. CryptoLocker may typically be installed by another threat such as a Trojan downloader or a worm. Once CryptoLocker is installed, CryptoLocker will search for sensitive files on the victim's computer and encrypt them. Essentially, CryptoLocker takes the infected computer hostage by preventing access to any of the computer user's files. CryptoLocker then demands payment of a ransom to decrypt the infected files. CryptoLocker is quite harmful, and ESG security analysts strongly advise computer users to use an efficient, proven and updated anti-malware program to protect their computer from these types of...

The Play-bar.net search aggregator is similar to Ultimate-search.net, and it is a questionable service that is promoted by a browser hijacker. The Play-bar.net site is operated by Blisbury LLP and features a small search bar, a weather forecast in the top right corner and a clock widget in the top left corner. Additionally, the Play-bar.net site may offer users to play Adobe Flash games on online gaming platforms likePrincess Games, GamesRockit and TikiArcade. The browser hijacker related to Play-bar.net is written with the purpose of diverting the Internet traffic of infected users to Play-bar.net and earn affiliate revenue. The Play-bar.net browser hijacker may modify your DNS settings and change your default search aggregator, homepage and a new tab to Play-bar.net. The Play-bar.net browser hijacker might edit your Windows Registry...

The Cerber3 Ransomware is a new version of a well-known ransomware Trojan. The Cerber Ransomware Trojan now uses a slightly different method during its attack. The main difference is that the files infected by the Cerber3 Ransomware can be identified through the use of .CERBER3 as the extension that identifies the files that have been encrypted in the attack. PC security analysts had observed a Cerber2 variant of this attack previously. This numbering system may indicate new versions of software, and threats are no exception. The appearance of the Cerber3 Ransomware indicates that the Cerber ransomware family is being developed and updated currently. The Cerber3 Ransomware and Possible Updates to this Threat The Cerber3 Ransomware was discovered recently, around the end of August of 2016. The Cerber3 Ransomware presents minor...

The DNS Unlocker is adware that has caught the attention of PC security researchers. Many computer users have been using programs like the DNS Unlocker to bypass region-locking components in online applications. The DNS Unlocker, in particular, has been advertised as a way for computer users to access Netflix for regions outside of their location. PC security analysts strongly recommend against this approach. There are numerous applications available that supposedly allow computer users to modify their IP or connect to certain websites that are blocked for certain regions. However, this is a common way for adware developers to distribute their low-level and mid-level threats. In several situations, it may be better to avoid using these types of components or looking for reputable options even if they are slightly more expensive than...

Tavanero.info is a bogus search engine that is associated with a PUP (Potentially Unwanted Program). Tavanero.info attempts to mimic the look and feel of the Google search engine to mislead computer users. Tavanero.info uses the Google logo colors in its layout and even includes the term 'GoogleTM Custom Search,' despite the fact that Tavanero.info has no affiliations with Google. Tavanero.info should be considered for what it is, a bogus search engine that may be used to expose computer users to potentially harmful online advertisements and content. There is no legitimate connection between Tavanero.info and Google, despite this fake search engine's claims. The Activities of Tavanero.info and Its Associated PUP Tavanero.info is linked to a type of PUP known as a browser hijacker, mainly because these components may be used to hijack...

If Tech-connect.biz start appearing as your homepage and search engine, this means that your computer is housing a browser hijacker. Then you wonder how it could have happened if wasn't you who introduced Tech-connect.biz on your machine. The answer is very simple; browser hijackers may be part of the installation of a free software you downloaded from the Web recently. This is a well-used method since the computer users may be in a hurry when installing the free program they need and instead of choosing 'Advanced' or 'Custom,' used the quickest installation method, skipping its EULA and additional details, giving the browser hijacker, adware, and PUPs, the permission to be installed unknowingly. Although not threatening, Tech-connect.biz may cause a series of inconveniences to the computer users, such as appending the argument...

The Zepto Ransomware is a variant of the Trojan Locky Ransomware. The Zepto Ransomware is designed to infect all versions of the Windows operating system, from Windows XP all the way to Windows 10. Ransomware Trojans like the Zepto Ransomware are especially threatening because, even if removed, the victim's files will still be inaccessible. Essentially, the Zepto Ransomware takes the victim's files hostage, encrypting them and demanding the payment of a ransom to decrypt them. Since the files encrypted by the Zepto Ransomware are impossible to recover without access to the decryption key, PC security analysts advise that computer users take immediate preventive measures to avoid becoming victims of this and similar ransomware Trojan attacks. The Files Encrypted by the Zepto Ransomware may be Lost Forever When the Zepto Ransomware is...

The CryptoWall Ransomware is a ransomware Trojan that carries the same strategy as a number of other encryption ransomware infections such as Cryptorbit Ransomware or CryptoLocker Ransomware. The CryptoWall Ransomware is designed to infect all versions of Windows, including Windows XP, Windows Vista, Windows 7 and Windows 8. As soon as the CryptoWall Ransomware infects a computer, the CryptoWall Ransomware uses the RSA2048 encryption to encrypt crucial files. Effectively, the CryptoWall Ransomware prevents computer users from accessing their data, which will be encrypted and out of reach. The CryptoWall Ransomware claims that it is necessary to pay $500 USD to recover the encrypted data....

RelevantKnowledge is software that exists in a moral grey area. RelevantKnowledge is widely considered spyware, because RelevantKnowledge will collect huge amounts of information about your Internet usage, and then use that information to put together even more information about you. That information is then sold, anonymously, either individually or as part of aggregate data. Given the way that RelevantKnowledge is installed on most computers, it is unlikely that most of those users are fully aware of the facts about RelevantKnowledge. What RelevantKnowledge is, and Where it Comes From RelevantKnowledge is a product of the company MarketScore, formerly called Netsetter. MarketScore...

DarkComet is a malware threat that has started to proliferate since the beginning of 2012. ESG security researchers have found that DarkComet is strongly associated with the conflict between political dissidents and the Syrian government. Basically, DarkComet is a full-fledged remote access Trojan (RAT), which allows a remote party to connect to the infected computer system and use it from afar. With full access to the victim's computer system, hackers can basically steal any information on the infected computer or use it for their own means. DarkComet uses a vulnerability in Skype, the popular online chat application, in order to spread. Whenever DarkComet's executable file runs, it connects to a server located in Syria from which DarkComet receives updates, instructions and the files DarkComet needs to take over the victim's computer...

There's a variant of the Zeus Trojan that has targeted banks and credit unions in the United States in October of 2012. This malware infection, known as the Gozi Trojan, has managed to steal sensitive data belonging to customers of important credit unions all around the United States. The Gozi Trojan attacks the targeted financial institutions' websites by inserting fields into the website in order to trick visitors into handing over their private information. The Gozi Trojan has affected at least thirty banks in the United States, often using fraudulent signatures in order to infiltrate secure networks. ESG security researchers have also observed the involvement of more than one hundred botnets in an effort to steal money using information stolen with the Gozi Trojan and transfer that money to offshore accounts. The criminals...

OnlineMapFinder is a potentially unwanted program (PUP) that is advertised at Free.onlinemapfinder.com/index.jhtml as a premium Web-app. The OnlineMapFinder application is developed by Mindspark Interactive Network, Inc. and is described at Free.onlinemapfinder.com/index.jhtml as "Maps, Driving Directions and more in one Chrome New Tab" briefly. The OnlineMapFinder application works as a browser extension/add-on that you can attach to Internet Explorer, Google Chrome, and Mozilla Firefox. You may find the OnlineMapFinder useful if you are traveling around the world with a laptop on your back. The OnlineMapFinder app may load exciting content from sources like Maps.nationalgeographic.com, Historicaerials.com, and Mapquest.com. OnlineMapFinder may be eliminated by going through the web browser add-ons and extensions menu to find and...

The TrackAPackage software may claim to offer you tools to track parcels you send and allow you to use express mail and web surfers may be attracted to install it. The TrackAPackage toolbar is deemed by security researchers as a Potentially Unwanted Program (PUP) because it may change the home page or open a new tab to Myway.com. The TrackAPackage toolbar is developed by Mindspark Interactive Network Inc. that may have a partnership with Ask.com. The TrackAPackage toolbar is cross-compatible, and you may expect changes in Internet Explorer, Google Chrome, and Mozilla Firefox. The behavior of the TrackAPackage toolbar is similar to the activities of the Video Download Converter Toolbar and the InstantRadioPlay, which some users may not be satisfied with its actions. You should take into consideration that the removal of TrackAPackage...

The Counterflix software is advertised as an application that can allow users to load geo-restricted content from services like Hulu, Pandora and Netflix. PC users that live in countries like India, China, and Russia, where Internet censorship applies may be interested in installing Counterflix. The services provided by Counterflix are available through the app and the modification of your DNS configuration. The setup page for Counterflix can be found at Counterflix.com and users will need to edit their system settings to install the Counterflix correctly. You should note that the Counterflix software is provided on an “As-Is” basis and you will not receive support from its developers. Unfortunately, the makers of Counterflix do not provide contact information like a Facebook page or a Twitter account, which you may need in case of...

The Yeadesktop.com domain is presented to Web surfers as a search service that includes links to third-party service like LinkedIn, Netflix, Yahoo, YouTube and Facebook. Yeadesktop.com offers visitors access to curated collection of Web-based mini-games as well. The site may appeal to users of all ages, but you should take into consideration that Yeadesktop.com is supported by intrusive advertisements. Additionally, Yeadesktop.may be associated with a program with the same name ('Yeadesktop') that is mentioned in cases of browser hijacking. Computer users that are affected by the Yeadesktop browser hijacker have reported that their Internet browser loads Yeadesktop.com as the default start page and new tab. We have detected that a program with the name 'Yeadesktop' may be delivered to PC users via free software bundles and make...

The 'Checking visitor' detection name refers to a pop-up window that is generated when a compromised user opens the browser, slides to a new tab and clicks on a hyperlinked text. The 'Checking visitor' pop-ups are generated by adware, which is reported to use a custom URL like 'imwhite.ru/cs?wsa=59170dc59dd2938574025' and load marketing materials from untrusted advertisers. Network analysis showed that the domains related to the 'Checking visitor' pop-ups are registered to the 46.4.70.113 IP address. There are many clones of 'imwhite.ru' and most of them appear to function as a redirect-gateways to Russian sites. Some computer security researchers may refer to the 'Checking visitor' redirects simply as "Russian Ads." Some of the domains used to redirect users infected with the 'Checking visitor' adware are the following:...

The 'Your Windows Is Infected' notifications that are loaded in a new tab named 'WARNING: CPU VIRUS ALERT' should not be trusted. Websites that suggest your system is compromised and prevent you from switching to another tab are more than likely to offer misleading information and lure you to call fake computer support agents. The 'Your Windows Is Infected' warnings are known to be hosted on pages with random names and aim to convince the users that their PCs are infected with cyber parasites under the names of 'Rootkit.Siref.Spy' and 'Trojan.FakeAV-Download.' You would see that 'Rootkit.Siref.Spy' and 'Trojan.FakeAV-Download' are legitimate detection names if you search it online. However, the threats listed on the 'Your Windows Is Infected' warnings are not likely to be on your system. The goal of the 'Your Windows Is Infected'...

The iSpinner Search browser extension is an ad-supported program that is promoted at ispinner.online as the virtual alternative to the fidget spinners you can buy on Amazon. The iSpinner Search browser extension appears to support the major Internet browsers and change several browser settings. The iSpinner Search software requires the following privileges to function correctly: Read and change all your data on the websites you visit. Communicate with cooperating sites. Display notifications. Change your search settings to: feed.ispinner.online. The iSpinner Search extension is reported to add a new icon to the navigation panel of the browser and show an animation of a fidget spinner, which you can customize by choosing various models from Feed.ispinner.online You may want to take into consideration that installing the iSpinner Search...

The DarkKomet Ransomware is an encryption Trojan based on the HiddenTear project published by Utku Sen in August 2015 as an "educational ransomware." The DarkKomet Ransomware Trojan is named after the DarkComet Remote Access Trojan, which comes bundled with the ransomware engine. Cyber security researchers alert that the DarkKomet Ransomware is distributed to users via spam emails, links to compromised sites, fake software updates to Adobe Flash and macro-enabled documents. The DarkKomet Ransomware is believed to be one of the few crypto-threats to record, video, audio and collect files for doxxing attacks. Initial threat analysis showed that the DarkKomet Ransomware is similar to the

The ViACrypt Ransomware is a file encoder Trojan that is believed to be the work of threat actors based in Norway. The ViACrypt Ransomware is reported to target PC users in Latvia that run the latest versions of the Windows OS. The ViACrypt Ransomware may be installed on systems when the user opens a weaponized Microsoft Word document and runs a corrupted script. At the time of writing, most victims of the ViACrypt Ransomware are based in Latvia, but it is possible that the campaign to distribute the Trojan will be expanded to countries like Lithuania, Poland, Belarus, Estonia and Russia. Malware researchers note that the ViACrypt Ransomware appears to be the work of an independent team of programmers since the code of ViACrypt does not share similarities with recorded crypto-threat signatures. How an Attack by ViaCrypt Works The...

Today, an unknown number of high profile companies have come under attack from a vicious malware threat known as Petya Ransomware. The data-encrypting malware has reached a global scale quickly spreading to hit and disrupt computers across Europe with a strong focus on Ukraine. So far, from many reports coming out of Europe, the attack is affecting websites based out of the UK, in addition to Norway, India, and Spain. Many of the attacked companies have reached out to their followers through social media to confirm that many or their networks have been compromised as part of a global hack. At least one major U.S. company, the Merck & Co. pharmaceutical company out of New Jersey, said on its Twitter account that it was affected as well. What we suspect is fresh off of the heels of the famous and widespread WannaCry Ransomware attack a...

The iPlay Search browser extension by bettersearchtools.com is promoted as a tool that can be incorporated into Google Chrome and allow Web surfers to play games for free at better.cantstopplaying.com. When the iPlay Search browser extension is installed, you will notice a small icon of a gamepad show up in the navigation panel on the top left corner next to the browser menu (the tree dots). The iPlay Search panel is displayed as an expanded menu below the gamepad icon and offers a selection of links to games at better.cantstopplaying.com. The same functionality was presented with the GoPlay Search extension from bettersearchtools.com a week before iPlay Search was published on the Chrome Web Store. You may want to know that iPlay Search is an ad-supported program that changes your default search provider to games.eanswers.com. The...

The Search.shouxiaoti.info domain is associated with a browser hijacker program. PC users have reported redirects to Search.shouxiaoti.info and search hijacks when they load sites like Google.com, Bing.com and Yahoo.com. The Search.shouxiaoti.info browser hijacker may modify the settings in browsers like Google Chrome, Internet Explorer, and Mozilla Firefox to load commercials from sponsors of Search.shouxiaoti.info. Web surfers are advised to avoid content generated via Search.shouxiaoti.info because it may include links to phishing pages and riskware like GreatZip and MyTelevisionHQ Toolbar. A network analysis revealed that the Search.shouxiaoti.info site is registered to the 104.27.178.101 IP address, which we have seen before in cases that involve the EverSave and Dealz adware. The Search.shouxiaoti.info browser hijacker is...

The Searchtab.win domain is reported to be connected to a browser hijacker. PC users that like to try out free programs have reported that the Searchtab.win site hijacked their browser's new tab page. It is possible that a Potentially Unwanted Program (PUP) might have installed a browser extension related to Searchtab.win that is responsible for the new tab page layout. The Searchtab.win site appears to feature an embedded custom Google search engine. The engine at Searchtab.win is not available directly, and Web surfers stated the address bar contained the string 'searchtab.win/search.html.' A closer look at the source code revealed that the custom Google search is based on cse.google.com/cse/home?cx=004193831143085524486:gqjd2iili5c which features the generic name 'Test.' Computer users that experience redirects to Searchtab.win and...

The EyLamo Ransomware is an encryption Trojan that was unveiled in the last week of June 2017. The EyLamo Ransomware Trojan is a program that is installed on your PC without your consent, applies cryptographic algorithms to your data, and it is required a decryptor to convert your files back to normal. The threat actors behind the EyLamo Ransomware attacks send out waves of spam emails to users in the hope that some of them might open the attached macro-enabled Microsoft Word file. The DOCX file includes a script, which handles the installation of the EyLamo Ransomware to the local disk. In-depth research into the cases involving the EyLamo Ransomware has been initiated to reveal its creators and associated servers. However, traceback operations are difficult to complete because threats like the EyLamo Ransomware are developed in...

The Reetner Ransomware is a Trojan that is reported to drop ransom notes on the user's computer and lacks an encryption component. The Reetner Ransomware was discovered in the last week of June 2017 and appears to be distributed via spam emails and corrupted notes taking software. Computer security researchers that had the opportunity to work with samples of the Reetner Ransomware stated that the Reetner Ransomware might be still under development and they are searching for connected encryption engines. The programmer behind the Reetner Ransomware might have uploaded a test version of the complete Reetner Ransomware to an online security platform and check if AV engines are able to block the threatening program. Cyber security experts note that might be a customized version of the HiddenTear open-source ransomware given the...

The Kuntzware Ransomware is a file encoder Trojan that was discovered by malware analysts who stumbled upon a sample found on an online security platform. The Kuntzware Ransomware was reported in the last week of June and appears to be a WIP (Work-In-Progress) project. There are no reports for the Kuntzware Ransomware released to users officially. However, the Trojan is fully functional as far as data encoding is concerned. The author of the program lacks a client-server configuration, and that may be implemented soon. Malware analysts alert that the Kuntzware Ransomware is classified as a mid-tier crypto-threat considering that it has the capability to encode files hosted on a cloud platform like Google Drive and Dropbox. The Kuntzware Ransomware is named after the file 'Kuntz.exe,' which the Trojan may use to run on compromised...

When it first arrived back in January, the Spora ransomware amazed security researchers both with its incredibly complicated and strong encryption routine and with the professionally designed payment and support page. At one point, Spora was among the top ransomware families, and the chat transcripts between the victims and the crooks showed just how many people were left locked out of their computers. In March, however, its popularity suddenly started to dwindle. Although it didn't disappear completely, infections slowed to a crawl, and some of the domains that linked to the crooks' support page stopped working. Nevertheless, the experts thought it unlikely that the Spora gang would abandon their project after the considerable time spent creating what has to be one of the most sophisticated ransomware families of the year. Indeed,...

The CryptoDark Ransomware is not your typical encryption Trojan that corrupts your data and invites you to pay for a decryption software. The CryptoDark Ransomware is a screen locker Trojan that uses deception and scaremongering to convince the user to pay 300 USD in Bitcoins (0.12469 BTC) and restore access to the system. The CryptoDark Ransomware Trojan may be installed on computers via macro-enabled documents attached to spam emails. Users might be suggested to open fake invoices and payment orders, which serve as the payload for the CryptoDark Ransomware. PC security experts warn users to avoid spam emails and ask for confirmation from the sender if the attached document is safe to open. It is unlikely that the sender would reply if the message is part of a spam campaign. The CryptoDark Ransomware is classified as a screen locker...

The Pricegroup.online domain is classified as a source of phishing content. The Pricegroup.online site is registered to the 104.236.150.81 IP address where we have found more than twenty clones of Pricegroup.online. The site at hand is used to display fake security alerts to users that include messages like 'Windows Defender Alert: Zeus Virus Detected in Your Computer!', 'Error#268d3 Detected' and 'Critical Alert From Windows'. Additionally, the Pricegroup.online phishing site features a disturbing voice recording that says: 'Your system has been infected with spyware. This virus is sending your credit card details, Facebook login and personal emails to hackers remotely. Please call us immediately at the toll-free number listed so that our support engineers can walk you through the removal process over the phone. If you close this page...