Virus and Spyware Removal Guides, uninstall instructions

What is XinFrams?

XinFrams prevents victims from accessing the operating system (restricts login and file access) by locking the screen. It displays a ransom message that contains instructions about how to pay a ransom to the developers plus various other details. Note that XinFrams is non-encrypting malware - it restricts access to files, but does not encrypt them.

What is ClickMovieSearch?

Apps such as ClickMovieSearch promote fake search engines by modifying certain browser settings. This particular apps assigns the settings to clickmoviesearch.com. ClickMovieSearch also promotes a fake search engine and gathers details relating to users' browsing habits.

Typically, users download and install browser hijackers inadvertently and, therefore, they are classified as potentially unwanted applications (PUAs).

What is Nsemad ransomware?

Nsemad is a malicious program, which is part of the Snatch ransomware family. It is designed to encrypt data and demand payment for decryption. During the encryption process, all compromised files are appended with the ".nsemad" extension. For example, a file originally titled something like "1.jpg" would appear as "1.jpg.nsemad" following encryption.

After this process is complete, ransom-demand messages within "HOW TO RESTORE YOUR FILES.TXT" files are dropped into affected folders.

What is HOTEL?

HOTEL is part of the Phobos ransomware family. This malware encrypts files, modifies their filenames, and generates two ransom messages ("info.hta" and "info.txt"). HOTEL renames files by adding the victim's ID, ICQ_username of its developers, and appending the ".HOTEL" extension to filenames.

For example, "1.jpg" is renamed to "1.jpg.id[C279F237-3098].[ICQ_RIXOSHORSE].HOTEL", "2.jpg" to "2.jpg.id[C279F237-3098].[ICQ_RIXOSHORSE].HOTEL", and so on.

What is SUKA ransomware?

Discovered by Jakub Kroustek, SUKA is malicious software belonging to the Dharma ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption.

During the encryption process, all affected files are renamed following this pattern: original filename, unique IDs assigned to victims, cyber criminals' email address, and the ".SUKA" extension. For example, a file originally named "1.jpg" would appear as "1.jpg.id-C279F237.[kjingx@tuta.io ].SUKA" after encryption.

Once this process is complete, ransom messages are created in a pop-up window and "FILES ENCRYPTED.txt" text file.

What is psalrausoa[.]com?

psalrausoa[.]com is often visited by users intentionally - these sites are opened when people click dubious, deceptive ads, visit other bogus websites, or have potentially unwanted applications (PUAs) installed on browsers and/or operating systems. There are many sites similar to psalrausoa[.]com including, for example, odrivicdriv[.]top, hilycover[.]top and urtheredevo[.]top.

What is OnlineStreamSearch?

OnlineStreamSearch hijacks browsers by modifying settings. In this case, by assigning them to onlinestreamsearch.com, a fake search engine. Like most browser hijackers, OnlineStreamSearch is likely to also collect browsing data.

People often download and install apps such as OnlineStreamSearch (browser hijackers) unintentionally and, for this reason, they are categorized as potentially unwanted applications (PUAs).

What is Weui?

Weui belongs to the Djvu ransomware family. It encrypts and renames victims' files, and creates a ransom message. Weui modifies the filenames of all encrypted files by appending the ".weui" extension.

For example, "1.jpg" is renamed to "1.jpg.weui", "2.jpg" to "2.jpg.weui", and so on. It also creates a ransom message within the "_readme.txt" file in all folders that contain encrypted files.

What is RestorFile ransomware?

RestorFile is a malicious program belonging to the Matrix ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption.

During the encryption process, affected files are renamed with a random character string and the ".[RestorFile@tutanota.com]" extension (which contains the cyber criminals' email address). For example, a file originally named "1.jpg" would appear as something similar to "Dm1VcZ9U-DOAwLcvy.[RestorFile@tutanota.com]" following encryption.

Once this process is complete, ransom messages within "#Decrypt_Files_ReadMe#.rtf" files are dropped into compromised folders.

What is starmode[.]biz?

starmode[.]biz and similar sites are generally opened due to potentially unwanted applications (PUAs). I.e., users do not often visit these pages intentionally. People also arrive at these websites by clicking deceptive ads or through other bogus websites. Some examples of other web pages that are similar to starmode[.]biz are odrivicdriv[.]top, hilycover[.]top and urtheredevo[.]top.