Virus and Spyware Removal Guides, uninstall instructions

BNFD Ransomware

What is BNFD?

BNFD belongs to the Matrix ransomware family. It prevents victims from accessing/using their files by encrypting them and creates a ransom message (within the "BNFD_README.rtf" file) with instructions about how to contact the developers regarding decryption of files.

BNFD also renames files by replacing their filenames with the Benford333@criptext.com email address and a string of random characters, and appending ".BNFD" as the extension.

For example, "1.jpg" is renamed to "[Benford333@criptext.com].SbWbBnkT-4QQddgbX.BNFD", "2.jpg" to "[Benford333@criptext.com].DnQnVmjL-5HHkkloZ.BNFD", and so on.

   
Osx Uninstaller Unwanted Application (Mac)

What is Osx Uninstaller?

Osx Uninstaller is untrusted software, endorsed as a tool to optimize and carry out effective application uninstall processes. However, due to the dubious techniques used to proliferate Osx Uninstaller, it is classified as a Potentially Unwanted Application (PUA).

Software within this classification is typically nonoperational (i.e. the advertised features do not work) and can also have undisclosed dangerous capabilities.

   
DirectStreamSearch Browser Hijacker

What is DirectStreamSearch?

Like most browser hijackers, after installation DirectStreamSearch changes certain browser settings to the address of a fake search engine. In this case, it assigns them to directstreamsearch.com. It is very likely that DirectStreamSearch will also collect information relating to users' browsing activities.

Typically, users download and install browser hijackers inadvertently and, for this reason, they are classified as potentially unwanted applications (PUAs).

   
Ahmed Minegames Ransomware

What is Ahmed Minegames ransomware?

Discovered by malware researcher S!Ri, Ahmed Minegames is a ransomware-type program. This ransomware encrypts data and displays a pop-up window, demanding a password to decrypt files. Typically, malicious programs of this type rename the compromised files. However, this is not the case with Ahmed Minegames (hence, filenames remain unchanged).

Additionally, the main purpose of ransomware is to encrypt data and/or lock the device's screen in order to demand ransom payments for decryption and to restore access. Ahmed Minegames is decryptable ransomware - the recovery password is "minegames321" (without quotation marks).

   
.docm Ransomware

What is .docm ransomware?

.docm ransomware is designed to encrypt files, modify their filenames, create the "README_RECOVERY.txt" text file and change the desktop wallpaper. It renames encrypted files by appending the ".docm" extension, which is a legitimate file extension used in Microsoft Word.

For example, "1.jpg" is renamed to "1.jpg.docm", "2.jpg" to "2.jpg.docm", and so on. The ransomware creates the "README_RECOVERY.txt" file in all folders that contain encrypted files. This text file and the desktop wallpaper are the ransom messages with instructions about how to contact the cyber criminals and pay the ransom.

   
Jdyi Ransomware

What is Jdyi ransomware?

Jdyi is a malicious program belonging to the Djvu ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools/keys. During the encryption process, all affected files are appended with the ".jdyi" extension.

For example, a file originally named something like "1.jpg" would appear as "1.jpg.jdyi", "2.jpg" as "2.jpg.jdyi", "3.jpg" as "3.jpg.jdyi", and so on. After this process is complete, ransom messages in "_readme.txt" files are dropped into compromised folders.

   
Secure Driver Updater Unwanted Application

What is Secure Driver Updater?

As its name suggests, Secure Driver Updater scans the operating system for outdated, old drivers and updates them. Developers distribute this program using dubious methods and, therefore, users who install Secure Driver Updater onto their computers often do so inadvertently. For this reason, this software is categorized as a potentially unwanted application (PUA).

   
Bondy Ransomware

What is Bondy ransomware?

Discovered by S!Ri, Bondy is ransomware designed to encrypt files, append its extension to the filenames of all affected files, and create a ransom message (within the "HELP_DECRYPT_YOUR_FILES.txt" text file) in all folders that contain encrypted files.

It renames files by appending the ".bondy" extension. For example, "1.jpg" is renamed to "1.jpg.bondy", "2.jpg" to "2.jpg.bondy", and so on. The "HELP_DECRYPT_YOUR_FILES.txt" file contains instructions about how to pay the ransom and contact the cyber criminals who created Bondy.

   
Undertain.work Ads

What is undertain[.]work?

Generally, users do not open undertain[.]work or similar web pages intentionally - they are opened by browsers with potentially unwanted applications (PUAs) installed on them. These rogue apps are classified as PUAs because most users download and install them inadvertently. In addition to promoting sites such as undertain[.]work, PUAs often serve ads and gather data.

   
Swindoors.work Ads

What is swindoors[.]work?

swindoors[.]work is a rogue website designed to present visitors with dubious content and/or redirect them to other untrusted/malicious pages. Few users access this site intentionally - most are redirected to it by intrusive ads or by Potentially Unwanted Applications (PUAs) already installed on their devices.

This software does not need explicit user consent to infiltrate systems. PUAs operate by causing redirects, running intrusive advertisement campaigns and collecting browsing-related data. There are thousands of websites similar to swindoors[.]work on the web - liveplayingnow.com, finvesterns.work, bargaret.work, and jrg-news1.club are just some examples.

   
