Virus and Spyware Removal Guides, uninstall instructions

What is the .origami ransomware?

.origami is malicious software categorized as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption tools/software.

During the encryption process, all affected files are renamed according to this pattern: original filename, unique ID assigned to the victims, cyber criminals' emails address and the ".origami" extension. For example, a file like "1.jpg" would appear as something similar to "1.jpg.[E38D7F03].[origami7@firemail.cc].origami" following encryption.

After this process is complete, a ransom-demand message ("readme-warning.txt") is dropped into every compromised folder.

What is "Apple Rewards Program"?

"Apple Rewards Program" is a scam run on deceptive websites. This scheme targets Apple device users, thanks them for being longtime supporters of Apple, and claims that by completing a short survey and paying a small fee, they can win an iPhone 11 pro. This scam is in no way associated with Apple Inc.

The purpose of this scheme is to extort personal information and trick people into making monetary transactions. Typically, deceptive/scam sites are accessed through redirects caused by intrusive advertisements or Potentially Unwanted Applications (PUAs).

What is ListenToRadio?

As its name suggests, ListenToRadio supposedly provides quick access to radio stations and music websites. In fact, the main purpose of this browser hijacker is to promote blpsearch.com (a fake search engine) by changing certain browser settings. Typically, apps of this type modify settings and collect various browsing-related (and other) data.

People often download and install these apps inadvertently and, therefore, they are categorized as potentially unwanted applications (PUAs).

What kind of malware is the DemonWare?

Discovered by malware researcher, Ravi, DemonWare is malicious software classified as ransomware. Typically, ransomware encrypts data and demands payment for decryption. During the encryption process, DemonWare appends all affected files with the ".DEMON" extension.

For example, a file originally named something like "1.jpg" would appear as "1.jpg.DEMON" following encryption. After this process is complete, DemonWare creates identical messages in a pop-up window and "README.txt" text files, which are dropped into compromised folders.

What is Fonix?

Discovered by Michael Gillespie, Fonix (also known as FonixCrypter) ransomware encrypts victims' files, changes the filenames, and creates a ransom message, which is opened in a pop-up window. It renames encrypted files by adding the fonix@tuta.io email address, victim's ID, and appends the ".Fonix" extension to filenames.

For example, it would rename a file such as "1.jpg" to "1.jpg.EMAIL=[fonix@tuta.io]ID=[1E857D00].Fonix", "2.jpg" to "2.jpg.EMAIL=[fonix@tuta.io]ID=[1E857D00].Fonix", and so on. Instructions about how to contact the cyber criminals behind Fonix (and other details) are provided in the "# How To Decrypt Files #.hta" file.

What is ConnectedBoost?

ConnectedBoost is an adware-type application that has browser hijacker characteristics. It delivers intrusive advertisement campaigns and modifies browser settings in order to promote fake search engines. ConnectedBoost promotes Safe Finder through search.adjustablesample.com and search.anysearchmanager.com.

Additionally, most adware infections and browser hijackers monitor users' browsing activity, and it is highly likely that ConnectedBoost does so as well. Due to the dubious methods used to proliferate this app, it is also considered to be a Potentially Unwanted Application (PUA).

What is "Black Lives Matter Email virus"?

Typically, cyber criminals behind malspam campaigns such as this attempt to trick recipients into opening a malicious file, which is attached to the email or can be downloaded through an included website link. When executed, the file infects computers with malware. This particular malspam campaign is used to distribute an information-stealing Trojan called TrickBot.

What is "CV Email Virus"?

"CV Email Virus" is a spam campaign designed to proliferate ZLoader malware. The term "spam campaign" is used to define a large scale operation, during which deceptive emails are sent by the thousand. The messages distributed in the "CV Email Virus" spam campaign are presented as work applications.

The attached malicious Excel spreadsheet supposedly contains the CV, however, when opened, it initiates download/installation of ZLoader malware. This malicious program infect devices with additional malware and typically injects systems with the Zeus banking Trojan.

What is "VIRUS ALERT FROM Windows"?

Like many other technical support scams, this one is designed by scammers who attempt to trick unsuspecting users into calling them via the provided number. In most cases, their main purpose is to trick people into paying to fix a non-existent computer problem (remove viruses).

In any case, such scams should be ignored. Note that the deceptive websites associated with these scams are often opened through dubious ads, bogus websites, or installed potentially unwanted applications (PUAs).

What is ProgressTrend?

In most cases, users download and install apps like ProgressTrend unintentionally.

Therefore, this and other apps of this type (adware/browser hijackers) are categorized as potentially unwanted applications (PUAs). ProgressTrend is designed to change certain browser settings, promote the Safe Finder website (by opening it through akamaihd.net), and display various advertisements. It can also read personal, sensitive information.