Virus and Spyware Removal Guides, uninstall instructions

What is click-to-win-prize[.]com?

click-to-win-prize[.]com is one of many untrusted websites that redirect visitors to other web pages of this kind, or load dubious content. Some examples of similar sites are sabs-news[.]info, pushcleansystem[.]com and checkvd[.]com.

Users do not often visit these pages intentionally - in most cases, they are opened through clicked dubious ads, other bogus websites, or by installed potentially unwanted applications (PUAs). Note that PUAs are often designed to open bogus web pages, gather browsing-related information, and serve various advertisements.

What is the fake "National Bank of Greece" email?

The "National Bank of Greece" email is a deceptive message distributed in large numbers via operations called "spam campaigns". These particular scam emails target Greek users.

The messages supposedly concern bank transfer proposals and have a transaction receipt attached to them, however, upon opening, the attached file triggers download/installation of the NanoCore RAT (Remote Access Trojan). This type of malware allows remote access and control over the infected system.

RATs have a wide range of functionalities, which enable likewise varied misuse of the compromised device.

What is Hlpp ransomware?

Discovered by Jakub Kroustek, this ransomware is a part of the Dharma ransomware family. It is designed to encrypt victims' files, change the filenames, and provide instructions about how to contact the developers. It renames encrypted files by adding the victim's ID, hlpp@protonmail.ch email address, and appending the ".hlpp" to filenames.

For example, it would rename a file such as "1.jpg" to "1.jpg.id-1E857D00.[hlpp@protonmail.ch].hlpp", "2.jpg" to "2.jpg.id-1E857D00.[hlpp@protonmail.ch].hlpp", and so on. Instructions about how to contact Hlpp's developers are provided in the created "FILES ENCRYPTED.txt" text file and pop-up window.

What is Nypd?

Nypd belongs to the Djvu ransomware family. Like most ransomware-type programs, it encrypts files, changes their filenames by appending an extension, and creates a ransom message that contains instructions about how to contact the developers. Nypd appends the ".nypd" extension to files.

For example, it would rename a file such as "1.jpg" to "1.jpg.nypd", "2.jpg" to "2.jpg.nypd", and so on. It drops the "_readme.txt" text file (ransom message) in every folder that contains encrypted files.

What is the .origami ransomware?

.origami is malicious software categorized as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption tools/software.

During the encryption process, all affected files are renamed according to this pattern: original filename, unique ID assigned to the victims, cyber criminals' emails address and the ".origami" extension. For example, a file like "1.jpg" would appear as something similar to "1.jpg.[E38D7F03].[origami7@firemail.cc].origami" following encryption.

After this process is complete, a ransom-demand message ("readme-warning.txt") is dropped into every compromised folder.

What is "Apple Rewards Program"?

"Apple Rewards Program" is a scam run on deceptive websites. This scheme targets Apple device users, thanks them for being longtime supporters of Apple, and claims that by completing a short survey and paying a small fee, they can win an iPhone 11 pro. This scam is in no way associated with Apple Inc.

The purpose of this scheme is to extort personal information and trick people into making monetary transactions. Typically, deceptive/scam sites are accessed through redirects caused by intrusive advertisements or Potentially Unwanted Applications (PUAs).

What is ListenToRadio?

As its name suggests, ListenToRadio supposedly provides quick access to radio stations and music websites. In fact, the main purpose of this browser hijacker is to promote blpsearch.com (a fake search engine) by changing certain browser settings. Typically, apps of this type modify settings and collect various browsing-related (and other) data.

People often download and install these apps inadvertently and, therefore, they are categorized as potentially unwanted applications (PUAs).

What kind of malware is the DemonWare?

Discovered by malware researcher, Ravi, DemonWare is malicious software classified as ransomware. Typically, ransomware encrypts data and demands payment for decryption. During the encryption process, DemonWare appends all affected files with the ".DEMON" extension.

For example, a file originally named something like "1.jpg" would appear as "1.jpg.DEMON" following encryption. After this process is complete, DemonWare creates identical messages in a pop-up window and "README.txt" text files, which are dropped into compromised folders.

What is Fonix?

Discovered by Michael Gillespie, Fonix (also known as FonixCrypter) ransomware encrypts victims' files, changes the filenames, and creates a ransom message, which is opened in a pop-up window. It renames encrypted files by adding the fonix@tuta.io email address, victim's ID, and appends the ".Fonix" extension to filenames.

For example, it would rename a file such as "1.jpg" to "1.jpg.EMAIL=[fonix@tuta.io]ID=[1E857D00].Fonix", "2.jpg" to "2.jpg.EMAIL=[fonix@tuta.io]ID=[1E857D00].Fonix", and so on. Instructions about how to contact the cyber criminals behind Fonix (and other details) are provided in the "# How To Decrypt Files #.hta" file.

What is ConnectedBoost?

ConnectedBoost is an adware-type application that has browser hijacker characteristics. It delivers intrusive advertisement campaigns and modifies browser settings in order to promote fake search engines. ConnectedBoost promotes Safe Finder through search.adjustablesample.com and search.anysearchmanager.com.

Additionally, most adware infections and browser hijackers monitor users' browsing activity, and it is highly likely that ConnectedBoost does so as well. Due to the dubious methods used to proliferate this app, it is also considered to be a Potentially Unwanted Application (PUA).