Virus and Spyware Removal Guides, uninstall instructions

What is CU?

CU is the name of malware belonging to the Crysis/Dharma ransomware family. Systems infected with this program have data encrypted and users receive ransom demands for file decryption.

When CU ransomware encrypts, all files are renamed according to the following pattern: original filename; unique ID assigned to the victims; cyber criminals' email address, and; the ".CU" extension. For example, a file like "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[cyberunion@tuta.io].CU".

After this process is finished, a text file ("FILES ENCRYPTED.txt") is created on the desktop and a pop-up window is displayed.

What is 2fatoffers[.]xyz?

When visited, 2fatoffers[.]xyz opens untrustworthy websites or loads dubious content. There are many other rogue websites that operate in this way including, for example, younwild[.]com, zahkit[.]pro and usinesmycete[.]info. 

Typically, people do not open them intentionally - in most cases they are redirected to them by browsers that have potentially unwanted applications (PUAs) installed. PUAs open dubious web pages, display intrusive advertisements and collect information relating to users' browsing activity.

What is creasonsau[.]info?

Sharing considerable similarities with wbamedia.net, sawhitpew.site, zahkit.pro and countless others, creasonsau[.]info is a rogue website, which operates by presenting visitors with dubious content and/or redirecting them to other untrusted or malicious sites.

In most cases, web pages such as creasonsau[.]info are accessed through redirects generated by intrusive advertisements and/or Potentially Unwanted Applications (PUAs) already installed on the device.

These apps can infiltrate systems without users' consent and, following successful installation, cause redirects, deliver intrusive ads and track data relating to browsing activity.

What is allow2continue[.]com?

allow2continue[.]com is one of many rogue websites that are usually opened via other untrusted pages, deceptive ads or potentially unwanted applications (PUAs) that are installed on browsers and/or operating systems. When opened, sites such as allow2continue[.]com redirect visitors to a number of other dubious pages or load unwanted content.

Note that usinesmycete[.]info, younwild[.]com and pushbestdevice[.]com are examples of other pages that operate in a similar way to allow2continue[.]com. Unfortunately, there are many other websites of this type. PUAs usually gather information and display intrusive advertisements.

What is CryptoPatronum?

CryptoPatronum was discovered by Amigo-A. Like most programs of this type, this ransomware is designed to block access to data by encryption. The program also changes names of all encrypted files by adding the "cryptopatronum@protonmail.com" email address and appending the ".enc" extension.

For example, CryptoPatronum renames "1.jpg" to "1.jpg.cryptopatronum@protonmail.com.enc", and so on. Additionally, it creates a text file (containing the ransom message) named "HOW TO RECOVER ENCRYPTED FILES.txt".

What is cocketexercine[.]info?

Similar to younwild.com, zahkit.pro, pushbestdevice.com and many others, cocketexercine[.]info is a rogue website. When opened, it presents visitors with dubious content and/or redirects them to other untrusted, malicious web pages.

Most users access cocketexercine[.]info and similar websites via redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs) already installed on the system. Note that these apps stealthily infiltrate devices without users' knowledge. PUAs cause redirects, deliver intrusive ads (pop-ups, banners, surveys, etc.) and can track browsing-related information.

What kind of malware is EnCiPhErEd?

EnCiPhErEd is malicious software and part of the Xorist ransomware family. This malware is designed to encrypt data and demand payment for decryption. During the encryption process, all affected files are converted into executables and their filenames are appended with the ".EnCiPhErEd" extension.

For example, a file originally named "1.jpg" would appear as "1.jpg.EnCiPhErEd". When any of the compromised files are opened (i.e., double-clicked), a pop-up window is opened, which contains the ransom demand message.

Additionally, an identical ransom message in the form of a text file ("HOW TO DECRYPT FILES.txt") is dropped onto the desktop, the wallpaper of which is changed and also contains part of the message.

What is .com (Phobos)?

Discovered by Karsten Hahn, .com (Phobos) is a part of the Phobos ransomware family. Like many other programs of this type, .com (Phobos) encrypts victims' files, changes filenames and provides instructions about how to contact the developers (and other details) in a ransom message.

It renames all encrypted files by adding the victim's ID, email address of the developers, and appending the ".com" extension to filenames.

For example, a file called "1.jpg" might be renamed to something similar to "1.jpg.id[1E857D00-1127].[MerlinWebster@aol.com].com", and so on. It also displays a ransom message in a pop-up window ("info.hta") and creates another in a text file named "info.txt".

What is "IFC Global Development Funding Program Email Scam"?

This email scam is disguised as a message regarding fund approval, supposedly by "IFC Global Development Funding Program". Scammers behind this email claim that recipients can receive a specific sum of money by sending various personal details.

We strongly advise against replying to this email or providing any information to scammers - they are likely to misuse the details to generate revenue, which would lead to a number of problems. Ignore this and other, similar emails and do not believe the statements.

What is twok[.]pro?

twok[.]pro is a rogue website that shares many similarities with zahkit.pro, scuseami.net, showeverig.info and countless others. Visitors to this page are presented with dubious content and/or are redirected to other untrusted, even malicious sites.

Typically, users do not access these web pages intentionally - they are redirected by intrusive ads or Potentially Unwanted Applications (PUAs) already infiltrated into the system. Note that these apps do not require explicit consent to be installed onto users' devices. PUAs generate redirects, deliver intrusive advertisement campaigns and gather browsing-related information.