Virus and Spyware Removal Guides, uninstall instructions

What is ATAWARE?

Discovered by Securityinbits, ATAWARE is a high-risk virus, a ransomware-type program designed to encrypt files stored on victims' computers and keep them unusable until a ransom is paid. The program adds the ".ATANUR" extension to each encrypted file.

For example, "1.jpg" becomes "1.jpg.ATANUR". Once a computer is infected and files are encrypted, ATAWARE displays a ransom message in a pop-up window. It also creates the "Decryptor.exe" file and places it on the Desktop.

What is bitcoin666?

Discovered by MalwareHunterTeam, bitcoin666 is one of many ransomware-type programs on the internet. Cyber criminals use bitcoin666 to prevent victims from accessing their files (by making the data unusable). To recover their files, victims are encouraged to pay the developers a ransom.

This malicious program renames each encrypted file by adding the ".bitcoin666@cock.li.word" extension. For example, "1.jpg" becomes "1.jpg.bitcoin666@cock.li.word". A ransom message in a text file called "Recover Files.TXT" can be found in each folder that contains encrypted files. Furthermore, bitcoin666 changes the desktop wallpaper.

What is NamPoHyu?

NamPoHyu is a new version of MegaLocker ransomware, which developers (cyber criminals) use to encrypt data stored on Samba servers. After successful infiltration, this ransomware uses 'brute-force attacks' to guess the passwords of Samba servers that are being connected to on the infected computer.

If these servers are hacked, NamPoHyu encrypts files stored on them and makes them unusable unless a ransom is paid. NamPoHyu adds the ".NamPoHyu" extension to each encrypted file.

For example, "1.jpg" becomes "1.jpg.NamPoHyu". It also creates a ransom message within a text file called "! DECRYPT_INSTRUCTION.TXT". Victims can find this file in folders that contain encrypted data.

What is MegaLocker?

MegaLocker ransomware is designed to prevent victims from accessing files/data by encryption. In most cases, programs of this type encrypt files stored on the computer, however, following infiltration, MegaLocker searches for connections to Samba servers and attempts to guess passwords used to connect to them. I.e., it initiates a 'brute-force attack'.

After a successful attack, it encrypts files stored on the hacked servers. To decrypt locked data stored on Samba servers, victims are urged to pay a ransom to the cyber criminals. A ransom message can be found in a text file called "! DECRYPT_INSTRUCTION.TXT".

MegaLocker places this file in each folder that contains encrypted data. It also adds the ".crypted" extension to each encrypted file. For example, "1.jpg" becomes "1.jpg.crypted".

What is Langolier?

Langolier was discovered by Emmanuel_ADC-Soft. This malicious program belongs to the Scarab ransomware family. Like most programs of this type, it is used by cyber criminals to encrypt data stored on the victim's computer and to keep it unusable until a ransom is paid.

Langolier renames encrypted files and creates a ransom message in the "HOW TO RECOVER ENCRYPTED FILES.TXT" text file. The program renames encrypted files by adding the ".langolier" extension. For example, "1.jpg" becomes "1.jpg.langolier".

What is Etols?

Etols is a malicious program, a ransomware-type virus that encrypts files stored on the computer and allows developers to demand ransom payments. The program belongs to the Djvu ransomware family. Etols renames each encrypted by adding the ".etols" extension.

For example, "1.jpg" becomes "1.jpg.etols". It also creates a ransom message in the "_readme.txt", which can be found in all folders that contain encrypted files.

What kind of malware is Tellyouthepass?

Discovered by GrujaRS, Tellyouthepass is one of many ransomware-type programs used to block access to files by encryption and keep them in this state unless a ransom is paid.

The program renames all encrypted files by adding the ".locked" extension and creates a ransom message in a text file called "README.html". For example, "1.jpg" is renamed by Tellyouthepass to "1.jpg.locked".

What is "Trojan IRC/Backdor.SdBot4.FRV"?

"Trojan IRC/Backdor.SdBot4.FRV" is a fake virus alert that appears when users visit a scam website. Scammers use the site to trick people into downloading an unwanted application called MacRepair that supposedly removes 'detected viruses'. We strongly recommend that you do not trust this scam.

If the website was opened unintentionally, it is likely that this was done by a potentially unwanted application (PUA) installed on the system. PUAs usually cause unwanted redirects, deliver intrusive ads, and collect data.

What is "Your Mac is infected with 4 viruses"?

"Your Mac is infected with 4 viruses" is a fake virus alert that appears when opening a scam website. Like most scams of this type, it attempts to trick people into downloading a dubious application - in this case, cleaning software for Mac computers.

Typically, these websites are opened by potentially unwanted apps (PUAs) that people have installed on their browsers or computers. PUAs feed users with intrusive ads and gather data.

What is butitereventwil[.]info?

butitereventwil[.]info is one of many rogue websites designed to cause redirects to other untrustworthy sites or display dubious content.

This website is similar to many other pages of this type such as refrebrepheon[.]info, ketintontrat[.]info, and maranhesduve[.]club. People do not generally visit butitereventwil[.]info intentionally - potentially unwanted apps (PUAs) installed on their systems open this site. In addition, PUAs usually gather browsing-related data and deliver advertisements.