Virus and Spyware Removal Guides, uninstall instructions

Cosmovideo.cam Ads

What kind of page is cosmovideo[.]cam?

While investigating dubious websites, our research team found the cosmovideo[.]cam rogue webpage. It is designed to promote browser notification spam and redirect visitors to different (likely unreliable/hazardous) sites. Most users access pages like cosmovideo[.]cam via redirects caused by websites that use rogue advertising networks.

   
Payment Proforma Invoice / Contract Email Scam

What kind of email is "Payment Proforma Invoice / Contract"?

After inspecting the "Payment Proforma Invoice / Contract" email, we determined that it is spam. This letter operates as a phishing scam; it makes false claims regarding a received voice message to trick recipients into attempting to sign in via a fake website. This spam campaign targets email account log-in credentials.

   
Miserium Ransomware

What is Miserium ransomware?

Our researchers discovered the Miserium ransomware during a routine investigation of new submissions to VirusTotal. Malware within this classification operates by encrypting data and demanding payment for its decryption.

After we executed a sample of Miserium on our test system, it encrypted files and appended an extension consisting of four random characters to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.mbkx", "2.png" as "2.png.zx16", etc. Once this process was completed, Miserium changed the desktop wallpaper to one containing a ransom note.

   
SearchProvided Adware (Mac)

What kind of application is SearchProvided?

After testing the SearchProvided application, our team discovered that it displays aggressive and unsolicited advertisements. As a result, we have categorized SearchProvided as adware, that is, software specifically created to generate revenue by displaying ads. Typically, users are unaware that they have installed adware on their devices.

   
BouldSpy Malware (Android)

What is BouldSpy?

BouldSpy is spyware and data-stealer type malware that targets Android devices. It can record and extract a wide variety of information from infected systems. This malicious program has been around since at least 2020.

The research undertaken by Lookout Threat Lab analysts revealed evidence potentially linking BouldSpy to the Iranian authorities, specifically the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).

The malware's activity has been connected to law enforcement activity, such as the prevention of illegal substance and gun trafficking. However, BouldSpy was also noted targeting minorities, including Iranian Kurds, Azeris, Baluchis, and possibly Armenian Christian groups.

There is reason to believe that BouldSpy relies on manual installation that likely occurs when Iranian law enforcement confiscates devices upon their owners' detainment/arrest.

   
Buycfr.com Ads

What kind of page is buycfr[.]com?

Buycfr[.]com has been labeled untrustworthy because of its clickbait approach to persuading visitors to subscribe to its notifications. Our team encountered buycfr[.]com during our inquiry into websites that use illegitimate advertising networks. It is worth knowing that most users stumble upon such pages inadvertently.

   
Buyadvupfor24.com Ads

What kind of page is buyadvupfor24[.]com?

Buyadvupfor24[.]com is among the websites that show misleading content to trick visitors into subscribing to notifications. Our investigation of sites employing rogue advertising networks led us to uncover buyadvupfor24[.]com. Visitors do not intentionally access pages such as buyadvupfor24[.]com.

   
crYptA3 Ransomware

What kind of malware is crYptA3?

While examining malware samples submitted to VirusTotal, our team discovered crYptA3 - malware that operates as ransomware. The purpose of crYptA3 is to encrypt files. Also, it provides a ransom note ("readme_for_unlock.txt" file) and appends the ".crYptA3" extension to filenames.

An example of how crYptA3 renames files: it changes "1.jpg" to "1.jpg.crYptA3", "2.png" to "2.png.crYptA3", and so forth.

   
Vypt Ransomware

What kind of malware is Vypt?

Vypt is ransomware that encrypts files stored on a computer, modifies filenames of all affected files, and creates two ransom notes ("Restore_Your_Files.txt" and "ReadMe.hta"). Our malware researchers discovered Vypt during examination of malware samples submitted to the VirusTotal site.

Vypt appends the victim's ID, the ross.dec1966@gmail.com email address, and the ".Vypt" extension to filenames. For instance, it renames "1.jpg" to "1.jpg_[ID-N4J7B_Mail-Ross.dec1966@gmail.com].Vypt", "2.png" to "2.png_[ID-N4J7B_Mail-Ross.dec1966@gmail.com].Vypt", and so forth.

   
TrafficStealer Malware (Mac)

What is TrafficStealer?

The TrafficStealer malware employs open container APIs to redirect web traffic to specific sites and manipulate user interaction with ads. Through the use of Docker containers, this program generates profits by sending traffic to monetized destinations. Despite appearing to be legitimate, the software includes compromised elements.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
