Virus and Spyware Removal Guides, uninstall instructions

What kind of scam is "Andrew Tate Crypto Giveaway"?

Upon investigating this scam, we have determined that it is a classic crypto giveaway scam that purports to be orchestrated by a public figure (in this instance, Andrew Tate). The scammers' objective behind it is to dupe unsuspecting individuals into transferring their cryptocurrency funds. It is advisable to disregard this site as none of the assurances on it are true.

What is "Critical Threat Detected: Adware App"?

While examining this scam, our team learned that it is a technical support scam delivered by a deceptive website designed to trick unsuspecting visitors into calling a fake number (contacting scammers). This scam page displays multiple fake messages urging visitors to take immediate action. Typically, users end up on such sites inadvertently.

What kind of malware is BlackByteNT?

BlackByteNT is ransomware that blocks access to files by encrypting them. Also, BlackByteNT modifies filenames and creates a text file (a ransom note) named "BB_Readme_[random_string].txt". It renames files by replacing their names with a string of random characters and appending the ".blackbytent" extension.

For instance, BlackByteNT renames a file named "1.jpg" to "dnoJJlc=.blackbytent", "2.png" to "cXoJOEQf.blackbytent", and so forth.

What kind of malware is WiKoN?

During our examination of malware samples submitted to VirusTotal, we discovered ransomware belonging to the Xorist family dubbed WiKoN. This ransomware encrypts files, appends the ".WiKoN" extension to filenames, changes the desktop wallpaper, creates the "HOW TO DECRYPT FILES.txt" file (a ransom note), and displays an error message (also containing a ransom note).

An example of how WiKoN renames files: it changes "1.jpg" to "1.jpg.WiKoN", "2.png" to "2.png.WiKoN", and so forth.

What is "Authentication Required"?

Upon inspection, we have determined that this email is fraudulent and contains an attachment. It intends to mislead unsuspecting individuals into divulging personal information. Such emails are referred to as phishing emails. It is advised that recipients disregard such emails.

What kind of page is justcoolcaptcha[.]top?

After analyzing justcoolcaptcha[.]top, we discovered that this website displays a deceptive message and requests authorization to display notifications. Also, justcoolcaptcha[.]top may redirect to other sites of this kind. We came across justcoolcaptcha[.]top while scrutinizing sites that employ fraudulent advertising networks.

What kind of malware is Charmant?

While checking the VirusTotal website for recently submitted malware samples, we discovered Charmant ransomware. This malware encrypts data, appends the ".charmant" extension to filenames, and creates a ransom note (the "#RECOVERY#.txt" file).

An example of how Charmant renames files: it changes "1.jpg" to "1.jpg.charmant", "2.png" to "2.png.charmant", and so forth.

What kind of application is ExpandedOrigin?

Upon our investigation of the ExpandedOrigin application, we found that it exhibits intrusive advertising behavior, leading us to classify ExpandedOrigin as adware. Adware is frequently distributed through questionable and deceptive means, making it easy for unsuspecting users to download and install it inadvertently.

What kind of malware is Nitz?

Our recent analysis of malware samples submitted to VirusTotal has revealed the emergence of a new member of the Djvu ransomware family called Nitz. Its primary objective is to encrypt files on the compromised device and modify their filenames by adding the ".nitz" extension.

Also, Nitz generates a file called "_readme.txt", which contains a ransom note. It is important to note that Nitz could be distributed alongside information-stealing malware such as RedLine or Vidar. An illustration of how Nitz modifies file names: it renames "1.jpg" to "1.jpg.nitz", "2.png" to "2.png.nitz", and so on.

What kind of malware is Nifr?

While analyzing malware samples submitted to VirusTotal, our team came across Nifr ransomware, which belongs to the Djvu family. Upon infecting a computer, Nifr encrypts files and adds the ".nifr" extension to their filenames. For instance, a file originally named "1.jpg" would be renamed to "1.jpg.nifr", while "2.png" would become "2.png.nifr", etc.

Nifr also generates a ransom note in the form of a text file named "_readme.txt". It is probable that threat actors distribute Nifr together with information stealers such as Vidar and RedLine.