Virus and Spyware Removal Guides, uninstall instructions

What is the "B, S, Tab, A, F, Enter" CAPTCHA scam?

"B, S, Tab, A, F, Enter" is a CAPTCHA scam. This scheme appears as a pop-up window requesting users to verify that they are not a robot. The genuine CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a challenge-response test to determine whether the user is human or an automated user (i.e., bot).

These tests are common throughout the Web; hence, CAPTCHA is an often-used disguise for scams. The scheme in question - asks users to press specific keys to bypass the Google Chrome browser warning about a malicious file pending download and to confirm it. This scam has been observed being used to proliferate the Ursnif trojan.

What is ExpandedActivity adware?

ExpandedActivity is designed to display unwanted advertisements and promote a fake search engine by modifying browser's settings. In other words, ExpandedActivity is designed to function as an adware-type application and a browser hijacker. Like most apps of this type, it is distributed using deceptive methods.

What is Karen ransomware?

Typically, ransomware encrypts files and provides contact information. It is also common that malware of this type renames encrypted files (for example, it appends its extension to their filenames). Karen ransomware creates the "README.txt" text file and appends the ".karen" extension (e.g., it renames "1.jpg" to "1.jpg.karen", "2.jpg" to "2.jpg.karen").

What is C0v ransomware?

Belonging to the Dharma ransomware family, C0v is a malicious program designed to encrypt files and demand payment for the decryption. In other words, victims cannot access the data affected by C0v, and they are asked to pay a ransom - to restore access to it.

During the encryption process, files are renamed following this pattern: original filename, unique ID assigned to the victim, cyber criminals' email address, and ".c0v" extension. For example, a file like "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[c0v1d19@job4u.com].c0v" - after encryption.

Once the encryption process is complete, ransom notes are created/displayed in a pop-up window and "FILES ENCRYPTED.txt" text file, which is dropped onto the desktop.

What is MOSN ransomware?

MOSN is a piece of malicious software classified as ransomware. It operates by encrypting the data stored on infected systems and demands payment for the decryption. In other words, victims cannot access the files affected by MOSN, and they are asked to pay - to recover access to their data.

During the encryption process, files are appended with ".MOSN" extension. For example, a file like "1.jpg" would appear as "1.jpg.MOSN", etc. After this process is complete, the desktop wallpaper is changed and a text file named "INFORMATION_READ_ME.txt" is dropped onto the desktop. This wallpaper and text file contain ransom notes.

What kind of malware is Loki Locker ransomware?

Loki Locker prevents victims from accessing their files by encrypting them. Also, it renames all encrypted files, changes the desktop wallpaper, displays a pop-up window, and creates the "Restore-My-Files.txt" text file. Loki Locker's wallpaper, pop-up window, and text file contain instructions on how to contact the attackers.

Loki Locker renames encrypted files by replacing their filenames with the recoverdata@onionmail.org email address, victim's ID, original filename and the ".Loki" extension. For example, it renames "1.jpg" to "[recoverdata@onionmail.org][C279F237]1.jpg.Loki", "2.jpg" to "[recoverdata@onionmail.org][C279F237]2.jpg.Loki", and so on. Updated variants of Loki Locker append ".Rainman" or either ".PayForKey" extension instead of ".Loki".

What is MainCharacterSearch adware?

MainCharacterSearch displays advertisements and changes a browser's homepage, the default search engine, and new tab. It has the qualities of advertisement-supported software and a browser hijacker. It is known that MainCharacterSearch is distributed via a fake installer. Therefore, it is very unlikely that someone would install this app intentionally.

What is CheckAMap browser hijacker?

CheckAMap is a potentially unwanted application (PUA) that modifies a web browser's settings. The primary purpose of this browser hijacker is to promote the checkamap.com address, a fake search engine. CheckAMap and other apps of this type are categorized as PUA because users rarely install them intentionally.

What is TopSearchStreams?

TopSearchStreams is a browser hijacker promoting the topsearchstreams.com search engine. It makes changes to browser settings to promote its web searcher. Additionally, TopSearchStreams likely has data tracking abilities. Since most users download/install browser hijacker unintentionally, they are also classified as PUAs (Potentially Unwanted Applications).

What is Ufymmtjonc ransomware?

Ufymmtjonc is part of the Snatch ransomware family. It prevents victims from accessing their files by encrypting them and appends the ".ufymmtjonc" extension to their filenames. For example, it renames "1.jpg" to "1.jpg.ufymmtjonc", "2.jpg" to "2.jpg.ufymmtjonc", and so on. Also, Ufymmtjonc creates the "HOW TO RESTORE YOUR FILES.TXT" file (a ransom note).