Virus and Spyware Removal Guides, uninstall instructions

What is Ctpl ransomware?

Ctpl is a piece of malicious software, which is part of the Dharma ransomware family. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption. I.e., victims are unable to access/use files affected by Ctpl and they are asked to pay to recover their data.

When this ransomware encrypts, files are renamed following this pattern: original filename, unique IDs assigned to the victims, cyber criminals' email address, and the ".ctpl" extension. For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[catapultacrypt@tuta.io].ctpl" after encryption.

Once this process is complete, ransom messages are created in a pop-up window and "MANUAL.txt" text file.

What is 4o4 ransomware?

Most ransomware variants encrypt files, preventing access to them without specific decryption software/keys held only by the attackers.

4o4 not only encrypts files but also renames them by appending the victim's ID, godecrypt@onionmail.org email address, and the ".4o4" extension. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[godecrypt@onionmail.org].4o4", "2.jpg" to "2.jpg.id-C279F237.[godecrypt@onionmail.org].4o4", and so on.

4o4 also creates the "FILES ENCRYPTED.txt" file and a pop-up window. Both are ransom messages containing contact information and various other details.

Note that the 4o4 ransomware variant is part of the Dharma ransomware family.

What is sakh[.]site?

Sakh[.]site is an untrusted website that is promoted via deceptive advertisements, malicious websites, and potentially unwanted applications (PUAs). Users are sometimes forced to visit sakh.site without their consent.

Note that most PUAs are downloaded and installed by users unintentionally. More examples of websites similar to sakh[.]site are mobilemediahits[.]com, cfplay[.]online, and cehuiy[.]com.

What is SearchConverterIt?

SearchConverterIt is dubious software categorized as a browser hijacker. It operates by promoting the searchconverterit.com fake search engine through modifications made to affected browser settings.

Additionally, SearchConverterIt monitors users' browsing activity. Due to the dubious techniques used in the distribution of browser hijackers, they are also classified as Potentially Unwanted Applications (PUAs).

What is Karla404?

Ransomware is a form of malware that blocks access to files and displays or creates ransom messages with instructions about how to restore files. It prevents victims from accessing their files by encryption using strong encryption algorithms.

Karla404 is another variant of ZEPPELIN ransomware.

In addition to locking files, Karla404 renames them by appending ".@Karla404" and the victim's ID to filenames. For example, "1.jpg" is renamed to "1.jpg.@Karla404.2D0-876-029", "2.jpg" to "2.jpg.@Karla404.2D0-876-029", and so on.

It creates the ransom message ("!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT" file) in folders containing encrypted data.

What is FilesRecoverEN?

FilesRecoverEN is a ransomware-type program designed to encrypt data (i.e., render files inaccessible/useless) and demand payment for the decryption.

During the encryption process, files are renamed following this pattern: original filename, unique ID assigned to the victim, cyber criminals' email address, and a random four-character (number and character) extension. For example, a file initially named "1.jpg" would appear as something similar to "1.jpg[ID=1DPKN7-Mail=FilesRecoverEN@Gmail.com].1aLA" after encryption.

Once this process is complete, ransom messages are created in a pop-up window ("ReadMe_Now!.hta") and "Read_Me!_.txt" text files, which are dropped into compromised folders.

What is mobilemediahits[.]com?

Mobilemediahits[.]com is an untrusted web page containing deceptive content and promoting other untrusted pages.

Generally, users do not open/visit pages such as mobilemediahits[.]com intentionally - they are opened by potentially unwanted applications (PUAs) installed on browsers/computers, through clicked deceptive ads, and via bogus websites. PUAs can gather various data and generate advertisements.

Note that there are many websites similar to mobilemediahits[.]com on the internet including, for example, cehuiy[.]com, premiumbros[.]com, and viketohelp[.]online.

What is iosdfnc[.]com?

Iosdfnc[.]com is a deceptive website using scare tactics to trick visitors into downloading and installing potentially unwanted applications (PUAs).

websites like iosdfnc[.]com generally display fake virus or error notifications encouraging people to immediately fix the problem (remove viruses, errors) using an app, which can be downloaded via the provided links. In all cases, you should ignore iosdfnc[.]com and similar pages.

Users do not often visit websites like iosdfnc[.]com intentionally - they are opened when users click dubious ads, visit other bogus web pages, or have PUAs installed on browsers or operating systems.

What is the cfplay[.]online site?

Cfplay[.]online is a rogue website designed to deliver dubious content and redirect visitors to other untrusted and possibly malicious web pages. The internet is full of dangerous sites including cehuiy.com, premiumbros.com, and viketohelp.online - these are just some examples of ones similar to cfplay[.]online.

Typically, users access these web pages unintentionally - most are redirected to them by intrusive ads or installed Potentially Unwanted Applications (PUAs). These apps do not require explicit permission to infiltrate systems, and thus users may be unaware of their presence. This software can have harmful functionality, including causing redirects, running intrusive advertisement campaigns, and collecting browsing-related information.

What is DiscoveryUnit?

DiscoveryUnit is an advertising-supported application that generates unwanted advertisements. This app also changes browser settings to promote a fake search engine address. Therefore, DiscoveryUnit functions not only as adware but also as a browser hijacker.

DiscoveryUnit is likely to gather information relating to browsing habits (and other) data.

Note that most users download and install DiscoveryUnit and similar apps unintentionally. For this reason, they are classified as potentially unwanted applications (PUAs). Note that this particular app is distributed using a fake Adobe Flash Player installer.