Virus and Spyware Removal Guides, uninstall instructions

What is the "Order Error" scam email?

"Order Error" is an spam email campaign. This term defines a mass-scale operation during which thousands of deceptive emails are distributed. There are several variants of the "Order Error" scam emails, however, the messages are thematically identical. They are presented as messages sent by a wrongly charged customer/buyer, with the recipient positioned as the seller.

Note that these emails are scams, and none of the information provided by them is genuine. The purpose of this campaign is to promote a phishing/malicious site, and so visiting and trusting it can cause serious issues.

What is Word ransomware?

Word is a malicious program belonging to the Dharma ransomware family. It operates by encrypting (locking) files (making them inaccessible to victims) in order to demand payment for decryption.

When Word ransomware encrypts data, all affected files are renamed following this pattern: original filename, unique ID assigned to the victim, cyber criminals' email address, and the ".word" extension. For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[vm1iqzi@aol.com].word" following encryption.

After this process is complete, ransom-demand messages are created in a pop-up window and "FILES ENCRYPTED.txt" text file.

What is Ygkz?

Ransomware is a type of malware that cyber criminals use to encrypt files and then demand payment to unlock and decrypt them. In summary, victims of ransomware attacks cannot access or use files unless they pay a ransom.

Usually, ransomware renames encrypted files and creates a ransom message. Ygkz renames files by appending the ".ygkz" extension to filenames. For example, it renames "1.jpg" to "1.jpg.ygkz", "2.jpg" to "2.jpg.ygkz", and so on. It also creates the "_readme.txt" file in all folders that contain encrypted data.

Note that this ransomware belongs to the family called Djvu.

What is lcutterlyba[.]top?

lcutterlyba[.]top and other pages of this kind are promoted through deceptive advertisements, rogue web pages, various unwanted apps, and so on. Users do not often visit them intentionally. Note that lcutterlyba[.]top and similar sites contain dubious content and promote other bogus websites.

More examples of other, similar sites are goodmode[.]biz, zvideo-live[.]com, and fypretailo[.]top. If a browser opens these web pages automatically, there is a high probability that potentially unwanted applications (PUAs) are installed on it.

What is the greemed[.]top website?

greemed[.]top is a dubious site, sharing many similarities with blackfr1dayz.com, goldeneraaudio.org, load28.biz, and countless others. Visitors to this website are presented with dubious content and/or are redirected to other untrusted/malicious pages.

The greemed[.]top web page is rarely accessed intentionally. In most cases, users are redirected to it by intrusive advertisements or Potentially Unwanted Applications (PUAs). This software does not require explicit consent to be installed onto systems, and thus users may be unaware of its presence.

What is blackfr1dayz[.]com?

Typically, websites such as blackfr1dayz[.]com promote various untrusted websites and attempt to trick visitors into allowing them to show notifications.

Note that users do not often visit these pages intentionally - they are opened when they click dubious ads or visit other untrusted pages. Browsers also open bogus web pages by when potentially unwanted applications (PUAs) are installed on them.

There are many web pages similar to blackfr1dayz[.]com on the internet. Some examples are goldeneraaudio[.]org, load28[.]biz and goodmode[.]biz.

What is captchatopsource[.]com?

The internet is rife with various untrusted and rogue websites, and captchatopsource[.]com is a prime example. It shares many similarities with continue-site.site, freshnewmessage.com, check-me.online, and thousands of others. Visitors to this page are presented with dubious material and are redirected to other bogus/malicious sites.

Most visits to such web pages occur via redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs). Software within this classification does not require explicit permission to be installed onto systems, and thus users may be unaware of its presence on their devices.

What is Danielthai ransomware?

Discovered by xiaopao, Danielthai is a malicious program and a new variant of RIP lmao ransomware. It is designed to encrypt data and demand ransoms for decryption. During the encryption process, files are appended with the ".locked" extension.

For example, a file originally named as something like "1.jpg" would appear as "1.jpg.locked", "2.jpg" as "2.jpg.locked", and so on. After this process is complete, ransom messages are created in a pop-up window and "___RECOVER__FILES__.locked.txt" text file.

What is Santa APP?

Generally, browser hijacking programs change browser settings to promote a specific address, usually a fake search engine. The Santa APP browser hijacker promotes the keysearchs.com address, but not by changing settings (see below). Other rogue apps also promote this address.

Santa APP can also read browsing histories and might access other information as well.

Browser hijackers are classified as potentially unwanted applications (PUAs), since users often download and install them unintentionally.

What is the fake "Banco de Espana" email?

"Banco de Espana email scam" refers to a spam campaign. This term defines a mass-scale operation during which deceptive emails are sent by the thousand. The scam messages distributed through this campaign are disguised as deposit notifications from "Banco de Espana".

Note that these emails are in no way associated with the real Banco de España (Bank of Spain). The purpose of the deceptive emails is to promote a phishing/malicious website via link presented in them.