Virus and Spyware Removal Guides, uninstall instructions

Captchatopsource.com Ads

What is captchatopsource[.]com?

The internet is rife with various untrusted and rogue websites, and captchatopsource[.]com is a prime example. It shares many similarities with continue-site.site, freshnewmessage.com, check-me.online, and thousands of others. Visitors to this page are presented with dubious material and are redirected to other bogus/malicious sites.

Most visits to such web pages occur via redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs). Software within this classification does not require explicit permission to be installed onto systems, and thus users may be unaware of its presence on their devices.

   
Danielthai Ransomware

What is Danielthai ransomware?

Discovered by xiaopao, Danielthai is a malicious program and a new variant of RIP lmao ransomware. It is designed to encrypt data and demand ransoms for decryption. During the encryption process, files are appended with the ".locked" extension.

For example, a file originally named "1.jpg" would appear as "1.jpg.locked", "2.jpg" as "2.jpg.locked", and so on. After this process is complete, ransom messages are created in a pop-up window and in the "___RECOVER__FILES__.locked.txt" text file.

   
Santa APP Browser Hijacker

What is Santa APP?

Generally, browser hijacking programs change browser settings to promote a specific address, usually a fake search engine. The Santa APP browser hijacker promotes the keysearchs.com address, but not by changing settings (see below). Other rogue apps also promote this address.

Santa APP can also read browsing histories and might access other information as well.

Browser hijackers are classified as potentially unwanted applications (PUAs), since users often download and install them unintentionally.

   
Banco De Espana Email Scam

What is the fake "Banco de Espana" email?

"Banco de Espana email scam" refers to a spam campaign. This term defines a mass-scale operation during which deceptive emails are sent by the thousand. The scam messages distributed through this campaign are disguised as deposit notifications from "Banco de Espana".

Note that these emails are in no way associated with the real Banco de España (Bank of Spain). The purpose of the deceptive emails is to promote a phishing/malicious website via a link presented in them.

   
HelloKitty Ransomware

What kind of malware is HelloKitty?

Ransomware is a type of malware that encrypts files and demands a ransom to decrypt them. It targets both businesses and individuals. Typically, cyber criminals demand to be paid in Bitcoins or other cryptocurrencies, and ransomware victims cannot access or use files unless a ransom is paid.

HelloKitty ransomware targets businesses (companies), with one of the known victims being the Cyberpunk 2077 developer CD Projekt. This ransomware renames encrypted files and appends the ".crypted" extension to their filenames. For example, "1.jpg" is renamed to "1.jpg.crypted", "2.jpg" to "2.jpg.crypted", and so on.

HelloKitty also creates the "read_me_unlock.txt" file (ransom messages), which it drops among encrypted files (in all directories that contain encrypted data). The ransom message name and the text contained within it may change depending on the attacked victim (company).

   
Ministero Dello Sviluppo Economico Email Virus

What is "Ministero dello Sviluppo Economico email virus"?

"Ministero dello Sviluppo Economico email virus" refers to a spam campaign designed to proliferate the Ursnif trojan. The term "spam campaign" defines a mass-scale operation during which thousands of deceptive emails are sent.

The scam messages distributed through this campaign are disguised as messages from the Italian Ministry of Economic Development (Ministero dello Sviluppo Economico). The emails claim to contain information relating to tax and social security benefits for companies. Upon opening, the attached file initiates download/installation of Ursnif malware.

   
Goldeneraaudio.org Ads

What is goldeneraaudio[.]org?

goldeneraaudio[.]org is a rogue web page that operates by delivering dubious content and redirecting visitors to other untrusted/malicious sites. There are thousands of these bogus pages on the web including load28.bizgreenmode.biz, and zvideo-live.com to name just a few examples.

Users rarely access these websites intentionally - most are redirected to them by intrusive ads or Potentially Unwanted Applications (PUAs) already installed on their devices. This software does not require express permission to infiltrate systems, and thus users may be unaware of its presence.

PUAs can have dangerous functionality such as causing redirects, running intrusive advertisement campaigns, and collecting browsing-related data.

   
Con30 Ransomware

What is Con30 ransomware?

Belonging to the Dharma ransomware family, Con30 is data-encrypting malware. It operates by encrypting files (rendering them inaccessible and useless) to demand payment from the victims.

During the encryption process, affected files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address, and the ".con30" extension. For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[con3003@msgsafe.io].con30" following encryption.

After this process is complete, ransom messages are created in a pop-up window and in the "FILES ENCRYPTED.txt" text file.

   
SmartPCFixer Unwanted Application

What is SmartPCFixer?

SmartPCFixer is advertised as a tool that helps users to fix Windows errors and optimize the operating system. It is likely that this application arrives bundled with other software or is distributed using other dubious methods (e.g., through specific deceptive advertisements).

Typically, users are unaware that they have these apps installed on their computers or how they were installed. Therefore, SmartPCFixer is classified as a potentially unwanted application (PUA).

   
Wcg Ransomware

What is Wcg ransomware?

Wcg is malicious software that is part of the Dharma ransomware group. Systems infected with this malware have their data encrypted, and users receive ransom demands for decryption. That is, files stored on devices become inaccessible and are renamed, and victims receive payment demands for access recovery.

During the encryption process, affected files are renamed according to this pattern: original filename, unique ID, cyber criminals' email address, and the ".wcg" extension. For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[btc11@gmx.com].wcg" after encryption.

Following the completion of this process, ransom-demand messages are created in a pop-up window and in the "FILES ENCRYPTED.txt" text file.

   
