Virus and Spyware Removal Guides, uninstall instructions

God Ransomware

What is God ransomware?

God is a malicious program, which is part of the VoidCrypt ransomware family. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption.

During the encryption process, files are renamed following this pattern: original filename, cyber criminals' email address, unique ID assigned to the victims and the ".God" extension. For example, a file like "1.jpg" would appear as something similar to "1.jpg.[God85Ar@yandex.com][369DLVSPNK1BE07].God" after encryption.

Once this process is complete, ransom messages within "!INFO.HTA" files are dropped into compromised folders.

   
Blackheel Ransomware

What is Blackheel?

Blackheel encrypts files (and modifies their filenames), changes desktop wallpaper, and creates the "READ_ME.txt" file (ransom message). It renames files by appending ".a" as the extension. For example, "1.jpg" would be renamed to "1.jpg.a", "2.jpg" to "2.jpg.a", and so on.

Note that Blackheel ransomware is based on Hidden Tear (open-source ransomware) and was discovered by Ravi.

   
Emails Sync Failure Email Scam

What is the "Emails Sync Failure" scam message?

"Emails Sync Failure" is a spam email campaign. The term "spam campaign" refers to a mass-scale operation, during which deceptive emails are sent by the thousand. The messages sent through this campaign are disguised as notifications concerning undelivered emails.

The purpose of this scam is to trick the recipients into disclosing their email account passwords via a phishing website, thereby allowing scammers access to the account.

   
Epsilon Ransomware

What is the Epsilon ransomware?

Discovered by GrujaRS, Epsilon is a ransomware-type program. This malware is designed to encrypt the data of infected systems in order to demand payment for decryption.

When Epsilon encrypts, all affected files are renamed following this pattern: original filename, cyber criminals' email address, and the ".boom" extension. For example, "1.jpg" would appear as something similar to "1.jpg.[neftet@tutanota.com].boom" after encryption. Once this process is complete, a ransom message within the "READ_ME.hta" file is created.

   
ActiveToken Adware (Mac)

What is ActiveToken?

The ActiveToken application functions as adware (generates advertisements) and as a browser hijacker (changes browser settings without users' permission). It is likely that ActiveToken will also gather certain information.

Note that, in most cases, users download and install adware/browser hijackers inadvertently and, for this reason, ActiveToken is categorized as a potentially unwanted application (PUA).

   
ConsoleProgram Adware (Mac)

What is ConsoleProgram?

ConsoleProgram is an untrusted app, which is classified as adware. As well as running intrusive advertisement campaigns (i.e. delivering various unwanted ads), this application also operates like a browser hijacker: it modifies browser settings to promote fake search engines.

Due to the dubious techniques employed in this app's distribution, it is also classified as a Potentially Unwanted Application (PUA). Most PUAs collect browsing-related information, and it is likely that ConsoleProgram also has these data tracking capabilities.

Note that ConsoleProgram has been observed being promoted by an installer of another PUA called DLVPlayer.

   
Dis Ransomware

What is Dis ransomware?

Dis is designed to encrypt files, modify the filenames of all encrypted files, display a pop-up window, and create the "FILES ENCRYPTED.txt" file.

It renames encrypted files by appending the victim's ID, the decrypt@disroot.org email address, and the ".dis" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[decrypt@disroot.org].dis", "2.jpg" to "2.jpg.id-C279F237.[decrypt@disroot.org].dis", and so on.

The pop-up window displayed by Dis (and the text file that it creates) are ransom messages containing instructions about how to contact the developers. Note that Dis belongs to the Dharma ransomware family.

   
ExtendedMode Adware (Mac)

What is ExtendedMode adware?

ExtendedMode is an adware-type application, which possesses certain characteristics of browser hijackers. Following successful infiltration, this app delivers intrusive advertisement campaigns and makes modifications to browser settings to promote fake search engines.

Additionally, most adware-type apps and browser hijackers monitor users' browsing activity and gather sensitive information extracted from it. Due to the dubious methods used to proliferate ExtendedMode, it is also categorized as a Potentially Unwanted Application (PUA).

   
Wbxd Ransomware

What is Wbxd?

Wbxd belongs to the Djvu ransomware family. It encrypts files and modifies their filenames by appending the ".wbxd" extension. For example, after encryption, "1.jpg" would be renamed to "1.jpg.wbxd", "2.jpg" to "2.jpg.wbxd", and so on.

This ransomware also creates a ransom message ("_readme.txt" text file) that contains instructions about how to contact the ransomware developers, the cost of decryption, and various other details. It creates this message in each folder that contains encrypted files.

   
SkillApplication Adware (Mac)

What is SkillApplication?

SkillApplication generates unwanted ads, changes browser settings, and possibly collects browsing-related and/or other data. Therefore, this app is classified not only as adware but also as a browser hijacker.

In most cases, users download and install these apps inadvertently and, therefore, SkillApplication is categorized as a potentially unwanted application (PUA).

Note that this app is distributed via a fake Adobe Flash Player installer.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
