Virus and Spyware Removal Guides, uninstall instructions

What is the "Google Forms" email scam?

"Google Forms email scam" refers to a phishing spam campaign, which employs Google Forms to gather user data under false pretences. The term "spam campaign" defines a mass-scale operation, during which thousands of scam emails are sent. Google Forms is survey administration software, which is part of the Google Docs Editors suite.

At the time of research, there were two variants of this phishing scam distributed through the "Google Forms" spam campaign.

One email variant issues a story of a supposedly widowed cancer patient seeking the recipients' aid to distribute her wealth to charities. The other claims the recipient is deceased and that bank funds will soon be transferred out of associated accounts, unless proper action is taken.

Both versions contain links to surveys on Google Forms, which ask users to provide personal information. Note that the deceptive messages proliferated via the "Google Forms" spam campaign are scams and all information within them is false.

Therefore, any data revealed (i.e. entered into the questionnaires) will be exposed to the scammers behind this spam campaign.

What is Banhu ransomware?

Banhu is malware that belongs to the Phobos ransomware family. It is designed to encrypt files, modify their filenames, and generate two similar ransom messages.

Banhu renames files by adding the victim's ID, gooddecrypt@airmail.cc email address and appending the ".banhu" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.id[1E857D00-2422].[gooddecrypt@airmail.cc].banhu", "2.jpg" to "2.jpg.id[1E857D00-2422].[gooddecrypt@airmail.cc].banhu", and so on.

Banhu also displays a pop-up window and creates the info.txt file, both of which contain instructions on how to contact the developers.

What is yskimmed[.]top?

Commonly, websites such as yskimmed[.]top are promoted by potentially unwanted applications (PUAs) that many users download and install inadvertently. I.e., people do not often visit these sites intentionally.

There are many other pages similar to yskimmed[.]top on the web including, for example, fastsolvecaptcha[.]com, kersatur[.]online and yourwownewz[.]com.

Note that PUAs can be designed to serve advertisements and also to collect various data.

What kind of malware is AMJIXIUS?

Discovered by M. Shahpasandi, AMJIXIUS encrypts files and renames them by adding the ancrypted1@gmail.com email address, victim's ID, a string of random characters, and appending the ".AMJIXIUS" extension to filenames.

For example, "1.jpg" is renamed to "1.jpg.[ancrypted1@gmail.com][RHNjhHl29nDt].AMJIXIUS", "2.jpg" to "2.jpg.[ancrypted1@gmail.com][RHNjhHl29nDt].AMJIXIUS", and so on. It also generates a ransom message that contains instructions about how to contact the developers.

What is superpush[.]net?

People do not often visit websites such as superpush[.]net intentionally - they are usually opened by installed potentially unwanted applications (PUAs), through other bogus web pages, or dubious advertisements.

Note that superpush[.]net is similar to yourwownewz[.]com, npolicito[.]online, roboverify[.]xyz site, and many other web pages.

What is fastsolvecaptcha[.]com?

fastsolvecaptcha[.]com is one of many rogue websites that are designed to promote/open other bogus web pages or display dubious content. Some examples of other sites similar to fastsolvecaptcha[.]com are kersatur[.]online, yourwownewz[.]com and dozki[.]pro.

Generally, users do not visit these websites intentionally - browsers often open them when potentially unwanted applications (PUAs) are installed on them.

What is VoidRAT?

Similar to Quasar RAT, VoidRAT is malicious software and a Remote Access Tool (RAT). When used maliciously, RATs are termed 'Remote Access Trojans'. Malware of this type enables remote access and control over infected machines. RATs have various functionalities that allow likewise varied misuse.

These malicious programs are often employed to steal information. Ultimately, RAT infections endanger device and user safety.

What is StandardBoost?

StandardBoost is an adware-type application with browser hijacker traits. It operates by delivering intrusive advertisement campaigns and making changes to browser settings to promote fake search engines. Additionally, most adware and browser hijackers have data tracking capabilities, which are used to monitor users' browsing activity.

Since users typically download/install this app inadvertently, it is also classified as a Potentially Unwanted Application (PUA). One of the dubious techniques used in StandardBoost's distribution is proliferation through fake Adobe Flash Player updates.

Note that bogus updaters/installers are employed to spread, not only PUAs, but also Trojans, ransomware and other malware.

What is Bill of lading email virus?

Generally, malspam emails are disguised as official messages from legitimate companies and organizations and contain a website link or attachment. Cyber criminals send these emails to trick recipients into infecting their computers with malware. This particular malspam email is used to distribute Trojan-type malware called Dridex.

What is lookawoman[.]com?

lookawoman[.]com is an untrusted site that should not be trusted or visited. Browsers often open these pages because of potentially unwanted applications (PUAs) installed on them. I.e., users do not generally visit pages such as lookawoman[.]com intentionally.

Some examples of other sites like this are yourwownewz[.]com, kersatur[.]online and aldiscret[.]online. Note that PUAs not only promote various bogus sites, but also collect certain information and generate advertisements.