Virus and Spyware Removal Guides, uninstall instructions

What is CoderWare?

CoderWare (also known as BlackKingdom) is designed to encrypt victims' files, modify their filenames, and generate ransom messages. It renames encrypted files by appending ".DEMON" as the file extension. For example, "1.jpg" is renamed to "1.jpg.DEMON", "2.jpg" to "2.jpg.DEMON", and so on.

CoderWare is designed to display a pop-up window and create the "README.txt" text file, which contains instructions about how to pay the ransom, contact the developers, etc.

What is Omfl?

Omfl encrypts victims' files and renames each encrypted file by appending the ".omfl" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.omfl", "2.jpg" to "2.jpg.omfl", and so on. Omfl also creates the "_readme.txt" text file (a ransom message) in each folder that contains encrypted files. This ransomware belongs to the family of ransomware called Djvu.

What is 21btc ransomware?

21btc is a malicious program belonging to the Dharma ransomware family. It is designed to encrypt data and demand payment for decryption. During the encryption process, all affected files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address and the ".21btc" extension.

For example, a file named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[21btc@cock.li].21btc" after encryption. Once this process is complete, ransom-demand messages are created in a pop-up window and "FILES ENCRYPTED.txt" text file.

What is webquizspot[.]com?

Web pages such as webquizspot[.]com are promoted by potentially unwanted applications (PUAs), which people install on their computers/browsers inadvertently. I.e., they do not often visit these sites intentionally.

There are many websites that are similar to webquizspot[.]com including, for example, enhesita[.]online, npolicito[.]online, and roboverify[.]xyz.

What is VIAM ransomware?

VIAM is malicious software categorized as ransomware. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools. I.e., VIAM locks files, making them inaccessible and redundant to users.

During the encryption process, files are appended with the ".viamwasted" extension. For example, a file originally named "1.jpg" would appear as "1.jpg.viamwasted", "2.jpg" as "2.jpg.viamwasted", "3.jpg" as "3.jpg.viamwasted", and so on.

After this process is complete, ransom messages are created for each affected file, with their original names included in the associated filenames (e.g. "1.jpg.viamwasted_info"). The message contained in each of these files is identical.

What is Rastar?

This ransomware was discovered by xiaopao.

Rastar encrypts files and appends the ".rastar" extension to their filenames. For example, "1.jpg" is renamed to "1.jpg.rastar", "2.jpg" to "2.jpg.rastar", and so on. Rastar also creates a ransom message within the "HOW_TO_DECYPHER_FILES.txt" file, which it drops into all folders that contain encrypted files.

What is SearchConverterBox?

SearchConverterBox is a browser hijacker that modifies browser settings by assigning some of them to searchconverterbox.com. Like most apps of this type, it is likely that SearchConverterBox also collects information.

Typically, users do not download or install browser hijackers intentionally and, for this reason, they are classified as potentially unwanted applications (PUAs).

What is enhesita[.]online website?

Sharing many similarities with npolicito.online, roboverify.xyz, emindeed.top and thousands of others, enhesita[.]online is a rogue website. Visitors to this site are presented with dubious material and/or are redirected to other deceptive and possibly malicious websites.

Typically, users access these web pages via redirects caused by intrusive advertisements or by Potentially Unwanted Applications (PUAs) already installed on their devices. These apps do not need permission to infiltrate systems, and thus users may be unaware of their presence.

PUAs cause redirects, run intrusive advertisement campaigns and collect browsing data.

What is Horizon ransomware?

Horizon is malicious software belonging to the Voidcrypt ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools. During the encryption process, files are renamed following this pattern: original filename, cyber criminals' email address, unique ID and the ".Horizon" extension.

For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.[price.decoding@tutanota.com][M45PW2LO9CDAHJR].Horizon" following encryption. Once this process is complete, ransom messages within "!INFO.HTA" files are created and dropped into affected folders.

What is the "EniGaseLuce" scam email?

"EniGaseLuce email virus" refers to a spam campaign, spreading the Ursnif trojan. The term "spam campaign" defines a mass-scale operation, during which thousands of deceptive emails are sent. The scam emails distributed through this campaign, claim that recipients have an unpaid bill for the services of "EniGaseLuce".

Eni gas e luce is the name of the Italian gas and electricity provider for homes and businesses. Note that these messages are in no way associated with Eni gas e luce, and all of the information provided by them is false. The purpose of these messages is to trick recipients into opening the infectious file attached to them, which then triggers the infection process (i.e. download/installation of Ursnif).

This malware also steals various sensitive information from compromised systems.