Virus and Spyware Removal Guides, uninstall instructions

Privex-protection.com POP-UP Scam (Mac)

What is privex-protection[.]com?

privex-protection[.]com is an untrusted website that claims to have found an infection on the visitor's device and advises removal of it with a potentially unwanted application (PUA), which can be downloaded via a provided website link.

Generally, users do not visit privex-protection[.]com or similar sites intentionally - they are opened by other untrusted web pages, by clicking deceptive advertisements, or by PUAs already installed on the system.

   
StreamBee Browser Hijacker

What is StreamBee?

StreamBee promotes keysearchs.com, the address of a fake search engine. It can also read certain browsing data. Apps of this type (browser hijackers) are classified as potentially unwanted applications (PUAs), since, in most cases, users download and install them unintentionally.

   
Sophos Ransomware

What is Sophos ransomware?

Sophos is a malicious program belonging to the VoidCrypt ransomware family. It is likely that the name of this malware has been chosen with the intention of vilifying the British security software and hardware company (dealing in communication endpoint, encryption, network security, email and mobile security, and unified threat management) called Sophos.

It must be emphasized that the genuine Sophos company is in no way associated with this ransomware. The malware is designed to encrypt the data of compromised systems in order to demand payment for decryption.

During the encryption process, all affected files are renamed following this pattern: original filename, cyber criminals' email address, unique ID assigned to the victims and the ".Sophos" extension. For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.[encryptadm@criptext.com][ZRDUT4AGKS5CVM7].Sophos" following encryption.

After this process is complete, ransom messages within "!INFO.HTA" files are dropped into affected folders.

   
Konx Ransomware

What is Konx ransomware?

Konx is a malicious program, which is part of the VoidCrypt ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools.

During the encryption process, files are renamed following this pattern: original filename, cyber criminals' email address, unique ID assigned to the victims and the ".konx" extension. For example, a file named "1.jpg" would appear as something similar to "1.jpg.[konxnobx@tutanota.com][BRF0YLQ3IDTPC6Z].konx" after encryption.

Once this process is complete, ransom messages within "!INFO.HTA" files are dropped into compromised folders.

   
Shiton Ransomware

What is Shiton?

Shiton is a malicious program belonging to the VoidCrypt ransomware family. This software is designed to encrypt files, modify their filenames, and create ransom messages. Shiton renames encrypted files by adding the ad.decrypt01@gmail.com email address and victim's ID, and appending the ".shiton" extension to their filenames.

For example, "1.jpg" is renamed to "1.jpg.[Ad.Decrypt01@Gmail.com][K90SQC1F24EG7WV].shiton", "2.jpg" to "2.jpg.[Ad.Decrypt01@Gmail.com][K90SQC1F24EG7WV].shiton", and so on. It also creates a ransom message (within the "!INFO.HTA" file) in all folders that contain encrypted files.

   
WhatsApp Email Scam

What is the fake "WhatsApp" email?

"WhatsApp email scam" refers to a spam email campaign. The term "spam campaign" is used to define a large-scale operation, during which thousands of deceptive/scam messages are sent. As the name implies, the emails distributed through this spam campaign are disguised as important notifications from WhatsApp, a cross-platform messaging and VoIP (Voice over IP) service.

These deceptive emails are in no way associated with the genuine WhatsApp company. The scam messages are in Portuguese and claim that they contain recipients' WhatsApp message/call history backups; however, the attached HTML file and the link listed in the emails redirect to a phishing website, which attempts to trick recipients into providing their personal information.

   
Teco New Order Email Virus

What is Teco New Order email virus?

Cyber criminals behind these malspam emails attempt to trick recipients into clicking a download link for a malicious file and then opening it, or into executing the file attached to the email. The main purpose of these emails is to deceive recipients into infecting their computers with malicious software.

This particular malspam email is used to distribute a Remote Access Trojan called Agent Tesla.

   
.help (Dharma) Ransomware

What kind of malware is .help (Dharma)?

.help is a malicious program belonging to the Dharma ransomware family. Systems infected with .help (Dharma) experience data encryption and users receive ransom demands for decryption.

During the encryption process, all compromised files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address and the ".help" extension.

For example, a file named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[alinas89@aol.com].help" following encryption. Once this process is complete, ransom messages are created in a pop-up window and a "FILES ENCRYPTED.txt" text file.

   
Sss Ransomware

What is Sss?

Belonging to the Dharma ransomware family, Sss renames encrypted files by adding the victim's ID, m5b92n5p1@mail.com email address, and appending the ".sss" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[m5b92n5p1@mail.com].sss", "2.jpg" to "2.jpg.id-C279F237.[m5b92n5p1@mail.com].sss", and so on.

It also creates the "FILES ENCRYPTED.txt" text file and displays a pop-up window - ransom messages that contain instructions about how to contact Sss developers plus various other details.

   
ZqVIkE Ransomware

What is ZqVIkE ransomware?

ZqVIkE is a ransomware-type program based on the Hidden Tear (HiddenTear) open-source project. Systems infected with this type of malware experience data encryption and users receive ransom demands for decryption. Note that ZqVIkE is still in development, and thus might not encrypt all of the files stored on the compromised device.

During the encryption process, affected files are appended with the ".ZqVIkE" extension. For example, a file originally named "1.jpg" would appear as "1.jpg.ZqVIkE", "2.jpg" as "2.jpg.ZqVIkE", and so on. The ransom-demand messages are created in the desktop wallpaper and the "@READ_ME@.txt" text file.

   
