Virus and Spyware Removal Guides, uninstall instructions

What kind of page is columnstoodth[.]com?

During our inspection of columnstoodth[.]com, we found that this page uses clickbait to obtain permission to show notifications. If allowed, columnstoodth[.]com can send deceptive notifications. Therefore, users are advised not to trust columnstoodth[.]com (avoid visiting the page and granting it permission to deliver notifications).

What is the fake "$PAW Token Exchange"?

While investigating deceptive websites, our researchers discovered this fake "$PAW Token Exchange". It was endorsed on claims-pawfury[.]app (potentially on other domains). Regardless of any similarities to existing projects, platforms, and entities – this scam is not associated with any of them. The purpose of this fraudulent page is to trick users into exposing their digital wallets to a cryptocurrency drainer.

What kind of malware is SHAVELP**SY?

SHAVELP**SY (censored) is ransomware our team discovered while analyzing malware samples uploaded to VirusTotal. We found that it encrypts files, appends the ".p**sylikeashavel@cyberfear.com" extension to filenames, and creates a ransom note ("README_SHAVEL.txt").

An example of how SHAVELP**SY modifies filenames: it renames "1.jpg" to "1.jpg.p**sylikeashavel@cyberfear.com", "2.png" to "2.png.p**sylikeashavel@cyberfear.com", and so forth.

What kind of malware is R2Cheats?

While inspecting samples submitted to VirusTotal, we discovered R2Cheats, a ransomware variant that encrypts files and appends "_R2Cheats" to filenames. It also provides a ransom note ("ransom_note.txt"). An example of how R2Cheats renames files: it changes "1.jpg" to "1.jpg_R2Cheats", "2.png" to "2.png_R2Cheats", etc.

What is the fake "LINGO Airdrop"?

Our researchers discovered this fake "LINGO Airdrop" during a routine investigation. The scam entices users into exposing their wallets to a cryptocurrency drainer. Victims of this scheme experience financial loss. It must be stressed that this bogus airdrop is not associated with the actual Lingo website (mylingo.io).

What kind of page is safetydefender[.]top?

Our researchers found the safetydefender[.]top rogue page while inspecting dubious websites. After examining this webpage, we determined that it promotes browser notification spam and generates redirects to different (likely unreliable/dangerous) sites.

Safetydefender[.]top and similar pages are most commonly accessed via redirects caused by websites that use rogue advertising networks.

What is the fake "Trust Wallet Airdrop"?

While investigating suspicious sites, our research team discovered this fake "Trust Wallet Airdrop". The scam imitates the official Trust Wallet website – trustwallet.com; not only in appearance but also with its URL – claiming-trustwallet[.]com (other domains are possible).

It must be emphasized that this giveaway is a hoax, and the goal of the scam site is to lure users into exposing their digital wallets to a crypto drainer.

What kind of malware is PXA?

PXA stealer is a type of malware designed to steal vulnerable information. This malicious program is written in the Python programming language. PXA stealer targets various log-in credentials, credit card numbers, cryptowallets, and other sensitive data.

It is known that the cyber criminals behind this malware are Vietnamese speakers, and it has been used in attacks targeting the Indian education sphere and European governmental organizations (such as ones located in Sweden and Denmark). Data extracted utilizing PXA has been observed being sold on Telegram.

What is the fake "BitPay" website?

"Fake BitPay Wallet" refers to a scam that masquerades as the official website of BitPay (bitpay.com) – a cryptocurrency payment service provider. The fake page claims that 1.824 BTC (Bitcoin cryptocurrency) is pending transfer to the user's wallet. The goal is to deceive the victim into paying a bogus commission.

It must be emphasized that the claims made by this scam are false, and it is in no way associated with the actual BitPay or any other existing service providers and entities.

What kind of malware is Glove?

Glove is an information stealer written in .NET. It is capable of harvesting sensitive information from browsers (including added extensions) and software installed on computers. Threat actors have been observed distributing Glove stealer through deceptive emails. Infected computers should be scanned using a security tool immediately.