Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is BACKJOHN?

While analyzing malware samples submitted to VirusTotal, our researchers came across BACKJOHN - ransomware that belongs to the Phobos family. We found that BACKJOHN encrypts data, modifies filenames of all encrypted files, and creates "info.hta" and "info.txt" files (ransom notes).

BACKJOHN appends the victim's ID, backjohn131@gmail.com email address, and ".BACKJOHN" extension to filenames. For instance, it changes "1.jpg" to "1.jpg.id[9ECFA84E-3143].[backjohn131@gmail.com].BACKJOHN", "2.png" to "2.png.id[9ECFA84E-3143].[backjohn131@gmail.com].BACKJOHN", and so forth.

What is Cosmos Extension?

While inspecting dubious websites, our research team discovered the Cosmos Extension browser extension. After investigating this piece of software, we determined that it is a browser hijacker. Cosmos Extension makes changes to browser settings in order to promote (via redirects) the cosmosextension.com fake search engine.

What is Price Tracking Pro?

Our researchers discovered the Price Tracking Pro browser extension while investigating deceptive websites. According to its promotional material, this extension is a tool that aids with online shopping, i.e., tracks prices, seller ratings, and other related information. However, our analysis revealed that Price Tracking Pro operates as advertising-supported software (adware).

What is search-mood.com?

Search-mood.com is the address of a fake search engine. These sites cannot generate search results. However, this website is different, but its results are inaccurate and may include deceptive/harmful content.

Typically, illegitimate search engines are promoted (via redirects) by browser hijackers. These sites and the software endorsing them often have data-tracking functionalities.

What kind of application is Communique?

Communique is a rogue application that we discovered while investigating suspicious sites. After inspecting this app, we determined that it is advertising-supported software (adware). It is designed to run intrusive ad campaigns and may have additional harmful abilities.

What is flashcleaner.xyz?

Our team inspected flashcleaner.xyz and found that it is a fake search engine that shows results generated by another search engine. A big part of fake search engines is promoted through browser hijackers. Usually, these apps promote fake (or unreliable) search engines by changing browser settings.

What kind of page is vipcaptchanow[.]top?

Vipcaptchanow[.]top is a rogue page that our researchers discovered while checking out untrustworthy websites. It is designed to promote browser notification spam and redirect visitors to other (likely unreliable/harmful) webpages.

Most users access websites like vipcaptchanow[.]top through redirects caused by pages that employ rogue advertising networks.

What kind of malware is Code?

While checking the VirusTotal page for recently submitted malware samples, our team came across ransomware dubbed Code. This ransomware encrypts data, appends its extension (".code") to filenames, and creates a ransom note (a file named "!!!HOW_TO_DECRYPT!!!.txt" file).

An example of how Code modifies filenames of all encrypted files: it changes "1.jpg" to "1.jpg.code". "2.png" to "2.png.code", and so forth.

What is Cyber (Chaos) ransomware?

Cyber is the name of a malicious program based on the Chaos ransomware. Our researchers discovered this malware while inspecting new submissions to VirusTotal.

Once we executed a sample of Cyber (Chaos) ransomware on our test system, it began encrypting files and appended their filenames with a ".Cyber" extension. To elaborate, a file initially titled "1.jpg" appeared as "1.jpg.Cyber", "2.png" as "2.png.Cyber", etc. Afterwards, the desktop wallpaper was changed, and a ransom note named "read_it.txt" was created.

What kind of page is coolcaptchahere[.]top?

Our team found that coolcaptchahere[.]top displays a misleading message with the intention of tricking visitors into allowing it to display notifications. Additionally, this website may redirect users to other suspicious sites. It is important to note that users access sites like coolcaptchahere[.]top unintentionally.