Virus and Spyware Removal Guides, uninstall instructions

What is BITCOINPAYMENT ransomware?

While inspecting new submissions to VirusTotal, our researchers found yet another malicious program belonging to the Phobos ransomware family. We acquired a sample of this ransomware-type program called BITCOINPAYMENT and executed it on our test machine.

This ransomware encrypted files and appended their filenames with a unique ID, the attackers' email address, and a ".BITCOINPAYMENT" extension. For example, a file named "1.jpg" appeared as "1.jpg.id[9ECFA84E-1095].[cleverhorse@protonmail.com].BITCOINPAYMENT" following encryption.

Once this process was finished, BITCOINPAYMENT dropped two ransom notes titled "info.hta" (pop-up) and "info.txt" (text file) onto the desktop.

What kind of page is style-buzz-blog[.]com?

Style-buzz-blog[.]com is an untrustworthy page that shows deceptive messages to trick visitors into allowing it to show notifications. Also, style-buzz-blog[.]com redirects visitors to other pages of this kind. We discovered this site while examining pages that use rogue advertising networks (it is uncommon for pages like style-buzz-blog[.]com to be visited willingly).

What kind of malware is Ccyu?

Ccyu is ransomware belonging to the Djvu family. We discovered it while inspecting malware samples submitted to the VirusTotal site. Ccyu encrypts and renames files (by appending the ".ccyu" extension to filenames). It also drops a ransom note, a text file named "_readme.txt".

An example of how Ccyu renames files: it renames "1.jpg" to "1.jpg.ccyu", "2.png" to "2.png.ccyu", "3.exe" to "3.exe.ccyu", and so forth.

What kind of malware is Ccew?

We discovered a new Djvu ransomware called Ccew while examining malware samples submitted to the VirusTotal page. We learned that Ccew encrypts files, appends the ".ccew" extension to filenames, and drops the "_readme.txt" file (a ransom note) on the desktop.

An example of how Ccew renames files: it renames "1.jpg" to "1.jpg.ccew", "2.png" to "2.png.ccew", "3.exe" to "3.exe.ccew", and so forth.

What kind of page is listen-heres[.]com?

Our research team discovered the listen-heres[.]com rogue webpage while investigating suspicious sites. This page pushes browser notification spam and causes redirects to other (likely unreliable/malicious) websites. Users typically access such webpages via redirects caused by sites using rogue advertising networks.

What kind of page is private-mastermind[.]com?

Private-mastermind[.]com is a rogue page that endorses scams, pushes spam browser notifications, and redirects users to different (likely untrustworthy/malicious) websites. Users typically enter these webpages via redirects caused by sites using rogue advertising networks.

What kind of page is cleantraf[.]xyz?

Our research team discovered the cleantraf[.]xyz rogue page while inspecting questionable websites. It promotes scams, pushes browser notification spam, and redirects visitors to other (likely untrustworthy/malicious) sites. Most users enter these webpages via redirects caused by websites that use rogue advertising networks.

What is smartsearchresults.com?

While researching rogue software, we found the smartsearchresults.com fake search engine. It can generate search results that are inaccurate and contain dubious/malicious advertisements.

Websites of this kind are promoted by browser-hijacking software, which changes browser settings to cause redirects to their search engines. Furthermore, both sites like smartsearchresults.com and browser hijackers are known to collect sensitive data.

What kind of scam is "Your Windows Got Corrupted Due To Virus"?

It is a technical support scam website that shows deceptive pop-ups (fake warnings/notifications) to trick visitors into believing that they must call the provided number to remove a virus from their computer. We discovered this site while examining other questionable pages and shady advertisements. It is uncommon for scam websites to be visited on purpose.

What kind of page is somenewforyou[.]cc?

During a routine inspection of dubious websites, our research team discovered the somenewforyou[.]cc rogue page. It promotes browser notification spam and causes redirects to various (likely untrustworthy or malicious) sites.

Users typically access websites like somenewforyou[.]cc through redirects caused by pages that use rogue advertising networks.