Virus and Spyware Removal Guides, uninstall instructions

Bostewsom.shop Ads

What is bostewsom[.]shop?

Bostewsom[.]shop is a deceptive website running a scam very similar to the "McAfee - Your PC is infected with 5 viruses!" scam. It also asks for permission to deliver its notifications. Our team discovered bostewsom[.]shop while visiting various illegal movie streaming and torrenting sites (and other pages) that use shady advertising networks.

   
fX Ransomware

What is fX ransomware?

During a routine inspection of new submissions to VirusTotal, our researchers found the fX ransomware-type program. We determined that it belongs to the Dharma ransomware family.

After being launched onto our test system, fX began encrypting files. The filenames of affected files were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".fX" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.id-9ECFA84E.[filesx@sent.as].fX".

Once the encryption process was completed, fX displayed a pop-up window and created a text file named "FILES ENCRYPTED.txt" on the desktop.

   
Leoxrinse Ransomware

What kind of malware is Leoxrinse?

Leoxrinse is ransomware that belongs to a ransomware family called Spora. We discovered it while examining malware samples submitted to VirusTotal. We found that Leoxrinse encrypts files and modifies their filenames by appending the victim's ID, the leoxrinse234@mailfence.com email address, and a string of random characters (as the extension).

An example of how Leoxrinse modifies filenames: it renames "1.jpg" to "1.jpg.[ID=Hko7vz-Mail=Leoxrinse234@mailfence.com].BwnC", "2.png" to "2.png.[ID=Hko7vz-Mail=Leoxrinse234@mailfence.com].BwnC", and so forth. It also generates two ransom notes: "ReadMe_Now!.hta" and "Read_Me!_.txt".

   
DataCharacter Adware (Mac)

What kind of software is DataCharacter?

Our team has discovered the DataCharacter application on a website designed to trick visitors into downloading and executing a deceptive installer. After testing the application, it was concluded that it functions as adware - the purpose of DataCharacter is to generate annoying advertisements.

   
ZORN Ransomware

What kind of malware is ZORN?

ZORN is ransomware that encrypts files and appends the ".ZORN" extension to filenames. It also creates the "RESTORE_FILES_INFO.txt" text file (a ransom note) and displays a black screen with text on it before the Windows login. We discovered ZORN ransomware while analyzing malware samples submitted to the VirusTotal page.

An example of how ZORN ransomware changes filenames: it renames "1.jpg" to "1.jpg.ZORN", "2.png" to "2.png.ZORN", "3.exe" to "3.exe.ZORN", and so forth.

   
Speedcaptcha-here.top Ads

What kind of page is speedcaptcha-here[.]top?

Speedcaptcha-here[.]top is a rogue page, which our research team discovered while inspecting dubious websites. This webpage is designed to promote browser notification spam and redirect visitors to different (likely deceptive or malicious) sites.

Webpages like speedcaptcha-here[.]top are usually accessed unintentionally. Most users enter them via redirects caused by websites using rogue advertising networks.

   
TomyBank Ransomware

What is TomyBank ransomware?

Discovered by malware analyst Karsten Hahn, TomyBank is a ransomware-type program. It is designed to encrypt data and demand ransoms for the decryption.

We obtained a sample of TomyBank from VirusTotal and launched it on our test machine. This ransomware began encrypting data and displayed a fake Windows update screen during this process. Additionally, it replaced the filenames of affected files with a random character string. For example, a file initially named "1.jpg" appeared as "Mi5wbmc=" following encryption.

Once the encryption was completed, TomyBank dropped a ransom note titled "README_[random_number].txt" onto the desktop.

   
DynamicInterface Adware (Mac)

What is DynamicInterface?

DynamicInterface is the name of a rogue application that our research team found while inspecting new submissions to VirusTotal. After analyzing this app, we discovered that DynamicInterface operates as advertising-supported software (adware) and belongs to the AdLoad malware family.

   
SHILED (SHIELD) Ransomware

What is SHILED (SHIELD) ransomware?

SHILED (SHIELD) is the name of a ransomware-type program that we discovered while looking through new malware submissions on VirusTotal. Typically, malicious programs within this category encrypt data to demand ransoms for the decryption.

After analyzing SHILED (SHIELD), we determined that it encrypts files and appends an extension consisting of four random characters to their filenames. For example, a file originally titled "1.jpg" appeared as "1.jpg.7cnp". This ransomware also created a message named "README.txt" and changed the desktop wallpaper.

When we inspected the note, we learned that SHILED (SHIELD) does not demand payment. The goal of this malware is unclear; it could be that the program has been released for testing purposes and will operate as a standard ransomware in the future.

   
ExecutiveBrowser Adware (Mac)

What kind of application is ExecutiveBrowser?

We discovered the ExecutiveBrowser application on a shady website offering to download an update for the Adobe Flash Player. After testing the app, we found that it generates advertisements, meaning it functions as adware. Ads displayed by adware downloaded from untrustworthy sources cannot be trusted.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
