Virus and Spyware Removal Guides, uninstall instructions

LegionLocker Ransomware

What is LegionLocker?

Ransomware is designed to encrypt files and demand a ransom payment. Ransomware victims cannot use encrypted files until they are decrypted with a specific decryption tool.

Quite often, malware of this type not only encrypts but also renames files - it appends its extension to the filenames of all encrypted files. LegionLocker appends the ".Legion" extension. For instance, it renames a file named "1.jpg" to "1.jpg.Legion", "2.jpg" to "2.jpg.Legion", and so on.

LegionLocker demands a ransom payment by displaying a ransom note in its pop-up window. This ransomware is another variant of the Cobra Locker ransomware.

At the time of research, LegionLocker encrypted system files, whereas other ransomware variants skip those files to avoid damaging the entire operating system. Therefore, it is likely that LegionLocker has flaws.

   
Charlie J0hnson Ransomware

What is the Charlie J0hnson ransomware?

Belonging to the Maoloa ransomware family, Charlie J0hnson is a malicious program designed to encrypt data (render files inaccessible/unusable) and demand ransoms for the decryption (access/use recovery). This malware's discovery is credited to dnwls0719.

As Charlie J0hnson ransomware encrypts, files are appended with the ".charlie.j0hnson" extension.

For example, a file initially named "1.jpg" would be retitled as "1.jpg.charlie.j0hnson", "2.jpg" as "2.jpg.charlie.j0hnson", "3.jpg" as "3.jpg.charlie.j0hnson", and so forth.

Once this process is complete, ransom-demanding messages - "HOW TO RETURN YOU FILES.exe" - are dropped into compromised folders.

   
Wrui Ransomware

What is Wrui?

Ransomware is a type of malware that encrypts files to prevent victims from accessing or using them unless they decrypt them using a tool purchased from the attackers. Malware of this type commonly renames encrypted files by appending its extension to their filenames.

Wrui appends the ".wrui" extension. For example, it renames a file named "1.jpg" to "1.jpg.wrui", "2.jpg" to "2.jpg.wrui", and so on. Like most ransomware variants, Wrui generates a ransom note: it creates the "_readme.txt" file. It is noteworthy that Wrui is part of the Djvu ransomware family.

   
Informistio.com Ads

What is informistio[.]com?

Sharing many similarities with news-hot.xyz, ro01.biz, appzery.com, finddealsdaily.com, and thousands of others, informistio[.]com is a rogue website. This page presents visitors with questionable material and/or redirects them to other untrustworthy and possibly malicious sites.

Usually, users access such websites inadvertently. Most get redirected to them by intrusive ads or PUAs (Potentially Unwanted Applications) already infiltrated into their devices.

These apps can have heinous functionalities, including causing redirects, running intrusive advertisement campaigns, and collecting browsing-related information.

   
YoutubeDownloader Adware

What is YoutubeDownloader?

YoutubeDownloader is a piece of rogue software, endorsed as a tool capable of downloading audio and video content from YouTube and Facebook.

The application operates by converting provided YouTube/Facebook video URLs (links) into various audio/video files, e.g., MP3, MP4, WMA, M4A, FLV, WebM, and other formats.

The downloads are stated to be unlimited and free. In addition to infringing on copyright laws, the YoutubeDownloader app is also classified as adware. Following successful installation, it runs intrusive advertisement campaigns. In other words, this adware delivers undesirable, misleading, and even malicious ads.

Since most users install YoutubeDownloader unintentionally, it is categorized as a PUA (Potentially Unwanted Application) as well.

   
IncognitoSearchBox Browser Hijacker

What is IncognitoSearchBox?

Browser hijackers are potentially unwanted applications (PUAs) that are designed to promote fake search engines. Usually, applications of this type promote their search engines by changing browser settings. IncognitoSearchBox promotes the incognitosearchbox.com address.

Additionally, most browser hijackers are designed to gather data related to Internet browsing activities or other details. Apps like IncognitoSearchBox are called potentially unwanted applications because it is uncommon for them to be downloaded and installed by users on purpose.

   
CRYSTAL Ransomware

What is CRYSTAL?

Ransomware is a form of malicious software that prevents victims from using their files by encrypting them. Typically, malware of this type encrypts files, renames them, and generates a ransom note.

CRYSTAL renames files by appending the victim's ID, black_privat@tuta.io email address, and ".CRYSTAL" as the file extension.

For instance, it renames a file named "1.jpg" to "1.jpg.[ID-C279F237].[black_privat@tuta.io].CRYSTAL", "2.jpg" to "2.jpg.[ID-C279F237].[black_privat@tuta.io].CRYSTAL". CRYSTAL creates the "RESTORE_FILES_INFO.txt" text file as its ransom note. It places this file in each folder that contains encrypted files.

   
Hydra (VoidCrypt) Ransomware

What is Hydra (VoidCrypt) ransomware?

Belonging to the VoidCrypt ransomware family, Hydra is a malicious program that operates by encrypting data and demanding ransoms for the decryption. In other words, victims cannot access the files affected by Hydra (VoidCrypt) ransomware, and they are asked to pay to restore their data.

During the encryption process, files are retitled following this pattern: original filename, cyber criminals' email address, unique ID assigned to the victims, and the ".hydra" extension.

For example, a file initially named "1.jpg" would appear as something similar to "1.jpg.[wyooy@tutanota.com][MJ-PV8479036215].hydra" after encryption. Once this process is complete, ransom notes named "Decrypt-me.txt" are dropped into compromised folders.

   
Topgirlsdating.com Ads

What is topgirlsdating[.]com?

Topgirlsdating[.]com is a rogue website designed to deliver questionable material and/or redirect visitors to other untrustworthy/malicious pages. There are countless sites of this type on the Web; wsoyourwi.fun, ourbestnews.com, and revercecaptcha.com are but a few examples.

Users seldom access such webpages intentionally. Most get redirected to them by intrusive advertisements or PUAs (Potentially Unwanted Applications) already installed onto their systems. This software does not require explicit user permission to infiltrate devices.

PUAs operate by causing redirects, running intrusive advert campaigns, and collecting browsing-related information.

   
Debt Settlement Email Scam

What is the "Debt Settlement" scam email?

"Debt Settlement email scam" refers to a spam campaign - a large-scale operation during which thousands of deceptive emails are sent. The letters sent through this campaign notify recipients of a paid debt. It must be emphasized that the information provided by these scam emails is false.

The spam campaign's aim is to promote a phishing website, which requests users to validate their email accounts by providing their log-in credentials (i.e., email addresses and passwords). Phishing sites operate by recording data entered into them.

Therefore, by trusting the "Debt Settlement" letters, recipients can have their email accounts stolen.

   
