Virus and Spyware Removal Guides, uninstall instructions
What is securitymobile[.]club?
securitymobile[.]club is one of many deceptive websites that display fake virus alerts, errors, and other notifications. The main purpose of these web pages is to trick visitors into downloading and installing potentially unwanted applications (PUAs) that will supposedly solve the detected problems.
Note that these sites are mostly opened via other untrusted websites, deceptive ads, or PUAs already installed on devices. I.e., pages such as securitymobile[.]club are not often visited by users intentionally. Research shows that people generally arrive at securitymobile[.]club due to deceptive events in their Calendar apps, which are designed to open this web page.
What is the "Email Quarantine" email message?
"Email Quarantine" refers to a phishing spam email campaign. The term "spam campaign" is used to define a mass-scale operation, during which thousands of deceptive emails are sent. The messages distributed through the "Email Quarantine" campaign claim that users have several incoming emails, which have been "quarantined" (i.e., did not reach the inbox).
To prevent these (nonexistent) messages from being deleted, recipients are instructed to log in to their email accounts. This is the main goal of this scam: to trick users into revealing their email account login credentials by entering them into a phishing website.
What is "National Lottery email scam"?
Scammers behind lottery scams send notifications stating that the recipient has won some money or another prize. Typically, they send such notifications via email, text messages, and social media.
They exploit names of existing lottery companies/organizations to deceive users into believing that their scams are legitimate. Scammers use these methods to extort money and personal information.
What is the F0x ransomware?
F0x is a malicious program that is part of the Xorist ransomware family. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption. During the encryption process, all affected files are appended with the ".f0x" extension.
For example, a file originally named something like "1.jpg" would appear as "1.jpg.f0x", "2.jpg" as "2.jpg.f0x", "3.jpg" as "3.jpg.f0x", and so on. After this process is complete, identical ransom messages are created in a pop-up window, desktop wallpaper and "HOW TO DECRYPT FILES.txt" text files, which are dropped into compromised folders.
What is Uhofbgpgt?
Belonging to the Snatch ransomware family, Uhofbgpgt encrypts files, modifies their filenames, and creates a ransom message. Uhofbgpgt renames encrypted files by appending the ".uhofbgpgt" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.uhofbgpgt", "2.jpg" to "2.jpg.uhofbgpgt", and so on.
It also creates a ransom message within the "HOW TO RESTORE YOUR FILES.TXT" text file in all folders that contain encrypted files.
What is DUSK 2 ransomware?
Discovered by Lukáš Zobal, DUSK 2 is an updated variant of Dusk ransomware. This malware is designed to encrypt data and demand payment for decryption. During the encryption process, all affected files are appended with the ".DUSK" extension. For example, a file named something like "1.jpg" would appear as "1.jpg.DUSK" following encryption.
Once this process is complete, ransom messages within "README.txt" files are dropped into compromised folders and the desktop wallpaper is changed.
What is security-update-required[.]com?
security-update-required[.]com is a deceptive website running various scams. At the time of research, this web page promoted two different schemes. The scams promoted on this site primarily target iPhone users, yet it is often accessed via other Apple devices as well.
One variant claims visitors' devices are infected, the other that they must update their VPN software. The goal of these schemes is to promote various untrusted applications; however, other scam versions with different purposes are possible. This web page has been observed being promoted through deceptive Calendar events.
Typically, these websites are promoted via redirects caused by intrusive advertisements or by Potentially Unwanted Applications (PUAs) already installed on the system.
What is the Wire Transfer email scam?
There are many examples of phishing emails, which scammers send to deceive unsuspecting recipients into providing sensitive information. Commonly, scammers disguise their emails as official messages from legitimate companies. In this particular case, they attempt to trick recipients into opening a deceptive website and entering specific information.
What is Pay2Key?
Pay2Key is ransomware written in the C++ programming language that encrypts files with AES and RSA cryptography algorithms. Research shows that cyber criminals behind Pay2Key target companies located in Israel; however, it might also be used to attack other companies.
So far, cyber criminals have performed attacks by infecting one computer on the network and then executing this ransomware on the remaining computers in the network. It is likely that Pay2Key uses Remote Desktop Protocol (RDP) to gain access to other computers. Note that Pay2Key can infect an entire network within one hour.
What is the "ERROR # 0xuaO-0x156m(3)" scam?
"ERROR # 0xuaO-0x156m(3)" is a technical support scam. At the time of research, this scheme was promoted via azurewebsites[.]net, the Microsoft Azure website-hosting platform. In general, online scams are promoted on various deceptive web pages.
The gist of tech support scams is claiming that users' devices are infected and/or at risk, and urging them to call fake helplines, where scammers then abuse victims' trust. These schemes are often disguised as important messages, warnings or alerts from legitimate companies/service providers.
The "ERROR # 0xuaO-0x156m(3)" scam is no exception to this and is presented as a warning from Microsoft. In fact, this scheme is in no way associated with the Microsoft Corporation. In many cases, users access deceptive sites via mistyped URLs, redirects caused by intrusive advertisements or by Potentially Unwanted Applications (PUAs) already installed on their devices.
This software does not need express permission to infiltrate systems, and hence users may be unaware of its presence.