Virus and Spyware Removal Guides, uninstall instructions

What kind of page is securitypczone[.]site?

Securitypczone[.]site is a rogue site that our research team discovered during a routine investigation of suspicious webpages.

At the time of research, it promoted the "Norton Security - Your PC Might Be Infected With Viruses!" scam. This page also pushed spam browser notifications. Additionally, it is capable of redirecting visitors to other (likely dubious/malicious) websites.

Most users access securitypczone[.]site and similar webpages through redirects caused by sites that use rogue advertising networks.

What is Word Counter?

During a routine inspection of deceptive sites, our research team found the Word Counter browser extension. It is supposedly capable of providing the word count of any current webpage. However, our inspection of this extension revealed that it is adware, i.e., Word Counter runs intrusive ad campaigns and collects sensitive data.

What kind of page is resiastawsix[.]xyz?

Our researchers discovered the resiastawsix[.]xyz rogue page while inspecting dubious websites. We learned that this webpage promotes scams and browser notification spam. Additionally, it can redirect users to different (likely untrustworthy/malicious) sites.

Most visitors to resiastawsix[.]xyz and websites akin to it – access them via redirects caused by pages that use rogue advertising networks.

What is Tzw ransomware?

Tzw is the name of a ransomware-type program we discovered while inspecting new submissions to VirusTotal. We executed a sample of Tzw on our test machine, and this ransomware encrypted the files and changed their titles. The filenames were appended with a ".tzw" extension, e.g., a file initially named "1.jpg" appeared as "1.jpg.tzw", "2.png" as "2.png.tzw", and so forth. Afterward, a ransom-demanding message – "readme.txt" – was created.

What kind of malware is NeedleDropper?

NeedleDropper is a malware variant designed to drop malicious payloads (inject malware). It is advertised and sold on hacking forums. NeedleDropper is a self-extracting archive that contains files used for malware execution. Threat actors have been observed distributing this malware via email.

What kind of email is "Real Estate Investment"?

After inspecting the "Real Estate Investment" email – we determined that it is fake. The spam letter claims to be sent by an ex-government official from the opposition party in Syria. The fabricated sender expresses wishes to make the recipient a foreign partner in their business ventures. This implies that the recipient will receive a large sum of money.

Typically, spam mail of this type aims to obtain personally identifiable information and/or trick users into transferring money. Hence, this letter must be ignored and reported as spam.

What kind of malware is Nyx?

Nyx is ransomware that encrypts files, appends the victim's ID, datasupp@onionmail.com email address, and the ".NYX" extension to filenames, and drops the "READ_ME.txt" file (its ransom note). Our team discovered Nyx ransomware while inspecting malware samples submitted to VirusTotal page.

An example of how Nyx renames files: it changes "1.jpg" to "1.jpg.[R6T0SO1OCNAXIUM9].[datasupp@onionmail.com].NYX", "2.png" to "2.png.[R6T0SO1OCNAXIUM9].[datasupp@onionmail.com].NYX", and so forth.

What kind of malware is Xollam?

While examining malware samples submitted to VirusTotal, our team discovered ransomware dubbed Xollam. We found that Xollam is a new variant of Mallox ransomware with a reversed name. It encrypts files, appends the ".xollam" extension to filenames, and creates the "FILE RECOVERY.txt" text file containing a ransom note.

An example of how Xollam modifies filenames: it renames "1.jpg" to "1.jpg.xollam", "2.png" to "2.png.xollam", and so forth.

What kind of email is "Data Backup"?

Our inspection revealed that this "Data Backup" email is spam. It operates as a phishing scam targeting email account log-in credentials. The fake letter claims that the mail service will be shut down, but if the recipient uses the linked backup guide – they will be able to continue using their account. However, the link redirects to a phishing site.

What kind of page is youractualjournal[.]com?

Youractualjournal[.]com is the address of a rogue webpage that our researchers discovered while inspecting untrustworthy sites. This page promotes browser notification spam and redirects visitors to other (likely unreliable/malicious) websites.

Users typically enter such pages through redirects caused by sites using rogue advertising networks, mistyped URLs, spam notifications, intrusive ads, or installed adware.