Virus and Spyware Removal Guides, uninstall instructions
![4AGcf Ransomware](/images/thumbnails/th-25702-4agcf-ransomware.jpg)
What is 4AGcf ransomware?
While inspecting new submissions to VirusTotal, our researchers discovered the 4AGcf ransomware. This malicious program is part of the Babuk ransomware family.
After we executed a sample of this ransomware on our test machine, it encrypted files and appended a ".4AGcf" extension to their filenames. For example, a file originally titled "1.jpg" appeared as "1.jpg.4AGcf", "2.png" as "2.png.4AGcf", etc. Once this process was concluded, a ransom-demanding message named "How To Restore Your Files.txt" was dropped onto the desktop.
![Securityguardplus.site Ads](/images/thumbnails/th-25701-securityguardplus-site-ads.jpg)
What kind of website is securityguardplus[.]site?
Our team has examined securityguardplus[.]site and found that this page uses deceptive marketing to promote legitimate antivirus software. It shows deceptive messages to trick visitors into believing that their computers might be infected. We determined that securityguardplus[.]site runs the "Norton Security - Your PC Might Be Infected With Viruses!" scam.
![Mailbox Cache Is Full Email Scam](/images/thumbnails/th-25699-mailbox-cache-is-full-email-scam.jpg)
What kind of email is "Mailbox Cache Is Full"?
Our inspection of the "Mailbox Cache Is Full" email revealed that it is spam. This mail operates as a phishing scam targeting recipients' email account log-in credentials (passwords). These spam emails claim that the mailbox cache must be cleared so that the account can operate without problems.
![Word Replace And Load Adware](/images/thumbnails/th-25698-word-replace-and-load-adware.jpg)
What kind of application is Word Replace And Load?
After downloading and adding the Word Replace And Load application to a web browser, we learned that this extension shows intrusive advertisements. Software that displays ads is classified as adware. Our team discovered Word Replace And Load while examining deceptive websites.
![RYKCRYPT Ransomware](/images/thumbnails/th-25697-rykcrypt-ransomware.jpg)
What kind of malware is RYKCRYPT?
RYKCRYPT is one of the ransomware variants belonging to a ransomware family called VoidCrypt. We discovered RYKCRYPT while checking the VirusTotal website for recently submitted malware samples. RYKCRYPT is ransomware that encrypts files, provides a ransom note (creates the "unlock-info.txt" file), and modifies filenames.
RYKCRYPT appends the victim's ID, encoderdecryption@gmail.com email address, and ".RYKCRYPT" extension to filenames. For example, it renames "1.jpg" to "1.jpg.(CW-PF6231847590)(encoderdecryption@gmail.com).RYKCRYPT", "2.png" to "2.png.(CW-PF6231847590)(encoderdecryption@gmail.com).RYKCRYPT", and so forth.
![Store-notifications.online POP-UP Scam (Mac)](/images/thumbnails/th-25696-store-notificationsonline-pop-up-scam-mac.jpg)
What kind of page is store-notifications[.]online?
While analyzing store-notifications[.]online, our team learned that this is a deceptive page that shows a fake message to trick visitors into downloading a certain application. We discovered store-notifications[.]online while inspecting shady ads and other pages of this kind. Store-notifications[.]online and similar pages should be ignored/closed.
![Yourtopdefencebulwark.site Ads](/images/thumbnails/th-25695-yourtopdefencebulwark-site-ads.jpg)
What kind of page is yourtopdefencebulwark[.]site?
Our research team discovered yourtopdefencebulwark[.]site during a routine investigation of untrustworthy websites. This rogue page is designed to promote scams and spam browser notifications. Additionally, it can redirect users to other (likely dubious/malicious) sites.
Users typically access webpages like yourtopdefencebulwark[.]site through redirects caused by websites using rogue advertising networks.
![OperativeQueue Adware (Mac)](/images/thumbnails/th-25694-operativequeue-adware-mac.jpg)
What is OperativeQueue?
While reviewing new submissions to VirusTotal, our research team discovered the OperativeQueue application. After installing this app on our testing system, we verified that it operates as advertising-supported software (adware). It is noteworthy that OperativeQueue is part of the AdLoad malware family.
![Fund For God's Work Email Scam](/images/thumbnails/th-25693-fund-for-gods-work-email-scam.jpg)
What kind of email is "Fund For God's Work"?
After inspecting the "Fund For God's Work" email, we determined that it is spam. The fake sender introduces themselves as a gravely ill widow who will give the email recipient an exorbitant amount of money to do god's work. It must be emphasized that all the claims made by this scam letter are false and must be disregarded.
![LummaC2 Stealer](/images/thumbnails/th-25692-lummac2-stealer.jpg)
What is LummaC2?
LummaC2 is the name of a malicious program classified as a stealer. It operates by stealing sensitive information from infected devices and installed applications.
At the time of writing, this malware is sold on the Web; as such, it can be distributed by multiple cyber criminals. According to its promotional material, LummaC2 is lightweight (150-200 KB) and can infect operating systems Windows 7 through Windows 11.