Virus and Spyware Removal Guides, uninstall instructions

What is "UltraViewer Tech Support Scam"?

"UltraViewer Tech Support Scam" refers to technical support scams facilitated through the use of the UltraViewer application.

UltraViewer is a legitimate remote access software which allows users to connect and control systems over a distance. Tech support scammers rely on such programs to gain access/control over their victims' devices. It must be stressed that the developers of this software are not associated with scams; cyber criminals abuse these apps for their own malicious goals.

Technical support scams are promoted on deceptive websites, and they typically involve claims about users' devices being infected but recoverable by calling "expert technicians", "technical support", etc.

What is Video Downloader?

Video Downloader is a rogue browser extension that promises to allow users to download videos off of popular platforms. Our researchers discovered this piece of software while inspecting dubious download webpages. After analyzing the Video Downloader extension, we determined that it is adware.

What is Lavasky ransomware?

Our researchers discovered the Lavasky malicious program, which is classified as ransomware, while investigating new submissions to VirusTotal. Additionally, it is pertinent to mention that Lavasky is part of the VoidCrypt ransomware family.

Once we executed a sample of this ransomware on our testing system, it encrypted data and altered filenames. The original file titles were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".lavasky" extension. For example, a file named "1.jpg" appeared as "1.jpg.(CW-MX8607321954)(blackpirate@cock.li).lavasky".

After the encryption process was completed, Lavasky dropped a text file titled "unlock-info.txt" text file. The message within was the ransom note.

What is "Phone Update Recommended"?

While inspecting rogue webpages, our researchers discovered the "Phone Update Recommended" scam, which targets Android device users. This scheme attempts to trick visitors into downloading/installing and/or purchasing recommended software - by claiming that it will improve the device's poor performance.

What is Nitrokod?

Nitrokod is a malicious program that operates as a backdoor for cryptocurrency mining malware. At the time of writing, Nitrokod was designed to infect systems with the XMRIG cryptominer.

It is noteworthy that Nitrokod has been actively spread via malicious applications disguised as legitimate software, most successfully through a trojanized app presented as Google Translate Desktop. According to Check Point Research, Nitrokod is used by Turkish-speaking cyber criminals, and it has infected devices throughout eleven countries.

What kind of email is "Annual Open Vacation Plan"?

After inspecting the "Annual Open Vacation Plan" email, we learned that it is spam operating as a phishing scam. This letter is presented as a notification regarding vacation approval from an HR (Human Resources) department.

To view the document supposedly containing the list of employees approved for vacation, the recipient is to log-in by using their email credentials. However, this letter and the promoted website are fake; hence, by entering their credentials into the latter - users will expose them to the scammers behind this spam campaign

What kind of page is adforyounews[.]com?

While looking through untrustworthy websites, our researchers discovered the adforyounews[.]com rogue page. It is designed to deceptively promote browser notification spam. Additionally, adforyounews[.]com can redirect visitors to other (likely unreliable/malicious) websites.

Most users enter sites like adforyounews[.]com through redirects caused by webpages using rogue advertising networks.

What is "Norton LifeLock" email scam?

After inspecting this "Norton LifeLock" email, we determined that it is fake. It must be emphasized that this spam mail is in no way associated with either NortonLifeLock Inc. or PayPal Holdings, Inc.

This scam letter is presented as a purchase invoice, which states that the payment has already been processed. The aim is to trick recipients into calling the provided number to cancel the bogus payment/subscription.

What is Xbtl ransomware?

Xbtl is a ransomware-type program that our research team discovered while looking through new malware submissions to VirusTotal. Ransomware is designed to encrypt data and demand payment for decryption.

Once we launched a sample of Xbtl on our test machine, it encrypted files and appended their filenames with a ".xbtl" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.xbtl", "2.png" as "2.png.xbtl", and so on for all of the compromised files.

Afterwards, this ransomware changed the desktop wallpaper and created a text file named "README.txt". Both contained identical ransom notes, which were in the Russian and English languages.

What is View-Dark?

View-Dark is a rogue browser extension that our research team discovered while inspecting deceptive software-endorsing sites. While View-Dark is promoted as a dark-mode tool for simple design websites, it operates as advertising-supported software (adware) instead.