Virus and Spyware Removal Guides, uninstall instructions

What is lXXwXXXNQ ransomware?

During a routine inspection of new malware submissions to VirusTotal, our researchers discovered the lXXwXXXNQ ransomware.

Once this malicious program was executed on our test machine, it encrypted files and appended their filenames with a ".lXXwXXXNQ" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.lXXwXXXNQ", "2.png" as "2.png.lXXwXXXNQ", etc.

Afterwards, this ransomware created a ransom note - "HELP_DECRYPT_YOUR_FILES.txt" - on the desktop.

What kind of page is protectpcscan[.]com?

While inspecting untrustworthy websites, our researchers discovered the protectpcscan[.]com scam site. It is a fake McAfee website. This fraudulent page is presented as the "official" site of McAfee anti-virus. It must be emphasized that this scam webpage is in no way associated with the McAfee Corp. or its products.

What kind of page is save-your-time[.]com?

While inspecting dubious websites, our researchers discovered the save-your-time[.]com rogue page. It is designed to load deceptive content, push browser notification spam, and redirect visitors to other (likely untrustworthy/malicious) sites. Users typically enter these webpages via redirects caused by sites using rogue advertising networks.

What kind of page is securtytrk[.]xyz?

Securtytrk[.]xyz uses scare tactics to trick visitors into believing that their computers are infected. It runs the "Keep Your PC Updated With Norton!" scam. Additionally, securtytrk[.]xyz asks for permission to show notifications. Our team discovered this page while inspecting other dubious pages (illegal movie streaming, torrent, and similar pages).

What kind of software is named is Settings?

Settings is the name of an application that we have discovered after downloading software from a shady website and cracked software distribution page. During the analysis, we found that it runs in the Task Manager as "Settings software Copyright © 2021" (the process name may vary). The purpose of this application is to generate intrusive advertisements (it functions as adware).

What is ChromeLoader?

ChromeLoader was first analyzed by x3ph, and later dubbed by G-Data researchers as Choziosi loader. This malware is designed to install malicious extension(s) onto browsers. Currently, two distinct variants of ChromeLoader have been detected - one targeting Windows Operating Systems and another - Mac Operating Systems.

It is noteworthy that this piece of malicious software has been actively spread through Twitter in the form of QR codes promoting pirated software (predominantly video games) and media (movies/TV).

What kind of application is Files Download Now?

Files Download Now is presented as a tool allowing users to keep track of their downloads and quickly access (and manage) downloads, and create new downloads. We have discovered this app on a deceptive website. After downloading and installing the app, we learned that it generates intrusive advertisements. For this reason, we classified Files Download Now as adware.

What kind of page is news-rulujo[.]cc?

News-rulujo[.]cc displays deceptive content and asks for permission to deliver notifications. It is an untrustworthy page promoted via other pages of this kind. Our team discovered news-rulujo[.]cc while examining various torrent sites, illegal movie streaming websites, etc.

What kind of email is "DHL NOTICE OF ARRIVAL"?

After inspecting the "DHL NOTICE OF ARRIVAL" email, we determined that it is malspam. These letters are disguised as notifications concerning a package shipped through DHL - a legitimate logistics and package delivery company. It must be emphasized that these emails are in no way associated with DHL.

This spam is designed to spread malware, specifically AsyncRAT. This malicious program is classified as a Remote Access Trojan (RAT).

What is kind of scam is "YOUR MAILBOX IS OUTDATED"?

After inspection, we have concluded that this is a phishing email pretending to be a letter from the email service provider. Scammers behind this email aim to trick recipients into providing personal information. The email contains a hyperlink that opens a deceptive website (fake Webmail login page) asking to provide a password.