Virus and Spyware Removal Guides, uninstall instructions

What is linkwinners[.]net?

Linkwinners[.]net is a rogue site sharing similarities with yourcoolfeed.com, news-befuka.cc, ourcoolstories.com, captcharesolverhere.top, and countless others. This website loads dubious content, pushes its browser notifications, and/or redirects visitors to various (likely untrustworthy or malicious) pages.

Users are typically redirected to rogue sites by suspect webpages, intrusive ads, or installed PUAs (Potentially Unwanted Applications).

What is ALPHV (BlackCat) ransomware?

ALPHV (BlackCat) is a sophisticated ransomware-type program written in the Rust programming language. This program is used in Ransomware-as-a-Service (RaaS) operations.

Malware of this type encrypts data (locks files) and demands payment for the decryption. Typically, these malicious programs rename encrypted files by appending them with specific extensions. However, since ALPHV (BlackCat) is offered as RaaS - its extensions, ransom note filenames (e.g., "GET IT BACK-[file_extension]-FILES.txt") and their contents - vary due to the different cyber criminals involved.

For example, files could be appended with an extension similar to ".bzeakde" (hence, a file named "1.jpg" would appear as "1.jpg.bzeakde", etc.) and then drop a ransom-demanding message titled "GET IT BACK-bzeakde-FILES.txt".

What kind of page is umhiswh[.]club?

Umhiswh[.]club is a deceptive website designed to trick visitors into agreeing to receive its notifications. Also, this page redirects visitors to other untrustworthy web pages. It shares these qualities with news-befuka[.]cc, hrougthatsidh[.]club, paymentsweb[.]org and plenty of other pages.

What kind of malware is BLOCK?

BLOCK is one of the ransomware variants belonging to the Xorist family. This variant encrypts files and appends the ".BLOCK" extension to their filenames. For instance, it renames "1.jpg" to "1.jpg.BLOCK", "sample.png" to "sample.png.BLOCK". BLOCK ransomware creates the "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" file as its ransom note.

What is NRCL ransomware?

NRCL is a ransomware-type program that encrypts data (renders files inaccessible) and demands payment for the decryption (access recovery).

Compromised files are appended with the ".NRCL" extension. For example, a file initially titled "1.jpg" would appear as "1.jpg.NRCL", "2.jpg" as "2.jpg.NRCL", "3.jpg" as "3.jpg.NRCL", etc.

Afterwards, ransom-demanding messages are created/displayed in a pop-up window ("NRCL_Decryptor.exe") and a text file named "Note.txt". There is reason to believe that NRCL is still in development, as the email address provided in its ransom notes - appears to be invalid.

What is Mljx?

Mljx is part of the Djvu ransomware family. It is ransomware that encrypts files, modifies their filenames (by appending the ".mljx" extension), and creates a ransom note (the "_readme.txt" file). For example, Mljx renames "sample.jpg" to "sample.jpg.mljx", "file.png" to "file.png.mljx", and so on.

What is yourcoolfeed[.]com?

Yourcoolfeed[.]com is a rogue site akin to news-befuka.cc, hrougthatsidh.club, businesspayments.org, spdate.com, and thousands of others. It operates by loading questionable content and/or redirecting visitors to different (likely, untrustworthy or malicious) webpages.

Users typically enter rogue websites via redirects caused by suspect pages, intrusive adverts, or installed PUAs (Potentially Unwanted Applications).

What kind of website is 2promoter[.]com?

2promoter[.]com displays deceptive content, asks for permission to deliver notifications, and redirects visitors to untrustworthy websites. It is pretty similar to news-befuka[.]cc, hrougthatsidh[.]club, businesspayments[.]org, and many other pages that users do not open intentionally.

What is pHv1 ransomware?

Belonging to the Phobos ransomware family, pHv1 is a malicious program that encrypts data (locks files) and demands ransoms for the decryption.

Files are appended with a unique ID assigned to the victims, the cyber criminals' email address, and a ".pHv1" extension. For example, a file like "1.jpg" would appear similar to "1.jpg.id[9ECFA84E-3273].[phfmzpqbn@petml.com].pHv1".

After the encryption process is finished, ransom notes are created/displayed in a pop-up window ("info.hta") and a text file named "info.txt".

What kind of malware is Xqxqx?

Xqxqx is ransomware that belongs to is Dharma ransomware family. It encrypts files and modifies their filenames. It also creates the "FILES ENCRYPTED.txt" file and displays a pop-up window containing ransom notes.

Xqxqx renames files by appending the victim's ID, decryptionx@onionmail.org email address and ".xqxqx" extension to filenames. For example, it renames "1.jpg" to "1.jpg.id-9ECFA84E.[decryptionx@onionmail.org].xqxqx", "document.txt" to "document.txt.id-9ECFA84E.[decryptionx@onionmail.org].xqxqx", and so on.