Virus and Spyware Removal Guides, uninstall instructions

What is the Legend ransomware?

Legend is a malicious program, which is part of the Voidcrypt ransomware family. Systems infected with this malware experience data encryption and users receive random demands for decryption.

During the encryption process, all compromised files are renamed following this pattern: original filename, cyber criminals' email address, unique ID assigned to the victims, and the ".legend" extension.

For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.[legendencrypt1@criptext.com][DISUBXG5M4F2CQ6].legend" following encryption. After this process is complete, ransom-demand messages within "!INFO.HTA" files are dropped into affected folders.

What is Mail - Quarantined email scam?

Scammers behind this phishing email attempt to trick recipients into opening a deceptive website and providing their email account login credentials.

Note that emails of this type can be used to deceive recipients into providing other sensitive details as well. For example, bank account numbers, social security numbers, credit card details, etc.

What is RIP lmao?

RIP lmao (also known as JCrypt) ransomware renames encrypted files by appending the ".jcrypt" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.jcrypt", "2.jpg" to "2.jpg.jcrypt", and so on. Depending on the variant, extension may also differ (e.g., ".l33ch", ".omero" extensions).

RIP lmao also displays a pop-up window and generates the "___RECOVER__FILES__.jcrypt.txt" text file, both of which are ransom messages that contain contact and payment information.

Fortunately, current variants of RIP lmao ransomware are decryptable; Avast has released a free decryption tool for this malware (more information below).

What is FlexibleProtocol?

FlexibleProtocol is an adware-type application with browser hijacker characteristics. It operates by delivering intrusive advertisement campaigns and making changes to browser settings to promote fake search engines. In addition, this app has data tracking capabilities, which are used to collect browsing-related information.

Due to the dubious techniques employed in FlexibleProtocol's distribution, it is also classified as a Potentially Unwanted Application (PUA).

What is sbecome[.]online website?

sbecome[.]online is an untrusted site, sharing many similarities with emindeed.top, sionremai.fun, titionasses.fun and thousands of others. Pages of this type are designed to present visitors with dubious material and/or redirect them to other rogue and even malicious websites.

Users rarely access sbecome[.]online or similar sites intentionally - typically, they are redirected to them by intrusive advertisements or by Potentially Unwanted Applications (PUAs). These apps do not require explicit user permission to be installed onto systems. PUAs operate by causing redirects, running intrusive advertisement campaigns and collecting browsing-related information.

What is SearchGuard — Smart Search?

SearchGuard — Smart Search changes specific browser settings to searchwarden.com, the address of a fake search engine. It is likely that this app also collects browsing data and other information. Browser hijackers are often downloaded and installed by users inadvertently and, therefore, SearchGuard — Smart Search and other apps of this type are categorized as potentially unwanted applications (PUAs).

What is the fake "Banco Montepio" email?

"Banco Montepio email scam" refers to a spam campaign, designed to extract recipients' banking credentials (i.e. usernames and PIN codes / passwords). The term "spam campaign" is used to define a mass-scale operation, during which thousands of deceptive emails are sent.

The messages distributed through this spam campaign, inform recipients that unusual transactions have been detected on their banking accounts and they must update account security to prevent them from being suspended.

These scam emails are disguised as notifications from Banco Montepio, a Portuguese banking and mutual savings organization. In fact, the fake messages are in no way associated with the Montepio bank.

The goal of this scam is to trick users into attempting to log-in to their banking accounts via a link provided in the emails, which leads to a phishing website.

What is emindeed[.]top?

emindeed[.]top is similar to sionremai[.]fun, thehugefeed[.]com, titionasses[.]fun and many other pages. Typically, users do not visit these sites intentionally - they are opened by browsers that have potentially unwanted applications (PUAs) installed on them. They are also promoted via other dubious web pages or deceptive advertisements.

What is the "Email Security Alert" message?

"Email Security Alert" refers to the subjects/titles of deceptive emails. These messages claim that recipients must update their email account security. The link users are to click to update their accounts redirects to a phishing website designed to steal email account passwords, thereby gaining access to the accounts.

Note that all of the information provided by "Email Security Alert" scam messages is false.

What kind of scam campaign is "E-Mail Clustered"?

Commonly, scammers use bogus emails to trick recipients into providing personal, sensitive information such as credit card details, login credentials for various accounts, etc. They often attempt to do so by disguising their emails as official, important messages from legitimate companies and organizations.

This particular scam is disguised as a message from an email service provider and is used to to trick recipients into providing their email account login credentials.