Virus and Spyware Removal Guides, uninstall instructions

What is Npsk?

Npsk is one of many malicious programs that form part of the ransomware family called Djvu. This particular ransomware infection was discovered by Karsten Hahn and is designed to encrypt victims' files, modify filenames and create ransom messages.

Npsk modifies encrypted files by appending the ".npsk" extension to filenames. For example, it renames a file named "sample.jpg" to "sample.jpg.npsk", and so on. It also drops a ransom message a text file ("_readme.txt") in every folder that contains encrypted data.

What is the PlugX RAT?

PlugX is a Remote Access Trojan (RAT). Malware under this classification grants cyber criminals remote access and control over the infected device. PlugX Trojan has various capabilities, which can cause particularly serious issues.

It has been observed targeting Afghan, American, Russian, Belorussian, Tajikistani, Kazakhstani, and Kyrgyzstani users. The attacks have been primarily targeting individuals working in military and diplomatic branches.

What is DataQuest?

DataQuest is part of the AdLoad adware family. This application displays advertisements, promotes a fake search engine, and might also gather various information. In summary, this app operates as adware and a browser hijacker. Typically, users do not download or install apps of this type intentionally, and therefore they are classified as potentially unwanted applications (PUAs).

Research shows that DataQuest is usually installed through a fake Adobe Flash Player installer.

What is the "Corona case" email?

"Corona case" is a deceptive email designed to trick users into installing TrickBot malware. The message exploits the current social climate (i.e., the coranvirus pandemic). It claims that the attached document contains urgent information concerning the pandemic and recipients are tricked into opening the malicious file.

In this way, people unintentionally infect their systems with a high-risk, information-stealing Trojan called TrickBot. This malware compromises device integrity and user safety.

What is "Coronavirus Email Virus"?

There are a number of variants of the Coronavirus spam campaign. Cyber criminals use it to deceive recipients into infecting their computers with malicious programs such as Agent Tesla, Emotet, LokiBot, Remcos, TrickBot, FormBook, Ave Maria, LimeRAT, CrimsonRAT, and other high-risk malware.

They send emails that contain 1) a website link that downloads a malicious file/display dubious content (e.g., phishing sites), or 2) a malicious attachment. In any case, if opened and executed, these files/attachments install a malicious program. We strongly recommend that you ignore this email, which has nothing to do with the coronavirus.

What is ProLock?

Discovered by PeterM, ProLock is a rebranded version of PwndLocker ransomware. This ransomware encrypts files with the RSA-2048 algorithm, modifies filenames and creates a ransom message. ProLock appends the ".proLock" extension to the filenames of all encrypted files.

Research shows that it appends this extension several times, which might also indicate that it encrypts files several times. It creates ransom messages in the "[HOW TO RECOVER FILES].txt" files, which victims can find in folders that contain encrypted data.

What is Velar?

Discovered by S!Ri, Velar is malicious software categorized as ransomware. It is designed to encrypt data and demand payment for decryption. When this ransomware encrypts, all affected files are appended with the ".Velar" extension.

Therefore, following encryption, a file such as "1.jpg" would appear as "1.jpg.Velar", and so on. A ransom message ("readme.txt") is then dropped onto the victim's desktop.

What is Hack For Life ransomware?

Hack For Life belongs to the Ouroboros ransomware family. Like most programs of this type, it encrypts files with a strong encryption algorithm, renames all encrypted files and provides victims with instructions about what they must do next.

Hack For Life encrypts files with a combination of AES-256 encryption and RSA encryption, renames encrypted files by adding the filerestore07@gmail.com email address, victim's ID and appending the ".encrypt" extension to their filenames.

For example, it changes "1.jpg" to a filename such as "1.jpg.Email=[filerestore07@gmail.com]ID=[DVUFDJUXNQURNNDV].encrypt" (updated variants use the "annabelletools@gmail.com" address instead). It also creates a ransom message named "Unlock_All_Files.txt".

What is Gate ransomware?

Gate belongs to the Dharma ransomware family and is designed to encrypt files, modify their filenames and provide victims with instructions about how to contact the developers (plus some other details). Gate renames encrypted files by adding the victim's ID, lockhelp@qq.com email address and appending the ".gate" extension to filenames.

For example, it renames "1.jpg" to a filename such as "1.jpg.id-1E857D00.[lockhelp@qq.com].gate", and so on. Gate also provides a ransom message in a pop-up window and within a text file named "FILES ENCRYPTED.txt".

What is LX?

Discovered by Jakub Kroustek, LX is malicious software belonging to the Crisis/Dharma ransomware family. It operates by encrypting the data of infected systems and demands payment for decryption tools/software.

When this malware encrypts, all affected files are renamed according to this pattern: original filename, unique ID, cyber criminals' email address and the ".LX" extension. For example, a file such as "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[help.crypt@aol.com].LX", and so on.

A text file ("FILES ENCRYPTED.txt") is then created on the desktop and a pop-up window is displayed.