Virus and Spyware Removal Guides, uninstall instructions

Win32/Zpevdo Trojan

What is Win32/Zpevdo?

Win32/Zpevdo is a high-risk trojan designed to modify Windows Firewall settings. This malware typically infiltrates systems when another trojan is installed (a result of "chain infections") or when users visit malicious websites. The presence of the Win32/Zpevdo trojan makes the system more vulnerable to other infections.

   
Xerox Color Workstation Email Virus

What is "Xerox Color Workstation Email Virus"?

"Xerox Color Workstation Email Virus" is the name of a spam campaign designed by cyber criminals to proliferate a malicious program: a keystroke logger called Hawkeye.

The main purpose of the email issued by this campaign is to trick people into opening the attached file, which infects computers with the aforementioned malware. We strongly recommend that you ignore this email and leave the attachment unopened.

   
Renropsitto.info POP-UP Ads

What is renropsitto[.]info?

The internet is flooded with websites similar to renropsitto[.]info including, for example, Pushnews[.]online, txtnews[.]online, and watch-this[.]live. These are just some examples from many. Most of these sites are virtually identical. Once visited, they display untrustworthy content or open other dubious websites.

Typically, people do not visit these sites intentionally - they are redirected to them by potentially unwanted applications (PUAs) installed on their systems. Additionally, these apps often operate as information tracking tools and feed users with unwanted ads.

   
Ticeroftertal.info POP-UP Ads

What is ticeroftertal[.]info?

ticeroftertal[.]info is a rogue website that has the same purpose as pushnews[.]online, txtnews[.]online, watch-this[.]live, and many other websites of this type.

Once visited, it redirects users to websites that cannot be trusted or displays dubious content. Typically, people are forced to visit these websites when they have potentially unwanted applications (PUAs) installed on their browsers. PUAs often deliver intrusive ads and record information.

   
PayPal Account Is On Hold POP-UP Scam

What is "PayPal account is on hold"?

The "PayPal account is on hold" scam is presented on a deceptive website that should not be trusted. Scammers use it to steal PayPal accounts.

Typically, people end up visiting websites of this type due to potentially unwanted applications (PUAs) installed on their browsers or operating systems. In addition to unwanted redirects, PUAs often serve users with intrusive advertisements and collect information relating to browsing habits.

   
wal Ransomware

What is wal?

wal is high-risk ransomware that belongs to the Dharma ransomware family. This malware stealthily infiltrates the system and encrypts most stored files, thereby rendering them impossible to use. It also appends filenames with the victim's unique ID, the developer's email address, and the ".wal" extension.

For example, "sample.jpg" might be renamed to a filename such as "sample.jpg.id-1E857D00.[decryptdocs@protonmail.com].wal". Once the encryption process is finished, wal opens a pop-up window and stores a "FILES ENCRYPTED.txt" file on the desktop.

   
1 Click PDF Adware (Mac)

What is 1 Click PDF?

1 Click PDF (also known as 1ClickPDF) is promoted as a file conversion app capable of converting virtually any file format to PDF.

It is promoted as a useful and legitimate tool; however, 1 Click PDF is categorized as a potentially unwanted application (PUA) and adware. It changes browser settings, feeds users with ads, and gathers information. Do not trust or use the 1 Click PDF converter.

   
Forasom Ransomware

What is Forasom?

Belonging to the Djvu ransomware family, Forasom is a high-risk infection designed to encrypt victims' data and make ransom demands. During encryption, Forasom appends filenames with the ".forasom" extension (e.g., "sample.jpg" is renamed to "sample.jpg.forasom").

As with other Djvu variants, Forasom also creates a text file called "_readme.txt" and stores a copy in each existing folder.

   
.bat Ransomware

What is .bat?

Discovered by Jakub Kroustek, .bat is a malicious program classified as ransomware. Generally, malware of this type blocks victims from accessing their files by encryption. To decrypt them, victims are forced to buy a decryption tool/key from cyber criminals who developed the program, in this case .bat ransomware.

It also creates a text file called "RETURN FILES.txt" and displays a ransom message in a pop-up window. This ransomware also renames all encrypted files by adding the ".bat" extension (together with the victim's ID and email address of .bat's developers).

For example, if a file is called "1.jpg", .bat will rename it to "1.jpg.id-1E857D00.[decryptyourdata@qq.com].bat", and so on. This malicious program is part of the Dharma ransomware family and locks files using RSA-1024 encryption.

   
qbix Ransomware

What is qbix?

The number of new ransomware-type programs is growing daily, including qbix, which was discovered by Jakub Kroustek and belongs to the Dharma ransomware family. Like most programs of this type, qbix is used by cyber criminals who aim to extort money from their victims.

Ransomware-type programs encrypt files so that victims are unable to access and use them unless a ransom is paid.

In this particular case, each encrypted file is renamed by adding the ".qbix" extension plus the victim's ID and email address. For example, qbix renames "1.jpg" to "1.jpg.id-1E857D00.[backdata@qq.com].qbix". It also creates a "RETURN FILES.txt" file and displays a ransom message in a pop-up window.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
