Virus and Spyware Removal Guides, uninstall instructions

DarkDev Ransomware

What kind of malware is DarkDev?

DarkDev is a ransomware-type virus found by our researchers while inspecting new submissions to the VirusTotal website. Malware of this kind is designed to encrypt data and demand ransoms for the decryption.

After we executed a sample of DarkDev on our test machine, it encrypted files and added a ".darkdev" extension to their filenames. For example, a file initially named "1.jpg" appeared as "1.jpg.darkdev", "2.png" as "2.png.darkdev", and so on for all of the affected files.

Once the encryption process was finished, the ransomware created a ransom note titled "How_to_back_files.hta". Based on the message therein, it is evident that DarkDev targets large entities rather than home users.

   
Helldown Ransomware

What kind of malware is Helldown?

Helldown is ransomware that we discovered during inspection of malware samples uploaded to the VirusTotal platform. Upon examining Helldown, we concluded that its functionality involves encrypting files, appending a random extension to filenames, and creating a ransom note ("Readme.[random_string].txt").

An example of how Helldown renames files: it changes "1.jpg" to "1.jpg.uQlf", "2.png" to "2.png.uQlf", and so on.

   
Resertol.co.in Ads

What kind of page is resertol.co[.]in?

While examining resertol.co[.]in, we discovered that it uses a deceptive method (clickbait) to lure visitors into agreeing to receive its notifications. Once allowed, resertol.co[.]in shows fake warnings and other misleading notifications. Therefore, users should never permit resertol.co[.]in (and similar pages) to deliver notifications.

   
Denalimount.top Ads

What kind of page is denalimount[.]top?

Our researchers found denalimount[.]top while inspecting dubious websites. This rogue page endorses browser notification spam and redirects users to other (likely untrustworthy/dangerous) sites.

The majority of visitors enter webpages like denalimount[.]top via redirects generated by websites that use rogue advertising networks.

   
Datingkoe2.site Ads

What kind of page is datingkoe2[.]site?

We have analyzed datingkoe2[.]site and learned that it presents misleading content to trick visitors into allowing it to show notifications. Datingkoe2[.]site utilizes clickbait to receive this permission. Users should avoid visiting web pages that use such methods and never grant them any permissions.

   
Elixirnexus.com Ads

What kind of page is elixirnexus[.]com?

Elixirnexus[.]com is a rogue page discovered by our researchers during a routine investigation of suspicious websites. Our examination revealed that this webpage endorses browser notification spam and redirects users to other (likely unreliable/hazardous) sites.

Most visitors access pages like elixirnexus[.]com via redirects generated by websites utilizing rogue advertising networks.

   
Arcium Registration Scam

What is the fake "Arcium Registration" site?

Our team has analyzed the site (register-arciumhq[.]xyz) and discovered that it is a scam page posing as the Arcium website. The purpose of the fraudulent web page is to trick visitors into believing they are on the real page and performing actions that could lead to financial losses. Users should not trust register-arciumhq[.]xyz and should avoid visiting it.

   
Lockdown Ransomware

What kind of malware is Lockdown?

We have inspected the Lockdown malware and found that it operates as ransomware. We discovered this ransomware while examining malware samples on VirusTotal. Our analysis has shown that Lockdown encrypts files and appends the ".lockdown" extension to filenames. Also, it locks the screen and displays a ransom note (the screen unlocks after restarting the computer).

Here is an example of how files encrypted by Lockdown are renamed: "1.jpg" is changed to "1.jpg.lockdown", "2.png" to "2.png.lockdown", and so forth.

   
Broidfit.com Ads

What kind of page is broidfit[.]com?

Our researchers discovered the broidfit[.]com rogue page while browsing untrustworthy websites. Upon inspecting this webpage, we learned that it aims to trick users into consenting to its browser notification delivery. Additionally, the page can generate redirects to other (likely dubious/dangerous) sites.

Broidfit[.]com and webpages akin to it are most commonly accessed through redirects produced by websites that employ rogue advertising networks.

   
Join Injective Airdrop Scam

What is the fake "Join Injective Airdrop"?

After inspecting the "Join Injective Airdrop", we determined that it is fake. We found this scam endorsed on injective.claim-foundation[.]site, but it could be hosted on other domains. This webpage imitates the Injective platform (injective.com) and lures users with a promise of an INJ token airdrop.

This scheme functions as a cryptocurrency drainer. It must be emphasized that this bogus airdrop is not associated with the actual Injective platform or any others.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
