Virus and Spyware Removal Guides, uninstall instructions

What is Scl ransomware?

During a routine inspection of the newest malware submissions on VirusTotal, our researchers found the Scl ransomware.

After launching a sample on our test machine, we observed this ransomware encrypting data and renaming files by appending them with a unique ID, the cyber criminals' email address, and a ".scl" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.id_9ecfa84e4a778478_email_enc1@usa.com_.scl".

Once the encryption process was finished, the Scl program dropped two ransom notes - "HELP_DECRYPT_YOUR_FILES.HTML" and "HELP_DECRYPT_YOUR_FILES.TXT" - onto the desktop.

What kind of malware is Qqqw?

While analyzing the ransomware sample, we found out that Qqqw belongs to a family of ransomware called Djvu. It encrypted files and appended the ".qqqw" extension to filenames (for example, it renamed "1.jpg" to "1.jpg.qqqw", "document.txt" to "document.txt.qqqw"), and created the "_readme.txt" file as its ransom note.

What kind of page is webprotrctionprogramm[.]com?

Webprotrctionprogramm[.]com is yet another one of our findings from a routine exploration of untrustworthy websites. This page is designed to load deceptive content (e.g., "McAfee - Your PC is infected with 5 viruses!" scam), promote spam browser notifications, and redirect visitors to other unreliable/malicious sites.

Webpages of this type are seldom accessed intentionally; most access them via other pages that use rogue advertising networks.

What is "Cornèrcard email scam"?

After receiving this email, our researchers determined that it is a phishing email. The "Cornèrcard" letter in question is fake and in no way associated with Cornèr Bank - a Swiss private bank and credit card business. These emails target French-speaking users and attempt to trick them into disclosing their Cornèrcard account log-in credentials.

What is Arizona ransomware?

Our researchers discovered the Arizona ransomware during an investigation into new malware samples uploaded to VirusTotal.

After running this malicious program on our test system, we noticed it encrypting files and appending their filenames with the ".AZ" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.AZ","2.jpg" as "2.jpg.AZ", "3.jpg" as "3.jpg.AZ", etc.

Once the encryption process was completed, this ransomware created a message named "README.txt" on the desktop. It also changed the desktop wallpaper.

What is "Wallet Access Connect"?

"Wallet Access Connect" is a phishing scam targeting cryptocurrency wallet log-in credentials. We found it when analyzing sites that use rogue advertising networks. This scheme is presented as a tool to ease access between dApps (decentralized applications) and mobile wallets.

What kind of malware is Factfull?

While testing the sample, we identified that Factfull is ransomware - malware that encrypts files. We learned that this ransomware appends a string of random characters, factfull0103@airmail.cc email address, and the ".factfull" extension to filenames.

For example, it renames "1.jpg" to "1.jpg.[87C29B86].[factfull0103@airmail.cc].factfull", "document.txt" to "document.txt.[87C29B86].[factfull0103@airmail.cc].factfull". Factfull also creates the "readme-warning.txt" file/a ransom note. We also found that Factfull is part of the Makop ransomware family. It was discovered by GrujaRS.

What kind of application is need dark?

While examining the need dark application, we have learned that it hijacks a web browser by changing its settings. The purpose of this app is to promote iwsooos.com - a fake search engine. Our team has discovered the need dark browser hijacker while visiting a deceptive website.

What kind of page is 3v4lu4t3-4pp0intm3nt[.]xyz?

While researching rogue sites, our researchers stumbled upon the 3v4lu4t3-4pp0intm3nt[.]xyz webpage. We've discovered that this website promotes deceptive content and browser notification spam. Additionally, it can redirect visitors to other unreliable/malicious sites. We have observed this website running the "You've visited illegal infected website" scam.

Most users access pages like 3v4lu4t3-4pp0intm3nt[.]xyz unintentionally via others that use rogue advertising networks. However, these webpages can also be entered via redirects caused by deceptive notifications/ intrusive advertisements or installed harmful software.

What kind of page is foodme[.]info?

Our team has discovered foodme[.]info while browsing illegal movie streaming, torrent, adult dating, and similar sites that use questionable advertising networks. At the time of the research, foodme[.]info displayed a fake CAPTCHA to trick visitors into allowing it to deliver notifications.