Virus and Spyware Removal Guides, uninstall instructions

What is ngthatwe[.]fun?

It is uncommon for websites like ngthatwe[.]fun to be visited by users intentionally. Usually, these pages are promoted through various untrustworthy websites, advertisements, or potentially unwanted applications (PUAs) that most users download and install inadvertently.

A couple of examples of pages like ngthatwe[.]fun are ndmeeting[.]fun, rdsb21[.]club, and bengekoo[.]com. Typically, these pages display questionable content and open other untrustworthy sites.

What is CRaccoon?

CRaccoon is a piece of software endorsed as a tool for cleaning operating systems. According to its promotional material, among its listed features are deletion of browsing cookies and temporary and download files.

Due to the dubious methods used to promote this app, it is considered to be a PUA (Potentially Unwanted Application). Software within this classification may have unmentioned abilities and/or be distributed alongside harmful programs.

What kind of scam is "Your System Is Infected With 3 Viruses!"?

"Your System Is Infected With 3 Viruses!" is a fake alert stating that a Mac computer is infected with some viruses. This (and other) fake messages are often displayed on untrustworthy, deceptive websites that trick people into purchasing software or services.

People do not generally visit these websites intentionally - they are redirected to them by unwanted apps. These are installed inadvertently without users' knowledge. Furthermore, once installed, these apps feed users with intrusive advertisements and gather data relating to browsing habits.

What are Frlock, Grlock, Itlock, Czlock, and Zalock?

Belonging to the MedusaLocker ransomware family, Frlock, Grlock, Itlock, Czlock, and Zalock are malicious programs, named after the extensions they add to the files they encrypt. These ransomwares operate by encrypting the data stored on infected systems - in order to demand payment for the decryption.

In other words, they render files inaccessible/useless and request victims to pay - to recover the access/use. During the encryption process, affected files are appended with the ".frlock", ".grlock", ".itlock", ".czlock", or ".zalock" extensions - depending on the ransomware variant.

For example, a file initially titled something like "1.jpg" would appear as "1.jpg.frlock", "1.jpg.grlock", "1.jpg.itlock", "1.jpg.czlock", or "1.jpg.zalock".

After the encryption is complete, ransom notes - "Recovery_Instructions.html" - are dropped into compromised folders. All of the ransomware variants create identical notes.

What is ndmeeting[.]fun?

There is a great number of pages like ndmeeting[.]fun on the Internet. Some examples are dollarsurvey365[.]online, rdsb21[.]club, and bengekoo[.]com.

Usually, the content on these pages is not trustworthy, often deceptive, and they are used to promote other questionable websites. It is important to mention that users do not visit sites like ndmeeting[.]fun intentionally.

Typically, they are promoted through shady advertisements, other unreliable websites, or potentially unwanted applications (PUAs) that most users download and install unknowingly.

What is "Your iPhone was hacked after visiting an Adult website"?

There are various ways to trick users into downloading and installing potentially unwanted applications (PUAs). One of them is design websites to display a fake virus notification (or multiple notifications) claiming that a device is infected with a virus (or a number of viruses) and encouraging to remove it with a certain PUA.

It is important to mention that users do not visit websites showing fake virus, error notifications intentionally. In most cases, these pages get opened after clicking on some dubious ads, visiting other pages of this kind. Also, they can be opened by some PUA that is already installed on the operating system or a browser.

What is "Shopper Survey"?

"Shopper Survey scam" refers to a scheme run on various untrustworthy websites. The scam states that users can claim a prize by completing a short survey.

By offering fake rewards, such schemes aim to promote other deceptive and possibly malicious sites. Therefore, by trusting scams like "Shopper Survey", users can experience a variety of severe issues.

Typically, scam pages are accessed via mistyped URLs, redirects caused by intrusive ads, or force-opened by installed PUAs (Potentially Unwanted Applications). It is noteworthy that the "Shopper Survey" scam has been promoted through spam campaigns - mass-scale operations during which deceptive emails are sent by the thousand.

The subject of these letters is "Claim your Amazon gift card now", but both the title and the text presented in the emails - may vary.

What is the partmentha[.]fun site?

Partmentha[.]fun is a rogue website designed to present visitors with dubious material and/or redirect them to other unreliable/malicious pages. The Internet is rife with such untrustworthy sites; dollarsurvey365.online, rdsb21.club, bengekoo.com - are just a few examples.

Users tend to access partmentha[.]fun and webpages akin to it unintentionally. Most get redirected to them by intrusive adverts or installed PUAs (Potentially Unwanted Applications).

These apps do not need explicit user consent to infiltrate systems. PUAs operate by force-opening websites, running intrusive advertisement campaigns, and gathering browsing-related data.

What is Hknet?

Ransomware is a type of malware that blocks access to files by encrypting them. Usually, victims cannot access or use any of the encrypted files until they decrypt them with a specific decryption tool that the attackers encourage them to purchase. It is common that ransomware modifies filenames.

Hknet renames encrypted files by appending ".hknet" as the file extension. For instance, it renames a file named "1.jpg" to "1.jpg.hknet", "2.jpg" to "2.jpg.hknet", and so on.

It also creates the "Recovery_Instructions.html" file (its ransom note) in all folders that contain affected files. Hknet is part of the MedusaLocker ransomware family.

What is the security-protect[.]org website?

Security-protect[.]org is an untrustworthy site designed to promote various scams. At the time of research, this webpage ran a scheme targeting iPhone users.

However, it is not unlikely that the website can be accessed on other Apple devices as well. The scam claims that visitors' iPhones have been infected and recommends an untrustworthy software product, supposedly capable of eliminating the nonexistent malware.

Typically, schemes of this type endorse fake anti-viruses, adware, browser hijackers, and other PUAs (Potentially Unwanted Applications). The scams may even proliferate malware (e.g., trojans, ransomware, cryptominers, etc.).

Users seldom enter deceptive webpages intentionally; most access them via mistyped URLs, redirects caused by intrusive ads, or have the sites force-opened by installed PUAs.