Virus and Spyware Removal Guides, uninstall instructions

What is LulzDecryptor?

Discovered by MalwareHunterTeam, LulzDecryptor is a ransomware-type program. It operates by encrypting data and demanding payment for decryption.

Malicious programs of this type typically append affected files with extensions or otherwise rename them, however, the filenames of files affected by LulzDecryptor remain unchanged. After the encryption process is complete, a ransom message is created in a pop-up window.

LulzDecryptor ransomware is deemed to be skidware, a piece of malicious software created by individuals severely lacking the necessary skills.

Furthermore, this malware is decryptable. The decryption key is "4aEWaAMtxGnHPcvGnuxtEWYCPb5AxuC3ABcLRmz7AQZ2wdVpreduKK9C7LU7" (without the quotation marks).

What is the Napoli Merda ransomware?

Napoli Merda is a ransomware-type program designed to encrypt data and demand payment for decryption. I.e., the files affected by this malware are rendered inaccessible and victims are asked to pay to recover access to them.

Typically, ransomware renames encrypted files, however, this is not the case with Napoli Merda. Once the encryption process is complete, this ransomware displays a pop-up window containing a ransom message in Italian.

Napoli Merda is considered to be skidware: malicious software created by individuals severely lacking the necessary skills. This program is decryptable and the password to initiate the decryption process is "password123" (without the quotation marks).

What is the fake "GoDaddy" email?

"GoDaddy email scam" refers to a spam campaign, a mass-scale operation during which deceptive emails are sent by the thousand.

The emails distributed through this campaign are presented as notifications from GoDaddy, a publicly traded internet domain registrar and web hosting company. These scam messages inform of an upcoming upgrade to the recipients' emails and ask them to verify their email accounts.

This mail promotes a phishing website designed to record entered account log-in credentials (i.e., passwords). Note that all of the information provided by these emails is false, and they are in no way associated with the genuine GoDaddy, Inc.

What is Xtreme?

Xtreme is a Remote Access Trojan (RAT), which grants access and control of infected machines to facilitate various malicious actions.

This malware has been used globally, targeting governments and governmental organizations, financial institutions, large private corporations, telecommunication companies and media outlets, however, while it primarily targeted representatives and employees of the aforementioned entities, smaller businesses or average users are often targeted.

What is the hanksforyou[.]biz site?

hanksforyou[.]biz is a rogue website designed to deliver dubious content and redirect visitors to other untrusted, possibly malicious web pages.

Users rarely access hanksforyou[.]biz and similar sites intentionally - most are redirected to them by intrusive advertisements or installed Potentially Unwanted Applications (PUAs). This software does not need explicit permission to infiltrate systems, and thus users may be unaware of its presence.

PUAs are designed to cause redirects, run intrusive advertisement campaigns, and collect browsing-related data. The internet is full of rogue websites including fastcaptcharesolve.com, allowsuccess.org, ardoppoprus.biz, and thedailyrobotcheck.site as just some examples.

What is the "Facebook Lottery" scam email?

"Facebook Lottery" is a spam email campaign, a large-scale operation during which deceptive email messages are sent by the thousand. This campaign is in no way associated with Facebook, Inc. and all of the information provided by these emails is false.

The scam messages claim that recipients have been selected as one of the three winners of a fake lottery. This spam mail operates as a phishing scam. I.e., the purpose is to extract sensitive/personal information and use it for nefarious purposes.

What is Search Button?

Search Button is a browser hijacker promoting the keysearchs.com bogus search engine. Typically, software within this classification modifies browser settings to promote its associated search engines, however, Search Button does not always make alterations to the settings when promoting the keysearchs.com web searcher (see below).

Additionally, Search Button has data tracking capabilities, which are used to monitor users' browsing habits. Since most users download/install browser hijackers inadvertently, they are also classified as Potentially Unwanted Applications (PUAs).

What is optavut[.]com?

optavut[.]com is a deceptive website used to promote potentially unwanted applications (PUAs). There are many similar pages on the internet, all of which display fake notifications stating that a device is infected, damaged, hacked, etc., and encouraging users to download and install an application, which will supposedly fix the problem (remove viruses, fix errors, etc.).

Neither optavut[.]com nor other similar page can be trusted. Commonly, these sites are promoted via dubious advertisements, other untrusted web pages, or PUAs that users download/install onto their devices inadvertently.

What is Ncovid ransomware?

Ncovid is a malicious program designed to encrypt data and demand ransoms for decryption. This is a new variant of RIP lmao ransomware. The files stored on systems infected with Ncovid are rendered inaccessible, and victims are asked to pay to recover access to their data.

When this ransomware encrypts, affected files are appended with the ".ncovid" extension. For example, a file originally named something like "1.jpg" will appear as "1.jpg.ncovid", "2.jpg" as "2.jpg.ncovid", "3.jpg" as "3.jpg.ncovid", and so on.

After this process is complete, ransom-demand messages are created in a pop-up window and "___RECOVER__FILES__.ncovid.txt" text file.

What kind of malware is FluBot?

FluBot (also known as Cabassous) is malicious software that targets Android smartphones. Cyber criminals distribute FluBot via SMS messages, which they send (in at least in three different languages such as German, Polish, and Hungarian) with links to download websites for a fake FedEx application. These websites download a malicious APK file (Android Package file) designed to install FluBot banking malware.