Virus and Spyware Removal Guides, uninstall instructions

What is vossulekuk[.]com?

vossulekuk[.]com is an untrusted website due to its content and the other dubious web pages that it can open. People do not often vossulekuk[.]com or similar sites intentionally - they are opened by clicking deceptive advertisements and visiting other bogus web pages.

These sites are also opened when potentially unwanted applications (PUAs) are installed on browsers/operating systems.

There are many web pages like vossulekuk[.]com on the web. Some examples are messages-email[.]com, netflowgroup[.]com, and theactualnewz[.]com.

What is RANZYLOCKED?

When computers are infected with ransomware, victims cannot use the system or access stored files. Ransomware is a type of malware that locks computers or encrypts files stored on them.

Note that RANZYLOCKED is a new variant of the Ranzy Locker ransomware, which encrypts files and appends the ".RANZYLOCKED" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.RANZYLOCKED", "2.jpg" to "2.jpg.RANZYLOCKED", and so on. An updated RANZYLOCKED variant appends the ".lock" extension.

RANZYLOCKED also creates the "readme.txt" file (a ransom message) in all folders that contain affected data.

What is the fake "KROHNE" email?

"KROHNE email virus" refers to a malware-spreading spam campaign. This term defines a mass-scale operation during which thousands of scam emails are sent. The messages distributed through this campaign are disguised as product purchase inquiries from the KROHNE company. This is a legitimate industrial manufacturing/supplying company, mainly dealing in the fields of chemicals and petrochemicals, food and beverages, water and wastewater, oil and gas, power generation and distribution, shipping, papermaking, pharmaceuticals, and minerals and mining.

The deceptive emails contain information copied straight from the official English-language version of KROHNE's website. The purpose of these scam messages is to infect recipients' devices with the Agent Tesla RAT (Remote Access Trojan).

What is ProtocolPort?

Never install the ProtocolPort app on operating systems or browsers, since it generates advertisements, changes browser settings (to force users to visit certain sites), and collects data relating to internet browsing activities. In summary, this app functions as adware and a browser hijacker.

Developers distribute ProtocolPort using a fake Adobe Flash Player installer to trick people into installing the rogue app. Apps that users download and install inadvertently are classified as potentially unwanted applications (PUAs).

What is messages-email[.]com?

messages-email[.]com is a rogue website that shares similarities with netflowgroup.com, theactualnewz.com, newsfeedzscrollz.com, and thousands of others. Visitors to them are presented with dubious material and/or are redirected to other untrusted/malicious sites.

People often visit messages-email[.]com and similar web pages inadvertently - most are redirected to them by intrusive ads or by installed Potentially Unwanted Applications (PUAs). These apps do not need explicit user permission to be installed onto systems. PUAs often have undisclosed and dangerous capabilities, including causing redirects, running intrusive advertisement campaigns, and collecting private data.

What is app-department[.]report?

Websites such as app-department[.]report commonly display pop-up windows and/or show messages warning visitors that their devices have viruses, and that they must click a link to download and install an application to remove them. I.e., app-department[.]report is one of many deceptive pages that use scare tactics to trick visitors into installing dubious applications.

Virus alerts (and other notifications) delivered by app-department[.]report and similar sites are fake. Typically, these web pages are opened when visiting certain (usually bogus) websites, after clicking dubious ads, or by installed potentially unwanted applications (PUAs).

What is the protectad[.]online website?

protectad[.]online is a deceptive web page designed to promote various scams. The schemes run on this site mainly target iPhone users (but might be accessed via other Apple devices). At the time of research, the website promoted a scam claiming that users' iPhones were exposed to malware and adware.

To rectify this, the scheme urges users to download/install the recommended ad-blocker. The purpose of this type of scam is to endorse a variety of dubious and possibly malicious software. For example, they commonly promote fake anti-virus tools, adware, browser hijackers, and different Potentially Unwanted Applications (PUAs).

These schemes might even proliferate malware (e.g., Trojans, ransomware, etc.). Typically, deceptive web pages are accessed via mistyped URLs, redirects caused by untrusted sites, intrusive advertisements, or installed PUAs.

Note that the tionscalen[.]top scam website has been observed redirecting to protectad[.]online.

What is the TIM email scam?

Typically, scammers behind phishing emails attempt to trick recipients into installing malware or providing sensitive information. They send emails containing malicious attachments (or download links for malicious files) or links designed to open deceptive websites asking to enter/provide personal information.

In most cases, scammers impersonate legitimate organizations/companies and design their emails to seem like important, official messages.

In this particular case, scammers masquerade as TIM, an Italian telecommunications company.

What is Four ransomware?

Part of the Dharma ransomware family, Four is a malicious program. Systems infected with this malware experience data encryption and users receive ransom demands for decryption.

When this ransomware encrypts, affected files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address, and the ".four" extension. For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[lizardcrypt@msgsafe.io].four" after encryption.

Once this process is complete, ransom messages are created in a pop-up window and the "MANUAL.txt" text file.

What is tionscalen[.]top?

tionscalen[.]top is one of many deceptive websites that use a scare tactic to trick users into believing they must download and install (sometimes even buy) a potentially unwanted application (PUA).

One common tactic used by tionscalen[.]top and similar pages to trick unsuspecting into unnecessary downloads and installations is to display fake virus notifications (that the device is infected) and urge them to take immediate action.

Generally, websites such as tionscalen[.]top are promoted through dubious advertisements, bogus websites, and PUAs. I.e., users do not often visit them intentionally.