Virus and Spyware Removal Guides, uninstall instructions

Shadow Cryptor Ransomware

What is Shadow Cryptor?

Discovered by dnwls0719, Shadow Cryptor is malicious software classified as ransomware. It operates by encrypting data in order to demand payment for decryption. There is reason to believe that this variant of Shadow Cryptor is a test version, which is likely to be updated in the future.

During the encryption process, this malware appends files with an extension consisting of six random characters. For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.F3F388" following encryption. Once this process is complete, a ransom message ("[extension]-DECRYPT.txt") is dropped into every compromised folder.

   
OptimumSearch Browser Hijacker

What is OptimumSearch?

OptimumSearch (search.optimum.icu) is a potentially unwanted application (PUA), a browser hijacker designed to promote search.optimum.icu (the address of a fake search engine) by changing browser settings and adding the "Managed by your organization" feature.

It might also collect various data. Browser hijackers are categorized as PUAs, since people often download and install them unintentionally.

   
CrypTron Ransomware

What is CrypTron?

Discovered by dnwls0719, CrypTron is malicious software classified as ransomware and written in the Python programming language. Malware within this classification operates by encrypting data and demanding ransom payments for decryption. During the encryption process, all affected files are appended with the ".crypt" extension.

For example, a file originally named "1.jpg" would appear as "1.jpg.crypt" following encryption. Once this process is complete, a pop-up window is displayed.

   
COVID-19 Pandemic Is Straining Health Systems Worldwide Email Scam

What is "COVID-19 pandemic is straining health systems worldwide"?

Many scammers are taking advantage of the coronavirus pandemic by sending various scams via email. These attempt to trick recipients into transferring money, clicking on malicious links, opening malicious attachments, etc. In this particular case, scammers seek to deceive recipients into transferring cryptocurrency to the provided BTC wallet.

They attempt to trick them into believing that, by sending Bitcoins, they will donate money for starving people living in poor countries. You are strongly advised to ignore this and other similar scams.

   
LookupTool Adware (Mac)

What is LookupTool?

Commonly distributed through fake Adobe Flash Player updates, LookupTool is a rogue application. It operates as adware by running intrusive advertisement campaigns. Additionally, it has browser hijacker characteristics, such as browser settings modification and fake search engine promotion.

Most adware infections and browser hijackers possess data tracking capabilities, which are employed to monitor users' browsing activity; LookupTool is likely to have these capabilities as well. Due to the dubious methods used to proliferate this app, it is classified as a Potentially Unwanted Application (PUA).

Note that bogus software updaters/installers are often used to spread various PUAs and even malware (e.g. Trojans, ransomware, etc.).

   
.iso (Phobos) Ransomware

What is the .iso (Phobos) ransomware?

.iso (Phobos) is a malicious program belonging to the Phobos ransomware family. This malware encrypts data and demands payment for decryption.

During the encryption process, files are renamed according to this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address and the ".iso" extension (not to be confused with the genuine ISO disk image format).

To elaborate upon how an encrypted file would appear, a file originally named "1.jpg" would appear as something similar to "1.jpg.id[1E857D00-2589].[backup.iso@aol.com].iso", and so on for all affected files. After this process is complete, two ransom messages ("info.hta" and "info.txt") are created on the desktop.

   
SearchZone Browser Hijacker

What is SearchZone?

SearchZone is a potentially unwanted application (PUA), a browser hijacker that assigns certain browser settings to feed.search-zone.com. In this way, it promotes a fake search engine (feed.search-zone.com) by forcing users to visit the site.

It is also likely that SearchZone can access and record data. SearchZone is categorized as PUA, since people often download and install these browser hijackers unintentionally.

   
Biosc.xyz Redirect

What is biosc.xyz?

biosc.xyz is the address of a fake search engine, which is promoted through at least two browser hijackers called DISI APP and SApp+, Vitos APP. Generally, browser hijackers promote fake search engines by modifying browser settings. Additionally, apps of this type can often record data.

Few users download or install browser hijackers intentionally; installation usually happens inadvertently through rogue apps. Therefore, browser hijackers are categorized as potentially unwanted applications (PUAs).

   
Takeprizes-now.life POP-UP Redirect

What is the takeprizes-now[.]life site?

The takeprizes-now[.]life website promotes dubious content by redirecting to other untrustworthy and possibly malicious sites. This web page has been observed redirecting to the download pages of browser hijackers; however, redirects to the promotional websites of other rogue software are also likely.

Additionally, takeprizes-now[.]life has been known to redirect to sites running the "Dear [ISP name] user, Congratulations!" scam. Most visitors to takeprizes-now[.]life enter it through redirects caused by intrusive advertisements or Potentially Unwanted Applications (PUAs). Note that these apps do not need explicit consent to infiltrate systems.

   
Medicare Email Virus

What is the "Medicare" email?

The "Medicare" emails are part of a scam campaign designed to proliferate Ursnif malware. These deceptive emails claim to contain information regarding payment transactions to the Australian healthcare insurance provider, Medicare. Rather than providing the alleged information, however, the attached file contains malware.

If opened, the file can trick people into starting the Ursnif installation process.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
