Virus and Spyware Removal Guides, uninstall instructions

ModuleUpgrade Adware (Mac)

What is ModuleUpgrade?

ModuleUpgrade is a rogue app that our researchers found during a routine inspection of new submissions to VirusTotal. Our analysis of ModuleUpgrade revealed that it operates as advertising-supported software (adware) and belongs to the AdLoad malware family.

   
Onelock Ransomware

What kind of malware is Onelock?

Onelock is one of the ransomware variants from the MedusaLocker ransomware family. It encrypts files, appends the ".onelock" extension to filenames, and creates an HTML file named "how_to_back_files.html" that contains a ransom note. An example of how Onelock renames files: it changes "1.jpg" to "1.jpg.onelock", "2.png" to "2.png.onelock", and so forth.

It is worth noting that Onelock ransomware is not in any way related to OneLock Inc. (onelock.com).

   
Moonshine Malware (Android)

What is Moonshine malware?

Moonshine is a spyware-type malicious program targeting Android devices. It is capable of obtaining a variety of vulnerable data from infected systems. There are several versions of this malware; the later ones include improved surveillance functionalities.

Moonshine has been actively proliferated as "useful" software via Telegram channels frequented by Uyghurs - a Turkic ethnic group native to Xinjiang.

Considering that this malware is skillfully crafted, has related documentation written in simplified Chinese, and targets an ethnic minority in China, it is possible that the threat actors behind Moonshine are backed by the Chinese state. For example, another malware called BadBazaar has been used to attack Uyghurs, and these attacks are attributed to APT15 (Pitty Tiger), a state-backed group.

   
Fastnetworkprotocol.com Ads

What kind of page is fastnetworkprotocol[.]com?

Our team investigated fastnetworkprotocol[.]com and learned that it runs the "McAfee - Your PC is infected with 5 viruses!" scam. Its creators use fraudulent marketing to promote legitimate antivirus software. Additionally, fastnetworkprotocol[.]com wants to show notifications.

   
BadBazaar Malware (Android)

What is BadBazaar?

BadBazaar is the name of spyware targeting Android operating systems (OSes). Spyware is a type of malware that can stealthily extract and record data on infected devices.

Evidence found by researchers at Bleeping Computer suggests that BadBazaar is linked to attacks against ethnic and religious minority groups in China. Most notably, this malware has targeted Uyghurs - a Turkic ethnic group native to Xinjiang. Furthermore, this malicious activity is likely the work of Chinese state-backed threat actors - the APT15 (Pitty Tiger) group.

   
Mail Error Scam

What kind of scam is "Mail Error"?

We have analyzed this letter and determined that it is written by fraudsters hoping to obtain personal information from recipients. This email contains a link to a phishing website. It is disguised as a letter from an email service provider. It should be marked as spam and deleted.

   
Muldrop Trojan

What is Muldrop?

Muldrop trojan refers to a type of malware that drops multiple malicious programs onto infected devices. These droppers tend to cause extensive chain infections, which could potentially overload the system to the point of failure. Trojans of this kind can infect devices with just about any type of malware; hence, the threats posed by their infections are extensive.

It is pertinent to mention that Muldrop trojans are commonly distributed through fake "cracked" software download websites.

   
TMS5 Ransomware

What kind of malware is TMS5?

TMS5 is ransomware that encrypts files, modifies their filenames, and creates the "!TMS5_INFO!.rtf" file that contains a ransom note. TMS5 is part of the Matrix ransomware family. Our team discovered this ransomware variant while inspecting malware samples submitted to the VirusTotal page.

TMS5 renames files by replacing their names with an email address and a string of random characters, and appending the ".TMS5" extension to them (e.g., it would rename a file named "1.jpg" to "[TomSoyer5@protonmail.com].0RS11z4v-rGxLrEjN.TMS5").

   
GeneralOperation Adware (Mac)

What kind of application is GeneralOperation?

GeneralOperation is the name of an application we discovered while inspecting a fake installer downloaded from a deceptive web page. We learned that the purpose of GeneralOperation is to display intrusive advertisements. Thus, we classified GeneralOperation as adware. In most cases, users install adware inadvertently.

   
Search-Mgr Browser Hijacker

What kind of application is Search-Mgr?

While examining the Search-Mgr browser extension, we found that it functions as a browser hijacker: it changes certain browser settings to searchmgr.online. It forces users to browse the Internet using a shady search engine. It is worth mentioning that browser hijackers are usually promoted and distributed using questionable methods.

   
