Virus and Spyware Removal Guides, uninstall instructions

Moonshadow Ransomware

What is Moonshadow ransomware?

While inspecting new malware submissions to VirusTotal, our researchers discovered the Moonshadow ransomware. We determined that this malicious program is part of the VoidCrypt ransomware family.

After we launched a sample of Moonshadow on our test system, it encrypted files and altered their names. Original filenames were appended with a unique ID, the cyber criminals' email address, and a ".moonshadow" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.moonshadow", "2.png" as "2.png.moonshadow", etc.

Once the encryption process was completed, Moonshadow ransomware created/displayed a pop-up window ("Decryption-Guide.HTA") and a text file ("Decryption-Guide.txt") that contained identical ransom notes.

   
FIXED Ransomware

What kind of malware is FIXED?

Our team discovered FIXED while inspecting malware samples submitted to VirusTotal. We found that FIXED is ransomware that encrypts files and appends the ".FIXED" extension to filenames. For example, it renames "1.jpg" to "1.jpg.FIXED", "2.png" to "2.png.FIXED", and so forth. FIXED also creates the "Info.hta" file containing a ransom note.

   
News-fesihe.cc Ads

What kind of page is news-fesihe[.]cc?

News-fesihe[.]cc is designed to trick visitors into agreeing to receive notifications and to redirect them to other shady pages. As a rule, pages like news-fesihe[.]cc are visited inadvertently. Our team discovered news-fesihe[.]cc while examining various illegal movie streaming pages, torrent sites, and other pages of this kind.

   
R3tr0 Ransomware

What kind of malware is R3tr0?

R3tr0 (also known as RETRO-ENCRYPTED) is ransomware belonging to the Dharma family. We discovered it while checking the VirusTotal website for recently submitted malware samples. R3tr0 encrypts files and appends the victim's ID, the r3tr0crypt@tuta.io email address, and the ".r3tr0" extension to filenames. It also generates two ransom notes: "Info.hta" and "info.txt".

An example of how R3tr0 ransomware modifies filenames: it renames "1.jpg" to "1.jpg.id-9ECFA84E.[r3tr0crypt@tuta.io].r3tr0", "2.png" to "2.png.id-9ECFA84E.[r3tr0crypt@tuta.io].r3tr0", and so forth.

   
EfficientRecord Adware (Mac)

What is EfficientRecord?

EfficientRecord is a rogue application that our research team discovered while inspecting new submissions to VirusTotal. After analyzing this app, we determined that it operates as advertising-supported software (adware) and belongs to the AdLoad malware family.

   
Scan-pro-guard.com Ads

What kind of page is scan-pro-guard[.]com?

During a routine inspection of questionable websites, our research team discovered the scan-pro-guard[.]com page. It promotes deceptive content, pushes spam browser notifications, and redirects visitors to different (likely untrustworthy/malicious) sites.

Most users enter webpages like scan-pro-guard[.]com through redirects caused by websites using rogue advertising networks, mistyped URLs, spam notifications, intrusive ads, or installed adware.

   
DynamicLush Adware (Mac)

What is DynamicLush?

While looking through new submissions to VirusTotal, our researchers discovered the DynamicLush application. Our analysis of this piece of software revealed that it operates as adware and belongs to the AdLoad malware family.

   
Trexvideo.biz Ads

What kind of page is trexvideo[.]biz?

We discovered the trexvideo[.]biz rogue webpage while inspecting dubious websites. It is designed to push browser notification spam and redirect visitors to other (likely untrustworthy or malicious) sites. Users typically enter pages of this kind via redirects caused by webpages using rogue advertising networks.

   
Juicycelebinfo.com Ads

What kind of page is juicycelebinfo[.]com?

Juicycelebinfo[.]com uses a clickbait technique to trick visitors into allowing it to show notifications. Also, it redirects them to other untrustworthy pages. As a rule, pages like juicycelebinfo[.]com are not visited on purpose. Our team found this page while inspecting websites that use shady advertising networks.

   
I Am A Russian Hacker Who Has Access To Your Operating System Email Scam

What kind of email is "I am a Russian hacker who has access to your operating system"?

After checking the "I am a Russian hacker who has access to your operating system" email, we determined that it is spam that operates as a sextortion scam.

This spam mail attempts to trick recipients into paying a ransom over nonexistent recordings. In other words, these emails state that the sender has made a compromising video featuring the recipient, and it will be leaked unless a ransom is paid. It must be emphasized that all the claims made by these spam letters are false.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
