Virus and Spyware Removal Guides, uninstall instructions

R3tr0 Ransomware

What kind of malware is R3tr0?

R3tr0 (also known as RETRO-ENCRYPTED) is ransomware belonging to the Dharma family. We discovered it while checking the VirusTotal website for recently submitted malware samples. R3tr0 encrypts files and appends the victim's ID, the r3tr0crypt@tuta.io email address, and the ".r3tr0" extension to filenames. It also generates two ransom notes: "Info.hta" and "info.txt".

An example of how R3tr0 ransomware modifies filenames: it renames "1.jpg" to "1.jpg.id-9ECFA84E.[r3tr0crypt@tuta.io].r3tr0", "2.png" to "2.png.id-9ECFA84E.[r3tr0crypt@tuta.io].r3tr0", and so forth.

   
EfficientRecord Adware (Mac)

What is EfficientRecord?

EfficientRecord is a rogue application that our research team discovered while inspecting new submissions to VirusTotal. After analyzing this app, we determined that it operates as advertising-supported software (adware) and belongs to the AdLoad malware family.

   
Scan-pro-guard.com Ads

What kind of page is scan-pro-guard[.]com?

During a routine inspection of questionable websites, our research team discovered the scan-pro-guard[.]com page. It promotes deceptive content, pushes spam browser notifications, and redirects visitors to different (likely untrustworthy/malicious) sites.

Most users enter webpages like scan-pro-guard[.]com through redirects caused by websites using rogue advertising networks, mistyped URLs, spam notifications, intrusive ads, or installed adware.

   
DynamicLush Adware (Mac)

What is DynamicLush?

While looking through new submissions to VirusTotal, our researchers discovered the DynamicLush application. Our analysis of this piece of software revealed that it operates as adware and belongs to the AdLoad malware family.

   
Trexvideo.biz Ads

What kind of page is trexvideo[.]biz?

We discovered the trexvideo[.]biz rogue webpage while inspecting dubious websites. It is designed to push browser notification spam and redirect visitors to other (likely untrustworthy or malicious) sites. Users typically enter pages of this kind via redirects caused by webpages using rogue advertising networks.

   
Juicycelebinfo.com Ads

What kind of page is juicycelebinfo[.]com?

Juicycelebinfo[.]com uses a clickbait technique to trick visitors into allowing it to show notifications. Also, it redirects them to other untrustworthy pages. As a rule, pages like juicycelebinfo[.]com are not visited on purpose. Our team found this page while inspecting websites that use shady advertising networks.

   
I Am A Russian Hacker Who Has Access To Your Operating System Email Scam

What kind of email is "I am a Russian hacker who has access to your operating system"?

After checking the "I am a Russian hacker who has access to your operating system" email, we determined that it is spam that operates as a sextortion scam.

This spam mail attempts to trick recipients into paying a ransom over nonexistent recordings. In other words, these emails state that the sender has made a compromising video featuring the recipient, and it will be leaked unless a ransom is paid. It must be emphasized that all the claims made by these spam letters are false.

   
Investdigest.xyz Ads

What is investdigest[.]xyz?

Investdigest[.]xyz is one of the websites running the "McAfee - Your PC is infected with 5 viruses!" scam. It also asks for permission to show shady notifications. Typically, websites like investdigest[.]xyz are visited inadvertently. We discovered this page while examining other pages that use rogue advertising networks.

   
GenesisMass Adware (Mac)

What kind of software is GenesisMass?

GenesisMass is an advertising-supported application that generates advertisements. We discovered it while inspecting deceptive websites. We also found that this app can read sensitive information. Having adware installed on the operating system (or a web browser) can lead to various problems. Thus, GenesisMass should not be trusted.

   
HORSEMAGYAR Ransomware

What is HORSEMAGYAR ransomware?

While inspecting new submissions to VirusTotal, our research team found the HORSEMAGYAR ransomware.

We executed a sample of this malware on our test machine and learned that it encrypts data and renames the affected files. The filenames were altered according to this pattern: "[original_filename].[victim's_ID].[spanielearslook].likeoldboobs", e.g., a file initially titled "1.jpg" appeared as "1.jpg.[2da28fb1f2].[spanielearslook].likeoldboobs".

Once the encryption process was finished, a ransom-demanding message named "Horse.txt" was created on the desktop.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
