Virus and Spyware Removal Guides, uninstall instructions

What is Moloch?

Moloch belongs to the Makop ransomware family. This ransomware is designed to encrypt and rename files, and create the "readme-warning.txt" file (ransom message) in each folder that contains encrypted files. Moloch modifies filenames of encrypted files by adding the victim's ID, moloch_helpdesk@tutanota.com email address, and appending the ".moloch" extension.

For example, "1.jpg" is renamed to "1.jpg.[9B83AE23].[moloch_helpdesk@tutanota.com].moloch", "2.jpg" to "2.jpg.[9B83AE23].[moloch_helpdesk@tutanota.com].moloch", and so on.

What is Stream Tube?

Apps such as Stream Tube hijack browsers by modifying the settings. Users are then forced to open a specific address on certain occasions. Stream Tube promotes tailsearch.com (a fake search engine) in this way. It also collects browsing history.

In most cases, users download and install browser hijackers unintentionally and, therefore, Stream Tube and other apps of this type are classified as potentially unwanted applications (PUAs).

What is Ufo ransomware?

Ufo blocks access to files by encryption, renames each encrypted file, displays a pop-up window ("info.hta") and generates a text file ("@READ_ME@.txt"). Ufo renames files by adding ".encrypted11", the happynewyear2021@tutanota.com email address, and appending ".ufo" as the file extension.

For example, "1.jpg" is renamed to "1.jpg.encrypted11.[HappyNewYear2021@tutanota.com].ufo", "2.jpg" to "2.jpg.encrypted11.[HappyNewYear2021@tutanota.com].ufo", etc.

What is department[.]limited?

department[.]limited cannot be trusted because it attempts to trick users into believing that their devices are infected, and into downloading a potentially unwanted application (PUA), which will supposedly remove detected threats.

Typically, users do not visit websites such as department[.]limited intentionally - they are promoted via deceptive ads, other dubious web pages, and certain PUAs.

What is StreamsSearchWeb?

StreamsSearchWeb is a potentially unwanted application (PUA) that hijacks browsers by changing certain settings to streamssearchweb.com. In this way, it promotes this fake search engine.

Apps such as StreamsSearchWeb are classified as PUAs, since they are often downloaded and installed by users inadvertently. Note that these apps can also gather browsing-related data.

What is Saher Blue Eagle?

Saher Blue Eagle was discovered by xiaopao. This ransomware encrypts and renames files, changes the desktop wallpaper, and displays a ransom message in full screen mode.

It renames files by appending "..MaxSteel.Saher Blue Eagle" as the filename extensions. For example, "1.jpg" would be renamed to "1.jpg..MaxSteel.Saher Blue Eagle", "2.jpg" to "2.jpg..MaxSteel.Saher Blue Eagle", and so on.

What is spaceshellvpn[.]com?

Websites such as spaceshellvpn[.]com cannot be trusted because they often trick visitors into installing potentially unwanted applications (PUAs). Furthermore, these web pages are promoted via other bogus pages, deceptive advertisements, and PUAs. I.e., users do not often visit them intentionally.

Like many similar sites, spaceshellvpn[.]com is disguised as an official Apple web page, however, the Apple company (and its official pages) has nothing to do with this or other deceptive sites.

What is Easy ransomware?

Easy belongs to the Phobos ransomware family. It is designed to encrypt files, rename each encrypted file, and generate "info.hta" and "info.txt" files (ransom messages). Easy renames files by adding the victim's ID, easybackup@aol.com email address, and appending the ".easy" extension.

More precisely, "1.jpg" would be renamed to "1.jpg.id[C279F237-2723].[easybackup@aol.com].easy", "2.jpg" to "2.jpg.id[C279F237-2723].[easybackup@aol.com].easy", and so on.

What is check-this[.]news?

check-this[.]news is similar to chat-message[.]live, tlouslyrevor[.]top, yskimmed[.]top and many other rogue web pages. Typically, these sites are promoted via other dubious websites, deceptive advertisements, and potentially unwanted applications (PUAs). I.e., users do not often open/visit these web pages intentionally.

What is Bip?

Bip is part of the Dharma ransomware family. Bip encrypts files, modifies their filenames, displays a pop-up window and creates the "FILES ENCRYPTED.txt" file, which contains instructions about how to contact the ransomware developers.

Bip renames encrypted files by adding a unique victim ID, the buydecrypt@qq.com email address, and appending the ".bip" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[buydecrypt@qq.com].bip", "2.jpg" to "2.jpg.id-C279F237.[buydecrypt@qq.com].bip", and so on.