Virus and Spyware Removal Guides, uninstall instructions
What is Moresa?
Discovered by Michael Gillespie and belonging to the Djvu ransomware family, Moresa is a malicious program categorized as ransomware. Typically, cyber criminals use programs of this type to encrypt data and prevent victims from accessing their files unless a ransom is paid (a decryption tool is purchased).
Moresa renames all encrypted files by appending the ".moresa" extension. For example, "1.jpg" becomes "1.jpg.moresa". It also creates a ransom message in a "READ_ME.txt" file, which it places in every folder that contains encrypted files.
What is Norvas?
First discovered by malware researcher Petrovic, Norvas is yet another ransomware-type virus belonging to the Djvu malware family.
As with other infections of this type, Norvas encrypts most stored files (thereby rendering them unusable) and appends an extension to filenames (in this case, ".norvas"). For example, "sample.jpg" is renamed to "sample.jpg.norvas". A text file ("_readme.txt") is then created and placed in every existing folder.
What is "apple.com-fast[.]live"?
apple.com-fast[.]live (www.apple.com-fasting.live or www.apple.com-faster.live) is a scam website that should not be trusted. Its purpose is to trick people into downloading and installing the CleanupMy-Mac potentially unwanted app (PUA).
To achieve this, scammers designed apple.com-fast[.]live to show fake notifications about 'detected' viruses that should be removed immediately using the aforementioned application. Websites of this type and apps promoted by them cannot be trusted.
Typically, people do not open these websites intentionally. Unwanted redirects are often responsible and are caused by installed PUAs, which also serve unwanted ads and gather information.
What is terjuscalbuttont[.]info?
Like many other websites of this type, terjuscalbuttont[.]info is designed to cause redirects to other untrustworthy, potentially malicious websites or to display dubious content. Some examples of websites that are similar to terjuscalbuttont[.]info include vercallactont[.]com, butitereventwil[.]info, and refrebrepheon[.]info.
People do not generally visit this site intentionally - they are redirected to it by potentially unwanted apps (PUAs) installed on their default browsers (or operating systems). PUAs often serve unwanted advertisements and collect information relating to users' browsing activity.
What is ninghimpartidi[.]info?
When opened, ninghimpartidi[.]info displays dubious content or causes redirects to other untrustworthy websites. This site is very similar to many others of this type including arberittertwa[.]info, butitereventwil[.]info, and refrebrepheon[.]info.
Generally, people do not open ninghimpartidi[.]info intentionally - they are redirected to it by installed potentially unwanted applications (PUAs). In most cases, users install PUAs unintentionally. In addition to causing unwanted redirects, these rogue apps often display intrusive advertisements and gather information relating to users' browsing habits.
What is enninghahanspa[.]info?
enninghahanspa[.]info is very similar to arberittertwa[.]info, vercallactont[.]com, butitereventwil[.]info, and many other websites. This site redirects visitors to other rogue, potentially malicious websites or displays dubious content.
Most users visit enninghahanspa[.]info inadvertently - potentially unwanted applications (PUAs) usually cause these redirects. PUAs are often installed inadvertently, without users' knowledge. Once installed, they gather data and deliver intrusive advertisements.
What is deverreb[.]com?
deverreb[.]com is one of many similar websites that, once visited, redirects users to other rogue sites or displays dubious content.
Other examples include arberittertwa[.]info, vercallactont[.]com, and butitereventwil[.]info. Typically, users are redirected to these websites by installed potentially unwanted apps (PUAs) or by clicking intrusive ads. PUAs are commonly installed without users' knowledge, cause redirects, collect data, and deliver intrusive advertisements.
What is Exploit?
Exploit belongs to the Paradise ransomware family and was discovered by Amigo-A. The cyber criminals who developed Exploit ransomware use it to extort money from people who have infected computers. This malicious program encrypts data, blocking access to files until a ransom is paid (a decryption tool is purchased from cyber criminals).
Exploit displays a ransom message in a pop-up window and creates another in a text file called "Instructions with your files.txt". It also renames encrypted files by appending the "_ _{support@p-security.li}" string and the ".exploit" extension. For example, "1.jpg" becomes "1.jpg_ _{support@p-security.li}.exploit".
What is GANDCRAB 5.3?
Discovered by Jakub Kroustek, GANDCRAB 5.3 (also known as GANDCRAB V5.3) is high-risk ransomware that belongs to the GANDCRAB malware family. After successful infiltration, GANDCRAB 5.3 encrypts most stored data and appends a random-string extension to filenames.
For example, "sample.jpg" might be renamed to a filename such as "sample.jpg.awqrsj". Additionally, GANDCRAB 5.3 changes the desktop wallpaper and places a text file ("AWQRSJ-MANUAL.txt") in every existing folder.
What is lsass.exe?
lsass.exe (Local Security Authority Subsystem Service) is a legitimate Windows system file that can be found running in Task Manager as Local Security Authority Process. The process is responsible for enforcing the security policy on the operating system.
It manages password changes, validates users logging on to Windows servers or computers and creates access tokens that contain various security credentials. Note, however, that cyber criminals often use the lsass.exe filename or its process name (or a very similar name) to disguise malicious programs.
Therefore, some anti-virus programs detect the genuine lsass.exe file as a threat. Such cases are called 'false positive' detections.