Virus and Spyware Removal Guides, uninstall instructions
What kind of malware is Rrbb?
Rrbb is the name of ransomware that our team has discovered during the analysis of malware samples submitted to VirusTotal. We found that Rrbb belongs to a ransomware family called Djvu. It encrypts files, appends the ".rrbb" extension to filenames, and provides a ransom note (in the "_readme.txt" file).
An example of how Rrbb modifies filenames: it renames "1.jpg" to "1.jpg.rrbb", "2.png" to "2.png.rrbb", "3.exe" to "3.exe.rrbb".
What kind of malware is Rryy?
We have discovered new ransomware belonging to the Djvu family while analyzing the samples submitted to VirusTotal. It is called Rryy. This ransomware encrypts files, appends its extension (".rryy") to filenames, and generates a text file ("_readme.txt") containing a ransom note.
An example of how Rryy renames files: it changes "1.jpg" to "1.jpg.rryy", "2.png" to "2.png.rryy", and so forth.
What kind of page is advnottech[.]com?
Advnottech[.]com is a rogue webpage that operates by pushing browser notification spam and redirecting visitors to other (likely untrustworthy/malicious) sites.
Our researchers discovered this page while inspecting websites that use rogue advertising networks. Most users access advnottech[.]com (and similar pages) via the aforementioned sites; however, it could also be entered through redirects caused by mistyped URLs, spam browser notifications, intrusive ads, or installed adware.
What kind of page is updatenotification[.]xyz?
Our research team found the updatenotification[.]xyz rogue page during a routine inspection of untrustworthy sites. It is designed to promote deceptive content (scams), push browser notification spam, and redirect visitors to different (likely unreliable/malicious) webpages. At the time of research, updatenotification[.]xyz ran the "McAfee - Your PC is infected with 5 viruses!" scam.
Most users access sites like updatenotification[.]xyz via redirects caused by webpages using rogue advertising networks.
What kind of scam is "Servicio De Administración Tributaria"?
Our team has examined this email and learned that it is part of a phishing campaign. Scammers behind it attempt to trick recipients into providing sensitive information via the provided website. The email is disguised as a letter from the Ministry of Finance of Spain. It is written in the Spanish language.
What kind of malware is ZareuS?
ZareuS is ransomware that encrypts files and appends the ".ZareuS" extension to filenames. We discovered this ransomware on the VirusTotal page (while checking the page for recently submitted samples). ZareuS provides contact and payment instructions in its ransom note, a text file named "HELP_DECRYPT_YOUR_FILES.txt".
An example of how ZareuS modifies filenames: it renames "1.jpg" to "1.jpg.ZareuS", "2.png" to "2.png.ZareuS", and so forth.
What is ElementForce?
While inspecting new submissions to VirusTotal, our research team discovered the ElementForce application. After analyzing this piece of software, we learned that it is adware belonging to the AdLoad malware family.
What is BasicTransaction?
BasicTransaction is the name of a rogue application that we found while inspecting new submissions to VirusTotal. Our analysis of this app revealed that it operates as advertising-supported software (adware) and belongs to the AdLoad malware family.
What is Moonshadow ransomware?
While inspecting new malware submissions to VirusTotal, our researchers discovered the Moonshadow ransomware. We determined that this malicious program is part of the VoidCrypt ransomware family.
After we launched a sample of Moonshadow on our test system, it encrypted files and altered their names. Original filenames were appended with a unique ID, the cyber criminals' email address, and a ".moonshadow" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.moonshadow", "2.png" as "2.png.moonshadow", etc.
Once the encryption process was completed, Moonshadow ransomware created/displayed a pop-up window ("Decryption-Guide.HTA") and a text file ("Decryption-Guide.txt") that contained identical ransom notes.
What kind of malware is FIXED?
Our team discovered FIXED while inspecting malware samples submitted to the VirusTotal page. We found that FIXED is ransomware that encrypts files and appends the ".FIXED" extension to filenames. For example, it renames "1.jpg" to "1.jpg.FIXED", "2.png" to "2.png.FIXED", and so forth. FIXED also creates the "Info.hta" file containing a ransom note.