Virus and Spyware Removal Guides, uninstall instructions

What is NetWalker?

NetWalker is an updated variant of Mailto ransomware. Systems infected with this malware suffer data encryption and users receive ransom demands for decryption tools/software. During the encryption process, all compromised files are appended with a random character string extension.

For example, a file originally named "1.jpg" could appear as something similar to "1.jpg.3289cf" following encryption. After this process is complete, a ransom message ("[random-string]-Readme.txt") is dropped into every affected folder.

What is Oled?

Oled ransomware was discovered by S!Ri. Typically, software of this type encrypts files, renames them and creates ransom messages. Oled renames encrypted files by adding the victim's ID and developer's email address, and appending the ".oled" extension to filenames.

For example, it might rename "1.jpg" to a filename such as "1.jpg.[EF7BE7BC].[oled@airmail.cc].oled", and so on. Oled also creates a ransom message within a text file named "readme-warning.txt".

What is OFFWHITE ransomware?

Discovered by dnwls0719, OFFWHITE is a part of the Nefilim ransomware family. Software of this type is designed encrypt data, rename encrypted files and create and/or display ransom messages. OFFWHITE renames encrypted files by appending the ".OFFWHITE" extension to filenames.

For example, it changes "1.jpg" to "1.jpg.OFFWHITE", "2.jpg" to "2.jpg.OFFWHITE", and so on. It also creates a ransom message within a text file named "OFFWHITE-MANUAL.txt".

What is Manuals Aid?

Manuals Aid is rogue software categorized as a browser hijacker. It is endorsed as a tool for easy access to various product and brand manuals, however, Manuals Aid modifies browsers and promotes manualsaid.com (a bogus search engine).

Additionally, this browser hijacker has data tracking capabilities, which are used to gather sensitive information derived from users' browsing activity. Since most people install Manuals Aid unintentionally, it is also classified as a Potentially Unwanted Application (PUA).

What is ZorgoCry?

ZorgoCry is ransomware which was discovered by Amigo-A. It encrypts victims' files, renames them by appending a new extension, changes the desktop wallpaper and creates a ransom message. ZorgoCry appends the ".projectzorgo" extension to filenames.

For example, it would rename a file called "1.jpg" to "1.jpg.projectzorgo", "2.jpg" to "2.jpg.projectzorgo", etc. A ransom message is generated within a text file ("READ_ME.txt"), which ZorgoCry stores in every folder that contains encrypted files.

What is MusiCalm?

MusiCalm is a rogue application categorized as adware. It operates by running intrusive advertisement campaigns. Therefore, it delivers various unwanted and possibly harmful ads. Furthermore, most adware programs possess data tracking capabilities employed to monitor users' browsing habits, and it is highly likely that this app has such capabilities.

Due to MusiCalm's dubious proliferation methods, it is also classified as a Potentially Unwanted Application (PUA). It has been observed being distributed via illegal software activation tools ("cracks"), which are commonly used to proliferate malware as well (e.g. Trojans, ransomware, etc.).

What is Paymen45?

Paymen45 is malicious software that is part of the Everbe ransomware family. This malware encrypts data and demands ransom payments for decryption. During the encryption process, all files are appended with the ".g8R4rqWIp9" extension. For example, a file such as "1.jpg" would appear as "1.jpg.g8R4rqWIp9" following decryption.

Once this process is complete, a ransom message ("readme.txt") is dropped into compromised folders.

What is hastopnet.com?

hastopnet[.]com is a deceptive website designed to promote potentially unwanted applications (PUAs). Like many other web pages of this kind, hastopnet[.]com claims that the visitor's device is infected with viruses and encourages them to remove the issue with a PUA (which it offers to download and install).

Another variant of hastopnet[.]com claims that, by installing a PUA, the visitor is able to continue watching a video. Note that applications should never be downloaded via hastopnet[.]com or similar web pages.

What is .Crypto?

.Crypto ransomware was discovered by dnwls0719 and is written in the Go programming language. Like most programs of this type, .Crypto encrypts files, renames them and generates a ransom message. It renames files by adding the victim's ID, filerestory@gmail.com email address and appending the ".Crypto" extension to filenames.

For example, it renames "1.jpg" to "1.jpg.Id-TYSCKVNJ.[filerestory@gmail.com].Crypto", "2.jpg" to "2.jpg.Id-TYSCKVNJ.[filerestory@gmail.com].Crypto", and so on. Instructions about how to contact .Crypto's developers are provided in the "Unlock_Files.txt" text file.

What is LOL (Dharma)?

Discovered by Dnwls0719, LOL (Dharma) is a malicious program belonging to the Dharma ransomware family. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption.

During the encryption process, all compromised files are renamed according to this pattern: original filename, unique ID assigned to the victim, cyber criminals' email address and the ".LOL" extension. For example, a file like "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[Helpsir@rape.lol].LOL" following encryption.

After this process is complete, LOL (Dharma) ransomware creates a ransom message in a pop-up window and "FILES ENCRYPTED.txt" text file.