Virus and Spyware Removal Guides, uninstall instructions

What is .Crypto?

.Crypto ransomware was discovered by dnwls0719 and is written in the Go programming language. Like most programs of this type, .Crypto encrypts files, renames them and generates a ransom message. It renames files by adding the victim's ID, filerestory@gmail.com email address and appending the ".Crypto" extension to filenames.

For example, it renames "1.jpg" to "1.jpg.Id-TYSCKVNJ.[filerestory@gmail.com].Crypto", "2.jpg" to "2.jpg.Id-TYSCKVNJ.[filerestory@gmail.com].Crypto", and so on. Instructions about how to contact .Crypto's developers are provided in the "Unlock_Files.txt" text file.

What is LOL (Dharma)?

Discovered by Dnwls0719, LOL (Dharma) is a malicious program belonging to the Dharma ransomware family. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption.

During the encryption process, all compromised files are renamed according to this pattern: original filename, unique ID assigned to the victim, cyber criminals' email address and the ".LOL" extension. For example, a file like "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[Helpsir@rape.lol].LOL" following encryption.

After this process is complete, LOL (Dharma) ransomware creates a ransom message in a pop-up window and "FILES ENCRYPTED.txt" text file.

What is Get Recipes Now?

Get Recipes Now is presented as an application that allows people to access websites providing recipes and recommendations. For example, Food Network and Yummly. In fact, this app promotes a fake search engine (search.hgetrecipesnow.com), changes browser settings, and is categorized as a potentially unwanted application (PUA), a browser hijacker.

What is afunione[.]club?

afunione[.]club is virtually identical to many other rogue websites including, for example, rdsb2[.]club, allmeganews[.]com, and cicort[.]com. When opened, web pages of this type load dubious content or open other untrusted websites.

People often arrive at pages such as afunione[.]club due to potentially unwanted apps (PUAs) that are installed on browsers and/or operating systems. I.e., users do not often visit them intentionally. Note that PUAs promote dubious web pages, display intrusive ads and gather browsing-related information.

What is sLoad?

sLoad (also known as StarsLord) is the name of malicious software that infects operating systems with other malware (e.g., a banking Trojan or ransomware). In this way, sLoad operates as a malware downloader/dropper. Research shows that cyber criminals proliferate sLoad via spam campaigns (emails) - i.e., through malicious documents attached to email messages.

If you believe that sLoad (and its payload) might be installed on the operating system, remove it immediately.

What is world-search.net?

world-search.net is the address of a bogus search engine. Fake web searching tools are usually promoted by rogue software classified as browser hijackers. Music World Search is a browser hijacker known to promote world-search.net. Furthermore, most bogus search engines and browser hijacker record browsing activity.

Browser hijackers are seldom installed intentionally and are, therefore, also classified as Potentially Unwanted Applications (PUAs).

What is Mpal?

Mpal is malicious software belonging to the Djvu ransomware family. It encrypts data and demands payment for decryption. During the encryption process, all affected files are appended with the ".mpal" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.mpal" following encryption.

After this process is complete, a ransom message ("_readme.txt") is created on the desktop. Additionally, Mpal ransomware disables Windows Task Manager.

What is Php ransomware?

Discovered by Jakub Kroustek, Php is a ransomware-type infection from the Dharma malware family. After successful infiltration, Php encrypts most stored files, thereby rendering them unusable.

During encryption, Php appends filenames with the victim's unique ID, developer's email address, and ".php" extension (e.g., "sample.jpg" might be renamed to a filename such as "sample.jpg.id-1E857D00.[back_me@foxmail.com].php").

Once encryption is complete, Php generates a text file ("RETURN FILES.txt") and stores it on the desktop. In addition, Php opens a pop-up window.

What is SocialNewPages?

SocialNewPages is a browser hijacker endorsed as a tool for easy access to various popular social networking/media websites (e.g. Facebook, Twitter, LinkedIn, etc.) in addition to supposedly generating improved search results. In fact, it stealthily modifies web browser settings to promote search.socialnewpagessearch.com (a fake search engine).

Furthermore, SocialNewPages continually records data relating to browsing activity. Due to its dubious proliferation methods, this software is also categorized as a Potentially Unwanted Application (PUA).

What is allmeganews[.]com?

There are many rogue websites similar to allmeganews[.]com. Others examples include rdsb2[.]club, hesterinoc[.]info and cicort[.]com. Usually, these web pages display dubious content or redirect visitors to other untrusted, potentially malicious websites.

Commonly, they are opened by browsers that have potentially unwanted apps (PUAs) installed on them. Therefore, most users do not visit allmeganews[.]com or other, similar sites intentionally.