Virus and Spyware Removal Guides, uninstall instructions

What is AES-NI?

AES-NI (full name "AES-NI Ransomware SPECIAL VERSION: NSA EXPLOIT EDITION", named after the recent NSA exploit kit leak) is a ransomware-type virus that stealthily infiltrates systems and encrypts files using AES-256 and RSA-2048 cryptoraphies.

During encryption, AES-NI appends filenames with the ".aes_ni_0day" extension (previous variants of this ransomware appended ".aes_ni"). For example, "sample.jpg" is renamed to "sample.jpg.aes_ni_0day". Following successful encryption, AES-NI creates a text file ("!!! READ THIS - IMPORTANT !!! txt") containing a ransom-demand message, placing it on the desktop.

What is ATLAS?

First discovered by malware security researcher Marcelo Rivero, ATLAS is an updated version of CHIP ransomware. Following successful infiltration, ATLAS encrypts files using RSA cryptography.

During encryption, this malware appends the ".ATLAS" extension to the name of each compromised file (for example, "sample.jpg" is renamed to "sample.jpg.ATLAS"). ATLAS then creates a text file ("ATLAS_FILES.txt"), placing it on the desktop.

What is Cradle?

Cradle is a ransomware-type virus discovered by malware security researcher, Michael Gillespie. Once infiltrated, Cradle encrypts various files and appends the ".cradle" extension to the name of each encrypted file. For instance, "sample.jpg" is renamed to "sample.jpg.cradle".

Following successful encryption, Cradle creates an HTML file ("_HOW_TO_UNLOCK_FILES_.html") containing a ransom-demand message, and places it on the desktop. Note also that, in dark forums, Cradle is offered as a RaaS (Ransomware as a Service).

What is Philadelphia?

Philadelphia is an updated version of the Stampado ransomware-type virus. It is distributed via phishing email messages that contain a fake overdue payment notice. These messages, however, often include links to Philadelphia's websites, which contain a Java application that downloads the ransomware.

Following successful infiltration, Philadelphia encrypts various files (for example, .7z, .avi, .bmp, .doc, etc.) stored on the victim's computer. During encryption, Philadelphia changes names of encrypted files to a number of random characters and appends the ".locked" extension.

For example, the encrypted file "sample.jpg" might be renamed to something similar to "HJG234B23JKHLK1J32KL1J3LKJOI.locked". Following successful encryption, Philadelphia opens a window that contains a ransom-demand message (LOCKED.txt).

What is MyStart.com?

The MyStart toolbar browser add-on is developed by Visicom Media. This browser toolbar can be downloaded from its homepage, however, it is often 'bundled' with free software downloaded from the Internet. At time of research, this potentially unwanted application was also bundled with fake downloads such as Java, Flash, and browser updates.

Bundling in this manner is a commonly-used and deceptive software marketing method. When installed on users' computers, this toolbar assigns the browser homepage and default search engine settings to mystart.com This website alone is not related to malware or virus infections, however, creators of this toolbar have full control over the software, and thus, are capable of redirecting users to malicious websites at any time.

What is home.dimakadima.com?

home.dimakadima.com is presented as an Internet search engine that supposedly enhances the browsing experience by generating improved results and by providing quick access to various popular websites.

Judging on appearance alone, home.dimakadima.com may seem legitimate and useful, however, this rogue website continually records information relating to users' browsing activity. Furthermore, developers promote it via a deceptive browser-hijacking application called Dima Kadima, which supposedly allows users to solve various quizzes.

What is iconssliding.com?

iconssliding.com is a fake search engine that falsely claims to generate improved search results. Judging on the appearance, iconssliding.com may seem legitimate and useful, however, this site is promoted via deceptive downloaders/installers that hijack web browsers and modify various options without permission.

In addition, this rogue website continually gathers various information relating to users' Internet browsing activity.

What is Net Surf?

Net Surf is a rogue application that supposedly saves time and money by providing coupons and notifications of special deals/discounts available on various e-shops. This functionality may appear legitimate and useful, however, Net Surf is categorized as a potentially unwanted program (PUP) and adware.

There are three main reasons for these negative associations: 1) stealth installation without consent; 2) display of intrusive online advertisements, and; 3) tracking of users' Internet browsing activity.

What is MSIL?

MSIL is a ransomware-type virus written in Microsoft Intermediate Language. This malware was first discovered by malware security researcher, SecPanda.

Once infiltrated, the virus encrypts various files and appends associated filenames with the ".ransom" extension (for example, "sample.jpg" is renamed to "sample.jpg.ransom"). MSIL then creates two text files ("README_TO_DECRYPT_FILES.txt" and "README_TO_DECRYPT_FILES.html"), placing them in each folder containing encrypted files.

What is Navigate Pro?

According to the developers, Navigate Pro saves time and money by providing coupons and notifications of special deals/discounts available on various online stores. Initially, this functionality may seem legitimate and useful, however, Navigate Pro often infiltrates systems without consent.

Furthermore, it delivers intrusive online advertisements and continually records various user-system information. For these reasons, Navigate Pro is categorized as a potentially unwanted program (PUP) and adware.