Virus and Spyware Removal Guides, uninstall instructions

What is quickstart.ninja?

According to the developers, quickstart.ninja significantly enhances the Internet browsing experience by generating improved search results.

These claims often trick users into believing that quickstart.ninja is legitimate and useful, however, this site gathers various information relating to Internet browsing activity. In addition, developers promote it by employing rogue downloaders/installers designed to modify web browser options without permission.

What is betterfind.me?

Developers present betterfind.me as an improved Internet search engine that supposedly enhances the browsing experience by generating improved results.

Judging on appearance alone, betterfind.me may seem legitimate and useful, however, developers promote this site by employing various download/installation set-ups that modify web browser settings without permission. Furthermore, betterfind.me continually records information relating to users' Internet browsing activity.

What is maxwebsearch.com?

Maxwebsearch.com is a search engine which is distributed through a potentially unwanted application (PUA), a browser hijacker. Typically, apps of this type promote fake search engines.

They promote them by changing certain browser's settings. It is common that browser hijackers not only modify settings but also collect browsing-related and/or other data. Also, in most cases users download and install such apps unknowingly.

What is Zyklon?

Zyklon is ransomware that infiltrates victims' computers and encrypts various files using AES 256 - an asymmetric encryption algorithm, which generates two keys (public to encrypt and private to decrypt). It is impossible to restore encrypted files without the private key and, therefore, developers demand a ransom payment in exchange for this key.

Note that this ransomware appends the name of each encrypted file with the .zyklon extension, making it straightforward to determine which files are compromised.

What is Shifr?

Shifr is a ransomware-type virus written in the Google Go programming language. This malware was first discovered by MalwareHunterTeam.

Once infiltrated, Shifr encrypts various files and appends the ".shifr" extension to the name of each encrypted file (for example, "sample.jpg" is renamed to "sample.jpg.shifr"). After successfully encrypting data, Shifr creates an HTML file ("HOW_TO_DECRYPT_FILES.html"), placing it in each folder containing encrypted files.

What is AES-NI?

AES-NI (full name "AES-NI Ransomware SPECIAL VERSION: NSA EXPLOIT EDITION", named after the recent NSA exploit kit leak) is a ransomware-type virus that stealthily infiltrates systems and encrypts files using AES-256 and RSA-2048 cryptoraphies.

During encryption, AES-NI appends filenames with the ".aes_ni_0day" extension (previous variants of this ransomware appended ".aes_ni"). For example, "sample.jpg" is renamed to "sample.jpg.aes_ni_0day". Following successful encryption, AES-NI creates a text file ("!!! READ THIS - IMPORTANT !!! txt") containing a ransom-demand message, placing it on the desktop.

What is ATLAS?

First discovered by malware security researcher Marcelo Rivero, ATLAS is an updated version of CHIP ransomware. Following successful infiltration, ATLAS encrypts files using RSA cryptography.

During encryption, this malware appends the ".ATLAS" extension to the name of each compromised file (for example, "sample.jpg" is renamed to "sample.jpg.ATLAS"). ATLAS then creates a text file ("ATLAS_FILES.txt"), placing it on the desktop.

What is Cradle?

Cradle is a ransomware-type virus discovered by malware security researcher, Michael Gillespie. Once infiltrated, Cradle encrypts various files and appends the ".cradle" extension to the name of each encrypted file. For instance, "sample.jpg" is renamed to "sample.jpg.cradle".

Following successful encryption, Cradle creates an HTML file ("_HOW_TO_UNLOCK_FILES_.html") containing a ransom-demand message, and places it on the desktop. Note also that, in dark forums, Cradle is offered as a RaaS (Ransomware as a Service).

What is Philadelphia?

Philadelphia is an updated version of the Stampado ransomware-type virus. It is distributed via phishing email messages that contain a fake overdue payment notice. These messages, however, often include links to Philadelphia's websites, which contain a Java application that downloads the ransomware.

Following successful infiltration, Philadelphia encrypts various files (for example, .7z, .avi, .bmp, .doc, etc.) stored on the victim's computer. During encryption, Philadelphia changes names of encrypted files to a number of random characters and appends the ".locked" extension.

For example, the encrypted file "sample.jpg" might be renamed to something similar to "HJG234B23JKHLK1J32KL1J3LKJOI.locked". Following successful encryption, Philadelphia opens a window that contains a ransom-demand message (LOCKED.txt).

What is MyStart.com?

The MyStart toolbar browser add-on is developed by Visicom Media. This browser toolbar can be downloaded from its homepage, however, it is often 'bundled' with free software downloaded from the Internet. At time of research, this potentially unwanted application was also bundled with fake downloads such as Java, Flash, and browser updates.

Bundling in this manner is a commonly-used and deceptive software marketing method. When installed on users' computers, this toolbar assigns the browser homepage and default search engine settings to mystart.com This website alone is not related to malware or virus infections, however, creators of this toolbar have full control over the software, and thus, are capable of redirecting users to malicious websites at any time.