Virus and Spyware Removal Guides, uninstall instructions

What is rambler.ru?

Developers present rambler.ru as an Internet search engine that supposedly generates improved search results and, therefore, enhances the Internet browsing experience.

Judging on appearance alone, rambler.ru may appear legitimate and useful, however, this site records various user-system information relating to Internet browsing activity. In addition, developers promote this rogue website by employing browser hijackers, which stealthily modify web browser settings without users' permission.

What is Spora?

Spora is a ransomware-type virus distributed via spam emails (malicious attachments). Each rogue email contains an HTA file which, once executed, extracts a Javascript file ("closed.js"), placing it in the system "%Temp%" folder. The Javascript file extracts an executable with a random name and runs it.

The executable then starts to encrypt files using RSA cryptography. Note that, unlike other ransomware-type viruses, Spora does not rename encrypted files. The aforementioned HTA file also extracts a DOCX file. This file is corrupted and, thus, an error will be displayed once opened.

This is being performed to trick victims into believing that the download of email attachments has failed. Following successful encryption, Spora generate a .html and .KEY files (both named using random characters), placing them in all folders that contain encrypted files.

What is UIWIX?

Discovered by Michael Gillespie, UIWIX is a ransomware-type virus that stealthily infiltrates systems and encrypts various data.

In doing so, UIWIX appends filenames with the "._[victim’s id].UIWIX" extension. For example, "sample.jpg" might be renamed to a filename similar to "sample.jpg._2314324924.UIWIX". The virus then creates a text file ("_DECODE_FILES.txt") containing a ransom-demand message.

What is Wcry?

Wcry (also known as WannaCry, Wana Decrypt0r 2.0, WanaDecryptor or WNCRY virus) is a ransomware-type virus discovered by security reasearcher S!Ri. Once infiltrated, Wcry encrypts files using AES-128 cryptography. During encryption, this malware appends filenames with the ".wcry" extension (for example, "sample.jpg" is renamed to "sample.jpg.wcry").

Updated variants of this ransomware use .wncry extension for encrypted files (encrypted .bmp files receive .WNCRYT extension). Following successful encryption, Wcry opens a pop-up window with a ransom-demand message.

What is Searchalgo.com?

Developed by SmartCyberTechnology, the searchalgo.com (or apps.searchalgo.com) browser hijacker employs a deceptive software marketing method called 'bundling' (stealth installation of additional software with the chosen program) to install on browsers without users' consent.

After successful infiltration on Internet Explorer, Google Chrome, and Mozilla Firefox, SearchAlgo modifies browser settings (homepage and default Internet search engine) by assigning them to searchalgo.com.

Furthermore, the software is delivered with several additional applications ('helper objects' - at time of testing, the searcgalgo.com browser hijacker installed SettingsGuard) that prevent users from reverting unwanted browser modifications.

What is mysearch24.com?

According to the developers, mysearch24.com significantly enhances the Internet browsing experience by generating improved search results.

Judging on appearance alone, mysearch24.com may appear legitimate and useful, however, this website is promoted via rogue download/installation set-ups that hijack web browsers and stealthily modify various options. Furthermore, it continually records various information relating to users' Internet browsing activity.

What is hp.myway.com?

Gifables is a deceptive application that falsely claims to provide access to hundreds of various GIF images. On initial inspection, Gifables may appear legitimate and useful, however, this app often infiltrates systems without consent.

In addition, it stealthily modifies web browser settings and continually records information relating to users' Internet browsing activity. For these reasons, Gifables is categorized as a potentially unwanted program (PUP) and a browser hijacker.

What is vCrypt?

Discovered by MalwareHunterTeam, vCrypt is a ransomware-type virus that stealthily infiltrates systems and encrypts various data using RSA-2048 cryptography. During encryption, vCrypt appends filenames with the ".xcrypt", ".bCrypt", ".vCrypt1", or ".aCrypt" extension.

For example, "sample.jpg" is renamed to "sample.jpg.vCrypt1" or "sample.jpg.aCrypt". Following successful encryption, vCrypt creates a text file ("КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt"), placing it in each folder containing encrypted files.

What is yokeline.com?

Developers present yokeline.com as an Internet search engine that generates improved results and, therefore, enhances the browsing experience. Judging on appearance alone, yokeline.com may seem similar to Google, Bing, Yahoo, and other legitimate search engines.

Therefore, many users believe that yokeline.com is also legitimate and useful, however, this website continually records various information relating to browsing activity. In addition, developers promote yokeline.com via rogue download and installation set-ups that hijack browser settings without permission.

What is search.eshield.com?

eShield is a rogue browser add-on that claims to offer protection when searching the Internet.

By using a deceptive software marketing method called 'bundling' (stealth installation of additional programs together with the chosen software), this browser hijacking application installs on Internet browsers (Internet Explorer, Google Chrome, and Mozilla Firefox) without users' consent.

Following successful infiltration, the browser homepage, new tab URL, and default search engine settings are assigned to search.eshield.com. In addition, search.eshield.com installs together with several other applications called 'helper objects'.

These applications prevent users from reverting these changes. search.eshield.com is also distributed using deceptive 'installers' that trick unsuspecting users into installing this rogue application together with the chosen software.