Virus and Spyware Removal Guides, uninstall instructions
What is Aieou ransomware?
Discovered by malware researcher S!Ri, Aieou is a malicious program categorized as ransomware. Systems infected with this ransomware have their data encrypted, and ransom demands are made for decryption. During the encryption process, files are appended with the ".aieou" extension.
For example, a file originally named something like "1.jpg" would appear as "1.jpg.aieou", and so on for all affected files. Once this process is complete, ransom-demand messages in "README.txt" files are dropped into compromised folders.
What is Update_3239?
Update_3239 is adware that is designed to serve advertisements, change certain browser settings (to promote a fake search engine), and collect sensitive information. In this way, Update_3239 functions as adware and a browser hijacker.
Users do not generally download or install these apps intentionally and, for this reason, Update_3239 is categorized as a potentially unwanted application (PUA). Developers distribute this app with another PUA called OriginalEngineSearch, which is distributed via a fake installer for Adobe Flash Player.
What is Lalaland ransomware?
Discovered by xiaopao, Lalaland is a new variant of VoidCrypt ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption tools/software.
During the encryption process, all affected files are renamed following this pattern: original filename, cyber criminals' email address, unique ID assigned to the victims and the ".lalaland" extension. For example, a file like "1.jpg" would appear as something similar to "1.jpg.[recover10@tutanota.com][JT1GILC9F526M43].lalaland" following encryption.
After this process is complete, ransom messages within "!INFO.HTA" files are dropped into compromised folders.
What is Exploit?
Discovered by xiaopao, Exploit is a ransomware-type program belonging to the VoidCrypt ransomware family. Exploit encrypts files, changes the filename of each encrypted file and creates the "!INFO.HTA" file, which is designed to create and display a ransom message.
It creates this file in all folders that contain encrypted files. Exploit renames files by adding the alix1011@mailfence.com email address and victim's ID, and appending the ".exploit" extension.
For example, "1.jpg" is renamed to "1.jpg.[alix1011@mailfence.com][V039OS21D4NYFXU].exploit", "2.jpg" to "2.jpg.[alix1011@mailfence.com][V039OS21D4NYFXU].exploit", and so on.
What is BNFD?
BNFD belongs to the Matrix ransomware family. It prevents victims from accessing/using their files by encrypting them and creates a ransom message (within the "BNFD_README.rtf" file) with instructions about how to contact the developers regarding decryption of files.
BNFD also renames files by replacing their filenames with the Benford333@criptext.com email address and a string of random characters, and appending ".BNFD" as the extension.
For example, "1.jpg" is renamed to "[Benford333@criptext.com].SbWbBnkT-4QQddgbX.BNFD", "2.jpg" to "[Benford333@criptext.com].DnQnVmjL-5HHkkloZ.BNFD", and so on.
What is Osx Uninstaller?
Osx Uninstaller is untrusted software, endorsed as a tool to optimize and carry out effective application uninstall processes. However, due to the dubious techniques used to proliferate Osx Uninstaller, it is classified as a Potentially Unwanted Application (PUA).
Software within this classification is typically nonoperational (i.e. the advertised features do not work) and can also have undisclosed dangerous capabilities.
What is DirectStreamSearch?
Like most browser hijackers, after installation DirectStreamSearch changes certain browser settings to the address of a fake search engine. In this case, it assigns them to directstreamsearch.com. It is very likely that DirectStreamSearch will also collect information relating to users' browsing activities.
Typically, users download and install browser hijackers inadvertently and, for this reason, they are classified as potentially unwanted applications (PUAs).
What is Ahmed Minegames ransomware?
Discovered by malware researcher S!Ri, Ahmed Minegames is a ransomware-type program. This ransomware encrypts data and displays a pop-up window, demanding a password to decrypt files. Typically, malicious programs of this type rename the compromised files; however, this is not the case with Ahmed Minegames (hence, filenames remain unchanged).
Additionally, the main purpose of ransomware is to encrypt data and/or lock the device's screen in order to demand ransom payments for decryption and to restore access. Ahmed Minegames is decryptable ransomware - the recovery password is "minegames321" (without quotation marks).
What is .docm ransomware?
.docm ransomware is designed to encrypt files, modify their filenames, create the "README_RECOVERY.txt" text file and change the desktop wallpaper. It renames encrypted files by appending the ".docm" extension, which is a legitimate file extension used in Microsoft Word.
For example, "1.jpg" is renamed to "1.jpg.docm", "2.jpg" to "2.jpg.docm", and so on. The ransomware creates the "README_RECOVERY.txt" file in all folders that contain encrypted files. This text file and the desktop wallpaper are the ransom messages with instructions about how to contact the cyber criminals and pay the ransom.
What is Jdyi ransomware?
Jdyi is a malicious program belonging to the Djvu ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools/keys. During the encryption process, all affected files are appended with the ".jdyi" extension.
For example, a file originally named something like "1.jpg" would appear as "1.jpg.jdyi", "2.jpg" as "2.jpg.jdyi", "3.jpg" as "3.jpg.jdyi", and so on. After this process is complete, ransom messages in "_readme.txt" files are dropped into compromised folders.