Virus and Spyware Removal Guides, uninstall instructions

What is Go?

Go is newly-discovered ransomware that infiltrates systems and encrypts files using AES cryptography. This malware is named after Go - a programming language used to design it. This is the first time a ransomware-type virus is seen in this programming language - most are written using C#, C++, and other professional object-oriented programming languages.

During encryption, Go renames all compromised files by generating a series of random characters and appending the ".enc" extension. For instance, an encrypted file might be renamed to "FBdfg8JKsdg2l11!km.enc", which makes it impossible to identify the original files.

Following successful encryption, Go creates an "Instructions.html" file and places it in each folder containing encrypted files.

What is Exotic?

Exotic is ransomware that encrypts and renames files using the "[several_random_characters].exotic" pattern. For instance, "sample.jpg" is renamed to "78!bk).exotic". Once files are encrypted, Exotic opens a pop-up message informing victims of the infection. A window is then displayed containing a ransom-demand message.

What is Windows Defender has detected Critically Corrupted File System!?

"Windows Defender has detected Critically Corrupted File System!" is a fake error message distributed using various adware-type applications.

This error locks the computer screen and claims that Windows Defender has detected corrupted files. Adware-type applications often infiltrate systems during installation of other programs. Furthermore, these apps continually gather various user/system information, cause unwanted browser redirects, and deliver intrusive online advertisements.

What is TVPlusNewtab?

TVPlusNewtab is a browser hijacker, endorsed as a tool for easy access to movie trailers, TV series and celebrity content. It is also supposedly capable of allowing users to quickly view PDF documents. TVPlusNewtab operates by making modifications to browser settings in order to promote search.tvplusnewtabsearch.com - a fake search engine.

Additionally, this browser hijacker has data tracking abilities, which are used to record information relating to users' Internet browsing activity. Since most users install TVPlusNewtab inadvertently, it is also considered to be a PUA (Potentially Unwanted Application).

What is Ncrypt?

Ncrypt is a ransomware-type malware designed to encrypt victims' files. It was first discovered by a security researcher Michael Gillespie. 

During encryption, this malware appends a ".NCRYPT" extension to the name of each file. For instance, "sample.jpg" is renamed to "sample.jpg.NCRYPT". After encryption, Ncrypt creates a "_FILE_RETRIEVAL_INFORMATION.html" file (placed on the desktop) containing a ransom-demand message.

What is CryptoLocker 5.1?

CryptoLocker 5.1 is newly-discovered ransomware claiming to be the CryptoLocker virus. It is based on Hidden Tear - an open-source ransomware project. Following system infiltration, CryptoLocker 5.1 encrypts files using RSA-2048 cryptography and appends a ".locked" extension to the name of each encrypted file.

For example, "sample.jpg" is renamed to "sample.jpg.locked". Most ransomware appends unique extensions, however, recently, the ".locked" extension is popular amongst these viruses. Following encryption, CryptoLocker 5.1 opens a pop-up window and creates a "LEGGI.txt" file, placing it on the desktop. Both contain ransom-demand messages.

What is FunSafeTab?

FunSafeTab is a browser hijacker, endorsed as a tool to increase user security when browsing. It operates by modifying web browser settings in order to promote search.funsafetabsearch.com - a fake search engine. Search.funsafetabsearch.com may appear legitimate and useful, however it is unable to provide search results.

Additionally, FunSafeTab tracks data, specifically information relating to Internet browsing activity. Due to its dubious proliferation methods, FunSafeTab is also considered to an unwanted application.

What is APT ransomware?

APT Ransomware v2.0 is a ransomware-type virus designed to encrypt files using RSA-4096 cryptography. This ransomware is based on a Hidden Tear project (so-called 'educational ransomware' that was released as Open Source in August 2015). APT appends a ".dll" extension to the name of each encrypted file.

For example, "sample.jpg" would be renamed to "sample.jpg.dll". In fact, ".dll" files are used by MS Windows (read more).

Therefore, we assume that by adding this extension to regular files, APT's developers attempt to confuse victims. Once the encryption is finished, APT creates a "DECRYPT_YOUR_FILES.html" file and places it in each folder that contains encrypted files.

What is Enigma ransomware?

Enigma is a ransomware-type virus that encrypts files using AES-128 cryptography. During encryption, Enigma appends a ".1txt" extension to the name of each encrypted file (a previous version of Enigma appended the ".enigma" extension). For example, "sample.jpg" is renamed to "sample.jpg.1txt".

Once the files are encrypted, Enigma opens a pop-up window and creates a text file ("enigma_info.txt", previously "E_N_I_G_M_A.txt" and "enigma_encr.txt"). Both contain an identical ransom-demanding message.

Be aware that this ransomware is not related to or affiliated with any legitimate company whose name has the word "Enigma" in it.

What is login.hhtxnet.com?

login.hhtxnet.com is a rogue website claiming to be a legitimate Internet search engine. Developers promote this site via malicious javascript files that stealthily modify web browser settings without users' consent. Furthermore, login.hhtxnet.com continually gathers information relating to Internet browsing activity.