Virus and Spyware Removal Guides, uninstall instructions

What is XData?

Discovered by malware security researcher, S!Ri, XData is a ransomware-type virus that infiltrates systems and encrypts various data using asymmetric cryptography. In doing so, XData appends filenames with the ".~xdata~" extension (for example, "sample.jpg" is renamed to "sample.jpg.~xdata~").

Following successful encryption, the virus creates a text file ("HOW_CAN_I_DECRYPT_MY_FILES.txt"), placing it in each folder containing encrypted files.

What is luckystarting.com?

luckystarting.com is a fake Internet search engine identical to startpageing123.com, mylucky123.com, gosearchitnow.com, and many others. Its appearance barely differs from Bing, Yahoo, Google, and other legitimate search engines. Therefore, many users believe that luckystarting.com is also legitimate and useful.

Be aware, however, that developers promote luckystarting.com via deceptive download/installation set-ups designed to hijack web browsers and modify various settings without permission. In addition, luckystarting.com continually tracks users' Internet browsing activity.

What is Serpent?

Serpent is a ransomware-type virus similar to Hades Locker. The evolution of this ransomware is as follows: Zyklon - WildFire - HadesLocker - Serpent (the latest variant from this family). Cyber criminals spread this ransomware via spam emails (malicious .doc attachments containing macros that infect the system).

Once infiltrated, Serpent encrypts files using AES-256 and RSA-2048 algorithms. This ransomware also appends names of encrypted files with the ".serpent" extension (for example, "sample.jpg" is renamed to "sample.jpg.serpent"). Updated variants of this ransomware use .serp or .srpx extensions for encrypted files.

Following successful encryption, Serpent creates two files ("HOW_TO_DECRYPT_YOUR_FILES_Dn6.txt" and "HOW_TO_DECRYPT_YOUR_FILES_Dn6.html"), placing them in each folder containing encrypted files. (Updated variants of this ransomware use README_TO_RESTORE_FILES[random characters].txt file for ransom instructions). Both files contain an identical ransom-demand message.

What is searches.safehomepage.com?

Searches.safehomepage.com is a popular website that can be used as a homepage and default search engine. The developers employ a deceptive software marketing method called 'bundling' to install this browser hijacker on Internet browsers (Internet Explorer, Google Chrome, and Mozilla Firefox) without users' permission.

Once installed, this app modifies the new tab URL, homepage, and default search engine browser settings by assigning them to searches.safehomepage.com. Furthermore, several small applications called 'helper objects' are installed with this app to prevent users from reverting these changes.

Bundling is stealth installation of third-party software together with regular software, and for this reason, users commonly install this browser hijacker inadvertently during download of free software from freeware download websites.

What is Interstitial Information advertisement?

"Interstitial Information?" is a type of intrusive online advertisement that conceals visited website content. The ads are delivered by potentially unwanted adware-type programs.

By giving fake promises to enhance Internet browsing activity, adware-type applications such as InterYield are designed to give the impression of legitimate software, thereby tricking users to install. After infiltrating the system, however, these applications simply generate intrusive online ads and track users' Internet browsing activity.

What is Stampado?

A ransomware service called Stampado is new malware available on the dark market. This virus is advertised and sold on the 'dark web' - anyone can purchase a lifetime license and proliferate the virus without little effort.

After infiltrating computers, Stampado encrypts various files and appends the name of each encrypted file with the .locked extension. Stampado then opens a ransom-demand window.

What is search.tagadin.com?

search.tagadin.com is presented as an Internet search engine that significantly enhances the Internet browsing experience by generating improved results.

Judging on appearance alone, search.tagadin.com may appear legitimate and useful, however, developers promote this website via rogue download/installation set-ups designed to modify browser settings without permission. Furthermore, this website continually records various information relating to users' Internet browsing activity.

What is May?

May is a ransomware-type virus discovered by MalwareHunterTeam. Once infiltrated, May encrypts various data using AES-256 and RSA-4096 encryption algorithms and appends filenames with the ".locked" extension (for example, "sample.jpg" is renamed to "sample.jpg.locked").

May then creates a text file ("Restore_your_files.txt") containing a ransom-demand message and places it in each folder containing encrypted files.

What is weather-genie.com?

According to the developers, weather-genie.com is a 'high-experience' Internet search engine that significantly enhances the browsing experience by generating improved results. Judging on appearance alone, weather-genie.com may appear legitimate and useful, however, this website is promoted via a rogue application called WeatherGenie.

By falsely claiming to provide local weather forecasts, WeatherGenie attempts to give the impression of legitimacy.

In fact, it is categorized as a potentially unwanted program (PUP) and a browser hijacker. There are three main reasons for these negative associations: 1) stealth installation without consent; 2) modification of web browser settings, and; 3) tracking of users' Internet browsing activity.

What kind of malware is ONYONLOCK?

ONYONLOCK is a new variant of a ransomware-type virus called BTCWare. This virus was discovered by security researcher, MalwareHunterTeam. Following successful infiltration, ONYONLOCK encrypts various data stored on victims' computers.

Furthermore, it appends the ".onyon" extension to the name of each encrypted file (for example, "sample.jpg" is renamed to "sample.jpg.onyon"). Once files are encrypted, ONYONLOCK creates a text file ("!#_DECRYPT_#!.inf"), placing it in each folder containing encrypted files.