Virus and Spyware Removal Guides, uninstall instructions
What is CryptoViki?
CryptoViki is a ransomware-type virus discovered by malware security researcher Marcelo Rivero. Once it has infiltrated a system, CryptoViki encrypts various data and appends the ".viki" extension to the names of all compromised files. For instance, "sample.jpg" is renamed to "sample.jpg.viki".
Following successful encryption, CryptoViki changes the desktop wallpaper and creates a text file ("readme.txt"), placing it in each folder containing encrypted files.
What is ShareWithUs?
ShareWithUs is a deceptive application that stealthily infiltrates systems during installation of other programs (the "bundling" method).
Following infiltration, this app generates various intrusive online advertisements and continually records information relating to users' Internet browsing activity. For these reasons, ShareWithUs is categorized as adware and a potentially unwanted program (PUP).
What is GruxEx?
GruxEx is a copy of an open-source ransomware project called Hidden Tear. Once it has infiltrated a system, GruxEx employs AES cryptography to encrypt various files. During encryption, this ransomware appends the ".grux" extension to the name of each encrypted file.
For instance, "sample.jpg" is renamed to "sample.jpg.grux". Following successful encryption, GruxEx opens a pop-up window containing a ransom-demand message.
What is DarkoderCrypt0r?
Discovered by security researcher Lawrence Abrams, DarkoderCrypt0r is a copy of a ransomware-type virus called Wcry (WannaCry). Once it has infiltrated a system, DarkoderCrypt0r encrypts various data and appends the ".DARKCRY" extension to the name of each encrypted file (for example, "sample.jpg" is renamed to "sample.jpg.DARKCRY").
Following successful encryption, DarkoderCrypt0r opens a pop-up window with a ransom-demand message. Note that this ransomware is still under development and, thus, currently only encrypts files stored on the desktop.
What is Your Windows Computer Has Been Blocked?
"Your Windows Computer Has Been Blocked" is a fake error message displayed by a malicious website. Users are redirected to this site by potentially unwanted adware-type programs (PUPs). These apps often infiltrate systems without users' consent. In addition, they collect personally identifiable information and deliver intrusive online advertisements.
What is rambler.ru?
Developers present rambler.ru as an Internet search engine that supposedly generates improved search results and, therefore, enhances the Internet browsing experience.
Judging by appearance alone, rambler.ru may seem legitimate and useful. However, this site records various user-system information relating to Internet browsing activity. In addition, developers promote this rogue website by employing browser hijackers, which stealthily modify web browser settings without users' permission.
What is Spora?
Spora is a ransomware-type virus distributed via spam emails (malicious attachments). Each rogue email contains an HTA file which, once executed, extracts a JavaScript file ("closed.js"), placing it in the system "%Temp%" folder. The JavaScript file extracts an executable with a random name and runs it.
The executable then starts to encrypt files using RSA cryptography. Note that, unlike other ransomware-type viruses, Spora does not rename encrypted files. The aforementioned HTA file also extracts a DOCX file. This file is corrupted and, thus, an error will be displayed once opened.
This is done to trick victims into believing that the download of email attachments has failed. Following successful encryption, Spora generates .html and .KEY files (both named using random characters), placing them in all folders that contain encrypted files.
What is UIWIX?
Discovered by Michael Gillespie, UIWIX is a ransomware-type virus that stealthily infiltrates systems and encrypts various data.
In doing so, UIWIX appends the "._[victim’s id].UIWIX" extension to filenames. For example, "sample.jpg" might be renamed to a filename similar to "sample.jpg._2314324924.UIWIX". The virus then creates a text file ("_DECODE_FILES.txt") containing a ransom-demand message.
What is Wcry?
Wcry (also known as WannaCry, Wana Decrypt0r 2.0, WanaDecryptor or WNCRY virus) is a ransomware-type virus discovered by security researcher S!Ri. Once it has infiltrated a system, Wcry encrypts files using AES-128 cryptography. During encryption, this malware appends the ".wcry" extension to filenames (for example, "sample.jpg" is renamed to "sample.jpg.wcry").
Updated variants of this ransomware use the .wncry extension for encrypted files (encrypted .bmp files receive the .WNCRYT extension). Following successful encryption, Wcry opens a pop-up window with a ransom-demand message.
What is Searchalgo.com?
Developed by SmartCyberTechnology, the searchalgo.com (or apps.searchalgo.com) browser hijacker employs a deceptive software marketing method called 'bundling' (stealth installation of additional software with the chosen program) to install on browsers without users' consent.
After successful infiltration on Internet Explorer, Google Chrome, and Mozilla Firefox, SearchAlgo modifies browser settings (homepage and default Internet search engine) by assigning them to searchalgo.com.
Furthermore, the software is delivered with several additional applications ('helper objects' - at the time of testing, the searchalgo.com browser hijacker installed SettingsGuard) that prevent users from reverting unwanted browser modifications.