Virus and Spyware Removal Guides, uninstall instructions

What is HappyLocker?

HappyLocker is file-encryption ransomware based on Hidden Tear - an open-source ransomware project. Cyber criminals promote HappyLocker via "Instant Satoshi BOT" - a malicious application that supposedly rewards users in Bitcoins for completing various 'captchas'.

Following infiltration, HappyLocker encrypts files and appends the ".happy" extension to filenames (e.g., "sample.jpg" is renamed to "sample.jpg.happy"). Following successful encryption, HappyLocker creates a .txt ("READDDDDDD.txt") and .bmp ("READ.bmp", set as the desktop wallpaper) file, and places them on the desktop.

What kind of malware is AiraCrop?

AiraCrop is ransomware-type malware that encrypts files using asymmetric cryptography. AiraCrop append the names of encrypted files with the "._AiraCropEncrypted!" extension (some AiraCrop variants append ".airacropencrypted!").

For example, "sample.jpg" is renamed to "sample.jpg._AiraCropEncrypted!" Following successful encryption, AiraCrop creates a text file ("How to decrypt your files.txt") containing a ransom-demand message, and places it on the desktop.

Newer variants of this ransomware add HOW_TO_DECRYPT_YOUR_FILES.HTML instead of the .txt file for ransom demanding instructions.

What is WickedLocker?

WickedLocker is a file-encryption virus based on Hidden Tear - an open-source ransomware project. Following successful infiltration, WickedLocker encrypts files and file names with the ".locked" extension (e.g., "sample.jpg" is renamed to "sample.jpg.locked").

Following encryption, WickedLocker opens a pop-up window and creates a text file associated with each encrypted file. These text files are named after the encrypted files (e.g., "READ_IT_sample.txt").

What is PaySafeGen?

PaySafeGen is file encryption malware presented as a hacking tool, which supposedly generates genuine PaySafeCard codes free of charge. In fact, these claims are false. When executed, PaySafeGen encrypts various files stored on the system. During encryption, PaySafeGen appends the ".cry_" extension to the name of each encrypted file.

For instance, "sample.jpg" is renamed to "sample.jpg.cry_". After file encryption, PaySafeGen changes the desktop wallpaper and displays a pop-up window. Both contain a ransom-demand message.

What is Telecrypt?

Telecrypt is file encryption ransomware written in the Delphi (programming language) and, therefore, the virus is in the form of a binary file and must be executed manually. If run accidentally, Telecrypt encrypts various files stored on the system (e.g., .doc, .pdf, .jpg, etc.).

Research shows that there are a number of variants of this ransomware. While some do not rename encrypted files, others append the ".Xcri" extension (e.g., "sample.jpg" is renamed to "sample.jpg.Xcri"). Following successful encryption, Telecrypt downloads an executable ("Xhelp.exe"), which displays a ransom-demand message.

What is copypast.ru?

copypast.ru is a fake Internet search engine identical to nixunhuan.com, searchisweb.com, searchemyn.com, and many others. Judging on appearance alone, copypast.ru barely differs from Yahoo, Bing, Google, and other similar legitimate search engines.

Therefore, many users believe that copypast.ru is also legitimate. In fact, this rogue site is distributed via deceptive software download/installation set-ups that hijack web browsers and stealthily modify various options. In addition, copypast.ru continually tracks users' Internet browsing activity by recording various user/system information.

What is nixunhuan.com?

nixunhuan.com is a fake Internet search engine identical to doseofhealthy.com, searchisweb.com, searchemyn.com, and many others. 

By offering improved search results, nixunhuan.com often tricks users into believing that it is legitimate and useful. In fact, nixunhuan.com is promoted via deceptive download/installation set-ups that hijack web browsers and stealthily modify various options. Furthermore, this website continually records information relating to users' Internet browsing activity.

What is "Microsoft Windows is not genuine"?

"Microsoft Windows is not genuine" is a fake error message that locks computer screens and states that the operating system (Windows) is not genuine. To return systems to their previous states, victims must enter a Windows product key. Be aware, however, that "Microsoft Windows is not genuine" error (screenshot below) is fake.

What is search.swissfist.com?

Developers present search.swissfist.com as a legitimate Internet search engine that generates improved search results, thereby enhancing the Internet browsing experience.

These claims often trick users into believing that search.swissfist.com is legitimate, however, developers promote the site via rogue software download/installation set-ups that hijack web browsers and stealthily modify various options. In addition, search.swissfist.com tracks users' Internet browsing activity by collecting various user/system information.

What is searchdisk.de?

Search Disk is a deceptive application that supposedly enhances the web browsing experience by improving Internet search results and allowing price comparison of various e-shops. Many believe that Search Disk is legitimate and useful, however, this application often infiltrates systems without users' consent.

Furthermore, it stealthily modifies web browser settings and continually monitors users' Internet browsing activity. For these reasons, Search Disk is categorized as a potentially unwanted program (PUP) and a browser hijacker.