Virus and Spyware Removal Guides, uninstall instructions

Greendsign.com Ads

What is greendsign[.]com?

greendsign[.]com is a rogue website sharing many similarities with gleguidat.info, linkspeed.xyz, increamy.club and thousands of others. Visitors to this web page are presented with dubious content and/or are redirected to other untrusted or possibly malicious sites.

Most users access greendsign[.]com unintentionally - they are redirected to it by intrusive advertisements or Potentially Unwanted Applications (PUAs) already installed on their devices. This software does not need explicit user consent to infiltrate systems. PUAs cause redirects, run intrusive ad campaigns and collect browsing-related information.

   
Zxcv Ransomware

What is Zxcv ransomware?

Zxcv is malicious software categorized as ransomware. It belongs to the Dharma malware family and is designed to encrypt data and demand payment for decryption. During the encryption process, files are renamed according to this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address and the ".zxcv" extension.

For example, a file named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[decrypt@null.net].zxcv" following encryption. Once this process is complete, ransom messages are created in a pop-up window and in the "FILES ENCRYPTED.txt" text file.

   
Locked3dllkierff Ransomware

What is Locked3dllkierff?

Locked3dllkierff belongs to the Xorist ransomware family. It prevents victims from accessing/using their files by encrypting them. It also provides instructions about how to contact the developers. 

Locked3dllkierff replaces the desktop wallpaper with a ransom message, displays another in a pop-up window (this appears as gibberish when the Russian language is not installed on the infected Windows system) and creates the "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" text file.

Like most ransomware-type programs, Locked3dllkierff renames encrypted files as well. This ransomware appends ".locked3dllkierff" to filenames. For example, "1.jpg" is renamed to "1.jpg.locked3dllkierff", "2.jpg" to "2.jpg.locked3dllkierff", and so on.

   
D2sri.com Redirect (Mac)

What is d2sri.com?

d2sri.com is the address of a fake search engine, which is promoted by various potentially unwanted applications (PUAs) including browser hijackers and adware-type apps.

One PUA promoting d2sri.com is called ElementaryUnit. In summary, most users do not use fake search engines intentionally - they are forced to do so by potentially unwanted applications installed on browsers and/or computers. Generally, users do not download or install PUAs intentionally.

   
Gleguidat.info Ads

What is gleguidat[.]info?

gleguidat[.]info is a rogue website and one of thousands of similar sites - linkspeed.xyz, increamy.club, and soloassocial.club are just some examples. The gleguidat[.]info web page presents visitors with dubious content and/or redirects them to other untrusted or possibly malicious websites.

Most users unintentionally access these sites - they are redirected to them by intrusive advertisements or Potentially Unwanted Applications (PUAs) that have already infiltrated their systems. These apps do not need express user permission to be installed onto devices. PUAs operate by causing redirects, delivering intrusive ad campaigns and collecting browsing-related information.

   
ElementaryUnit Adware (Mac)

What is ElementaryUnit?

ElementaryUnit is classified as adware and thus serves advertisements. In fact, it also functions as a browser hijacker and promotes d2sri.com (the address of a fake search engine) by changing certain Safari browser settings. Additionally, ElementaryUnit can read sensitive information from browsers that have this rogue software installed on them.

In most cases, users download and install adware unintentionally and, for this reason, ElementaryUnit and other apps of this type are classified as potentially unwanted applications (PUAs). This particular app is distributed via a fake installer that is disguised as the installer for Adobe Flash Player.

   
Gtsc Ransomware

What is Gtsc ransomware?

Gtsc is a malicious program belonging to the Dharma ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption.

During the encryption process, all affected files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address and the ".gtsc" extension. For example, a file named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[getscoin3@protonmail.com].gtsc" after encryption.

Once this process is complete, ransom messages are created in a pop-up window and in the "FILES ENCRYPTED.txt" text file.

   
Linkspeed.xyz Ads

What is linkspeed[.]xyz?

Typically, browsers open websites such as linkspeed[.]xyz when potentially unwanted applications (PUAs) are installed on them. Users do not often visit these web pages intentionally. Additionally, PUAs can serve ads and record data. They are classified as PUAs because, in most cases, people download and install them inadvertently.

More examples of pages similar to linkspeed[.]xyz are cristall[.]club, increamy[.]club and soloassocial[.]club.

   
Dme Ransomware

What is Dme ransomware?

Dme belongs to the ransomware family called Dharma. Malware of this type encrypts files, renames them, and provides instructions about how to contact the developers by creating and/or displaying a ransom message. Dme renames files by appending the victim's ID, decrypttme@airmail.cc email address, and the ".dme" extension to filenames.

For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[decrypttme@airmail.cc].dme", "2.jpg" to "2.jpg.id-C279F237.[decrypttme@airmail.cc].dme", and so on. Instructions about how to contact the developers can be found in the "FILES ENCRYPTED.txt" text file and a pop-up window that Dme displays after installation.

   
ProductiveRotator Adware (Mac)

What is ProductiveRotator?

ProductiveRotator is rogue software classified as adware. It also has browser hijacker characteristics. It operates by delivering intrusive advertisement campaigns and by making changes to browser settings to promote fake search engines. ProductiveRotator promotes 6v5f3l.com on Safari browsers and search.locatorunit.com on Google Chrome browsers.

Additionally, adware-type apps and browser hijackers have data tracking capabilities, which are employed to monitor users' browsing activity. Since most users download/install ProductiveRotator inadvertently, it is also classified as a Potentially Unwanted Application (PUA).

One of the dubious methods used to proliferate ProductiveRotator is via fake Adobe Flash Player updates. Bogus software updaters/installers proliferate PUAs, ransomware, Trojans and other malware.

   
