Virus and Spyware Removal Guides, uninstall instructions

What is Gtsc ransomware?

Gtsc is a malicious program belonging to the Dharma ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption.

During the encryption process, all affected files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address and the ".gtsc" extension. For example, a file named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[getscoin3@protonmail.com].gtsc" after encryption.

Once this process is complete, ransom messages are created in a pop-up window and "FILES ENCRYPTED.txt" text file.

What is linkspeed[.]xyz?

Typically, browsers open websites such as linkspeed[.]xyz when potentially unwanted applications (PUAs) are installed on them. Users do not often visit these web pages intentionally. Additionally, PUAs can serve ads and record data. They are classified as PUAs because, in most cases, people download and install them inadvertently.

More examples of pages similar to linkspeed[.]xyz are cristall[.]club, increamy[.]club and soloassocial[.]club.

What is Dme ransomware?

Dme belongs to the ransomware family called Dharma. Malware of this type encrypts files, renames them, and provides instructions about how to contact the developers by creating and/or displaying a ransom message. Dme renames files by appending the victim's ID, decrypttme@airmail.cc email address, and the ".dme" extension to filenames.

For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[decrypttme@airmail.cc].dme", "2.jpg" to "2.jpg.id-C279F237.[decrypttme@airmail.cc].dme", and so on. Instructions about how to contact the developers can be found in the "FILES ENCRYPTED.txt" text file and a pop-up window that Dme displays after installation.

What is ProductiveRotator?

ProductiveRotator is rogue software classified as adware. It also has browser hijacker characteristics. It operates by delivering intrusive advertisement campaigns and by making changes to browser settings to promote fake search engines. ProductiveRotator promotes 6v5f3l.com on Safari browsers and search.locatorunit.com on Google Chrome browsers.

Additionally, adware-type apps and browser hijackers have data tracking capabilities, which are employed to monitor users' browsing activity. Since most users download/install ProductiveRotator inadvertently, it is also classified as a Potentially Unwanted Application (PUA).

One of the dubious methods used to proliferate ProductiveRotator is via fake Adobe Flash Player updates. Bogus software updaters/installers proliferate PUAs, ransomware, Trojans and other malware.

What is 6v5f3l.com?

6v5f3l.com is a bogus search engine. These fake search engines are usually promoted by rogue software programs classified as browser hijackers. They promote fake search engines by making modifications to browser settings. Additionally, most browser hackers and the search engines they promote collect browsing-related information.

The 6v5f3l.com web searcher has been observed being promoted by adware-type applications that have browser hijacking capabilities (e.g. ProductiveRotator). Due to the dubious methods used to proliferate adware and browser hijackers, they are also classified as Potentially Unwanted Applications (PUAs).

One of the techniques used in PUA distribution is proliferation via fake Adobe Flash Player updates. Bogus software updaters/installers are used to spread Trojans, ransomware and other malware.

What is cristall[.]club?

Commonly, websites such as cristall[.]club are promoted by potentially unwanted applications (PUAs) that most users download and install inadvertently. I.e., people do not often visit these sites intentionally.

There are many other web pages similar to cristall[.]club online including, for example, allow-to-continue[.]com, mynewtrkdomain[.]com and watchtvnow[.]org. Additionally, PUAs can serve advertisements and collect data.

What is increamy[.]club?

Generally, users do not visit increamy[.]club or similar sites intentionally - in most cases, they are promoted and opened by potentially unwanted applications (PUAs). There are many sites similar to increamy.club online including, for example, go4news[.]biz, dabluehole[.]com and equiposeguridadindustrial[.]com.

They are designed to open other bogus pages or load dubious content. Note that PUAs promote addresses such as increamy[.]club, serve ads, and record information.

What is PC SmartCare?

PC SmartCare is advertised as a tool which allows users to scan their computers for viruses, issues with network and security, installed software, hardware and connected devices. In fact, it is distributed using dubious methods and users often install this program unintentionally. For this reason, PC SmartCare is categorized as a potentially unwanted application (PUA).

What is soloassocial[.]club?

Sharing similarities with allow-to-continue.com, mynewtrkdomain.com, watchtvnow.org, devineoffers.com and thousands of others, soloassocial[.]club is a rogue site. It presents visitors with dubious material and/or redirects them to other dubious/malicious web pages.

Typically, rogue websites are entered via redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs) already infiltrated into the system. This software does not need explicit user consent to be installed onto devices. PUAs operate by causing redirects, delivering intrusive advertisement campaigns, and monitoring/recording browsing activity.

What is the BazarLoader backdoor?

Developed by the same threat actors behind TrickBot, BazarLoader (also known as BazarBackdoor, BazaLoader, BEERBOT, KEGTAP, and Team9Backdoor) is a malicious program classified as a backdoor/loader Trojan. This type of malware opens a "backdoor" to other malicious software. I.e., these Trojans operate by downloading/installing additional malware.

At the time of research, BazarLoader was used to infect compromised systems with RYUK ransomware. BazarLoader malware has been observed being proliferated via spam email campaigns, supposedly containing inside information concerning President Donald Trump's health condition.

The US President's COVID-19 infection diagnosis has been widely used by cyber criminals for malware distribution and phishing purposes.