Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is Ncov?

Ncov is a part of the Dharma ransomware family. It encrypts files, changes filenames, creates a text file and displays a pop-up window. Ncov renames encrypted files by adding the victim's ID, coronavirus@qq.com email address and appending the ".ncov" extension to filenames.

For example, a file named "1.jpg" becomes "1.jpg.id-1E857D00.[coronavirus@qq.com].ncov", and so on. Ncov also creates the "FILES ENCRYPTED.txt" text file and displays another ransom message within a pop-up window. Updated variants of this ransomware use the ".[3441546223@qq.com].ncov" and ".[bitcoin@email.tg].ncov" extensions for encrypted files.

What is vitosc.xyz?

vitosc.xyz is the address of a fake search engine. Typically, fake search engines are promoted through various potentially unwanted applications (PUAs), browser hijackers. This fake search engine is promoted through a PUA named SApp+ (or Smash App+) and Nittok, however, other apps might also promote vitosc.xyz.

Typically, browser hijackers promote addresses such as vitosc.xyz by changing browser settings. Furthermore, these apps often gather information.

What is Multy App?

Multy App is a browser hijacker endorsed as a multi-purpose tool that supposedly provides quick access to services such as search engines, encyclopedias, email, social networking and social media, e-commerce and online stores. In fact, Multy App operates by modifying browsers to promote searchmulty.com (a fake search engine).

Additionally, this browser hijacker has data tracking capabilities, which it employs to monitor users' browsing activity. Most users install Multy App inadvertently, and therefore it is also categorized as a Potentially Unwanted Application (PUA).

What is Corona-Virus-Map.com?

Despite its name, Corona-Virus-Map.com is not the address of a website - it is the name of a malicious program classified as a Trojan (or more specifically, a "backdoor" Trojan). This type of malware causes chain infections by stealthily downloading and installing additional malicious programs.

Corona-Virus-Map.com is presented as software that allows users to view the progress/spread of the Corona virus epidemic in real time. In fact, this Trojan proliferates AZORult malware.

What is g3treal0ne[.]space?

g3treal0ne[.]space is an untrusted website that redirects visitors to other web pages of this kind. For example, it leads visitors to pages that promote various software 'cracking' tools, rogue installers (e.g., fake Adobe Flash Player installers), potentially unwanted applications (PUAs), and other dubious sites.

Therefore, never trust g3treal0ne[.]space or websites that are opened through it. Note that sites such as g3treal0ne[.]space are usually opened through dubious web pages, deceptive advertisements or Potentially Unwanted Programs (PUAs) that are installed on browsers and/or operating systems.

What is the Gtf ransomware?

Discovered by Jakub Kroustek, Gtf is a malicious program belonging to the Dharma ransomware family. It operates by encrypting the data of infected systems to demand payment for decryption tools/software.

During the encryption process, all affected files are renamed according to the following pattern: original filename, unique ID, cyber criminals' email address and the ".GTF" extension. For example, "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[grandtheftfiles@aol.com].GTF", and so on.

Another varaint of Gtf ransomware appends ".[getthefiles2@protonmail.ch].gtf" extension. After this process is complete, a text file ("FILES ENCRYPTED.txt") is created on the desktop and a pop-up window is displayed.

What is the BrowserProduct adware?

BrowserProduct is supposedly designed to improve the browsing experience. In fact, this application delivers intrusive advertisements and is, therefore, classified as adware. Additionally, most apps of this type have data tracking capabilities.

Due to the dubious proliferation methods used to promote this rogue software, BrowserProduct is also classed as a Potentially Unwanted Application (PUA).

What are the Deranvizes websites?

Deranvizes is a deceptive website group promoting various online scams. Web pages from this group have been observed promoting the "Dear Safari User, You Are Today's Lucky Visitor" scheme, however, they might also promote other scams.

Few users enter these websites intentionally - they are redirected to them by intrusive advertisements or Potentially Unwanted Applications (PUAs) already installed on the system.

What is InnovativeShare?

The InnovativeShare application is supposedly designed to improve the browsing experience, however, it is categorized as adware and displays intrusive advertisements. These apps often gather information. Generally, users download and install adware unintentionally.

Therefore, InnovativeShare and other, similar apps are classified as potentially unwanted applications (PUAs).

What is Ostap?

Ostap is a JavaScript downloader used by cyber criminals to spread TrickBot, a trojan-type malicious programs that steals various personal, sensitive information. Cyber criminals use the details generate revenue in various ways. If you believe that your computer is infected with Ostap downloader (dropper) or Trickbot, remove these malicious programs immediately.