Virus and Spyware Removal Guides, uninstall instructions

What is checkpost[.]club?

Similar to weads32.com, robotcaptcha3.info, topernews.me, and many others, checkpost[.]club is a rogue site designed to feed users with dubious content and redirect them to other dubious websites.

Research shows that many visitors arrive at checkpost[.]club inadvertently - they are redirected by potentially unwanted applications (PUAs) or intrusive ads encountered on other rogue sites. PUAs infiltrate computers without users' consent, cause redirects, deliver intrusive advertisements, and gather various sensitive data.

What is weads32[.]com?

Weads32[.]com is a rogue site, sharing many similar traits with naneso.com, pushmobilenews.com, clckworld.club  and thousands of others. It operates by redirecting visitors to unreliable and potentially malicious sites, as well as presenting highly questionable content for user consumption.

In most cases, weads32[.]com is accessed unintentionally/unwillingly. Users either get redirected from other compromised sites (specifically, by clicking intrusive advertisements hosted there) or have this dubious website force-opened by PUAs (potentially unwanted applications).

What should be known about PUAs is that they do not need explicit user permission to be installed onto their device, and are considered to be a high security risk. These undesired apps cause unauthorized redirects, deliver invasive ad campaigns and track data.

What is fastmailtab.com?

Fastmailtab.com is the address of a fake search engine that is promoted through a potentially unwanted application (PUA) called Fast Mail Tab.

This app is categorized as a browser hijacker and supposedly allows access to multiple email accounts directly from a new browser tab, however, its actual purpose is to change browser settings (promote a fake search engine) and gather user-system information.

Typically, people do not download or install apps such as Fast Mail Tab intentionally (hence why they are known as PUAs).

What is .pdf ransomware?

.pdf is a ransomware-type infection that belongs to the Dharma ransomware family. As with most of infections from this family, .pdf was discovered by Jakub Kroustek. After successful infiltration, .pdf encrypts most stored data, thereby rendering it unusable.

Additionally, it renames each file by appending the victim's ID, developer's email address, and ".pdf" extension. For example, "sample.jpg" might be renamed to a filename such as "sample.jpg.id-1E857D00.[decryptbots@cock.li].pdf".

Note that the ".pdf" is extension is a genuine Portable Document Format (PDF) and, therefore, encrypted files are likely to have a PDF file icon. Despite this, do not be tricked - files are certainly encrypted, not just their formats changed. Once encryption is complete, .pdf opens a pop-up window (HTML application) and stores the "RETURN FILES.txt" text file on the desktop.

Updated variants of this ransomware use the ".[3442516480@qq.com].pdf" extension for encrypted files.

What is revmake[.]com?

revmake[.]com is similar to other sites of this type such as routgpushs[.]com, procontent[.]me, and exclusivenotifications[.]com. When opened, this rogue site opens other untrusted websites or presents visitors with dubious content. In most cases, browsers open these web pages due to potentially unwanted applications (PUA) installed on the system.

Therefore, people do not generally visit websites such as revmake[.]com intentionally. PUAs also collect user-system information and display intrusive advertisements.

What is topernews[.]me?

Topernews[.]me is a rogue site, designed to cause unauthorized redirects and present visitors with highly suspect content (largely, of the click-bait type). There are thousands of rogue websites, sharing many similarities in-between (e.g. rembrandium.com, checking-your-browser.com, getmedia.me, dancewithlittleredpony.com and so on). It should be mentioned that few users enter topernews[.]me willingly.

Most visitors are either redirected from other untrustworthy sites (more specifically, the intrusive adverts therein) or have it opened by PUAs (potentially unwanted applications). Said apps do not require express user permission to be installed onto their systems.

Unwanted applications cause redirects to unreliable/malicious sites, deliver likewise questionable invasive ads and track user data.

What is plsppushme[.]com?

plsppushme[.]com is a web address that should not be trusted. Most people do not visit this site intentionally - it is opened by potentially unwanted applications (PUAs) installed on browsers or operating systems. Examples of other web pages of this type are routgpushs[.]com, procontent[.]me, and exclusivenotifications[.]com.

When opened, they display dubious content or open other untrustworthy web pages. In addition to forcing people to visit dubious sites, PUAs gather data and feed users with unwanted ads. Many people download and install PUAs unintentionally.

What is datsadstrack[.]com?

datsadstrack[.]com is yet another rogue site designed to feed visitors with dubious content and redirect them to other rogue sites. It is virtually identical to routgpushs.com, robotcaptcha3.info, pushmehoney.com, and many others.

Most visitors arrive at datsadstrack[.]com unintentionally - they are redirected by potentially unwanted applications (PUAs) or intrusive advertisements encountered on other rogue sites. PUAs infiltrate computers without users’ permission, cause redirects, deliver intrusive ads, and record user-system information.

What is Xtron PC Speedup?

According to the developers, Xtron PC Speedup allows computers to run smoothly, faster, and error free. Although advertised as system optimization software, it is distributed through the set-ups of other programs. Developers use these set-ups to trick people into downloading and installing Xtron PC Speedup.

People often download and install programs distributed in this way unintentionally. For this reason, Xtron PC Speedup is categorized as a potentially unwanted application (PUA).

What is .ad?

First discovered by malware researcher, GrujaRS, .ad is a high-risk ransomware infection belonging to the GlobeImposter ransomware family. The purpose of this malware is to stealthily infiltrate systems and encrypt most stored data.

During encryption, .ad renames each file by appending the developer's email address and the ".ad" extension (hence the ransomware's name).

For example, "sample.jpg" becomes "sample.jpg.[gustafkeach@johnpino.com].ad". Encrypted data immediately becomes unusable. Additionally, .ad generates an HTML file ("Read_For_Restore_File.html") and stores it on the victim's desktop.