Virus and Spyware Removal Guides, uninstall instructions

What is Tofsee?

Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more.

Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.

What is topmedia24[.]me?

Topmedia24[.]me - like many others (soptarroutg.com, viralupdatestoday.com, goodmedia.me and etc.) is a rogue site, designed to cause non-consensual redirects to compromised or malicious sites and for spreading of likewise unreliable content. In most cases access to this website is not voluntary.

Visitors enter it by getting redirected from other similarly untrustworthy sites (via intrusive advertisements hosted therein) or by having topmedia24[.]me forcefully opened by PUAs (potentially unwanted applications).

These applications are guilty of causing unauthorized redirects, intrusive ad campaigns and data-tracking. It must be pointed out that PUAs require no explicit user permission to invade their devices.

What is Bulk Uploader?

Bulk Uploader is an add-on created by Webcraftic and Ash Durham. Cyber criminals often hijack this WordPress plugin to generate traffic for malicious websites such as jackielovesdogs[.]com, tomorrowwillbehotmaybe[.]com, activeandbanflip[.]com, beforwardreallygo[.]com, and others.

Website owners who use the Bulk Uploader add-on, or people who visit their websites, are forced to visit these rogue sites when cyber criminals hijack the Bulk Uploader add-on.

What is soptarroutg[.]com?

Soptarroutg[.]com is a rogue site, the purpose of which is to cause unauthorized redirects to compromised sites and present visitors with untrustworthy and even malicious content. It shares many traits with dreamteammyfriend.com, dredrewlaha.info, allowpush.club and numerous other rogue websites.

Entering soptarroutg[.]com intentionally is a rarity, as most of its visitors access it without their consent. Mostly this website is reached through redirection (by entry to duplicitous sites and invasive adverts therein) or by having it force-opened by PUAs (potentially unwanted applications).

What is noteworthy about these applications is that they cause redirects, deliver ad campaigns and track user data.

What is Universal Converter?

Universal Converter is advertised as an application that, when installed on browsers, gives easy access to various file converter tools. This app is presented as legitimate and useful, however, Universal Converter is a browser hijacker - it changes browser settings (promoting a fake search engine) and collects information relating to users' browsing habits.

Typically, people download and install apps of this type inadvertently and are thus categorized as potentially unwanted applications (PUAs). Furthermore, developers distribute Universal Converter with another PUA called Hide My Searches.

What is rumiceseeds[.]com?

Similar to checking-your-browser.com, markably.info, ernorvious.com - rumiceseeds[.]com is a rogue website, functioning as a redirect to other compromised and/or malicious sites, as well as a place rife with questionable/hazardous content for user consumption.

Most visitors of this website happen upon it unwillingly, by being redirected to it by other untrustworthy sites (specifically, via intrusive advertisements found within them) or by PUAs (potentially unwanted applications) opening rumiceseeds[.]com autonomously. It should be known that said applications do not require express user approval to invade their system.

What is Coupons Flash?

Coupons Flash is a rogue application that claims to save time and money by providing shopping coupons and information about special deals/offers on various online stores. Judging on appearance alone, Coupons Flash may seem legitimate and useful, however, it is categorized as a potentially unwanted application (PUA) and a browser hijacker.

There are three main reasons for these negative associations: 1) stealth installation without users' consent; 2) promotion of fake search engine, and; 3) tracking of browsing activity.

What is Grethen?

Grethen is ransomware-type software and possibly a mix of other programs of this type such as Scarab and Dharma. Grethen locks (encrypts) victims' files and denies access to them unless a ransom is paid.

It stores the "READ ME.TXT" file (a ransom message) in all folders that contain encrypted data and opens an HTML application ("READ ME.hta"), which displays a pop-up window.

Grethen renames encrypted files by changing extensions to ".[grethen@tuta.io]" and assigning filenames to a random string. For example, it might rename "1.jpg" to a filename such as "Al4=BLF3eb8CWv6pNF WINtbicg25DuIxdz8nsT19 spStjXrKhiT1Y34S.[grethen@tuta.io]".

What is Nacro?

Belonging to the Djvu ransomware family, Nacro is a high-risk infection designed to encrypt stored data and make ransom demands.

As with most infections from this ransomware family, Nacro was first discovered by Michael Gillespie. During encryption, Nacro renames each compromised file by adding the ".nacro" appendix (e.g., "sample.jpg" becomes "sample.jpg.nacro"). Additionally, Nacro generates a text file ("_readme.txt") and stores copies in most existing folders.

What is Track Your Transit Info?

Track Your Transit Info is the name of an application that supposedly gives free access to public transit routes. It is presented as a useful app, however, Track Your Transit Info is a browser hijacker that changes browser settings (promotes a fake search engine) and might also gather data relating to its users.

Additionally, the developers of Track Your Transit Info distribute it with another similar app called Hide My Searches. Typically, people download and install apps of this type unintentionally. They are also known as potentially unwanted applications (PUAs).