Virus and Spyware Removal Guides, uninstall instructions

What kind of page is flymylife[.]info?

While inspecting questionable sites, we discovered the flymylife[.]info rogue webpage. It is designed to promote browser notification spam and cause redirects to other (likely untrustworthy/harmful) websites. Users typically access pages like flymylife[.]info through redirects caused by websites that use rogue advertising networks.

What is Rugby Start?

Rugby Start is a rogue browser extension that our research team found during a routine investigation of untrustworthy websites. This piece of software is promoted as a quick-access tool for Rugby results and related news. After analyzing Rugby Start, we determined that it operates as a browser hijacker and promotes (by causing redirects to) the search.nstart.online fake search engine.

What is ESCANOR ransomware?

While investigating new submissions to VirusTotal, our researchers discovered the ESCANOR ransomware. It is designed to encrypt data and demand ransoms for the decryption.

When we executed a sample of this ransomware on our test machine, it began encrypting files and changed their filenames. To elaborate, the names were appended with a ".ESCANOR" extension, e.g., a file initially titled "1.jpg" appeared as "1.jpg.ESCANOR", "2.jpg" as "2.png.ESCANOR", etc.

Afterward this process was completed, ESCANOR ransomware dropped a ransom-demanding message - "HELP_DECRYPT_YOUR_FILES.txt" - onto the desktop.

What kind of malware is The Wise Guys?

The Wise Guys is the name of a data wiper disguised as ransomware. It deletes all files (it does not encrypt them). Also, it generates three files ("readme.txt", "readme.hta", and "readme.html") containing identical ransom notes. Our team discovered The Wise Guys malware while checking the VirusTotal website for recently submitted malware samples.

What kind of application is border colors?

border colors is the name of a browser extension that supposedly puts border colors on layouts of websites. Our team discovered this app while inspecting various deceptive pages (it is promoted on several shady pages). During the examination, we found that border colors shows annoying advertisements. Thus, we classified border colors as adware.

What kind of page is protectionsurveys[.]online?

Protectionsurveys[.]online is a rogue webpage that our research team discovered while inspecting dubious sites. It is designed to promote deceptive content, push spam browser notifications, and redirect visitors to different (likely untrustworthy/harmful) websites. Users typically enter these pages via redirects caused by sites that use rogue advertising networks.

What kind of page is posto[.]click?

While examining posto[.]click, our team found that this page runs the "McAfee - Your PC is infected with 5 viruses!" scam and wants to deliver its notifications. It uses deceptive marketing to trick visitors into purchasing legitimate computer security software. We discovered posto[.]click while investigating pages that use rogue advertising networks.

What kind of scam is "Elon Musk Twitter Giveaway"?

After examining this website, we concluded that it is a fake crypto giveaway scam page that offers to send cryptocurrency to a specified wallet and get twice as much back. Scammers behind this scam impersonate Elon Musk (use a fake Twitter page) to d deceive users. It is a complete scam that should be ignored.

What is Chromnius?

Chromnius is a rogue browser based on the Chromium open-source project. Our research team discovered this piece of software while inspecting suspicious software-promoting websites.

After installing this application on our test machine, we determined that it operates as adware and has qualities that are typical for browser hijackers. Furthermore, it is highly likely that Chromnius collects private information. Due to the fact that most users download/install this untrustworthy browser unintentionally, it is also classified as a PUA (Potentially Unwanted Application).

What kind of malware is Tuis?

Tuis is one of the ransomware variants belonging to the Djvu family. Cybercriminals use it to encrypt files. Tuis not only encrypt files but also appends the ".tuis" extension to filenames and creates a ransom note (the "_readme.txt" file). We discovered this ransomware while checking the VirusTotal website for recently submitted malware samples.

An example of how Tuis renames files: it changes "1.jpg" to "1.jpg.tuis", "2.png" to "2.png.tuis", "3.exe" to "3.exe.tuis", and so forth. It is important to mention that before encrypting files, threat actors behind Djvu ransomware attacks often use information stealers (like Vidar and RedLine) to gain sensitive information.