Virus and Spyware Removal Guides, uninstall instructions

What is the ro01[.]biz site?

ro01[.]biz is a rogue website sharing common traits with appzery.com, finddealsdaily.com, liveads.net, and thousands of others. This page operates by delivering dubious content and redirecting visitors to other untrusted/malicious sites.

Most users access these web pages unintentionally - they are redirected to them by intrusive ads or installed Potentially Unwanted Applications (PUAs). These apps do not require explicit user permission to infiltrate systems. PUAs are designed to cause redirects, run intrusive advertisement campaigns, and collect browsing-related data.

What is Liz?

Ransomware is a type of malware that blocks access to the computer (or files stored on it) by encryption. In order to unlock (decrypt) data, victims are required to pay a ransom.

Liz ransomware encrypts files and renames them by adding the victim's ID, the lizardcrypt@tuta.io email address to their filenames, and appending ".liz" as the file extension. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[lizardcrypt@tuta.io].liz", "2.jpg" to "2.jpg.id-C279F237.[lizardcrypt@tuta.io].liz", and so on.

Liz also displays a pop-up window and creates the "Manual.txt" file, both of which are ransom messages.

This ransomware variant belongs to the ransomware family called Dharma.

What kind of page is appzery[.]com?

Appzery[.]com is a rogue website that operates by presenting visitors with dubious content and/or redirecting them to other untrusted, possibly malicious pages. The internet is rife with these sites - finddealsdaily.com, liveads.net, freshannouncement.com, and itscythera.com are just some examples.

Users seldom access these web pages intentionally - most are redirected to them by intrusive advertisements or by installed rogue applications. This software does not require explicit user permission to be installed onto systems. It can have dangerous functionality, including causing redirects, delivering intrusive ad campaigns, and gathering browsing-related information.

What is the "Terminal would like to access files in your Download folder" message?

Despite its close resemblance to legitimate system messages, "Terminal would like to access files in your Download folder" is a fake pop-up.

This window asks to allow "Terminal" access to the "Download" folder. You are strongly advised against permitting dubious software access to any preferences, as this can lead to serious issues.

The "Terminal would like to access files in your Download folder" pop-up is likely to be displayed when adware has infiltrated the device, however, browser hijackers and other Potentially Unwanted Applications (PUAs) are likewise capable of showing bogus messages.

What is finddealsdaily[.]com?

There are many pages similar to finddealsdaily[.]com on the internet. Some examples are liveads[.]net, freshannouncement[.]com, and itscythera[.]com. All of these pages are created to promote other bogus sites and load dubious content.

None of these sites can be trusted and, in most cases, people do not visit them intentionally - they are opened by browsers that have potentially unwanted applications (PUAs) installed on them, through clicked deceptive advertisements, and other dubious pages.

What is the "Double Your ETHEREUM" scam email?

The "Double Your ETHEREUM email scam" refers to a spam campaign, a large-scale operation during which thousands of deceptive emails are sent. The scam messages distributed through this campaign claim recipients can double their Ethereum cryptocurrency investments.

Note that these emails are scams - users will not receive any cryptocurrency returns and only lose the sums they transfer to the scam.

What is Telegram virus?

Telegram is legitimate messaging software and an application service with approximately 500 million monthly active users. It is available for download on its official web page, Google Play, and App Store.

Research shows that there are several unofficial, deceptive pages (telegramdesktop[.]com, telegramdesktop[.]net, and telegramdesktop[.]org) offering download of a fake Telegram app, which actually functions as spyware and an information stealer.

There are at least three web pages used to trick users into installing the fake Telegram app. Note that these sites may appear similar to the official Telegram page (desktop.telegram.org).

What is the Barboza ransomware?

Belonging to the Matrix ransomware family, Barboza is a malicious program designed to encrypt data and demand payment for decryption. The files stored on the infected system are rendered inaccessible, and victims receive ransom demands for access recovery.

When Barboza ransomware encrypts, files are renamed following this pattern: "[random_string].[barboza40@yahoo.com]", which consists of a random character string and the cyber criminals' email address. For example, a file originally named "1.jpg" would appear as something similar to "pAWQLhmp-4sRJ505q.[barboza40@yahoo.com]" after encryption.

Once this process is complete, ransom-demand messages in "!_!WHERE-IS-MY-FILES!_!.rtf" files are dropped into compromised folders.

Additionally, Barboza changes the desktop wallpaper.

What is Networklock?

Networklock is a type of malicious software that encrypts files and restricts access to them until a ransom is paid to decrypt (unlock) them. This ransomware variant creates ransom messages (HTML files named "Recovery_Instructions.html") in each folder that contain encrypted files.

Networklock also renames each encrypted file by appending ".networklock" to the filename. For example, "1.jpg" is renamed to "1.jpg.networklock", "2.jpg" to "2.jpg.networklock", and so on.

What is the "Proof Of Payment" scam email?

The "Proof Of Payment email scam" refers to a spam campaign, a mass-scale operation during which deceptive emails are sent by the thousand. The messages distributed through this campaign claim to contain a payment-related document attached to them.

The fake attachment redirects to a phishing website, which is presented as an email account sign-in page. The site is designed to record log-in credentials (i.e., passwords) entered into it, thereby allowing the scammers access to the vulnerable information and the associated email account.