Virus and Spyware Removal Guides, uninstall instructions

Badmonday POP-UP Scam (Mac)

What is "Badmonday"?

Badmonday is a family of deceptive/scam websites, which operate using scare tactics to trick people into installing untrustworthy applications. This variation promotes Smart Mac Booster, which is classified as a Potentially Unwanted Application (PUA).

Badmonday warns visitors of viruses it has supposedly detected on macOS (the Mac operating system) and offers Smart Mac Booster for removal. Note that no website can detect threats/issues on devices. Therefore, any problem alerts displayed by these sites are fake.

Websites displaying these messages cannot be trusted - do not download or install software advertised on them. Applications endorsed by deceptive sites are often bogus and nonfunctional. Most visitors to Badmonday access it inadvertently - they are redirected by PUAs already present on the system.

   
Lm Ransomware

What is Lm?

Discovered by dnwls0719, Lm is ransomware that belongs to the Paradise ransomware family. It is designed to encrypt files and keep them inaccessible unless victims purchase a decryption tool from the cyber criminals (Lm developers). This ransomware changes the filenames of all encrypted files.

The names of encrypted files comprise "_Kim Chin lm_", the victim's ID, and the ".lm" extension. For example, "1.jpg" might be renamed to "1.jpg_Kim Chin Im_{5zkVf2}.lm", and so on. Lm also generates a ransom message within the "---==%$$$OPEN_ME_UP$$$==---.txt" text file.

   
IdeaShared Adware (Mac)

What is IdeaShared?

IdeaShared is an untrustworthy application that supposedly enhances the browsing experience. In fact, it is an adware-type app that feeds users with advertisements and gathers various user information. Typically, people download and install adware unintentionally and, therefore, IdeaShared is categorized as a potentially unwanted application (PUA).

   
Xda Ransomware

What is Xda?

Discovered by Jakub Kroustek and belonging to the Dharma/Crysis malware family, Xda is ransomware. This malicious program operates by encrypting victims' data and demanding ransom payments for decryption. During the encryption process, all files are renamed with an ID number (generated individually for each victim), the developer's email address, and the ".xda" extension.

For example, "1.jpg" might appear similar to "1.jpg.id-1E857D00.[fullrestore@qq.com].xda", and so on for all compromised files. After this process is complete, Xda creates a text file ("FILES ENCRYPTED.txt"), stores it on the desktop, and also displays a pop-up window.

   
NEMTY REVENGE 2.0 Ransomware

What kind of malware is NEMTY REVENGE 2.0?

NEMTY REVENGE 2.0 ransomware is malicious software discovered by Michael Gillespie. People with files encrypted by ransomware cannot regain access without the use of a decryption key. To obtain the key, victims are urged to pay a ransom to the cyber criminals who designed NEMTY REVENGE 2.0.

This ransomware renames all encrypted files by adding the ".NEMTY_[victim's ID]" extension. For example, "1.jpg" is renamed to "1.jpg.NEMTY_AZW1EKL". It also creates a ransom message within "NEMTY_AZW1EKL-DECRYPT.txt" (the filename also includes the victim's ID), which contains instructions about how to obtain a decryption key.

As the name suggests, NEMTY REVENGE 2.0 is not the first version of this ransomware - it is very likely that the previous version had flaws, now resolved in 2.0.

   
Sundayfunny POP-UP Scam (Mac)

What is "Sundayfunny"?

Sundayfunny is a family of scam websites designed to promote untrustworthy applications. This variant advertises Smart Mac Booster, which is classified as a Potentially Unwanted Application (PUA). Websites of this type operate using scare tactics to trick visitors into downloading/installing the software that they endorse.

Sundayfunny alerts users to viruses it has supposedly detected and offers Smart Mac Booster to eliminate them. Note that no website is capable of finding issues/threats on devices and the alarms they display are fake. Furthermore, applications promoted on these web pages tend to be bogus and nonoperational.

Few visitors access these sites intentionally, and most are redirected by PUAs already present on the system.

   
ABAT Ransomware

What is ABAT?

Discovered by dnwls0719, ABAT is a new variant of Matrix ransomware. Malware of this type encodes data so that victims are unable to access their files without using decryption methods. Typically, they are encouraged to purchase decryption tools from the cyber criminals who designed the ransomware.

ABAT renames each file by replacing its filename with an email address and a string of random characters, and adding the ".ABAT" extension.

For example, "1.jpg" might appear as "[abat2019@yahoo.com].0j8tGWZ9-WqnQhsgZ.ABAT". Like most programs of this type, ABAT creates a ransom message containing instructions about how to recover files. It also creates the "!ABAT_INFO!.rtf" file and stores it in folders that contain encrypted files.

   
FuxSocy ENCRYPTOR Ransomware

What kind of malware is FuxSocy ENCRYPTOR?

Discovered by Vitali Kremez, FuxSocy ENCRYPTOR is malicious software, classified as ransomware. This malware emulates Cerber ransomware. It operates by encrypting data and demanding ransom payments for decryption. During FuxSocy ENCRYPTOR encryption, each file is renamed with a randomized filename and extension.

Therefore, a compromised file might appear as "qz9vOWYcxN.8c67", and so on. After this process is complete, the victim's desktop wallpaper is changed. Additionally, a text file with a random name and containing the ransom message is stored in each affected folder.

   
CCryptor Ransomware

What is CCryptor?

CCryptor is ransomware-type software that encrypts files using the AES-256 encryption algorithm and creates a ransom message (within the "README!!!.txt" file).

It also renames all encrypted files by changing extensions to ".ccryptor". For example, "1.jpg" becomes "1.jpg.ccryptor". To regain access to their files, victims are encouraged to pay ransoms to the cyber criminals who designed CCryptor.

   
Hdmr Ransomware

What is Hdmr?

Discovered by GrujaRS, Hdmr (also known as GO-SPORT) is a ransomware infection. This malicious software is designed to encrypt victims' data and demand ransom payments for decryption. During the encryption process, all files are renamed using the ".hdmr" extension.

For example, "1.jpg" becomes "1.jpg.hdmr". After encryption, Hdmr stores a text file called "ReadMeAndCotact.txt" in each compromised folder.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
