Virus and Spyware Removal Guides, uninstall instructions

What is Mon-thu?

Mon-thu is a family of many untrustworthy web pages that deceptively advertise dubious applications. Mon-thu tricks people into believing that their Mac computers are infected with viruses and encourages them to download and install the Smart Mac Booster app (or other similar apps).

Websites of this type and apps promoted on them should never be trusted. Browsers usually open these web pages due to potentially unwanted applications (PUAs) installed on them. PUAs can cause redirects to dubious pages, display unwanted ads, and gather information relating to users.

What is oo7?

Discovered by Jakub Kroustek, this ransomware belongs to the Crysis/Dharma malware family. oo7 is designed to encrypt data and keep it locked, until a ransom is paid (i.e. until the decryption tool is purchased). During the encryption process, files are renamed with the victim's unique ID number, developer's email address, and the ".oo7" extension.

For example, "1.jpg" might be renamed to a filename such as "1.jpg.id-1E857D00.[b1tc01n@aol.com].oo7". Once the process is complete, a text file called "FILES ENCRYPTED.txt" is stored on the desktop and a pop-up window is displayed.

What kind of malware is AppleJeus?

AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.

There is now a new trojanized cryptocurrency trading app called JMT Trader that operates in a similar manner - it installs the AppleJeus backdoor trojan on the victim's computer. JMT Trader can be installed on Windows and MacOS computers.

What is Leto?

Leto is malicious software, belonging to the Djvu ransomware family. It operates by encrypting data and keeping it locked until a ransom is paid (i.e., decryption software/tool and a unique key are purchased). As Leto encrypts, it renames all files by adding the ".leto extension.

For example, a file named "1.jpg" will appear as "1.jpg.leto", and so on. After the process is complete, a text file called "_readme.txt" is stored on the desktop.

What is Cobain?

Discovered by dnwls0719, Cobain is malicious software classified as ransomware. Cobain originates from another ransomware infection called Hermes837. It is designed to encrypt data and keep it inaccessible until a ransom is paid (i.e. until the decryption software/tool and private key is purchased).

During the encryption process, all files are renamed with the ".cobain" extension. Therefore, "1.jpg" becomes "1.jpg.cobain". After the process is complete, a text file - "!!!READ_ME!!!.txt" containing the ransom message is stored on the affected user's desktop.

What is Mondaysunday?

Mondaysunday is a deceptive website used to advertise a rogue application called Smart Mac Booster. When opened, it informs visitors that their computers are infected with viruses and encourages them to remove the threats with the aforementioned application.

Websites such as Mondaysunday and apps promoted on them should not be trusted. Typically, websites of this type are opened by potentially unwanted applications (PUAs) that are installed on browsers or computers. PUAs are often designed to record various user-system information and display annoying, often deceptive advertisements.

What is mybestmv.com?

mybestmv.com is a rogue website designed to cause redirects to other dubious sites. It is virtually identical to notifychheck.com, servedbytrackingdesk.com, notification-browser.tools, and many others.

Generally, users visit mybestmv.com inadvertently - they are redirected by potentially unwanted applications (PUAs) or intrusive advertisements displayed on untrustworthy sites. Research shows that PUAs typically infiltrate systems without permission and, cause redirects, record user-system information, and deliver intrusive advertisements.

What is "Nspchlpr"?

The pop-up message "nspchlpr will damage your computer. You should move it to the Bin." is associated with the Similar Photo Cleaner application. Nspchlpr files originate during the installation process of this rogue app. This is a more likely occurrence on devices with the Catalina version of the MacOS (Mac Operating System).

Immediate removal of all Nspchlpr-related files is strongly recommended. Helpermcp, Smbstrhlpr, and Helperamc are examples of other applications identical to Nspchlpr.

What is KRAB?

Discovered by Jakub Kroustek, KRAB (not to be confused with KRAB ransomware of the same name) is malicious software belonging to the Dharma ransomware family. KRAB encrypts files and demands ransom payments for decryption. During data encryption, it renames all files with the victim's unique ID number, developer's email address, and the ".KRAB" extension.

For example, "1.jpg" might be renamed to a filename such as "1.jpg.id-1E857D00.[Blackmax@tutanota.com ].KRAB". Once KRAB encryption is complete, the ransomware creates a text file called "FILES ENCRYPTED.txt and stores it on the desktop. It also displays a pop-up window (HTML application).

What is Ummhlpr?

Ummhlpr is one of many unwanted applications that are installed together with other apps of this kind. In this particular case, users install Ummhlpr through an app called Unpollute My Mac.

People who have Ummhlpr installed on MacOS Catalina (the latest MacOS operating system) are forced to encounter a pop-up window stating that "ummhlpr" will damage the computer and that it should be removed to the Bin. Research shows that this pop-up often freezes operating systems.

To solve this problem, the Ummhlpr app must be uninstalled and all associated files removed. We also advise that you uninstall Unpollute My Mac.