Virus and Spyware Removal Guides, uninstall instructions

JayTHL Ransomware

What is JayTHL?

Discovered by GrujaRS, JayTHL is malicious software classified as ransomware. It takes its name from the malware researcher JayTHL; this is an attempt at defamation and a personal attack by the developers of this ransomware.

Note that this researcher is not associated with this ransomware infection; however, his work in malware research has made him undesirable to cyber criminals. The JayTHL malicious program is designed to encrypt data and demand ransom payments for decryption.

During the encryption process, all files are renamed with the ".JayTHL" extension. For example, a file named "1.jpg" appears as "1.jpg.JayTHL", and so on for all affected files. Once this process is complete, many identical text files are created on the victim's desktop and in the encrypted folders.

Their filenames are variations of "F*ckYouJayTHL_HELP_ENCRYPTED_FILES.TXT" (without the * symbol), differentiated with numbers at the end of the titles (0, 1, 2, 3, 4, 5, etc.).

   
Nakw Ransomware

What is Nakw?

Nakw is one of many ransomware-type programs that belong to the Djvu ransomware family. Its victims cannot access/use their files, since Nakw encrypts them with a strong encryption algorithm. Typically, people who have computers infiltrated by ransomware can only regain access to their files with decryption software and/or keys.

To obtain these, they must pay ransoms to cyber criminals. Nakw creates the "_readme.txt" file, which contains instructions about how to recover encrypted data. This ransomware also renames files by changing extensions to ".nakw". For example, "1.jpg" becomes "1.jpg.nakw".

   
Website Sextortion Scam

What is a website sextortion scam?

Typically, scammers proliferate sextortion scams via email. In this case, however, they are implemented through hacked WordPress and Blogger accounts, which post scam messages on the homepages of various websites.

Once opened, the sites display posts stating that the visitor's computer is hacked and the camera was used to record a video, whereby the visitor can be seen watching a video on an adult website. Scammers behind these posts attempt to trick people by stating that they will distribute recorded videos unless victims pay the ransoms.

Never trust these scams, even if they are posted on legitimate blogging websites (such as hacked WordPress or Blogger pages) or elsewhere.

   
Worm Ransomware

What is Worm?

Discovered by Michael Gillespie, Worm is a new variant of Paradise ransomware. It is designed to encrypt data and demand ransom payments for decryption. During the encryption process, all affected files are appended with a unique ID number, developer's email address, and the ".worm" extension ("[id-[victim's_ID]].[corpseworm@protonmail.com].worm").

For example, "1.jpg" might appear similar to "1.jpg[id-SSJXbLaK].[corpseworm@protonmail.com].worm". After encryption is complete, Worm creates an HTML file ("$%~-#_ABOUT_YOUR_FILES_#$=$$.html") and stores it on the desktop.

   
Badmonday POP-UP Scam (Mac)

What is "Badmonday"?

Badmonday is a family of deceptive/scam websites, which operate using scare tactics to trick people into installing untrustworthy applications. This variation promotes Smart Mac Booster, which is classified as a Potentially Unwanted Application (PUA).

Badmonday warns visitors of viruses it has detected on the MacOS (Mac Operating System) and offers Smart Mac Booster for removal. Note that no website can detect threats/issues on devices. Therefore, any problem alerts displayed by these sites are fake.

Websites displaying these messages cannot be trusted - do not download or install software advertised on them. Applications endorsed by deceptive sites are often bogus and nonfunctional. Most visitors to Badmonday access it inadvertently - they are redirected by PUAs already present on the system.

   
Lm Ransomware

What is lm?

Discovered by dnwls0719, Lm is ransomware that belongs to the Paradise ransomware family. It is designed to encrypt files and keep them inaccessible unless victims purchase a decryption tool from the cyber criminals (lm developers). This ransomware changes filenames of all encrypted files.

The names of encrypted files comprise "_Kim Chin lm_", the victim's ID, and the ".lm" extension. For example, "1.jpg" might be renamed to "1.jpg_Kim Chin Im_{5zkVf2}.lm", and so on. lm also generates a ransom message within the "---==%$$$OPEN_ME_UP$$$==---.txt" text file.

   
IdeaShared Adware (Mac)

What is IdeaShared?

IdeaShared is an untrustworthy application that supposedly enhances the browsing experience. In fact, it is an adware-type app that feeds users with advertisements and gathers various user information. Typically, people download and install adware unintentionally and, therefore, IdeaShared is categorized as a potentially unwanted application (PUA).

   
Xda Ransomware

What is Xda?

Discovered by Jakub Kroustek and belonging to the Dharma/Crysis malware family, Xda is ransomware. This malicious program operates by encrypting victims' data and demanding ransom payments for decryption. During the encryption process, all files are renamed with an ID number (generated individually for each victim), developer's email address, and the ".xda" extension.

For example, "1.jpg" might appear similar to "1.jpg.id-1E857D00.[fullrestore@qq.com].xda", and so on for all compromised files. After this process is complete, Xda creates a text file ("FILES ENCRYPTED.txt"), stores it on the desktop, and also displays a pop-up window.

   
NEMTY REVENGE 2.0 Ransomware

What kind of malware is NEMTY REVENGE 2.0?

NEMTY REVENGE 2.0 ransomware is malicious software discovered by Michael Gillespie. People with files encrypted by ransomware cannot regain access without the use of a decryption key. To obtain the key, victims are urged to pay a ransom to the cyber criminals who designed NEMTY REVENGE 2.0.

This ransomware renames all encrypted files by adding the ".NEMTY_[victim's ID]" extension. For example, "1.jpg" becomes "1.jpg.NEMTY_AZW1EKL". It also creates a ransom message within "NEMTY_AZW1EKL-DECRYPT.txt" (the filename also includes the victim's ID), which contains instructions about how to obtain a decryption key.

As the name suggests, NEMTY REVENGE 2.0 is not the first version of this ransomware - it is very likely that the previous version had flaws, now resolved in 2.0.

   
Sundayfunny POP-UP Scam (Mac)

What is "Sundayfunny"?

Sundayfunny is a family of scam web sites designed to promote untrustworthy applications. This variant advertises Smart Mac Booster, which is classified as a Potentially Unwanted Application (PUA). Websites of this type operate using scare tactics to trick visitors into downloading/installing the software that they endorse.

Sundayfunny alerts users to viruses it has supposedly detected and offers Smart Mac Booster to eliminate them. Note that no website is capable of finding issues/threats on devices and the alarms they display are fake. Furthermore, applications promoted on these web pages tend to be bogus and nonoperational.

Few visitors access these sites intentionally, and most are redirected by PUAs already present on the system.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
