Virus and Spyware Removal Guides, uninstall instructions

What is Show Tabs?

Show Tabs is a typical browser hijacker: it modifies certain browser settings to promote a fake search engine (it changes the settings to fxsmash.xyz).

This app can also read browsing histories and possibly other, more personal details. In any case, browser hijackers should never be installed. Note that users do not often download or install software of this type intentionally and, for this reason, Show Tabs and similar apps are classified as potentially unwanted applications (PUAs).

What is Jdtdypub?

Ransomware is a type of malicious software that blocks access to files by encryption and demands ransom payments to recover them.

Jdtdypub both encrypts and renames files, appending ".jdtdypub" as the file extension. For example, "1.jpg" is renamed to "1.jpg.jdtdypub", "2.jpg" to "2.jpg.jdtdypub", and so on.

Like most ransomware variants, Jdtdypub generates a ransom message - in this case, within the "HOW TO RESTORE YOUR FILES.TXT" text file, which is stored in all folders containing encrypted files.

Note that Jdtdypub is part of the Snatch ransomware family.

What is the eouldeco[.]online site?

Sharing similarities with mekiroki.com, sakh.site, mobilemediahits.com, cfplay.online, and countless others, eouldeco[.]online is a rogue website. It operates by delivering dubious content and redirecting visitors to other untrusted/malicious sites.

Users seldom enter these web pages intentionally - most are redirected to them by intrusive ads or Potentially Unwanted Applications (PUAs) already infiltrated into their devices. These apps do not require explicit permission to be installed onto systems, and thus users may be unaware of their presence. PUAs can have dangerous functionality, including causing redirects, running intrusive advertisement campaigns, and collecting browsing-related information.

What is mekiroki[.]com?

You are strongly advised not to trust mekiroki[.]com or web pages that it opens. Mekiroki[.]com is a deceptive website used to promote other pages of this kind.

Generally, these sites are promoted through deceptive advertisements, other untrusted sites, and potentially unwanted applications (PUAs). I.e., People do not often visit these rogue sites intentionally. Remove all PUAs from browsers/computers immediately, since these apps can collect data and generate advertisements.

More examples of pages similar to mekiroki[.]com are mobilemediahits[.]com, cehuiy[.]com, and premiumbros[.]com.

What is the "Upgrade Account" scam email?

"Upgrade Account email scam" refers to a spam campaign, a large-scale operation during which scam emails are sent by the thousand. The messages distributed through this campaign claim that recipients' email accounts will be deactivated unless they update them.

This deceptive email aims to promote a phishing website, which is disguised as the email account sign-in page. Information entered into this web page (i.e., email addresses and passwords) are recorded and sent to the scammers behind the "Upgrade Account" spam campaign.

What is Dark ransomware?

Ransomware is a type of malware that prevents victims from accessing/using their files by encryption and displays (or creates) a ransom message with payment, contact, or other information. Note that Dark ransomware is part of the Makop ransomware family.

This ransomware variant encrypts files and renames them by appending the victim's ID, revilsupport@privatemail.com email address, and the ".dark" extension to filenames. For example, Dark would rename "1.jpg" to "1.jpg.[9B83AE23].[revilsupport@privatemail.com].dark", "2.jpg" to "2.jpg.[9B83AE23].[revilsupport@privatemail.com].dark", and so on.

A ransom message within the "readme-warning.txt" file is created in all folders that contain encrypted files.

What is Ctpl ransomware?

Ctpl is a piece of malicious software, which is part of the Dharma ransomware family. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption. I.e., victims are unable to access/use files affected by Ctpl and they are asked to pay to recover their data.

When this ransomware encrypts, files are renamed following this pattern: original filename, unique IDs assigned to the victims, cyber criminals' email address, and the ".ctpl" extension. For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[catapultacrypt@tuta.io].ctpl" after encryption.

Once this process is complete, ransom messages are created in a pop-up window and "MANUAL.txt" text file.

What is 4o4 ransomware?

Most ransomware variants encrypt files, preventing access to them without specific decryption software/keys held only by the attackers.

4o4 not only encrypts files but also renames them by appending the victim's ID, godecrypt@onionmail.org email address, and the ".4o4" extension. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[godecrypt@onionmail.org].4o4", "2.jpg" to "2.jpg.id-C279F237.[godecrypt@onionmail.org].4o4", and so on.

4o4 also creates the "FILES ENCRYPTED.txt" file and a pop-up window. Both are ransom messages containing contact information and various other details.

Note that the 4o4 ransomware variant is part of the Dharma ransomware family.

What is sakh[.]site?

Sakh[.]site is an untrusted website that is promoted via deceptive advertisements, malicious websites, and potentially unwanted applications (PUAs). Users are sometimes forced to visit sakh.site without their consent.

Note that most PUAs are downloaded and installed by users unintentionally. More examples of websites similar to sakh[.]site are mobilemediahits[.]com, cfplay[.]online, and cehuiy[.]com.

What is SearchConverterIt?

SearchConverterIt is dubious software categorized as a browser hijacker. It operates by promoting the searchconverterit.com fake search engine through modifications made to affected browser settings.

Additionally, SearchConverterIt monitors users' browsing activity. Due to the dubious techniques used in the distribution of browser hijackers, they are also classified as Potentially Unwanted Applications (PUAs).