.Coot Virus



The .Coot Virus will encrypt your files with the .coot extension.


With its new variants applying strong military-grade encryptions on their victims’ data, Ransomware is arguably the most feared online threat at the moment. .Coot is the latest addition to this feared software category and operates as a cryptovirus. You were most likely affected by its secret file-encryption and are now looking for a way to fix the situation, which is why you are here. If this is the case, we’ve got some good news and some not-so-good news for you. The good news is that, on this page, you will find a removal guide that is specially designed to help in case of Ransomware infections. The directions in it will assist you with correctly detecting and removing .Coot from your computer, which absolutely must be done before you try anything else. The bad news is that the data encrypted by the infection may not get decrypted that easily. Yet, in the removal guide below, we’ve included several steps that may help you get some of your information back, although we cannot guarantee that they will succeed in all the cases. We suggest you read on to better understand the nature of the malware you are facing and the potential ways to combat it.

The .Coot virus

As standard Ransomware, the moment .Coot, .Leto or .Nols infects you, it begins scanning your drives for certain file types which could be documents, archives of data, images, music and video files, and more. After generating a list of targeted data, the virus then starts creating encrypted copies of the files while secretly removing the originals. The result of this activity is that you end up with identical copies of your files, which, however, have different, unknown extensions and every time you try to open them, you will see an error message stating you cannot access them.
Upon the completion of the file-encryption process, .Coot typically presents you with a ransom-demanding message. The message informs you that, to get your files back, you need to pay a certain amount of money. You will be provided with instructions on how to transfer the money and a deadline within which you are supposed to do it. The attackers behind the Ransomware typically seek to put as much pressure on you as possible and make you transfer the money quickly, without giving you time to consider other options. Normally, the transaction is expected to be made in bitcoins, which is a cryptocurency that is very difficult to trace.

The .Coot file encryption

The most challenging aspect of the Ransomware’s attack is not the removal of the virus, but the reversal of its file-encryption. This process is usually possible only through the use of the unique corresponding decryption key, which gets generated during the encryption process itself. Sadly, that key is stored in the hackers’ servers and they require big amounts of money to give it to you. Therefore, if you don’t want to send your money to some criminals with no guarantee that they will really send you the key, we advise you to explore some of the alternative file-recovery methods. To do that, however, you will first need to remove .Coot with the help of the instructions below. This will allow you to safely connect eventual file backup sources from which you can recover your data. Another file-restoration option would be to give a try to the data-recovery steps from the guide on this page, or look for free file decryptors that may work in your case.


Name .Coot
Type Ransomware
Danger Level High (Ransomware is by far the worst threat you can encounter)
Symptoms Very few and unnoticeable ones before the ransom notification comes up.
Distribution Method From fake ads and fake system requests to spam emails and contagious web pages.


Remove .Coot Ransomware 

1: Preparations

Note: Before you go any further, we advise you to bookmark this page or have it open on a separate device such as your smartphone or another PC. Some of the steps might require you to exit your browser on this PC.

2: Task Manager

Press Ctrl + Shift + Esc to enter the Task Manager. Go to the Tab labeled Processes (Details for Win 8/10). Carefully look through the list of processes that are currently active on you PC.

If any of them seems shady, consumes too much RAM/CPU or has some strange description or no description at all, right-click on it, select Open File Location and delete everything there.

Also, even if you do not delete the files, be sure to stop the process by right-clicking on it and selecting End Process.

3: IP related to .Coot

Go to c:\windows\system32\drivers\etc\hosts. Open the hosts file with notepad.

Find where it says Localhost and take a look below that. 

hosts_opt (1)

If you see any IP addresses there (below Localhost) send them to us here, in the comments since they might be coming from the .Coot.


4: Disable Startup programs

Re-open the Start Menu and type msconfig.

Click on the first search result. In the next window, go to the Startup tab. If you are on Win 10,  it will send you to the Startup part of the task manager instead, as in the picture:

If you see any sketchy/shady looking entries in the list with an unknown manufacturer or a manufacturer name that looks suspicious as there could be a link between them and .Coot , disable those programs and select OK.

5: Registry Editor

Press Windows key + R and in the resulting window type regedit.

Now, press Ctrl + F and type the name of the virus.

Delete everything that gets found. If you are not sure about whether to delete something, do not hesitate to ask us in the comments. Keep in mind that if you delete the wrong thing, you might cause all sorts of issues to your PC.

6: Deleting potentially malicious data – .Coot

Type each of the following locations in the Windows search box and hit enter to open the locations:






Delete everything you see in Temp linked to .Coot RansomwareAbout the other folders, sort their contents by date and delete only the most recent entries. As always, if you are not sure about something, write to us in the comment section.

7: .Coot Decryption

The previous steps were all aimed at removing the .Coot Ransomware from your PC. However, in order to regain access to your files, you will also need to decrypt them or restore them. For that, we have a separate article with detailed instructions on what you have to do in order to unlock your data. Here is a link to that guide.

Daniel Sadakov has a degree in Information Technology and specializes in web and mobile cyber security. He harbors a strong detestation for anything and everything malicious and has committed his resources and time to battling all manners of web and mobile threats. He has founded MobileSecurityZone.com, a website dedicated to covering the top tech stories and providing useful tips for the everyday user, in an effort to reach and help more people.

Leave a Reply

Your email address will not be published. Required fields are marked *