When the virus is done encrypting your files it leaves a Restore-My-Files.txt file with instructions:

:-------------
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
 
----------------------------------------------------------------------------------------
 
| 1. Download Tor browser - https://www.torproject.org/ and install it.
 
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
               
| 3. Follow the instructions on this page 
 
----------------------------------------------------------------------------------------
 
Note! This link is available via "Tor Browser" only.
 
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
 
alternate address - http://helpinfh6vj47ift.onion/

Within the following lines, you will have the opportunity to learn some essential information concerning one of the nastiest malware kinds, namely, the noxious Ransomware category. Actually, you are likely currently on this page in order to search for assistance against .Docm, which is one of the newest Ransomware versions.

How Dangerous is .Docm Virus?

The vast majority of Ransomware versions (.Redmat, .Stone) are programmed to work in a similar manner. The thing that you can expect as the first stage of the .Docm contamination would be a thorough hard-disk scan that is normally done with purpose of locating certain pre-set computer file types. The predetermined formats might include various text documents or audio/image/video files which are likely to be important to the harassed user. Once the scan of your disks for the pre-set computer file types is carried out, .Docm continues with the encryption of these computer files – it does it through creating a copy of each file with the new copy being sealed using a highly-advanced encryption code. Naturally, when all targeted documents have been copied, the originals would get removed so that the user is left only with the locked data copies. This stage concludes with the display of a money-demanding letter on the victim’s PC desktop, where it’s said a set amount of money needs to be transferred to the hacker by the customer for the computer files to get restored. That’s why we’ve prepared this article and the removal guide manual added to it – to aid those users who may have had their PC infected with this sort of Ransomware and help them cope with this nasty infection.

Removing .Docm Ransomware manually

As soon as the specified private files have gotten encrypted and the targeted victim is no longer capable of accessing their personal data, the nasty software piece will go on to pressure the targeted victim in an attempt to extort money from them. The way of informing the users that a ransom transfer to the hacker is demanded and also how the transfer ought to be carried out is via a pop-up message generated on the Computer screen, within which message, the internet criminal has included strict and thorough directions. Most of the time, users get quite panicked once they realize that their system has been infiltrated by a Ransomware which is exactly what the online criminals are counting on. The more confused and intimidated the Ransomware victims become, the more likely they would be to give in to the hackers’ demands. Having said that, remember that issuing the ransom payment right away, without thinking about the potential unforeseen consequences, is definitely something that you must not do. Instead of jumping to rash decisions and transferring money to shady cyber criminals, you must really check out the potential alternatives that might be at your disposal and pick the one that looks like the most practical one. In an effort to offer you a possible substitute for the transaction ‘solution’, we have created a removal manual for .Docm and we have added it to this article so go ahead and give it a try after you are done reading the article.

SUMMARY:

[add_third_banner]

Remove .Docm Ransomware Virus

1: Preparations

Note: Before you go any further, we advise you to bookmark this page or have it open on a separate device such as your smartphone or another PC. Some of the steps might require you to exit your browser on this PC.

2: Task Manager

Press Ctrl + Shift + Esc to enter the Task Manager. Go to the Tab labeled Processes (Details for Win 8/10). Carefully look through the list of processes that are currently active on you PC.

If any of them seems shady, consumes too much RAM/CPU or has some strange description or no description at all, right-click on it, select Open File Location and delete everything there.

Also, even if you do not delete the files, be sure to stop the process by right-clicking on it and selecting End Process.

3: IP related to .Docm

Go to c:\windows\system32\drivers\etc\hosts. Open the hosts file with notepad.

Find where it says Localhost and take a look below that. 

If you see any IP addresses there (below Localhost) send them to us here, in the comments since they might be coming from the .Docm.

[add_forth_banner]

4: Disable Startup programs

Re-open the Start Menu and type msconfig.

Click on the first search result. In the next window, go to the Startup tab. If you are on Win 10,  it will send you to the Startup part of the task manager instead, as in the picture:

If you see any sketchy/shady looking entries in the list with an unknown manufacturer or a manufacturer name that looks suspicious as there could be a link between them and .Docm , disable those programs and select OK.

5: Registry Editor

Press Windows key + R and in the resulting window type regedit.

Now, press Ctrl + F and type the name of the virus.

Delete everything that gets found. If you are not sure about whether to delete something, do not hesitate to ask us in the comments. Keep in mind that if you delete the wrong thing, you might cause all sorts of issues to your PC.

6: Deleting potentially malicious data – .Docm

Type each of the following locations in the Windows search box and hit enter to open the locations:

%AppData%

%LocalAppData%

%ProgramData%

%WinDir%

%Temp%

Delete everything you see in Temp linked to .Docm Ransomware. About the other folders, sort their contents by date and delete only the most recent entries. As always, if you are not sure about something, write to us in the comment section.

7: .Docm Decryption

The previous steps were all aimed at removing the .Docm Ransomware from your PC. However, in order to regain access to your files, you will also need to decrypt them or restore them. For that, we have a separate article with detailed instructions on what you have to do in order to unlock your data. Here is a link to that guide.

The post Remove .Docm Ransomware Virus (+File Recovery) appeared first on Malware Complaints.