The .Cetori virus – typical traits

Cetori is a new piece of malware that belongs to the Ransomware cryptovirus category (Masodas, Vesrato). It uses its advanced data encryptions to make the files of its targets inaccessible without the application of the corresponding unique decryption key. That key is kept on the hackers’ servers, and is promised to the users who pay the demanded ransom sum. The problem with the ransom payment, aside from it being quite costly most of the time, is that the user doesn’t get any guarantee that their files would indeed get released in the end. Some hackers offer to restore a file or two for free in order to convince their victims that they have a working decryption solution. However, even if the criminals do indeed have a decryption key, you can’t be sure that it will get sent to you once you pay. There are more than enough examples where the payment of the ransom from the user’s side didn’t result in the sending of the decryption key by the hackers. Considering how risky this all is, and also considering the fact that the required sum can oftentimes be quite sizeable, we advise you to first try other methods of dealing with this issue before you even think about paying.

The .Cetori file lockdown – solutions?

Sadly, we cannot offer you a surefire solution that will release all of your files with a hundred percent effectiveness, and that would work in all cases. Instead, the goal here is to try different things and minimize the negative consequences of the malware attack. In some cases, this might mean getting all of your files back, while in others it may be limited to removing the virus.

 The removal of Cetori is actually where you should start, no matter what alternative recovery method you want to try to use next. Below, you will find our Cetori removal guide, and you are advised to follow its instructions in order to get rid of the nefarious threat. After the malware is no longer inside your computer, you should visit the second section of the guide, which is focused on recovery. Try the suggestions there, and see if they work for you. Also, do not forget to check all your other devices and cloud services (if you use any) for any forgotten copies of the files that the Ransomware has locked in your computer – you may get lucky and find that some of your important files are still accessible on those other devices/cloud storages.

Cetori SUMMARY:

[add_third_banner]

Remove Cetori Ransomware 

1: Preparations

Note: Before you go any further, we advise you to bookmark this page or have it open on a separate device such as your smartphone or another PC. Some of the steps might require you to exit your browser on this PC.

2: Task Manager

Press Ctrl + Shift + Esc to enter the Task Manager. Go to the Tab labeled Processes (Details for Win 8/10). Carefully look through the list of processes that are currently active on you PC.

If any of them seems shady, consumes too much RAM/CPU or has some strange description or no description at all, right-click on it, select Open File Location and delete everything there.

Also, even if you do not delete the files, be sure to stop the process by right-clicking on it and selecting End Process.

3: IP related to Cetori

Go to c:\windows\system32\drivers\etc\hosts. Open the hosts file with notepad.

Find where it says Localhost and take a look below that. 

If you see any IP addresses there (below Localhost) send them to us here, in the comments since they might be coming from the Cetori.

[add_forth_banner]

4: Disable Startup programs

Re-open the Start Menu and type msconfig.

Click on the first search result. In the next window, go to the Startup tab. If you are on Win 10,  it will send you to the Startup part of the task manager instead, as in the picture:

If you see any sketchy/shady looking entries in the list with an unknown manufacturer or a manufacturer name that looks suspicious as there could be a link between them and Cetori , disable those programs and select OK.

5: Registry Editor

Press Windows key + R and in the resulting window type regedit.

Now, press Ctrl + F and type the name of the virus.

Delete everything that gets found. If you are not sure about whether to delete something, do not hesitate to ask us in the comments. Keep in mind that if you delete the wrong thing, you might cause all sorts of issues to your PC.

6: Deleting potentially malicious data – Cetori

Type each of the following locations in the Windows search box and hit enter to open the locations:

%AppData%

%LocalAppData%

%ProgramData%

%WinDir%

%Temp%

Delete everything you see in Temp linked to Cetori Ransomware. About the other folders, sort their contents by date and delete only the most recent entries. As always, if you are not sure about something, write to us in the comment section.

7: Cetori Decryption

The previous steps were all aimed at removing the Cetori Ransomware from your PC. However, in order to regain access to your files, you will also need to decrypt them or restore them. For that, we have a separate article with detailed instructions on what you have to do in order to unlock your data. Here is a link to that guide.

The post Cetori Virus Removal (+.Cetori File Recovery) appeared first on Malware Complaints.

The .Masodas virus – notable characteristics

Like other Ransomware infections, this virus is used for blackmailing purposes. It won’t compromise your computer system, and it won’t cause any actual damage to the system or to the files in it. Instead, it will make use of an encryption algorithm, that would allow it to lock up your files. All data found on your computer that may be valuable to you is likely to get locked up by this cryptovirus. If you know anything about data encryption, then you should be aware of the fact that the only reliable way of accessing an encrypted file is by using the corresponding access key. Without that key, accessing the locked files is highly difficult, and sometimes even impossible.

 Needless to say, the hackers have that key and they want you to “buy” it from them, be sending them a certain amount of money. This money is the ransom demanded of you if you wish to restore your access to the sealed data. As we said, without the access key, recovering your files may not always be possible.

 This brings us to the important question: “Should you give in to the demands of the hackers and go with the ransom payment?”, and to be honest, the answer to this question may vary greatly. However, the general advise given to Ransomware victims is to seek other methods of file recovery. Paying the ransom is rather risky as you may never really get the key for your files from the hackers, but if you have already sent the money to the criminals, that money could never be returned to you, even if you don’t really get the decryption key. Many users have faced such an issue – they have paid the ransom, but haven’t received anything that could help them with the recovery of their data.

The .Masodas file lockdown – our suggestion

The advice we give our readers who have faced a threat like Masodas, Vesrato or Nuksus is simply – remove the virus with the help of our guide, and then go to the section in our site that offers alternative recovery solutions. Sadly, we cannot guarantee if or how effective those solutions would be – you will have to try them and see for yourself. However, with those alternatives, you will at least not have to spend money on something you may never get, and even if you don’t recover your data, you will still manage to remove the Ransomware, which is essential if you want to be able to safely use your PC in the future.

SUMMARY:

[add_third_banner]

Remove .Masodas Virus Ransomware

1: Preparations

Note: Before you go any further, we advise you to bookmark this page or have it open on a separate device such as your smartphone or another PC. Some of the steps might require you to exit your browser on this PC.

2: Task Manager

Press Ctrl + Shift + Esc to enter the Task Manager. Go to the Tab labeled Processes (Details for Win 8/10). Carefully look through the list of processes that are currently active on you PC.

If any of them seems shady, consumes too much RAM/CPU or has some strange description or no description at all, right-click on it, select Open File Location and delete everything there.

Also, even if you do not delete the files, be sure to stop the process by right-clicking on it and selecting End Process.

3: IP related to Masodas

Go to c:\windows\system32\drivers\etc\hosts. Open the hosts file with notepad.

Find where it says Localhost and take a look below that. 

If you see any IP addresses there (below Localhost) send them to us here, in the comments since they might be coming from the Masodas.

[add_forth_banner]

4: Disable Startup programs

Re-open the Start Menu and type msconfig.

Click on the first search result. In the next window, go to the Startup tab. If you are on Win 10,  it will send you to the Startup part of the task manager instead, as in the picture:

If you see any sketchy/shady looking entries in the list with an unknown manufacturer or a manufacturer name that looks suspicious as there could be a link between them and Masodas , disable those programs and select OK.

5: Registry Editor

Press Windows key + R and in the resulting window type regedit.

Now, press Ctrl + F and type the name of the virus.

Delete everything that gets found. If you are not sure about whether to delete something, do not hesitate to ask us in the comments. Keep in mind that if you delete the wrong thing, you might cause all sorts of issues to your PC.

6: Deleting potentially malicious data – Masodas

Type each of the following locations in the Windows search box and hit enter to open the locations:

%AppData%

%LocalAppData%

%ProgramData%

%WinDir%

%Temp%

Delete everything you see in Temp linked to Masodas Ransomware. About the other folders, sort their contents by date and delete only the most recent entries. As always, if you are not sure about something, write to us in the comment section.

7: Masodas Decryption

The previous steps were all aimed at removing the Masodas Ransomware from your PC. However, in order to regain access to your files, you will also need to decrypt them or restore them. For that, we have a separate article with detailed instructions on what you have to do in order to unlock your data. Here is a link to that guide.

The post Masodas Virus Removal (+.Masodas File Recovery) appeared first on Malware Complaints.

 Nuksus is a virus of this category and though it has been released quite recently, the number of its victims is already quite high, and more and more people are falling prey to this malicious program everyday. Below this short article, you will find a guide which focuses on the removal of Nuksus – we advise you to use that guide if Nuksus has managed to enter your computer and lock up your files. However, you must know that removing the cryptovirus will probably not be enough to get your files unlocked, because the encryption would remain on them regardless of whether the virus is in your computer or not.

Fighting the .Nuksus file encryption

One obvious way you can deal with the encryption is if you pay the ransom. However, we do not advise you to take that path. Firstly, the money for the ransom is likely to be quite a lot, and not everyone can afford to pay such a ransom. Secondly, even if the files that the malware has locked are so important that you are ready to spend a big amount of money in order to unlock them, there can’t be any guarantee that after the payment you will receive the needed access key. Do not forget that the people behind Nuksus, Coharos or Nasoh are criminals, and the ransom payment is not a legitimate deal but a criminal money extortion scheme. As soon as the hackers get your money, you are left at their mercy – you may or may not receive a key from them. In either case, however, your money would be gone, and there is nothing you can do to change that.

Dealing with the .Nuksus virus

As we said, the guide below will help you eliminate the infection, and while this will likely not result in the automatic release of your files, it will give you the opportunity to try some other methods of restoring your data. Several such methods you can find in the second part of our guide – use them once you are done removing the virus and see if they work for you. Unfortunately, it is possible that the recovery suggestions we have here, on our site, may not be effective in your case. However, the same can be said about the ransom payment. At least if you go for the alternatives, you won’t be spending your money be giving it to the criminal hackers, who are responsible for all of this to begin with.

Nuksus SUMMARY:

[add_third_banner]

Nuksus Virus Removal

1: Preparations

Note: Before you go any further, we advise you to bookmark this page or have it open on a separate device such as your smartphone or another PC. Some of the steps might require you to exit your browser on this PC.

2: Task Manager

Press Ctrl + Shift + Esc to enter the Task Manager. Go to the Tab labeled Processes (Details for Win 8/10). Carefully look through the list of processes that are currently active on you PC.

If any of them seems shady, consumes too much RAM/CPU or has some strange description or no description at all, right-click on it, select Open File Location and delete everything there.

Also, even if you do not delete the files, be sure to stop the process by right-clicking on it and selecting End Process.

3: IP related to Nuksus

Go to c:\windows\system32\drivers\etc\hosts. Open the hosts file with notepad.

Find where it says Localhost and take a look below that. 

If you see any IP addresses there (below Localhost) send them to us here, in the comments since they might be coming from the Nuksus.

[add_forth_banner]

4: Disable Startup programs

Re-open the Start Menu and type msconfig.

Click on the first search result. In the next window, go to the Startup tab. If you are on Win 10,  it will send you to the Startup part of the task manager instead, as in the picture:

If you see any sketchy/shady looking entries in the list with an unknown manufacturer or a manufacturer name that looks suspicious as there could be a link between them and Nuksus , disable those programs and select OK.

5: Registry Editor

Press Windows key + R and in the resulting window type regedit.

Now, press Ctrl + F and type the name of the virus.

Delete everything that gets found. If you are not sure about whether to delete something, do not hesitate to ask us in the comments. Keep in mind that if you delete the wrong thing, you might cause all sorts of issues to your PC.

6: Deleting potentially malicious data – Nuksus

Type each of the following locations in the Windows search box and hit enter to open the locations:

%AppData%

%LocalAppData%

%ProgramData%

%WinDir%

%Temp%

Delete everything you see in Temp linked to Nuksus Ransomware. About the other folders, sort their contents by date and delete only the most recent entries. As always, if you are not sure about something, write to us in the comment section.

7: Nuksus Decryption

The previous steps were all aimed at removing the Nuksus Ransomware from your PC. However, in order to regain access to your files, you will also need to decrypt them or restore them. For that, we have a separate article with detailed instructions on what you have to do in order to unlock your data. Here is a link to that guide

The post Nuksus Virus Removal (+.Nuksus File Recovery) appeared first on Malware Complaints.