How to remove (uninstall) DetoxCrypto

Recently, the new ransomware virus was discovered on the Internet. Researchers from MalwareHunterTeam reported that there are two viruses that have almost the same structure, but use different names, the message and the visual interface. Viruses are called Calypso and Pokemongo, and the common name of this group of viruses - DetoxCrypto.

These two viruses are quite different from each other. Pokemongo virus was first detected in Canada, and is distributed via installation file pokemongo.exe. This virus is different in that it uses the symbolism of the famous game PokemonGo to attract users. The user thinks that installs a new version of the game, or a special application for it, and it allows the virus to enter the computer. Hackers ask a ransom of 2 BTC, and threaten user to delete all files within 96 hours from the onset of the message. They also threaten to destroy the files if the user tries to remove the virus or stop its process in task manager.

The second virus named Calypso was first discovered in Korea and distributed in form of file Calypso.exe. It does not use any special symbols or images, but makes screenshots of the user's desktop before showing him a message with the ransom demand. It is not known for what purpose it is done. Also, it is unknown do the viruses bind to specific countries. Both viruses are using AES encryption algorithm.

Viruses differ by the complex anatomy. After penetrating a computer, a single .exe file is installed, and extracts a few files that are responsible for separate processes. The main threat is a file called MicrosoftHost.exe, which directly carries out encryption and replaces the extension to files. He also is responsible for stopping MySQL and MSSQL services and replacement of wallpaper on the desktop. Files matching the name of the virus are responsible for playing audio messages, and the ability to decrypt the files, after entering the correct password.

How to remove DetoxCrypto manually

While infected by ransomvare, removing the virus is of secondary importance, but if you are going to try to decipher the data manually, or restore them - you should remove the virus firts. While there is no data on whether the files are actually deleted when you try to shut down the computer, or stop the virus process. However, if you want to be sure that the data will be safe - you should turn off the power of computer by disconnecting the power cord. Then turn on the PC in safe mode and remove the virus as it is written in our instructions.

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe ->Disable unknown programs in the Startup tab

Startup

Step 3. Check hosts file

Modify hosts file, that located in C:\Windows\System32\drivers\etc\ .

Hosts file.Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file.Step 2

It has to look like this:

Hosts file.Step 3

Step 4. Scan the system with antiviral scanner

 

Antivirus scanner

Why we recommend SpyHunter antimalware as removal tool

Removes virus fully: all files and even registry keys of malware will be deleted

Protects your system in the future

24/7 free support team

bwd  Instructions 1/2  fwd

Step 5. Disable Safe mode

Start -> Msconfig.exe ->Disable Safe boot in the Boot tab

Deactivate Safe mode

How to restore the encrypted files

DetoxCrypto virus appeared on the Internet recently, and at the moment we cannot say it is possible to recover files through the normal means of recovery. Currently there is no special decryption tool. If you want to try to recover the files using the Shadow Volume Copies service, then you need a program called Recuva or Shadow Explorer. All instructions on how to use them can be found on the official websites. We still don’t have full information on DetoxCrypto, and we will update the article as soon as new data will arrive.

Add comment

Security code
Refresh

This website uses cookies to improve your experience. If you continue using the site, we will assume that you accept our cookies policy.