How to remove Hese ransomware virus and restore encrypted files

This article is dedicated to the Hese ransomware virus: we describe how the malware penetrates a system and the possible ways to remove it, and give you tips for restoring files, where that is possible.

Hese ransomware virus

At the end of August, a huge wave of ransomware hit users all over the world. The most active and hardest to defend against were viruses based on the DJVU algorithms and the Dharma malware. These virus families are themselves very old, but new versions are released every three days or even more often. The very first versions were decrypted by professional virus fighters, but the latest ones are hard to fight because they are more complicated. The basic algorithms are the same and include the AES or RSA cipher systems. Both are highly complex, and many security features use them as their foundation. The point is that even very skilled people with powerful machines can't decrypt the information and regain access without the secret key. Every successful restoration of files to their initial state has come from skilled analysis of the code by specialized antivirus companies.

Hese, like Gero, is a variety of the DJVU malware. It is also known as the STOP family, after the first extension name that was added to corrupted files. It is distributed through fake e-mails that pretend to come from delivery companies. The hackers tell the victim that a delivery failed and ask them to open the attachment for more information. After the victim opens the letter, malicious macros start to run. Only an excellent antivirus can stop it. If the antivirus fails to protect the system, the user will not notice anything until all the files (jpg, jpeg, png, doc, docx, txt, etc.) are encrypted. After that, only backups can save your information. If you have copies on an external hard drive, you are very prudent. In this case, check the system for viruses and then restore the files. If you have backups on a cloud service, break the internet connection immediately to prevent the original files from being overwritten by their encrypted copies. Then connect to your cloud from a safe system and download the files from there, and don't forget to turn off the synchronization function.

Another method of penetration used by Hese ransomware is to scan for an unprotected TCP port 3389 and try to guess the password to the system. To protect yourself, close unused TCP ports or turn on your firewall.




So, what should you do once the infection has happened?

  • First, turn off your internet connection, including local networks, to prevent other computers from being infected.
  • Then try to understand how your machine was infected: by a malicious letter or by a compromised TCP connection.
  • Save the virus file; it can help a virus analyst understand what happened.
  • Delete the viral elements from the system.
  • Try to restore the information.
  • And don't panic; the infection has already done the worst it can.

The first three points are easy to do. For example, the most effective way to break your internet connection is to pull the cable out of the computer by hand. The second is very individual for each user. We will focus on Hese virus removal and information restoration.
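To help with the second point, the following added example (not part of the original article) checks whether the TCP port 3389 route described above was open on the machine and whether the Security log shows signs of password guessing. It assumes Windows 10 with Windows PowerShell 5.1, an elevated session, and a 7-day look-back window chosen for illustration.

```powershell
# Added example, not from the original article. Run in an elevated
# Windows PowerShell 5.1 session; reading the Security log needs admin rights.

# 1. Is Remote Desktop allowed? fDenyTSConnections = 0 means RDP is enabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# 2. Is anything listening on TCP 3389 right now?
$listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

# 3. Failed logons (event ID 4625) in the look-back window. Logon type 10 is
#    RemoteInteractive (RDP); type 3 (Network) is what RDP with NLA records.
$since  = (Get-Date).AddDays(-7)   # assumption: adjust the window as needed
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Index the event's named data fields (TargetUserName, IpAddress, ...).
        $fields = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            User      = $fields['TargetUserName']
            LogonType = $fields['LogonType']
            Source    = $fields['IpAddress']
        }
    } | Where-Object { @('3', '10') -contains $_.LogonType })

"RDP enabled in registry             : $rdpEnabled"
"Listener on TCP 3389                : $listening"
"Failed network/RDP logons in window : $($failed.Count)"

# Many failures from one address, spread over many user names, is the
# pattern that password guessing leaves behind.
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name,
        @{ Name = 'DistinctUsers'; Expression = { @($_.Group.User | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize
```

Event 4625 is only recorded when auditing of failed logons is enabled, so an empty result does not rule this route out.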

How to remove Hese virus

Step 1. Boot in Safe mode

Start -> Msconfig.exe

On the Boot tab, select Safe boot.

Step 2. Check Startup folder

Start -> Msconfig.exe -> Disable unknown programs in the Startup tab


Step 3. Check hosts file

Edit the hosts file, which is located in C:\Windows\System32\drivers\etc\.

Open the file with Notepad and delete any suspicious lines.

It has to look like this:
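On a default Windows installation every line of the hosts file is a comment beginning with #, so any active entry deserves a look. The following added example (not part of the original article) lists the active entries and marks those that are not a plain loopback-to-localhost mapping; it assumes Windows PowerShell 5.1, and the backup file name is a hypothetical choice.

```powershell
# Added example, not from the original article: list the active entries in
# the hosts file so that unexpected ones can be reviewed by hand.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-ActiveHostsEntry {
    param([string[]]$Lines)
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        # Drop everything after '#' (comment) and trim whitespace.
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }

        $fields  = @($text -split '\s+')
        $address = $fields[0]
        $names   = @($fields | Select-Object -Skip 1)

        # Only a loopback address mapped to "localhost" is treated as expected.
        $loopback   = @('127.0.0.1', '::1') -contains $address
        $unexpected = @($names | Where-Object { $_ -ne 'localhost' })
        $review     = (-not $loopback) -or ($names.Count -eq 0) -or ($unexpected.Count -gt 0)

        [pscustomobject]@{
            Line    = $lineNo
            Address = $address
            Names   = $names -join ' '
            Review  = $review
        }
    }
}

$entries = @(Get-ActiveHostsEntry -Lines (Get-Content -LiteralPath $hostsPath))
if ($entries.Count -eq 0) {
    'No active entries: the hosts file contains only comments and blank lines.'
} else {
    $entries | Format-Table -AutoSize
    # Keep a copy of the current file before editing it in Notepad
    # (hypothetical file name).
    Copy-Item -LiteralPath $hostsPath -Destination "$env:USERPROFILE\hosts.before-cleanup.txt"
}
```

Rows with Review set to True are candidates for removal, not automatic deletions: some legitimate software also adds hosts entries.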

Step 4. Scan the system with antiviral scanner

Download an antivirus other than the one you have, because yours did not catch the malware the first time. We advise using SpyHunter as a good alternative. Deleting viral files with it is paid, but detecting malware elements is free, so you can see whether any malicious parts remain.

Step 5. Disable Safe mode

Start -> Msconfig.exe -> Disable Safe boot in the Boot tab

How to restore .hese files

After uninstalling the virus from the system, you should get back the corrupted files. Of course, the easiest way is to use saved copies and system backups. However, not many of us make backups regularly. We won't try to decipher the data, because it's no use, but we will try to get it back via OS functionality and additional software. There is a chance of getting lucky, but file restoration usually takes a lot of time and money. If you are interested in manual file restoration, look at this article, which describes the most efficient methods: article about files decryption. There is no decryption tool specifically for Hese ransomware, so another option is to copy the encrypted files, together with _readme.txt, to an external drive and keep them until better times. If someone finds a way to decrypt the data, we can use it.

How to prevent infection in the future

All types of hazardous programs have one thing in common: it is simpler to avoid them than to cure them. Unfortunately, 90% of users realize the importance of computer literacy only after a ransomware infection. To shield yourself, you must remember three basic principles:

  • Carefully check your e-mails, specifically those messages that have attached files. A very popular model of fraud letter is a notification about winning a prize or receiving a parcel. In addition, you should keep an eye on business-related messages, especially if the sender's address and the content are unknown to you. It is natural to take an interest and open the letter even if it is obviously not for you, but remember that one click on the attached file can cost you lots of time, money and headache.
  • Keep an eye on the status of your PC. Encrypting files requires a lot of computing resources. If you notice a sudden drop in computer performance or a weird process in the Process Manager, you should switch off the computer, boot it in safe mode, and search for viruses. Surely, some files will be lost, but you will protect the rest.
  • Pay attention to pop-up windows. One of the most efficient methods of information recovery is restoration through Shadow Copies, and hackers have made deleting them one of the primary features of malware. However, deletion of shadow copies needs administrator rights and your confirmation. Therefore, if you do not accept changes from a weird program at the right time, you will keep the chance to restore all lost files free of charge.

Virus elimination isn't the happy end - it's only a first step on the long road until the complete data restoration.

