Nemucod Ransomware Removal Guide

Threat Level: 9/10
Category: Trojans

Nemucod Ransomware is a Trojan infection that encrypts user data with the RSA-1024 algorithm. Fortunately, this cryptosystem is not the most difficult one, and someone managed to develop a working decryptor. This means that even if you do not pay the ransom, you still have a chance to recover your enciphered files. Either way, you should not hesitate to delete the malware from your system. Our researchers tested the infection and learned that it can auto-start with Windows, connect to the Internet without permission, and even download other malicious applications, which is why removing it is crucial. The instructions below explain how to get rid of it manually. If you want to be completely sure that there are no other malicious programs, scan your system with a reliable antimalware tool after Nemucod Ransomware is gone.

First, the malware places a text document in the %TEMP% directory that contains a warning from the ransomware's creators. It says that you must pay the ransom within three days, or you will lose your data. The payment must be made in Bitcoins, so the instructions in the text document also explain how to create a Bitcoin wallet and transfer the money. The main purpose of the malware is to extort money by encrypting data that is personal and important to the infected user. That is why it affects videos, pictures, photos, and other similar files in various formats. The encrypted files are easy to recognize: they cannot be opened, and they have the .crypted extension at the end. The encryption process begins right after the malware settles in your system.

Nemucod Ransomware is distributed through email attachments. Unlike other similar threats that spread through malicious text or executable files, this one travels with .js files. It was noticed that the malicious .js file could be inside an archive. Such an attachment might make you curious, but it is better to avoid it unless it comes from someone you can trust. However, the best way to check whether the file is malicious is to scan it with a security tool.

What we noticed about this particular malware is that it might download a Trojan known as Kovter (Poweliks). Thus, if you notice any other unusual activity on your computer, you should read more about this Trojan, too. Probably the best way to get rid of both malicious programs is to download an antimalware tool and use its automatic removal features.

If you are confident that the only malicious application on your computer is Nemucod Ransomware, you can try to delete it with the instructions placed below the article. They list the main folders and files that are related to the malware. They also tell you how to recognize the random Value names created by this infection and how to remove them. As we said before, if this seems too complicated, do not waste your time and eliminate the ransomware with a trustworthy antimalware tool. We should also mention that if you have not decided whether you want to pay the ransom, you should not delete the text document, as it contains the payment instructions.

Delete Nemucod Ransomware

  1. Open the Run dialog (Windows Key+R).
  2. Type regedit and press Enter.
  3. Locate the given path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Find the Value name Upkfmedia.
  5. Right-click it and select Delete.
  6. Locate one more Value name that has a random title.
  7. Check if its Value data contains the following line: C:\Windows\SysWOW64\regsvr32.exe C:\Users\user\AppData\Local\Upkfmedia\libtext.dll
  8. Right-click that Value name and select Delete.
  9. Close the Registry Editor.
  10. Open the Explorer (Windows Key+E).
  11. Copy and paste this directory: %TEMP%
  12. Find and remove the given files: a0.exe, a2.exe, a.txt.
  13. Go to: %LocalAppData%
  14. Locate the folder named Upkfmedia and right-click to delete it.
  15. Close the Explorer and empty the Recycle Bin.
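
The checks in steps 3 to 14 can also be run as a read-only PowerShell script that reports what is present without deleting anything. This is an added example, not part of the original guide; the registry path, value name, file names and folder name come from the steps above, while the helper name Add-Finding and the output columns are illustrative assumptions.

```powershell
# Added example: read-only check for the artifacts named in the steps above.
# Run it as the affected user: HKCU, %TEMP% and %LocalAppData% are per-user.
$runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = New-Object 'System.Collections.Generic.List[object]'

# Hypothetical helper: records one hit so everything is reported in one table.
function Add-Finding($Type, $Item, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail })
}

# Steps 3-8: the guide lists one value named Upkfmedia and one randomly named
# value whose data registers libtext.dll through regsvr32.exe.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data   = [string]$key.GetValue($name)
        $byName = ($name -eq 'Upkfmedia')
        # Match the folder and DLL name, not the full path, because the
        # profile directory (C:\Users\user in the guide) differs per machine.
        $byData = ($data -match 'regsvr32\.exe') -and
                  ($data -match '\\Upkfmedia\\libtext\.dll')
        if ($byName -or $byData) { Add-Finding 'RunValue' $name $data }
    }
}

# Steps 11-12: files the guide lists in %TEMP%.
foreach ($file in 'a0.exe', 'a2.exe', 'a.txt') {
    $path = Join-Path $env:TEMP $file
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        Add-Finding 'TempFile' $path ("{0} bytes, modified {1}" -f $item.Length, $item.LastWriteTime)
    }
}

# Steps 13-14: the Upkfmedia folder under %LocalAppData%.
$folder = Join-Path $env:LOCALAPPDATA 'Upkfmedia'
if (Test-Path -LiteralPath $folder -PathType Container) {
    $names = (Get-ChildItem -LiteralPath $folder -Force | ForEach-Object { $_.Name }) -join ', '
    Add-Finding 'Folder' $folder $names
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'None of the artifacts listed in the guide were found for this user.'
}
```

The file names in %TEMP% are short and generic, so a file hit without a matching Run value or Upkfmedia folder is a prompt to inspect the file rather than proof of infection.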