Severity scale:  

Remove DetoxCrypto ransomware / virus (Improved Instructions) - Jan 2021 update

removal by Olivia Morelli - - | Type: Ransomware

DetoxCrypto ransomware releases two versions at once: Calipso and Pokemon. How do these viruses operate?

DetoxCrypto virus happens to be a severe ransomware-type computer infection, which has been discovered under two different names. The first one is Pokemon ransomware, and the second one is known as Calipso ransomware. Both of these viruses were created to encrypt victim’s files and make data inaccessible. The point of such malicious activity is to swindle money from the victim, asking to pay a ransom in exchange for a decryption software. No matter what, we do not recommend paying the ransom, so instead of reaching for your credit card, you should start thinking about DetoxCrypto removal. We recommend using a strong malware removal tool, for example, ReimageIntego software to remove DetoxCrypto virus. For more information about its removal, follow instructions provided at the end of this article.

The infection is distributed in a form of a single executable file, which, once executed, drops the following files on victim’s computer:

  • MicrosoftHost.exe – this file is intended to encrypt victim’s data and stop database servers. It also changes victim’s desktop wallpaper with an image displaying a message from cyber criminals.
  • Pokemon.exe or Calipso.exe file – this is ransomware’s executable file that allows to decrypt victim’s data in case the victim has the right decryption key. It also plays the audio file.
  • .wav extension file – this is the audio file, which is going to be executed by Pokemon.exe or Calipso.exe program.

Variants of DetoxCrypto virus

Questions about DetoxCrypto ransomware virus

Both these viruses act similarly and during the encryption process, they do not append any file extensions to encrypted data. However, there are some differences between these malware variants. Besides, new versions have been spotted, so we would like to list all DetoxCrypto virus variants below.

Versions of DetoxCrypto malware

Calipso ransomware virus – this virus creates a folder named Calipso, where it stores its components. This virus plays an audio file, which reads a short message informing the victim that files have been encrypted and to unlocked them the victim needs to pay 2 Bitcoins in 3 days. According to the message played, the ransom price increases each extra day by 1 BitCoin. The message claims that if the victim deletes the virus, all encrypted files will be removed as well. The ransomware sample that was tested provided email address. The victim can contact cyber criminals via it to get instructions on how to pay the ransom. What is also interesting about this ransomware variant is that it screenshots victim’s desktop image and sends it to cybercriminals’ server. Although there is no exact information why this virus acts like that, we assume that it might try to find valuable files on victim’s screen and attempt to ask the victim to pay a higher ransom.

Pokemon ransomware virus, also known as We are all Pokemons virus. Although it is named similarly to PokemonGo ransomware, this malicious program is an entirely different example of malware. Once it locks the computer, it executes the audio file, which basically plays a silly melody. The desktop background will be changed to an image displaying some text and a sad Pikachu next to it. The price of the decryption software does not differ from Calipso’s. The victim is asked to pay up in 96 hours; otherwise, all files on computer will be deleted. According to the ransom note, the same happens if the victim removes the ransomware components from the computer. The email provided on the lock screen is

Serpico ransomware virus. This is the latest version of this malware. Though it asks for a relatively modest ransom, do not consider paying the money. Its operation ways and encryption techniques are still under the veil of mystery. In addition, Serpico virus has a distinctive feature – it does not append any extension to the corrupted files. Its distribution techniques do not differ much from the rest of ransomware threats. Avoid reading spam emails and verify the sender before opening the form of a supposed official document. File sharing domains should be avoided as well. Finally, the virus presents the same email address as calipso malware –

MotoxLocker ransomware virus. This is the newest variant of DetoxCrypto ransomware, which locks files with AES encryption and then demands a ransom of 50 Euros. Of course, the virus claims that it is impossible to recover data in any way except of paying the ransom. Luckily, that is not true because victims of MotoxLocker virus can now recover their files for free – MotoxLocker decryption tool has already been released. It appears that there were flaws in virus' code that allowed to reveal the unique decryption key quite easily. Before using this tool, MotoxLocker malware must be removed from the compromised computer. 

September 2016 update: DetoxCrypto ransomware now imitates antivirus to get into the users' computers

DetoxCrypto ransomware does not cease to cause havoc on the users' computers, but the virus developers want more. They are still looking for the best virus distribution techniques and have recently released a test version of the virus which spreads disguised as malwerbyte.exe executable. You can clearly see a problem here. Though there is a mistake in the title, some less attentive users may easily mistake it for the legitimate Malwarebytes antivirus file. You can be offered to download this file in some deceptive software update pop-up or receive it pinned to a malicious email directly to your inbox. Thus, you have to be very careful and update or download the desired software only through the reputable sources. Luckily, this praticular variant of the virus does not encrypt files and can be deleted from the computer quite easily. Nevertheless, as we have already said, the hackers might be simply testing the waters, and it is just a matter of time when this strategy of will be applied for spreading real ransomware.

Methods used to distribute DetoxCrypto malware

DetoxCrypto virus, just like any other crypto-ransomware type virus is distributed via malicious emails and malvertising. Sadly, we cannot provide any specific email addresses that send emails including this ransomware, because crooks create hundreds of them. Our advice is always to bypass emails that come from unknown sources, and not to open files attached to them. You might also install this ransomware after clicking on a malware-laden web advertisement. We suggest you to avoid clicking on aggressive ads that urge you to scan your computer system with some never-heard-of computer security software and do not agree to install Java or Flash updates if these offers come from suspicious third-party websites. If you think that you need to update these programs, just go directly to their official developer’s site and install legitimate ones. What is more, this malware might be distributed via exploit kits, although currently there is no official information claiming that a particular exploit kit spreads one of these DetoxCrypto viruses. However, we strongly suggest installing a strong anti-malware program to protect your PC from malware attacks.

DetoxCrypto removal tutorial

To remove DetoxCrypto virus, please use a strong malware removal software. Make sure you update it to its latest version before you allow it to perform a system scan. We do not recommend you to carry out DetoxCrypto removal manually because it is a highly important procedure that needs to be completed in a correct way. If you are not an advanced PC user, please do not try to delete this virus manually. If you cannot download anti-malware software or update the one that you have because this virus does not allow you to do so, please follow these instructions:

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove DetoxCrypto virus, follow these steps:

Remove DetoxCrypto using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove DetoxCrypto

    Log in to your infected account and start the browser. Download ReimageIntego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete DetoxCrypto removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove DetoxCrypto using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of DetoxCrypto. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with ReimageIntego and make sure that DetoxCrypto removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove DetoxCrypto from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Unfortunately, there is no decryption tool invented for the DetoxCrypto yet, but you can follow a few of the data recovery methods our experts provide below. We hope that among them you will find a technique which allows you to get at least some of your personal data back.

If your files are encrypted by DetoxCrypto, you can use several methods to restore them:

Method of DetoxCrypto recovery using Data Recovery Pro

DetoxCrypto is a tricky infection and it will most likely leave you without your data. But with the modern software such as Data Recovery Pro, you still have some hope of recovering your data. It is the least skill and effort requiring technique which can really help you recover your data, so why not give it a try? The steps you'll need to take are provided below: 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by DetoxCrypto ransomware;
  • Restore them.

Method of retrieving data after DetoxCrypto using Windows Previous Versions feature

If you haven't heard about data recovery using Windows Previous Versions feature, you may find this data recovery method helpful. All you need for this method to work is make sure your System Restore function was enabled before DetoxCrypto infiltration. Then, simply follow this guide:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Method of data retrieval with the help of ShadowExplorer

If DetoxCrypto has not deleted Shadow Volume Copies from your PC — you are lucky. You can try to recover your data using ShadowExplorer which extracts the mentioned copies of the files from the system's backup and restores them. To carry out this procedure properly, please read through the instructions below: 

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from DetoxCrypto and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

Removal guides in other languages

  1. Glass10 says:
    August 22nd, 2016 at 3:46 am

    Its incredible how quickly these ransomware viruses spread and how many computers they manage to infect! My aunt has become a victim yesterday… no idea how to decrypt files. We were affected by the pokemon-themed ransomware version.

  2. Tears says:
    August 23rd, 2016 at 9:54 am

    Ive got infected with Calipso, I think. No pokemons on my screen. But two bitcoins?? aint gonna pay that!

  3. Omen says:
    August 23rd, 2016 at 9:55 am

    Why people pay ransoms at all? Why would you support a cyber criminal? if the ransom was not that big?

  4. Tears says:
    August 23rd, 2016 at 9:56 am

    Nah, I wouldnt. Im just saying that cybercriminals are greedy as hell!

Your opinion regarding DetoxCrypto ransomware virus