DetoxCrypto ransomware / virus (Improved Instructions) - Sep 2016 update

DetoxCrypto virus Removal Guide

What is DetoxCrypto ransomware virus?

DetoxCrypto ransomware releases two versions at once: Calipso and Pokemon. How do these viruses operate?

DetoxCrypto virus happens to be a severe ransomware-type computer infection, which has been discovered under two different names. The first one is Pokemon ransomware, and the second one is known as Calipso ransomware. Both of these viruses were created to encrypt victim’s files and make data inaccessible. The point of such malicious activity is to swindle money from the victim, asking to pay a ransom in exchange for a decryption software. No matter what, we do not recommend paying the ransom, so instead of reaching for your credit card, you should start thinking about DetoxCrypto removal. We recommend using a strong malware removal tool, for example, FortectIntego software to remove DetoxCrypto virus. For more information about its removal, follow instructions provided at the end of this article.

The infection is distributed in a form of a single executable file, which, once executed, drops the following files on victim’s computer:

  • MicrosoftHost.exe – this file is intended to encrypt victim’s data and stop database servers. It also changes victim’s desktop wallpaper with an image displaying a message from cyber criminals.
  • Pokemon.exe or Calipso.exe file – this is ransomware’s executable file that allows to decrypt victim’s data in case the victim has the right decryption key. It also plays the audio file.
  • .wav extension file – this is the audio file, which is going to be executed by Pokemon.exe or Calipso.exe program.

Variants of DetoxCrypto virus

Both these viruses act similarly and during the encryption process, they do not append any file extensions to encrypted data. However, there are some differences between these malware variants. Besides, new versions have been spotted, so we would like to list all DetoxCrypto virus variants below.

Versions of DetoxCrypto malware

Calipso ransomware virus – this virus creates a folder named Calipso, where it stores its components. This virus plays an audio file, which reads a short message informing the victim that files have been encrypted and to unlocked them the victim needs to pay 2 Bitcoins in 3 days. According to the message played, the ransom price increases each extra day by 1 BitCoin. The message claims that if the victim deletes the virus, all encrypted files will be removed as well. The ransomware sample that was tested provided email address. The victim can contact cyber criminals via it to get instructions on how to pay the ransom. What is also interesting about this ransomware variant is that it screenshots victim’s desktop image and sends it to cybercriminals’ server. Although there is no exact information why this virus acts like that, we assume that it might try to find valuable files on victim’s screen and attempt to ask the victim to pay a higher ransom.

Pokemon ransomware virus, also known as We are all Pokemons virus. Although it is named similarly to PokemonGo ransomware, this malicious program is an entirely different example of malware. Once it locks the computer, it executes the audio file, which basically plays a silly melody. The desktop background will be changed to an image displaying some text and a sad Pikachu next to it. The price of the decryption software does not differ from Calipso’s. The victim is asked to pay up in 96 hours; otherwise, all files on computer will be deleted. According to the ransom note, the same happens if the victim removes the ransomware components from the computer. The email provided on the lock screen is

Serpico ransomware virus. This is the latest version of this malware. Though it asks for a relatively modest ransom, do not consider paying the money. Its operation ways and encryption techniques are still under the veil of mystery. In addition, Serpico virus has a distinctive feature – it does not append any extension to the corrupted files. Its distribution techniques do not differ much from the rest of ransomware threats. Avoid reading spam emails and verify the sender before opening the form of a supposed official document. File sharing domains should be avoided as well. Finally, the virus presents the same email address as calipso malware –

MotoxLocker ransomware virus. This is the newest variant of DetoxCrypto ransomware, which locks files with AES encryption and then demands a ransom of 50 Euros. Of course, the virus claims that it is impossible to recover data in any way except of paying the ransom. Luckily, that is not true because victims of MotoxLocker virus can now recover their files for free – MotoxLocker decryption tool has already been released. It appears that there were flaws in virus' code that allowed to reveal the unique decryption key quite easily. Before using this tool, MotoxLocker malware must be removed from the compromised computer.

September 2016 update: DetoxCrypto ransomware now imitates antivirus to get into the users' computers

DetoxCrypto ransomware does not cease to cause havoc on the users' computers, but the virus developers want more. They are still looking for the best virus distribution techniques and have recently released a test version of the virus which spreads disguised as malwerbyte.exe executable. You can clearly see a problem here. Though there is a mistake in the title, some less attentive users may easily mistake it for the legitimate Malwarebytes antivirus file. You can be offered to download this file in some deceptive software update pop-up or receive it pinned to a malicious email directly to your inbox. Thus, you have to be very careful and update or download the desired software only through the reputable sources. Luckily, this praticular variant of the virus does not encrypt files and can be deleted from the computer quite easily. Nevertheless, as we have already said, the hackers might be simply testing the waters, and it is just a matter of time when this strategy of will be applied for spreading real ransomware.

Methods used to distribute DetoxCrypto malware

DetoxCrypto virus, just like any other crypto-ransomware type virus is distributed via malicious emails and malvertising. Sadly, we cannot provide any specific email addresses that send emails including this ransomware, because crooks create hundreds of them. Our advice is always to bypass emails that come from unknown sources, and not to open files attached to them. You might also install this ransomware after clicking on a malware-laden web advertisement. We suggest you to avoid clicking on aggressive ads that urge you to scan your computer system with some never-heard-of computer security software and do not agree to install Java or Flash updates if these offers come from suspicious third-party websites. If you think that you need to update these programs, just go directly to their official developer’s site and install legitimate ones. What is more, this malware might be distributed via exploit kits, although currently there is no official information claiming that a particular exploit kit spreads one of these DetoxCrypto viruses. However, we strongly suggest installing a strong anti-malware program to protect your PC from malware attacks.

DetoxCrypto removal tutorial

To remove DetoxCrypto virus, please use a strong malware removal software. Make sure you update it to its latest version before you allow it to perform a system scan. We do not recommend you to carry out DetoxCrypto removal manually because it is a highly important procedure that needs to be completed in a correct way. If you are not an advanced PC user, please do not try to delete this virus manually. If you cannot download anti-malware software or update the one that you have because this virus does not allow you to do so, please follow these instructions:

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of DetoxCrypto virus. Follow these steps

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove DetoxCrypto using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of DetoxCrypto. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that DetoxCrypto removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove DetoxCrypto from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Unfortunately, there is no decryption tool invented for the DetoxCrypto yet, but you can follow a few of the data recovery methods our experts provide below. We hope that among them you will find a technique which allows you to get at least some of your personal data back.

If your files are encrypted by DetoxCrypto, you can use several methods to restore them:

Method of DetoxCrypto recovery using Data Recovery Pro

DetoxCrypto is a tricky infection and it will most likely leave you without your data. But with the modern software such as Data Recovery Pro, you still have some hope of recovering your data. It is the least skill and effort requiring technique which can really help you recover your data, so why not give it a try? The steps you'll need to take are provided below: 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by DetoxCrypto ransomware;
  • Restore them.

Method of retrieving data after DetoxCrypto using Windows Previous Versions feature

If you haven't heard about data recovery using Windows Previous Versions feature, you may find this data recovery method helpful. All you need for this method to work is make sure your System Restore function was enabled before DetoxCrypto infiltration. Then, simply follow this guide:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Method of data retrieval with the help of ShadowExplorer

If DetoxCrypto has not deleted Shadow Volume Copies from your PC — you are lucky. You can try to recover your data using ShadowExplorer which extracts the mentioned copies of the files from the system's backup and restores them. To carry out this procedure properly, please read through the instructions below: 

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from DetoxCrypto and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

Removal guides in other languages