Severity scale: 98/100

Djvu ransomware. How to remove? (Uninstall guide)

Removal guide by Gabriel E. Hall | Type: Ransomware

Djvu ransomware is a data locking malware that uses a variety of file extensions, including .tfude, .pdff and .adobe

Djvu ransomware virus
Djvu ransomware is a risky file locking cyber threat which adds the .djvu, .djvus, .tfude, .adobe or .pdff appendix to each blocked document and displays the _openme.txt ransom message.


Djvu ransomware, also known as the .djvu files virus, is a file locker and a member of the STOP ransomware family. The malware first appeared in December 2018 and proved extremely successful, affecting numerous victims worldwide. Initially, researchers did not know how this variant was being distributed, but victims later reported finding the infection on their computers after downloading a crack or a keygen. After infiltration, Djvu ransomware heavily modifies Windows settings, locks files by appending an extension and then drops a ransom note that provides the criminals' contact details and tells victims what to do next. While the original payload used the .djvu, .djvus, .djvuu, .uudjvu, .udjvu or .djvuq extensions, the more recent variants rely on .promorad and .promock. Note that these newer variants cannot be decrypted, unlike some older Djvu versions, which are decryptable with the help of STOPDecrypter. If the decryptor does not work for your ID, keep in mind that paying the ransom in Bitcoin is not the solution.

Name: Djvu
Category: Ransomware virus
Sub-category: Malware
Appendixes (extensions): .djvu, .djvus, .djvuu, .udjvu, .uudjvu, .djvuq, .djvur, .pdff, .tro, .tfude, .tfudeq, .tfudet, .adobe, .adobee, .blower, .promorad, .promock
Ransom message: _openme.txt
Crooks' emails:
  • helpshadow@india.com
  • helpshadow@firemail.cc
  • restoredjvu@india.com
  • restoredjvu@firemail.cc
  • pdfhelp@india.com
  • pdfhelp@firemail.cc
About the ransom: Crooks offer a 50% discount on the price if victims contact them within 72 hours
System modification: Deletes Shadow Volume Copies, modifies the Windows Registry, starts/stops various processes, creates scheduled tasks, etc.
Distribution techniques: Rogue email attachments, cracks and keygens
Decryptable?: Some versions are decryptable. Download this tool (direct download link) to check it for your version
Removal process: Use Reimage to detect malware content

After spreading on the Internet for several weeks, the ransomware came back as the Djvus virus version. It is the same file-encrypting virus, which uses encryption[1] with a key unique to each victim to lock up the important documents found on the infected PC. In this case the hackers are using the RSA algorithm, which means the private key needed for decryption is held only by them.

Even though decryption is infeasible even for highly experienced users (you cannot guess the key or find it on the Internet), there is no need to rush to pay the criminals. Note that these people often scam their victims with false promises. We suggest taking a look at the data recovery methods provided below this article.

No matter which virus version you are dealing with, the ransom warning stays the same. As you can see from the message body, no particular details about the amount are given in the ransom note. However, victims have reported being asked to pay from $350 to $500 for decryption of the encrypted data:

———————— ALL YOUR FILES ARE ENCRYPTED ————————

Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.

——————————————————————————————————-

To get this software you need write on our e-mail:
helpshadow@india.com

Reserve e-mail address to contact us:
helpshadow@firemail.cc

Your personal ID:

Crooks who spread viruses such as Djvu ransomware almost always demand cryptocurrency. The most commonly demanded currency is Bitcoin,[2] as it is used worldwide. Hackers prefer it because transfers do not require any personal details, so payments are pseudonymous and hard to attribute to a person. This lets the crooks scam victims with little risk of getting caught.

If you are seeking to recover your encrypted data, remove Djvu ransomware first. If you do not proceed in this order, your files might be encrypted again after the next reboot, because the threat will still be on the system. For the future, take proper care of your data's safety: keep backups on a remote server or on a device that is disconnected from the computer when not in use, so that ransomware running on the PC cannot reach them.

Performing Djvu ransomware removal requires a lot of attention, which is why you should leave the process to reliable anti-malware software. We suggest using a program such as Reimage, Malwarebytes or Combo Cleaner to detect all malware-laden content, including malicious files hiding in the system. If all hazardous components are successfully removed, the ransomware should not return to your computer afterwards.

One more thing you need to know about the Djvu files virus: this file locker can inject malicious components anywhere in the system; furthermore, it can clear the way for other malware to be dropped, delete Shadow Volume Copies of the encrypted documents, and add unwanted entries to the Windows Registry.[3] Once you spot this threat, get rid of it ASAP.

To recover files encrypted by Djvu ransomware, try STOPDecrypter by DemonSlay335. According to the researcher, the program cannot yet recover all encrypted files. At the moment it works only for this personal ID: 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0, which is the ID used when the computer was offline (the malware could not reach its server) during encryption. Do not enter made-up IDs or keys: running the decryptor with wrong values can result in a complete loss of your encrypted data.

Djvu ransomware infection stages

The Djvu ransomware infection is multi-stage, and it performs several steps as soon as it gets onto the machine. The primary executable installs itself into the LocalAppData[4] folder and then downloads several additional files: 1.exe, 2.exe, 3.exe and pdatewin.exe. These executables serve different functions:

  • 1.exe disables various features and functionalities within Windows Defender. Additionally, it launches a PowerShell script called Script.ps1 which turns off Defender's real-time protection;
  • 2.exe modifies the Windows HOSTS file by adding entries for multiple security sites, so that the victim cannot reach them to seek help;
  • 3.exe's functionality has not yet been identified.

After these steps are complete, Djvu ransomware contacts its C2 server and sends the hackers a unique ID derived from the victim's MAC address.[5] The remote server then responds with the encryption key that is used to encrypt all personal files. During data encryption, the Djvu virus shows a fake Windows Update window (spawned by pdatewin.exe) so that the victim does not suspect anything.

Finally, Djvu ransomware appends the file extension that corresponds to the virus version. For example, a file called picture.jpg is turned into picture.jpg.djvu and becomes inaccessible. Additionally, an _openme.txt ransom note is dropped into each affected folder.

Once the encryption is complete, the malware creates a scheduled task called Time Trigger Task that periodically encrypts newly added files. This is why removal must happen before recovery: as long as the task exists, restored or newly created files get locked again.

Djvu ransomware uses a fake Windows Update window: during the file encryption process, Djvu ransomware displays a fake Windows Update dialog.
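As an added example (not code from the original guide, nor from any vendor tool), here is a small Python triage script that checks collected artifacts for the three indicators described above: security-site entries in the HOSTS file, the Time Trigger Task scheduled task, and appended extensions plus ransom notes in a file listing. The HOSTS text, task names and file paths at the bottom are constructed sample input, and the list of security-site keywords is an assumption, since the guide does not name which sites 2.exe blocks.

```python
"""Triage helpers for the Djvu/STOP infection chain described above.

Added example for this guide, not code from the original page or from any
vendor tool. It runs over artifacts already collected from a suspect host:
the text of C:\\Windows\\System32\\drivers\\etc\\hosts, the names of the
scheduled tasks, and a listing of user file paths. The sample inputs at the
bottom are constructed; the vendor keywords in SECURITY_SITE_KEYWORDS are
an assumption (the guide only says "multiple security sites").
"""
import re
from pathlib import PureWindowsPath

# Extensions the guide attributes to the Djvu family (table above + .norvas).
DJVU_EXTENSIONS = {
    ".djvu", ".djvus", ".djvuu", ".udjvu", ".uudjvu", ".djvuq", ".djvur",
    ".pdff", ".tro", ".tfude", ".tfudeq", ".tfudet", ".adobe", ".adobee",
    ".blower", ".promorad", ".promock", ".norvas",
}
# Both note names the guide reports (_openme.txt early, _readme.txt later).
RANSOM_NOTE_NAMES = {"_openme.txt", "_readme.txt"}
# Persistence task name reported in the infection-stages section.
PERSISTENCE_TASK = "time trigger task"
# Assumed keywords for the security sites that 2.exe blackholes in HOSTS.
SECURITY_SITE_KEYWORDS = ("malwarebytes", "bleepingcomputer", "2-spyware",
                          "emsisoft", "eset", "kaspersky", "avast", "bitdefender")

_HOSTS_ENTRY = re.compile(r"^\s*(\S+)\s+(\S+)")


def hosts_blackholes(hosts_text):
    """Return (address, hostname) pairs in HOSTS that hijack a security site.

    Any mapping for such a site is suspicious: a clean HOSTS file has no
    reason to contain them at all, whatever address they point to.
    """
    hits = []
    for raw in hosts_text.splitlines():
        entry = raw.split("#", 1)[0]          # strip comments
        match = _HOSTS_ENTRY.match(entry)
        if not match:
            continue
        address, host = match.groups()
        if any(k in host.lower() for k in SECURITY_SITE_KEYWORDS):
            hits.append((address, host))
    return hits


def persistence_task_present(task_names):
    """True if the re-encryption scheduled task is still registered."""
    return any(name.strip().lower() == PERSISTENCE_TASK for name in task_names)


def classify_paths(paths):
    """Split a file listing into (encrypted files, ransom notes).

    Djvu appends its extension, so picture.jpg becomes picture.jpg.djvu and
    the last suffix is what identifies the variant.
    """
    encrypted, notes = [], []
    for path in paths:
        wp = PureWindowsPath(path)
        if wp.name.lower() in RANSOM_NOTE_NAMES:
            notes.append(path)
        elif wp.suffix.lower() in DJVU_EXTENSIONS:
            encrypted.append(path)
    return encrypted, notes


def triage(hosts_text, task_names, paths):
    """Combine the three checks into one report for the responder."""
    encrypted, notes = classify_paths(paths)
    variants = sorted({PureWindowsPath(p).suffix.lower() for p in encrypted})
    task_present = persistence_task_present(task_names)
    return {
        "hosts_blackholes": hosts_blackholes(hosts_text),
        "persistence_task": task_present,
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "variants_seen": variants,
        # Recovery is only safe once the task is gone; otherwise restored
        # files are encrypted again (see the infection-stages section).
        "safe_to_recover": not task_present,
    }


# --- constructed sample input (not from a real incident) -------------------
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.malwarebytes.com
0.0.0.0         www.bleepingcomputer.com
"""
SAMPLE_TASKS = ["Adobe Acrobat Update Task", "Time Trigger Task"]
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\picture.jpg.djvu",
    r"C:\Users\alice\Pictures\_openme.txt",
    r"C:\Users\alice\Documents\report.docx.tfude",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\ntdll.dll",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HOSTS, SAMPLE_TASKS, SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

Run it over artifacts exported from the suspect machine (the HOSTS file, the output of schtasks, a directory listing). A report that shows the persistence task still present means the machine is not yet ready for the recovery steps below, whatever the scanner says.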

Djvu virus versions explained

The Djvu virus was spotted on the internet at the end of 2018, and malware researchers identified it as one of the STOP ransomware versions. With the new year, the ransomware started using new file extensions to mark the encrypted files. The ransom note file is still named _openme.txt and is placed in every folder with encrypted data. Below you can find more information about each version:

Djvus virus

The Djvus file ransomware came out right before the New Year. While the developers have not changed the virus much, the email address is now restoredjvu@firemail.cc. The virus still offers a 50% discount to those who contact its developers within 72 hours. Unfortunately, people have reported numerous cases where the virus encrypted not only the local computer but also files on cloud storage and on external hard drives that were connected to the compromised system. While some versions of STOP ransomware can be decrypted, unfortunately this does not apply to the Djvus virus.

Djvuu virus

Djvuu ransomware was discovered in December 2018. As the name suggests, it appends the .djvuu extension to the users' personal data. The ransom note is still a text file named _openme.txt, and it encourages victims to contact the criminals via restoredjvu@india.com and restoredjvu@firemail.cc. The Djvuu virus is not decryptable, so you should use backups to recover encrypted data. The virus uses RSA encryption to make files useless; the private keys are stored on the hackers' servers.

Uudjvu ransomware 

Uudjvu ransomware is a slightly different version of the same Djvu virus: it appears on the targeted system disguised as a common PirateBay setup window and this way attempts to steal the user's credentials for various accounts, to be used in later scams. The developers created this variant without a ransom demand, but files on the computer still get encrypted using a mix of AES and RSA. Affected files are marked with the .uudjvu extension. We do not recommend contacting the hackers, as you can be left with more damage on your computer. Remove the virus first and then continue with the recovery of your files, using backups or third-party software.

Djvuq ransomware

Djvuq ransomware is one of the versions closest to the initial Djvu virus. It also encrypts files and marks encoded photos, documents and even archives with .djvuq at the end. The ransom note, in this case, is also placed in the _openme.txt file, with the usual discount deal on the ransom and the previously used contact emails restoredjvu@india.com and restoredjvu@firemail.cc.

Udjvuq ransomware

Udjvuq file ransomware also appeared in December 2018, following the previous, nearly identical versions. The cybercriminals behind the threat still focus on encryption and file marking for extortion purposes. The ransom note states that the only way to recover the files is to pay up. According to the developers, other decryption tools cannot give the needed results, and they offer half off the ransom if contacted within the first 72 hours. These details, alongside the same email addresses, are delivered in the file _openme.txt.

Tfude ransomware

Tfude ransomware is one of the numerous versions of the Djvu virus. It is itself split into several versions (.tfude, .tfudeq, .tfudet), and it actively tries to get past the computer's protection and install its malicious executable. Once active, the malware encrypts files and drops the _openme.txt ransom note. Unfortunately, even if your computer is offline, the virus still continues encrypting your files.

Additionally, the cybercriminals ask victims to use the pdfhelp@india.com or pdfhelp@firemail.cc email addresses to reach them for decryption. However, any contact with these criminals can result in money loss. If your personal ID is exactly 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0, you should be able to use the decryptor given at the end of this post.

Pdff ransomware

Pdff ransomware also uses the AES encryption algorithm to encrypt files and was first spotted in January 2019 attacking computer users in the Middle East. Nevertheless, the ransom note _openme.txt is still written in English and contains almost identical text to that typical of a Djvu file virus infection.

This time the crooks ask users to contact them via the pdfhelp@india.com and pdfhelp@firemail.cc email addresses. Another difference from the previous variants is the file extension that is added: .pdff. While this version is not decryptable yet, we suggest you remove Pdff ransomware and use alternative file recovery methods.

Tro ransomware

Tro ransomware was observed on the web just a day after Pdff ransomware came out. It was spotted being distributed via cracks, keygens and bundled software that includes adware applications.

As soon as the virus enters the machine, it encrypts all available data (skipping system files) with a secure encryption algorithm and adds the .tro file extension. This time the extension seems to be the only difference from previous versions: the ransom note is still called _openme.txt and the contact emails are pdfhelp@india.com and pdfhelp@firemail.cc.

Adobe ransomware

The .adobe file extension was first introduced by the infamous Dharma ransomware. However, Djvu ransomware has also started using this extension after encrypting the victim's files. After some time it was changed to .adobee. The virus still uses pdfhelp@firemail.cc as the default email address that victims are told to use to contact the hackers about the ransom.

Unfortunately, while some of the previous versions can be recovered using STOPDecrypter, .adobe has not been added to this tool's database yet. If infected, keep checking this post; security researchers may yet find a solution for this version.

Adobee ransomware

As we can see, Djvu ransomware has a lot of versions, and the cybercriminals have recently released another variant. This one is similar to the Adobe ransomware but uses two e's (Adobee). It works on the same principle: once installed, the ransomware injects malicious content into the system and performs the encryption. After that, files appear with the .adobee extension and are blocked from any access.

Additionally, Adobee ransomware, just like other Djvu versions, provides a ransom message named _openme.txt, which opens in Notepad. The crooks demand money in return for the decryption tool and provide the pdfhelp@india.com and pdfhelp@firemail.cc email addresses as a way to make contact.

Blower ransomware

Blower ransomware can enter the PC secretly just like others of its kind, for example through infected hyperlinks or harmful attachments. Once installed, it injects rogue content into the system and performs malicious activities such as data encryption.

Blower appends the .blower file extension to each encrypted file. This ransomware is capable of locking all kinds of data: images, audio files, video, text documents, databases, Excel sheets, PowerPoint presentations and others. Once the encryption is done, the crooks notify their victims through a text file named _readme.txt (note the changed note name). Two emails are provided in this message: blower@india.com and blower@firemail.cc. We suggest you avoid any contact with these people.

Norvas ransomware

The Norvas virus is a crypto-malware that uses the same _readme.txt ransom note to swindle money from users worldwide. Before dropping the note, the virus encrypts the target files and appends the .norvas extension to every affected file, which leaves the files unusable.

The developers of Norvas ransomware can be reached via the vengisto@india.com and vengisto@firemail.cc email addresses. They also offer a 50% discount on the ransom if contacted within 24 hours. However, do NOT trust these people; they are notorious scammers stealing users' money.

Grovat ransomware

Grovat uses AES-256 encryption to make users' data useless. The victim is then required to make a payment to a Bitcoin wallet in exchange for the decryption key. Victims are typically pointed to the merosa@india.com or merosa@firemail.cc email addresses, which are meant to be used to contact the criminals and obtain the Bitcoin address for the payment. However, we do NOT recommend making any contact with these people.

To generate a unique identifier along with the decryption key assigned to each victim, the malware contacts its C&C server. The ransom note is named like those of the other recent Djvu versions: _readme.txt. You should remove all files that belong to this malware instead of contacting the cybercriminals. To recover your files, you can try STOPDecrypter.

Djvu .tro and .pdff variants: the .tro and .pdff variants of Djvu ransomware share the same contact addresses.

Ransomware viruses spread via spam messages, software cracks, and adware bundles

According to cybersecurity specialists from LosVirus.es,[6] ransomware infections can appear on the computer after a spam email or its attachment is opened. Some emails sent by the crooks contain a hazardous link inside the message itself, or a dubious attachment clipped to the email. Be wary of all questionable emails, and do not open them if they look malicious or suspicious in any way.

Furthermore, you can often tell that something is wrong if the email contains grammar mistakes or comes from an unrecognizable sender. However, not all malicious emails look this way; some crooks pretend to be from well-known organizations. So if you were not expecting anything important recently, it is better not to open such messages. Instead, contact the company directly if necessary.

Additionally, in some cases ransomware is distributed through third-party download sites. Pages from secondary sources often lack the required protection and do not meet security requirements, which leads to a high risk of getting infected with dangerous malware such as ransomware. We suggest avoiding unofficial download pages and suspicious hyperlinks that you might encounter while browsing the web.

The .tro variant of the ransomware was spotted being distributed with the help of so-called “cracks” and “keygens.” These files are used to bypass the licensing of the original software so that it behaves like a licensed version. Such activity is illegal, and users could face fines and legal action if caught. Besides, the risk of infecting the PC with ransomware should outweigh the urge to crack programs.

Finally, researchers said that the virus is also spread bundled with adware programs. To stop unwanted apps from entering the machine, never skip installation steps: read through the installer screens, always pick Advanced/Custom installation mode instead of Recommended/Quick, and deselect all optional components that are offered.

To get rid of the Djvus virus, use recommended software

To remove the Djvu virus, use only reputable security software. You can detect all malware-laden content by scanning the computer with the tools listed below:

Such software is designed to simplify the removal process. Even though the scan might take a while, please be patient; a full scan is what finds the dropped components.

Performing Djvu ransomware removal requires a lot of attention, which is the main reason why you should leave the process to automated tools. After the elimination, make sure you set up regular backups. All ransomware-related components need to be removed permanently for the computer to work normally again.


To remove Djvu virus, follow these steps:

Remove Djvu using Safe Mode with Networking

Enable Safe Mode with Networking to deactivate the Djvu ransomware virus and its malicious activities on your computer:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Djvu

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-malware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Djvu removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Djvu using System Restore

Use the System Restore feature to disable the virus. Follow these instructions if help is needed:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that predates the Djvu infiltration. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download and scan your computer with Reimage to make sure that Djvu removal was performed successfully. Note that System Restore reverts system files and settings only; it does not decrypt your documents, so continue with the data recovery section below.

Bonus: Recover your data

The guide presented above is supposed to help you remove Djvu from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files were locked with the .djvu extension and you are wondering how to bring them back, take a look at the data recovery methods given below; some of them might help.

If your files are encrypted by Djvu, you can use several methods to restore them:

Use the Data Recovery Pro tool to bring important data back:

Try this third-party program if you want to restore files encrypted by the Djvu ransomware virus:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Djvu ransomware;
  • Restore them.

Windows Previous Versions feature might also help you restore some files:

Try this method; note, however, that it will not work if System Protection (System Restore) was not enabled before the infection, and that Djvu deletes the Shadow Volume Copies on which Previous Versions relies, so it may fail even then.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

The Shadow Explorer tool might recover data:

Use this tool if the virus did not delete the Shadow Volume Copies of the locked data (Djvu normally does, as noted in the System modification row above). If it did, try the other methods given above.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk with your encrypted data. Check which folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also choose where it should be stored.

To recover files encrypted by Djvu ransomware, use STOPdecryptor.

Recently, the well-known ransomware researcher DemonSlay335 released an updated version of STOPDecrypter which can be used to recover files encrypted by Djvu. However, it works only for victims whose personal ID is 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0. If your ID is the same, download the tool from here (direct link).

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Djvu and other ransomware, use reputable anti-malware software such as Reimage, Malwarebytes or Combo Cleaner, and keep offline backups of your data.

About the author

Gabriel E. Hall, passionate web researcher
