If your personal files does not open normally, .promok file extension added at the end of their name then your computer is infected with a new .Promok ransomware from a family of file-encrypting ransomware. Once started, it have encrypted all documents, photos and music stored on a PC system drives and attached network drives.
“Promok ransomware” – ransom note
.Promok ransomware is a malicious software, which made to encrypt the personal files found on infected computer using strong encryption method, adding the .promok file extension to all encrypted personal files. It can encrypt almost types of files, including the following:
.raf, .wire, .zdb, .itm, .pdf, .odt, .wmv, .blob, .mlx, .nrw, .z3d, wallet, .gho, .ods, .png, .js, .iwd, .rw2, .xf, .epk, .psd, .pak, .p12, .vpp_pc, .pem, .jpe, .t12, .m2, .docm, .rtf, .xyp, .wn, .ysp, .fsh, .vpk, .jpeg, .py, .xml, .m4a, .asset, .mef, .rar, .p7b, .yal, .wri, .bkp, .xmmap, .hkdb, .xlk, .wpw, .zip, .wpg, .hkx, .wmo, .layout, .srw, .wdb, .kf, .map, .xlsx, .dmp, .wmv, .1, .sql, .erf, .wbc, .ppt, .y, .7z, .wp, .qic, .sie, .ibank, .yml, .wav, .pptm, .db0, .0, .wmf, .t13, .upk, .wbm, .slm, .jpg, .wps, .crt, .xpm, .flv, .dxg, .wsd, .wsh, .mdbackup, .pdd, .mddata, .odp, .wgz, .xdb, .wma, .xy3, .zw, .rofl, .bar, .wpa, .zabw, .wcf, .cas, .menu, .vfs0, .wp5, .rb, .odb, .fpk, .xls, .sum, .icxs, .fos, .rgss3a, .x, .xdl, .raw, .orf, .wotreplay, .zi, .cdr, .pfx, .der, .wp4, .apk, .forge, .iwi, .bkf, .webp, .csv, .sb, .crw, .ncf, .bc7, .wbmp, .2bp, .wdp, .wsc, .xx, .hplg, .xyw, .xbplate, .wma, .wbz, .d3dbsp, .xls, .wbk, .3dm, .dbf, .dng, .dba, .bik, .mp4, .txt, .sid, .lbf, .pst, .srf, .mov, .desc, .mpqge, .wp6, .css, .arch00, .xlsb, .bsa, .mdb, .xmind, .pkpass, .xlsx, .mcmeta, .mdf, .wmd, .cr2, .svg, .wpd, .avi, .qdf, .pptx, .arw, .dcr, .kdc, .dwg, .re4, .wpt, .tor, .big, .pef, .wpd
Once the encryption procedure is finished, it will create a ransomnote named “_readme.txt” offering decrypt all users documents, photos and music if a payment is made. An example of the ransomnote is:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-ll0rIToOhf Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: blower@india.com Reserve e-mail address to contact us: blower@firemail.cc Your personal ID:
In the steps below, I have outlined few methods that you can use to remove .Promok ransomware from your system, decrypt .promok files using STOPDecrypter and restore encrypted files from a shadow volume copies or using file recover software.
Table of contents
- How to remove .Promok ransomware virus
- How to decrypt .promok files
- Use STOPDecrypter to decrypt .promok files
- How to restore .promok files
- How to protect your computer from .Promok ransomware virus?
- To sum up
How to remove .Promok ransomware virus
In order to delete .Promok ransomware virus from your machine, you need to stop all virus processes and delete its associated files including Windows registry entries. If any ransomware virus components are left on the computer, ransomware virus can reinstall itself the next time the machine boots up. Usually ransomware uses random name consist of characters and numbers that makes a manual removal procedure very difficult. We recommend you to run a free ransomware removal tools, which will allow remove Promok ransomware virus from your computer. Below you can found a few popular malware removers that detects various ransomware.
Run Zemana Anti-malware to get rid of .Promok ransomware virus
We suggest you to use the Zemana Anti-malware that are completely clean your personal computer of this ransomware virus. Moreover, the utility will allow you to delete PUPs, malicious software, toolbars and adware that your system can be infected too.
Visit the following page to download the latest version of Zemana Free for Microsoft Windows. Save it to your Desktop so that you can access the file easily.
164990 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the download is finished, run it and follow the prompts. Once installed, the Zemana will try to update itself and when this process is finished, press the “Scan” button . Zemana Free program will scan through the whole machine for the .Promok ransomware virus and other kinds of potential threats like malicious software and potentially unwanted applications.
Review the report and then click “Next” button.
The Zemana Free will remove .Promok ransomware virus and other malicious software and PUPs.
How to delete .Promok ransomware with MalwareBytes AntiMalware
You can remove .Promok ransomware virus automatically through the use of MalwareBytes AntiMalware (MBAM). We recommend this free malware removal tool because it may easily remove ransomware, adware, malicious software and other unwanted apps with all their components such as files, folders and registry entries.
Download MalwareBytes Anti Malware (MBAM) from the following link.
327227 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
After the download is finished, close all programs and windows on your personal computer. Double-click the install file called mb3-setup. If the “User Account Control” dialog box pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard” which will help you install MalwareBytes AntiMalware on your computer. Follow the prompts and don’t make any changes to default settings.
Once installation is complete successfully, press Finish button. MalwareBytes will automatically start and you can see its main screen as shown on the screen below.
Now press the “Scan Now” button . MalwareBytes application will scan through the whole system for the .Promok ransomware virus and other malware. A system scan can take anywhere from 5 to 30 minutes, depending on your computer.
Once MalwareBytes Anti-Malware (MBAM) has finished scanning, MalwareBytes Free will produce a list of malware. Review the scan results and then click “Quarantine Selected” button. The MalwareBytes Anti Malware will remove .Promok ransomware virus and other kinds of potential threats. When disinfection is done, you may be prompted to restart the PC.
We recommend you look at the following video, which completely explains the procedure of using the MalwareBytes Anti Malware to remove adware, hijacker and other malware.
If the problem with .Promok ransomware is still remained
KVRT is a free portable application that scans your PC for malware and ransomware like the Promok ransomware and helps delete them easily. Moreover, it will also allow you remove any harmful browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below.
129280 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is done, double-click on the KVRT icon. Once initialization process is finished, you will see the Kaspersky virus removal tool screen as displayed on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button . Kaspersky virus removal tool utility will begin scanning the whole PC system to find out .Promok ransomware virus and other trojans and malicious apps. During the scan KVRT will locate threats present on your computer.
After the scan get finished, Kaspersky virus removal tool will produce a list of unwanted programs adware as shown below.
Next, you need to click on Continue to begin a cleaning task.
How to decrypt .promok files
The .Promok ransomware virus offers to make a payment in Bitcoins to get a key to decrypt personal files. Important to know, currently not possible to decrypt .promok files without the private key and decrypt application.
There is absolutely no guarantee that after pay a ransom to the makers of the .Promok ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
With some variants of .Promoz Ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .promok files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter by Demonslay335
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.promok).
Please check the twitter post for more info.
How to restore .promok files
In some cases, you can recover files encrypted by .Promok ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Recover .promok encrypted files using Shadow Explorer
In some cases, you have a chance to recover your photos, documents and music which were encrypted by the .Promok ransomware. This is possible due to the use of the utility named ShadowExplorer. It is a free program that developed to obtain ‘shadow copies’ of files.
Download ShadowExplorer by clicking on the link below.
439627 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the downloading process is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like below.
Start the ShadowExplorer tool and then select the disk (1) and the date (2) that you wish to recover the shadow copy of file(s) encrypted by the .Promok ransomware virus as displayed in the figure below.
Now navigate to the file or folder that you wish to recover. When ready right-click on it and press ‘Export’ button as on the image below.
Restore .promok files with PhotoRec
Before a file is encrypted, the .Promok ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recover software such as PhotoRec.
Download PhotoRec from the link below.
Once the downloading process is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll show a screen as shown on the screen below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted files as displayed on the screen below.
Press File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to select where recovered files should be written, then click Search.
Count of recovered files is updated in real time. All restored personal files are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is done, press on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents like below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from .Promok ransomware virus?
Most antivirus programs already have built-in protection system against the ransomware. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, run the CryptoPrevent.
Use CryptoPrevent to protect your system from .Promok ransomware
Download CryptoPrevent on your personal computer from the link below.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the installation is complete, you’ll be displayed a window where you can choose a level of protection, as on the image below.
Now click the Apply button to activate the protection.
To sum up
Now your machine should be free of the .Promok ransomware virus. Delete MalwareBytes AntiMalware and KVRT. We suggest that you keep Zemana (to periodically scan your system for new malicious software). Moreover, to prevent ransomware virus, please stay clear of unknown and third party apps, make sure that your antivirus program, turn on the option to stop or look for ransomware.
If you need more help with .Promok ransomware virus related issues, go to here.
