
.Meds file extension. How to remove virus. Restore .meds files.

Myantispyware team September 9, 2019    

What is a .Meds file? A file with the .meds extension is a file that has been encrypted by the Meds ransomware, also known as a crypto virus. All files with this extension are locked. Removing ‘.meds’ or changing the extension will not restore access, because the files are not merely renamed: their contents are encrypted by the ransomware.

Files encrypted by .meds virus


Meds virus is a new ransomware. It uses a complex algorithm to encrypt (lock) users’ data. The documents, photos and music will be decrypted only if the victim pays for the private key that unlocks these files. The Meds ransomware encrypts almost all file types, including common ones such as:

wallet, .p7c, .xyp, .pef, .mdb, .wot, .wps, .cas, .iwd, .xlsm, .sie, .xlgc, .kdc, .xf, .wp, .mddata, .x3f, .arw, .arch00, .pkpass, .wsc, .xyw, .docm, .wpa, .wbd, .sid, .wbz, .xls, .2bp, .sidd, .kdb, .wpb, .3ds, .qdf, .csv, .bkp, .3dm, .jpe, .ptx, .zdc, .xdb, .itdb, .tor, .vdf, .sb, .ws, .iwi, .pfx, .itm, .zabw, .cdr, .odm, .vcf, .esm, .pptx, .p7b, .srf, .odp, .lbf, .lrf, .wmv, .m3u, .syncdb, .mdf, .dmp, .y, .1st, .psk, .raf, .bar, .rim, .ybk, .wcf, .wmd, .xls, .bc6, .db0, .itl, .wp4, .xlsm, .docx, .jpg, .gho, .dxg, .mov, .qic, .cfr, .xlk, .wps, .dng, .mef, .big, .wma, .svg, .litemod, .epk, .wm, .doc, .png, .wpt, .t12, .odb, .odc, .map, .snx, .sis, .t13, .xdl, .xml, .blob, .mdbackup, .ysp, .mp4, .w3x, .js, .ncf, .wav, .wdb, .3fr, .ppt, .gdb, .x, .xar, .pdf, .z, .zdb, .crt, .yal, .z3d, .p12, .slm, .sav, .xld, .pdd, .asset, .bik, .xpm, .pst, .raw, .eps, .wp6, .sidn, .sum, .cr2, .kf, .ltx, .vfs0, .hkx, .wpd, .txt, .xmind, .zip, .rofl, .xmmap, .der, .zw, .7z, .wbmp, .pem, .zi, .ibank, .ztmp, .wmv, .x3f, .fpk, .bsa, .dba, .xxx, .d3dbsp, .mrwref, .wgz, .wsh, .mpqge, .css, .bay, .dazip, .xlsx, .erf, .bc7, .xy3, .wpw, .rw2, .das, .orf, .sql, .wotreplay, .zip, .avi, .mlx, .wpd, .wb2, .mcmeta, .ff, .webp, .py, .wn, .nrw, .rtf, .1, .wp5, .xwp, .vtf, .layout, .webdoc, .dwg, .xbplate, .pak, .wp7, .wbm, .zif, .jpeg, .rwl, .wbk, .yml, .indd, .rb, .tax, .xbdoc, .odt, .hvpl, .srw, .vpk, .forge, .wri, .psd, .m2, .cer, .xx, .dcr, .wpl, .re4, .pptm, .ods, .wmo, .wbc, .wpg, .wmf, .upk, .wma, .hplg, .dbf, .rar

After penetrating a computer, the virus sequentially encrypts all files, including those located on connected external and network drives. When a file is encrypted, its extension changes to ‘.Meds’, so that the victim immediately notices the result. To explain why the extension changed and why the files suddenly stopped opening in their usual programs, the Meds virus creates a document named ‘_readme.txt’ in each folder that contains at least one encrypted file. In this document, the authors of the virus state that the only way to get the files back is to pay a ransom. Text presented in the ransom note:

 ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-ZFjRnJfc9f
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
gorentos@bitmessage.ch

 

Threat Summary

Name: Meds
Type: Crypto malware, Filecoder, File locker, Ransomware, Crypto virus
Encrypted files extension: .meds
Ransom note: _readme.txt
Contact: gorentos@bitmessage.ch, gerentoshelp@firemail.cc
Ransom amount: $490, $980 in Bitcoins
Symptoms: Your files fail to open. Your files have a new extension appended at the end of the file name. Files named like ‘_readme.txt’, ‘READ-ME’, or ‘_readme’ in every folder with an encrypted file. Ransom note with the cybercriminals’ ransom demand and instructions.
Distribution methods: Phishing email scam that attempts to scare users into acting impulsively. Drive-by downloads from a compromised web site. Social media, such as web-based instant messaging applications. Malvertising campaigns.
Removal: To remove Meds ransomware use the removal guide
Decryption: To decrypt Meds ransomware use the steps
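
The two on-disk indicators described above (the appended .meds extension and a _readme.txt note in every affected folder) are enough to measure how far the encryption reached before any cleanup. The Python script below is an added example, not part of the original article or of any tool it mentions; it only reads the directory tree, and its function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".meds"    # extension the article says is appended
NOTE_NAME = "_readme.txt"  # ransom note name given in the article


def triage(root):
    """Read-only walk of root: list encrypted files and ransom-note folders."""
    report = {"encrypted": [], "note_dirs": [], "unmarked_dirs": [],
              "original_types": Counter(), "bytes": 0}
    for dirpath, _dirs, files in os.walk(root):
        hits = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        has_note = any(f.lower() == NOTE_NAME for f in files)
        if has_note:
            report["note_dirs"].append(dirpath)
        if hits and not has_note:
            # Encrypted files but no note: the note was deleted or the
            # run was interrupted here; worth a closer look.
            report["unmarked_dirs"].append(dirpath)
        for name in hits:
            path = Path(dirpath) / name
            report["encrypted"].append(str(path))
            try:
                report["bytes"] += path.stat().st_size
            except OSError:
                pass  # unreadable entry: still listed, size unknown
            # "photo.jpg.meds" -> ".jpg", the type the file had before
            original = Path(name[:-len(ENCRYPTED_EXT)]).suffix.lower()
            report["original_types"][original or "(none)"] += 1
    return report


def build_sample_tree(base):
    """Constructed sample data: harmless dummy files, not real samples."""
    layout = {
        "Documents": ["report.docx.meds", "_readme.txt"],
        "Pictures": ["cat.jpg.meds", "dog.JPG.MEDS", "_readme.txt"],
        "Backup": ["db.sql.meds"],   # encrypted, but no note present
        "Clean": ["notes.txt"],      # untouched folder
    }
    for folder, names in layout.items():
        d = Path(base) / folder
        d.mkdir(parents=True)
        for n in names:
            (d / n).write_bytes(b"x" * 10)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        r = triage(build_sample_tree(tmp))
        print(len(r["encrypted"]), "encrypted files,", r["bytes"], "bytes")
        print("folders with note:", len(r["note_dirs"]))
        print("encrypted but no note:", r["unmarked_dirs"])
        print("original types:", dict(r["original_types"]))
```

Run `triage()` once per drive root, including external and mapped network drives, and keep the resulting list with the copies of the encrypted files you set aside.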

 

In this article, in addition to a brief description of the virus and its harmful effects, we will also describe in detail several ways to quickly remove the virus, but more importantly, we will give instructions that will allow you to restore all your files absolutely free.

Quick links

  1. How to remove Meds ransomware virus
  2. How to decrypt .meds files
  3. How to restore .meds files
  4. How to protect your computer from Meds crypto malware?
  5. Finish words

How to remove Meds ransomware

After a detailed analysis of the ransomware by our team, as well as by several groups of other experts, it was determined that, unfortunately, removing the Meds virus manually is very difficult. Most experts advise using special tools (malware removal software) that will quickly and easily detect, block and completely remove the virus from the computer. We advise you to do it right now: every minute that this ransomware stays on your computer can lead to even greater harm. To remove the Meds virus, you can use the utilities listed below. We recommend using not one program but a minimum of two, to be sure that the ransomware has been completely removed.




Remove Meds virus with Zemana Anti-Malware (ZAM)

Zemana AntiMalware can find all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Meds crypto virus, you can easily and quickly uninstall it.

Zemana Anti-Malware (ZAM) can be downloaded from the following link. Save it on your MS Windows desktop or in any other place.

Zemana AntiMalware. Author: Zemana Ltd. Category: Security tools. Update: July 16, 2019.

After the download is complete, close all windows on your system. Then run the setup file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as displayed on the image below, click the “Yes” button.

Zemana Anti-Malware uac

It will show the “Setup wizard”, which will help you install Zemana AntiMalware (ZAM) on the machine. Follow the prompts and do not make any changes to the default settings.

Zemana SetupWizard

Once installation is done successfully, Zemana Free will automatically launch and you may see its main window similar to the one below.

Next, click the “Scan” button to perform a system scan with this tool for the Meds ransomware, other malware, worms and trojans. During the scan, Zemana Anti-Malware (ZAM) will find the threats that exist on your machine.

Zemana Anti-Malware (ZAM) search for Meds crypto virus related folders,files and registry keys

When the scan is done, Zemana will display a list of all threats it found. Make sure the threats that are unsafe are checked, and then click the “Next” button.

Zemana Anti Malware (ZAM) scan is finished

Zemana will remove the Meds ransomware and other security threats and move them to the Quarantine. After that process is finished, you may be prompted to restart your personal computer.

Remove Meds ransomware virus with MalwareBytes AntiMalware (MBAM)

Removing the Meds crypto malware manually is difficult, and often the ransomware is not completely removed. Therefore, we recommend that you use MalwareBytes to completely clean your PC. Moreover, this free program will help you remove other malicious software, PUPs, trojans and worms that your system may also be infected with.
MalwareBytes Anti-Malware (MBAM) for Windows, scan for crypto virus is done

  1. MalwareBytes Anti Malware can be downloaded from the following link. Save it on your Windows desktop.
    Malwarebytes Anti-malware. Author: Malwarebytes. Category: Security tools. Update: April 15, 2020.
  2. At the download page, click on the Download button. Your browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
  3. When downloading is complete, please close all programs and open windows on your computer. Double-click on the icon that’s called mb3-setup.
  4. This will start the “Setup wizard” of MalwareBytes Anti-Malware onto your computer. Follow the prompts and don’t make any changes to default settings.
  5. When the Setup wizard has finished installing, the MalwareBytes Anti-Malware (MBAM) will launch and show the main window.
  6. Next, click the “Scan Now” button to scan for Meds ransomware related folders, files and registry keys. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your system and the speed of your personal computer. When a threat is detected, the count of security threats will change accordingly.
  7. Once MalwareBytes has completed scanning, it will display the Scan Results.
  8. Once you’ve selected what you want to remove from your PC press the “Quarantine Selected” button. Once disinfection is finished, you may be prompted to restart the computer.
  9. Close the Anti-Malware and continue with the next step.


Scan your PC and uninstall Meds ransomware virus with KVRT

KVRT is a free removal utility that can be downloaded and used to delete crypto viruses, adware, malware, potentially unwanted software, trojans and other threats from your machine. You can use this utility to search for threats even if you have an antivirus or any other security program installed.

Download Kaspersky virus removal tool (KVRT) on your personal computer from the following link.

Kaspersky virus removal tool. Author: Kaspersky® lab. Category: Security tools. Update: March 5, 2018.

After downloading is done, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you will see the KVRT screen like below.

KVRT main window

Click Change Parameters and put a check mark next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button. The KVRT utility will begin scanning the whole personal computer to find the Meds ransomware and other known infections. Depending on your computer, the scan may take anywhere from a few minutes to close to an hour. While the utility is scanning, you can see how many objects and files have already been scanned.

Kaspersky virus removal tool scanning

When the checking is done, a list of all items detected is prepared as displayed in the figure below.

Kaspersky virus removal tool scan report

Next, you need to click on Continue to begin a cleaning procedure.

How to decrypt .meds files

As we already wrote in our article, at the moment there is no way to decrypt .meds files without using a special program and encryption key. This program and key can only be obtained from the virus developers. If you try to guess the key yourself, use programs to find the key, or try decryptors made for other ransomware, all this will lead to only one thing: you will completely damage your files.

Should you pay the ransom

Even if you are panicking now that your files are locked and your photos and documents have suddenly become unavailable, this is not a reason to follow the fraudsters’ instructions. All experts say one thing: never pay the ransom! If you transfer money to the developers of the virus, you will encourage them to create a new virus. In addition, there is no guarantee that, after receiving the ransom, the scammers will send you a decryptor and a key to decrypt .meds files.

Files encrypted by .meds virus


Therefore, we recommend that you do the following (all steps are described in our manual). Place all the important encrypted files on a separate disk (make sure that it also has a ransom demand file), completely remove the virus, and then try to restore the files using several methods developed by our team.

How to restore .meds files

To recover encrypted .meds files, our team has developed detailed instructions, which are given below. To follow them, you do not need any in-depth knowledge of computer technology, you just need to use several free and well-known programs.




Restore .meds encrypted files using Shadow Explorer

To recover photos, documents and music encrypted by the Meds crypto virus from Shadow Volume Copies, you can run a tool named ShadowExplorer. We recommend this method because its easy-to-use interface makes it easier to find and restore the previous versions of the encrypted files you need.

Download ShadowExplorer on your computer by clicking on the following link.

ShadowExplorer. Author: ShadowExplorer.com. Category: Security tools. Update: September 15, 2019.

When the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown on the image below.

ShadowExplorer folder

Double-click ShadowExplorerPortable to start it. You will see a window as displayed in the following example.

ShadowExplorer

In the top left corner, choose the drive where the encrypted personal files are stored and the latest restore point, as on the image below (1 – drive, 2 – restore point).

ShadowExplorer

In the right panel, look for a file that you wish to restore, right-click it and select Export as displayed below.

ShadowExplorer recover file

Use PhotoRec to restore .meds files

When it encrypts a file, the Meds ransomware makes a copy of the file, encrypts the copy, and then deletes the original file. This can allow you to recover your photos, documents and music using file restore apps like PhotoRec, as long as the disk space the deleted originals occupied has not yet been overwritten.

Download PhotoRec from the link below. Save it directly to your Microsoft Windows Desktop.

PhotoRec. Author: CGSecurity. Category: Security tools. Update: March 1, 2018.

Once the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown in the figure below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll display a screen as shown in the following example.

PhotoRec for windows

Choose a drive to recover as on the image below.

photorec select drive

You will see a list of available partitions. Select a partition that holds encrypted personal files as displayed in the following example.

photorec select partition

Click the File Formats button and choose the file types to recover. You can enable or disable the recovery of individual file types. When this is complete, click the OK button.

PhotoRec file formats

Next, click Browse button to choose where recovered photos, documents and music should be written, then click Search.

photorec

The count of recovered files is updated in real time. All recovered personal files are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.

When the restore is done, click the Quit button. Next, open the directory where the recovered personal files are stored. You will see contents like the example below.

PhotoRec - result of recovery

All recovered files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort your restored files by extension and/or date/time.

How to protect your computer from Meds crypto malware?

Most antivirus applications already have built-in protection against ransomware. Therefore, if your system does not have an antivirus application, make sure you install one. As extra protection, use HitmanPro.Alert.

Use HitmanPro.Alert to protect your computer from Meds ransomware virus

HitmanPro.Alert is a small security utility. It checks the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

Click the following link to download HitmanPro Alert. Save it to your Desktop so that you can access the file easily.

HitmanPro.Alert. Author: Sophos. Category: Security tools. Update: March 6, 2019.

Once downloading is complete, open the file location. You will see an icon like below.

HitmanPro.Alert file icon

Double click the HitmanPro.Alert desktop icon. Once the utility is launched, you’ll be shown a window where you can choose a level of protection, like below.

HitmanPro.Alert install

Now press the Install button to activate the protection.

Finish words

Once you have finished the tutorial outlined above, your computer should be clean of the Meds ransomware and other malware. Your computer will no longer encrypt your photos, documents and music. Unfortunately, if these steps do not help you, then you have caught a new variant of crypto malware, and the best course is to ask for help here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
