How To Remove .imme Ransomware Virus And Decrypt Files

Imme is ransomware that appears to be derived from another file-encrypting virus called Xorist. This malware makes your files unopenable, appends either the “.imme” or the “.imme.teras.completecrypt” extension to them, and places ransom notes called “HOW TO DECRYPT FILES.txt” in all folders.

This ransomware asks for an unconventionally high ransom of 2 BitCoins (approximately $2000) if you want to receive a file decryption key and recover the compromised data. The virus creators provide two emails to contact them after you make a payment: [email protected] and [email protected].

Luckily, the chances of recovering your files after an Imme attack are higher than after most other ransomware types. Virus researchers have already developed a Xorist decryption tool, and it might work for this version as well. We also list other file recovery methods in case the decrypter fails.

First, however, you need to remove the ransomware infection from your computer. We strongly recommend using the automatic tool as it will correctly eliminate the threat and protect your system in the future.



What is Imme ransomware?

This ransomware is another version of a very popular virus called Xorist (another closely related ransomware is called XRat). While the former one managed to infect many computers and extort money from people and business entities, this one is only starting the journey. However, it seems that Imme successfully convinces users to pay the ransom even if the amount is unconventionally high and is currently set at 2 BitCoins (more than $2000). We have checked some of the ransomware BitCoin addresses and noticed that they have already received payments.

At the moment this virus uses two extensions, .imme.teras.completecrypt and .imme. It states that documents, photos, databases and other important files are targeted. However, some users have reported that only database files were encrypted on their computers.

When the encryption process finishes, Imme places ransom notes called “HOW TO DECRYPT FILES.txt” across the computer and asks for a payment. It instructs victims to first send the BitCoins and then contact the criminals via email at [email protected] or [email protected]. A 72-hour limit is given and the price is expected to increase afterwards.

Here are the contents of ransom note text file:

ATTENTION !
All your documents ,photos,databases and other important personal files were encrypted using strong algorithm with a unique key.
TO RESTORE YOUR FILES YOU HAVE TO PAY 2 BITCOINS to this address : 33xW5MK21r6drd2L1bvD4Jso6mTJs8T7ag
If you are not familiar with bitcoin you can open an wallet here:  www.localbitcoin.com
After you've made payment you have to contact us with your private ID alocated to you :  DECRYPT-X2NCEUPROCRYPT
at this email address: [email protected] if we do not respond within 4 hours please use the second email: [email protected]
We will confirm payment and send to you decrypt key + tutorial
REMEBER YOU HAVE A 72 HOURS LIMIT!
After that : 1- Your KEY and Software price will be higher
ATTENTION : all your attempts to decrypt your PC without our software and key can lead to irreversible destruction of your files !

It is currently unclear how this ransomware appears on your computer. However, most likely it employs well known methods and either infiltrates through spam email attachments or uses exploit kits. Therefore, you should always refrain from opening suspicious files sent in mail as well as avoid unknown websites and links.

If you think that you have just been infected by the ransomware but not all files are encrypted yet, you should immediately shut down your computer in order to stop the process and salvage at least some of your data. Good indicators that file encryption is in progress are high computer resource usage and decreased hard disk space.

We strongly discourage paying the ransom if your files have been encrypted by Imme ransomware. There is no guarantee that the criminals will actually provide you with the decryption key and software. Also, there is a risk that they will leave additional backdoors and target you in the future since they will see you as a paying victim. Therefore, the best way to combat Imme ransomware is to completely remove the infection from your system and then use the file recovery methods listed at the end of this article.

We recommend using the automatic removal tool as it will correctly remove all Imme virus files and protect your computer in the future. We have also prepared a manual removal guide for more experienced Windows users who are comfortable with editing important files and settings. However, if you choose this option you will still need to remember to secure your computer with a proper antivirus software afterwards.

Move on to file recovery instructions only after you have completely removed the virus. Otherwise you might cause even more damage and make the recovery harder or impossible.



 Manual Removal Instructions:

Bookmark this page so you can return to it after you restart your computer during the removal process. You can also open it on another device or print it out.

Step 1:

Reboot the infected computer in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Safe Mode only has the most basic features, so do not be alarmed if Windows looks completely different.

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode:

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly until the boot menu appears.
  3. Use arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for the Windows to launch.

 

How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode:

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly.
    If it does not work, repeat the same procedure but this time hold the Shift key while pressing F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold the Windows key and press the R key.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails, you can try inserting a System Recovery CD or DVD (works only with Windows 8) or a System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose the Troubleshoot option. The steps are then identical to those in the Shift+Restart method starting from #3.

Step 2:

Find any processes that might be associated with the Imme ransomware virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

Now you will have to check each suspicious process manually.

Right-click on each of the processes in the list and choose Open File Location.

Go to virustotal.com and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have opened.

Repeat this until you have checked all suspicious processes.

Step 2:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold the Windows key and press the R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 3:

Clean up your registry entries.

Hold the Windows key and press the R key.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Press keyboard buttons CTRL + F and enter:

imme

Click Find Next.

If you find any registry entries that could be associated with Imme ransomware, delete them by right-clicking on the entry and choosing Delete.

Repeat this search until no results are found anymore. Then repeat this step with the following search queries:

completecrypt
supfiles
procrypt
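
Before deleting anything by hand, a read-only listing of the autostart registry keys shows where the search terms above actually occur. This is an added example, not part of the original guide; the list of Run/RunOnce keys is this example's own choice and covers only common autostart locations, not the whole registry. Because “imme” is a short string, the Match column is a hint for manual review, not a verdict.

```powershell
# Added example: read-only check of common autostart keys for the guide's search terms.
$terms   = 'imme', 'completecrypt', 'supfiles', 'procrypt'
$pattern = ($terms | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Autostart locations chosen for this example (assumption, not an exhaustive list).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this system
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        [pscustomobject]@{
            # -match is case-insensitive, like the regedit search in the guide
            Match = ($name -match $pattern) -or ($data -match $pattern)
            Key   = $key
            Name  = $name
            Data  = $data
        }
    }
}

# Matching entries first; every other autostart entry is still listed for review.
$entries | Sort-Object Match -Descending | Format-List
```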

Step 4:

Clean up Windows temporary files.

Imme ransomware can operate from temporary files directory.

You can safely remove all temporary files without posing any risk to your computer.

Hold the Windows key and press the R key.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them.

Step 5:

Check for any recent changes in all the other important system files.

Hold the Windows key and press the R key.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here! Search for any recent changes (by “Date Modified”) in the files first. Only if you see that a file has just been changed scan it with virustotal.com. Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!
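
Sorting these folders by “Date Modified” in Explorer misses subfolders, so the following added example (not part of the original guide) lists recently changed executable and script files recursively, with a SHA-256 hash that can be searched on virustotal.com. The 7-day window and the extension list are assumptions, %WinDir% is left out to keep the run time reasonable, and PowerShell 4.0 or later is assumed for Get-FileHash. Nothing is deleted or modified.

```powershell
# Added example: recently modified executables/scripts in the folders named above.
$since      = (Get-Date).AddDays(-7)   # look-back window (assumption)
$extensions = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1'
$roots      = $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData

$recent = foreach ($root in $roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.LastWriteTime -ge $since -and
            $extensions -contains $_.Extension.ToLower()
        } |
        ForEach-Object {
            # Hash may be empty if the file is locked or unreadable
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                        -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{
                Modified = $_.LastWriteTime
                SHA256   = $hash
                Path     = $_.FullName
            }
        }
}

# Newest changes first
$recent | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```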

 Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate external media in case you are not able to recover the files using our methods.
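
To know what the backup has to contain, the encrypted files can be inventoried by the two extensions and the ransom note name given earlier in this article. The script below is an added example, not part of the original guide; the scan root and the output file name are assumptions. It strips the appended extension to recover each file's original type, which also shows whether only database files were hit, as some users reported.

```powershell
# Added example: inventory of encrypted files and ransom notes (read-only scan).
$root     = $env:USERPROFILE            # scan root (assumption); use e.g. 'D:\' to widen
$suffixes = '.imme.teras.completecrypt', '.imme'   # longest suffix first
$noteName = 'HOW TO DECRYPT FILES.txt'

$files = Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue

$encrypted = foreach ($f in $files) {
    foreach ($s in $suffixes) {
        if ($f.Name.EndsWith($s, [StringComparison]::OrdinalIgnoreCase)) {
            # Name without the appended extension, e.g. "orders.mdb.imme" -> "orders.mdb"
            $original = $f.Name.Substring(0, $f.Name.Length - $s.Length)
            [pscustomobject]@{
                Path         = $f.FullName
                Size         = $f.Length
                OriginalType = [IO.Path]::GetExtension($original).ToLower()
                Suffix       = $s
            }
            break   # stop at the first (longest) matching suffix
        }
    }
}
$notes = $files | Where-Object { $_.Name -eq $noteName }

"Encrypted files: {0}   Ransom notes: {1}" -f @($encrypted).Count, @($notes).Count

# Breakdown by original file type, largest groups first
$encrypted | Group-Object OriginalType | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'MB'; e = { [math]::Round(($_.Group | Measure-Object -Property Size -Sum).Sum / 1MB, 1) } } |
    Format-Table -AutoSize

# Manifest to keep alongside the backup (file name is an assumption)
$encrypted | Export-Csv -Path '.\imme-encrypted-files.csv' -NoTypeInformation
```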

Check for Imme ransomware file decrypter here: List of currently available decrypters. Currently there is no official Imme decryptor available but it might be added in the future so check the list before continuing. Alternatively, you can try and use the Emsisoft Xorist decrypter as Imme and Xorist share similarities in their design.

We have an extensive list of other file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold the Windows key and press the R key to open the “Run” window.

Enter the following in the field:

cmd

Click OK.

A command prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter

Step 2:

Restore the old system settings using System Restore. The virus has changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold the Windows key and press the R key.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus might try to delete shadow copies, so this step might be unsuccessful as well. In that case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a decrypter to be created. New free decrypters for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the Imme ransomware virus you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.

