How To Remove .Zepto Virus And Decrypt Files

Zepto virus, also referred to as zeptojs or zepto.js, is currently on the rise. It is an aggressive ransomware, a variant of Locky, usually distributed through spam emails. If a user opens the attachment the machine is infected and its files are encrypted and renamed with a .zepto extension. The virus then demands a payment to unlock the files. Paying the ransom does not guarantee that the files will be decrypted, it leaves open the security holes that let the infection in, and it marks you as someone who pays, so the attacker may come back. The only reliable course is to remove the virus completely, recover the files from backups or shadow copies, and secure the PC against the next attack.

We have prepared two sets of removal instructions. We recommend the automatic option: it scans and repairs the computer and also protects it so you do not get infected again. A manual removal guide for more experienced users follows further down.


Recommended Method: Download Zepto Virus Removal Tool

This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
Installer: mb3-setup.exe (56.5 MB)


What is Zepto virus?

Zepto virus is distributed through spam emails. The subject lines are written to look like mail from a real person (“Please see the attachment”, “I am sending you the image”, and so on). Opening the attachment is enough to get infected: the virus encrypts your files with AES-128, protects the AES key with RSA-2048 so that only the attackers' private key can recover it, and renames the files with a .zepto extension, making them inaccessible.

The two most common forms of the attachment are:

  • A JavaScript file named zepto.js or anything else with a .js extension. Double-clicking it runs it with Windows Script Host, which silently installs the virus; you will not notice anything until your files are encrypted.
  • A Word document with the macro-enabled .docm extension, or a Windows Script File (.wsf). The document may ask you to enable macros (“enable content”) before it can be displayed, and the macro then installs the virus. A .wsf file needs no prompt and runs the same way as the .js variant.

The best protection against Zepto and other ransomware is not to open suspicious email attachments. We also recommend keeping a full backup of all your files somewhere the infected PC cannot write to (a disconnected drive or an account with its own credentials), so that you can always recover them should you run into a ransomware virus.
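As an added example (not part of the original guide), the following PowerShell triages a folder of saved attachments for the delivery formats described above before anyone double-clicks them: script extensions that Windows Script Host runs directly, double extensions such as invoice.pdf.js, and Office documents that carry a VBA project. The folder path is a placeholder; change it to wherever your mail client saves attachments.

```powershell
# Added example, not code from the original guide.
# Assumes attachments have been saved to a folder; $Folder below is a placeholder.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions that Windows Script Host or mshta execute on double-click.
$scriptExtensions = '.js', '.jse', '.wsf', '.wsh', '.vbs', '.vbe', '.hta'

function Test-OfficeMacro {
    param([string]$Path)
    # Modern Office files are zip archives; a VBA project is stored as
    # word/vbaProject.bin (xl/ or ppt/ for Excel and PowerPoint).
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            $hit = $zip.Entries | Where-Object { $_.FullName -like '*vbaProject.bin' }
            return [bool]$hit
        } finally { $zip.Dispose() }
    } catch {
        return $false   # not a zip container, so not an Office Open XML document
    }
}

function Get-RiskyAttachments {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
        $reasons = @()
        $ext = $_.Extension.ToLower()
        if ($scriptExtensions -contains $ext) {
            $reasons += "script run by Windows Script Host ($ext)"
        }
        # invoice.pdf.js style names: Windows acts on the last extension only.
        if ($_.Name -match '\.(pdf|doc|docx|jpg|png|txt)\.[a-z]{2,4}$') {
            $reasons += 'double extension'
        }
        if ($ext -in '.docm', '.dotm', '.xlsm', '.pptm') {
            $reasons += 'macro-enabled Office extension'
        }
        if ($ext -in '.docx', '.docm', '.dotm', '.xlsx', '.xlsm', '.pptx', '.pptm') {
            if (Test-OfficeMacro $_.FullName) { $reasons += 'contains a VBA project' }
        }
        if ($reasons) {
            [pscustomobject]@{ File = $_.FullName; Reasons = ($reasons -join '; ') }
        }
    }
}

# Placeholder folder; point it at the directory your mail client saves attachments to.
Get-RiskyAttachments -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize -Wrap
```

A cheap mitigation for the .js variant is to change the default handler for .js and .jse files from Windows Script Host to Notepad (for example `assoc .js=txtfile` in an elevated command prompt), so that a double-click opens the script as text instead of running it.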

IMPORTANT: Encrypting your files and deleting the originals takes time. If you suspect you have been infected (you opened a suspicious file; CPU, RAM or disk usage is much higher than usual; free disk space is shrinking; you found a file with a .zepto extension), power off the computer immediately to stop the encryption and salvage what is left, and unplug it from the network, because the virus also encrypts files on shared and network drives it can reach. Then follow the instructions below to remove the virus with as little damage as possible.

After the virus finishes encrypting your files, it changes your desktop background to an image with instructions on how to recover your files. It also drops many copies of the same instructions, named with the template _<number>_HELP_instructions.html, for example _1_HELP_instructions.html.

The attackers require you to pay a ransom in order to receive a private key and decryption program. This is a typical ransom note:

!!! IMPORTANT INFORMATION !!!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
hxxps://en.wikipedia.org/wiki/RSA_(cryptosystem)
hxxps://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser:
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar:
4. Follow the instructions on the site.

We discourage you from paying the ransom: the attackers may take your money and leave your files locked, and they may see you as a paying “customer” and target you again to extort even more. Instead, follow the instructions below and remove the threat completely.

Below are screenshots of Zepto virus in action. You might see slightly different instructions or warnings, because the virus is updated quite regularly.



 Manual Removal Instructions:

NB: Removing the virus does not guarantee that the problem is solved permanently! Make sure you remove the potential threat source as well (e.g. suspicious files, torrent downloads, browser toolbars and similar). Also, we strongly recommend securing your computer with an antivirus software in order to avoid getting infected in the future.

Make sure you bookmark this page before you proceed because you might need to leave it or restart your computer during the removal process!

Step 1:

Restart Windows in Safe Mode.

When your computer is infected some of its features may be locked or compromised. Safe Mode starts Windows with only the basic drivers and services, so the virus's own startup entries do not run and you can remove it.

Since Safe Mode only has the most basic features do not be scared that your Windows look completely different!

Windows 98, XP, Vista or Windows 7:

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly until the boot menu (Advanced Boot Options) appears.
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for Windows to start.

 

Windows 8, 8.1 or Windows 10:

F8 method (1/4):

Restarting and repeatedly pressing F8 might not work on these versions of Windows, because booting is much faster and the key presses are often missed. Try this method first and move on to the others if it does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly.
    If that does not work, repeat the procedure holding Shift while pressing F8.
  3. Continue from step 5 of the Shift+Restart method below.

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold Windows () key and click R key.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check “Safe boot” under Boot options, select Network (so you can still reach virustotal.com from Safe Mode) and click OK.
  5. When prompted, click Restart.
  6. Windows now starts in Safe Mode. Remember to come back and uncheck Safe boot when you are done, otherwise Windows keeps booting into Safe Mode.

System Recovery method (4/4):

If everything above fails, boot from a System Recovery CD or DVD (Windows 8 only) or a System Recovery USB stick (Windows 8 and 8.1). You will be offered the Troubleshoot option; from there the steps are identical to the Shift + Restart method from #3 onwards.

Step 2:

This step is very important: you will stop the processes associated with Zepto virus and remove their files.

Press CTRL + SHIFT + ESC to open Task Manager and go to the Processes tab (on Windows 8 and 10 click “More details” first; the Details tab shows every process with its image name). Alternatively, right-click the taskbar and choose Task Manager.

You will have to check the processes one at a time. Right-click each of them and choose Open File Location.

Look the file up on virustotal.com. Search by its SHA-256 hash first and upload only if the hash is unknown: an uploaded file is shared with the antivirus vendors, and the process image might be a private document viewer or similar. Windows' own processes (svchost.exe, csrss.exe, explorer.exe and the rest of C:\Windows\System32) are legitimate and must be left alone even if you cannot explain what they do.

If the file is flagged as malicious by several reputable engines, right-click the process, choose End Process (End Task on newer Windows), then delete the file in the location you opened.

Repeat the procedure for every process in the list. Note that the encrypting process has often already exited by the time the ransom note appears, so finding nothing here is not unusual; the autostart and file checks in the later steps matter more.
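As an added example (not part of the original guide), the following PowerShell produces the same inventory as clicking through Task Manager: every running process with its image path, Authenticode signature status and SHA-256, so you can search virustotal.com by hash without uploading anything. Run it from an elevated PowerShell, otherwise the paths of processes owned by other users are not visible.

```powershell
# Added example, not code from the original guide.
function Get-ProcessInventory {
    Get-Process | Where-Object { $_.Path } | Sort-Object -Property Path -Unique | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Name      = $_.ProcessName
            Path      = $_.Path
            SHA256    = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
            Signature = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer    = $signer
        }
    }
}

# Unsigned images, and anything running from user-writable locations, are the
# ones to look up first; signed Microsoft binaries in System32 can be skipped.
Get-ProcessInventory |
    Where-Object {
        $_.Signature -ne 'Valid' -or
        $_.Path -like "$env:USERPROFILE\*" -or
        $_.Path -like "$env:ProgramData\*" -or
        $_.Path -like "$env:TEMP\*"
    } |
    Format-Table Name, Signature, SHA256, Path -AutoSize -Wrap
```

Paste the SHA256 value into the virustotal.com search box; a hash that has never been seen is itself a signal worth following up.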

Step 3:

Remove unwanted entries from your hosts file.

Press and hold the Windows () key and press R.

Enter the following in the field:

notepad %windir%\System32\drivers\etc\hosts

Click OK.

Your hosts file opens in Notepad. The stock Windows hosts file contains only comment lines (starting with #); even the 127.0.0.1 localhost entry is commented out on current Windows versions. Any other line was added by something: an entry that points the domains of security vendors or Windows Update at 127.0.0.1 or at an unfamiliar address is how malware blocks updates and downloads of removal tools, and should be deleted. To be able to save the file, Notepad has to be started as administrator (right-click, Run as administrator).
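As an added example (not part of the original guide), this PowerShell function prints every active line of a hosts file and flags anything that is not the loopback address mapped to localhost. It is run first over a constructed sample (not a real infected file; 203.0.113.5 is a documentation address, and the vendor domain is just an illustration of the pattern) and then over the real file.

```powershell
# Added example, not code from the original guide.
$hostsPath = "$env:windir\System32\drivers\etc\hosts"

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if (-not $t -or $t.StartsWith('#')) { continue }   # blank line or comment
        $parts = $t -split '\s+'
        if ($parts.Count -lt 2) { continue }                # malformed, nothing to map
        $ip = $parts[0]
        foreach ($name in ($parts | Select-Object -Skip 1)) {
            if ($name.StartsWith('#')) { break }            # trailing comment
            $loopback = $ip -in '127.0.0.1', '::1'
            $local    = $name -in 'localhost', 'localhost.localdomain'
            $flag = if ($loopback -and $local) { '' } else { 'CHECK' }
            [pscustomobject]@{ IP = $ip; Hostname = $name; Flag = $flag }
        }
    }
}

# Constructed sample to show what the output looks like.
$sample = @'
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
127.0.0.1   localhost
127.0.0.1   www.malwarebytes.com   # a security vendor redirected to localhost
203.0.113.5 update.microsoft.com   # Windows Update pointed at a foreign address
'@ -split "`r?`n"

Get-HostsEntries -Lines $sample | Format-Table -AutoSize

# The real file on this machine:
Get-HostsEntries -Lines (Get-Content $hostsPath) | Format-Table -AutoSize
```

Lines marked CHECK that you did not add yourself (some applications and ad blockers legitimately add entries) are the ones to delete in Notepad.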

Step 4:

Remove all unknown startup items.

Press and hold Windows () key and click R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab.

Uncheck all entries that have “Unknown” as Manufacturer. Sometimes an entry carries a fake manufacturer name, so use your common sense and uncheck anything you cannot account for. On Windows 8 and 10 msconfig sends you to the Startup tab of Task Manager instead; right-click an entry there, choose Open file location to see the file, and Disable to stop it. Disabling rather than deleting keeps the entry so that you can turn a legitimate program back on if you were wrong.

Step 5:

Clean up your registry.

Press and hold Windows () key and click R key.

Enter the following in the field:

regedit.exe

Click OK.

Press keyboard buttons CTRL + F and enter:

zepto

Click Find Next.

Before deleting anything, export a backup of the registry (File > Export, Export range: All). If you find an entry with the virus name, right-click it and choose Delete. Be careful not to delete unrelated registry entries, otherwise you may damage Windows. Searching for the extension name mostly turns up references to your own renamed files (recent-document lists and similar), which are harmless; the entries that matter are autostart values (for example under Software\Microsoft\Windows\CurrentVersion\Run) that point at an unknown executable.

Repeat the “Find Next” and Delete procedure by searching again and deleting until no virus entries are left.
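Rather than searching the registry for a string, a practitioner enumerates the autostart locations directly. The following PowerShell is an added example (not part of the original guide): it lists the Run and RunOnce values for the current user and the machine plus the two Startup folders, resolves each command line to the executable it launches, and reports whether that file still exists, whether it is signed, and its SHA-256 for a VirusTotal lookup. The key list covers the common locations only and is an assumption, not a complete list of everything Windows starts automatically.

```powershell
# Added example, not code from the original guide.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Resolve-CommandImage {
    param([string]$CommandLine)
    # Quoted path first; otherwise the shortest prefix ending in a known
    # executable extension (handles unquoted paths containing spaces).
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.(exe|dll|scr|js|jse|vbs|wsf|bat|cmd))(\s|$)') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... which are not registry values.
            if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $image  = [Environment]::ExpandEnvironmentVariables((Resolve-CommandImage ([string]$prop.Value)))
            $exists = [bool]$image -and (Test-Path -LiteralPath $image -ErrorAction SilentlyContinue)
            $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }
            $hash   = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { '' }
            [pscustomobject]@{
                Location = $key; Name = $prop.Name; Command = [string]$prop.Value
                Image = $image; Exists = $exists; Signature = $status; SHA256 = $hash
            }
        }
    }
    foreach ($folder in $startupFolders) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Location = $folder; Name = $_.Name; Command = $_.FullName
                Image = $_.FullName; Exists = $true
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

Get-AutostartEntries | Format-Table Name, Signature, Exists, Image, Location -AutoSize -Wrap
```

An entry whose image no longer exists is a leftover that can simply be removed; an unsigned image under %AppData%, %LocalAppData%, %ProgramData% or %Temp% is the kind of thing to hash and look up before deleting both the value and the file.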

Step 6:

Clean up your temporary files.

Press and hold Windows () key and click R key.

Enter the following in the field:

%Temp%

Click OK.

A new directory will open with with a lot of temporary files and folders.

Select all temporary files with CTRL + A and delete them. This does not affect your computer's operation, since temporary files are called “temporary” for a reason. Some files will be in use and refuse to be deleted; skip those.

Step 7:

Check for any recent changes in all the other important files.

Press and hold Windows () key and click R key.

Enter the following in the field:

%AppData%

Click OK.

You do not need to delete anything here. Sort the view by “Date Modified” and look for files changed around the time of the infection. If a file has just been changed, check it on virustotal.com (by hash first) and remove it if it is flagged. If there are no suspicious changes, leave everything as it is.

Repeat this step with the following three directories:

%LocalAppData%
%ProgramData%
%WinDir%

Remember: delete something only if it was modified around the time of the attack and is flagged by VirusTotal. Otherwise you might remove critical system files! The .zepto files you find in these folders are your own encrypted files, not the virus; leave them in place for recovery.
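The encrypted files themselves tell you when the attack ran, which gives a much tighter filter than scrolling a Date Modified column across four directories. As an added example (not part of the original guide), this PowerShell first locates the .zepto files and the _N_HELP_instructions.html ransom notes described above to establish the encryption window, then lists only the executable and script files under %AppData%, %LocalAppData%, %ProgramData% and %WinDir% written from an hour before the first encrypted file onwards, with signature status and SHA-256. The extension list and the one-hour margin are assumptions; Windows Update activity in the same window will also show up and is recognisable by its valid Microsoft signature.

```powershell
# Added example, not code from the original guide.
$searchRoots    = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:windir)
$codeExtensions = '.exe', '.dll', '.scr', '.js', '.jse', '.wsf', '.vbs', '.bat', '.cmd', '.ps1', '.tmp'

function Get-EncryptionWindow {
    param([string[]]$Roots = @($env:USERPROFILE))
    # Locky variants rename what they encrypt, so the oldest .zepto file marks
    # roughly when encryption started and the newest when it stopped.
    $encrypted = @(Get-ChildItem -Path $Roots -Recurse -File -Filter '*.zepto' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime)
    if ($encrypted.Count -eq 0) { return $null }
    $notes = @(Get-ChildItem -Path $Roots -Recurse -File -Filter '_*_HELP_instructions.html' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Count = $encrypted.Count
        First = $encrypted[0].LastWriteTime
        Last  = $encrypted[-1].LastWriteTime
        Notes = $notes.Count
    }
}

function Get-RecentCodeFiles {
    param([datetime]$Since)
    Get-ChildItem -Path $searchRoots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -and $codeExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Modified  = $_.LastWriteTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue).Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                Path      = $_.FullName
            }
        } | Sort-Object Modified
}

$window = Get-EncryptionWindow
if ($window) {
    "Found $($window.Count) .zepto files and $($window.Notes) ransom notes; encryption ran from $($window.First) to $($window.Last)."
    # Start an hour before the first encrypted file so the dropper itself is included.
    Get-RecentCodeFiles -Since $window.First.AddHours(-1) | Format-Table -AutoSize -Wrap
} else {
    'No .zepto files found under the user profile; call Get-EncryptionWindow -Roots with the drives to check.'
}
```

Walking %WinDir% takes a few minutes; the result is worth it, because an unsigned executable written minutes before the first .zepto file is almost certainly the dropper, and its hash is what to look up and report.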

 Decrypting The Files:

Now you can move on to recovering your encrypted files. The success might depend on the harm already done by the virus as well as your personal computer settings. If you have backups of your files you might simply restore them and forget the harm. However, if you do not have backups enabled there is a chance that your files might be lost forever.

Check for a .zepto decryptor here first: List of currently available decryptors. At the time of writing we have no information that a .zepto decryptor is available, but one might be added, so quickly run through the list before proceeding.

We have a list of extensive file recovery methods available here. We recommend reading it. The instructions below are just a short version of the methods listed there.

Step 1:

Restore the system using System Restore. This rolls back system files, settings and installed programs to a point before the attack. It does not restore your documents, so it undoes the infection's changes but does not bring encrypted files back; for those, use backups or the shadow copies in Step 2.

Some variants of Zepto virus delete the system restore points, in which case this step fails.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

You will see a System Restore wizard.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure the restore point was created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 2:

Restore earlier file versions from volume shadow copies.

Windows keeps snapshots of the volume (shadow copies) whenever a restore point is created, and the pre-attack versions of your files may still be in them. Locky, of which Zepto is a variant, runs vssadmin to delete shadow copies as part of its attack, so this does not always work, but it costs nothing to check.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from; the date has to be before the attack.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.
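Shadow Explorer is a convenience; Windows can expose a shadow copy as a directory on its own. The following PowerShell is an added example (not part of the original guide and not Shadow Explorer's code): it lists the shadow copies through WMI, picks the newest one created before the attack, and links it to C:\shadow with mklink so it can be browsed and copied from like any folder. The attack time, the link path and the destination folder are placeholders; run it from an elevated PowerShell, since reading shadow copies requires administrator rights.

```powershell
# Added example, not code from the original guide. Run as administrator.
function Get-ShadowCopies {
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            ID      = $_.ID
            Created = $_.InstallDate      # CIM already returns a DateTime here
            Volume  = $_.VolumeName
            Device  = $_.DeviceObject     # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Created
}

function Mount-ShadowCopy {
    param([string]$DeviceObject, [string]$LinkPath = 'C:\shadow')
    # mklink needs the trailing backslash on the device path. The link gives
    # read-only access to the snapshot; copy files out of it with Copy-Item.
    $target = $DeviceObject + '\'
    cmd /c mklink /d $LinkPath $target
}

# Placeholder: the time of the first .zepto file on this machine.
$attackTime = Get-Date '2016-07-01 12:00'

$copies = @(Get-ShadowCopies)
$copies | Format-Table Created, Volume, Device -AutoSize

# Newest snapshot that predates the attack; older ones are fallbacks.
$candidate = $copies | Where-Object { $_.Created -lt $attackTime } | Select-Object -Last 1
if ($candidate) {
    Mount-ShadowCopy -DeviceObject $candidate.Device
    # Browse C:\shadow like a normal drive and copy the folders you need, e.g.:
    # Copy-Item "C:\shadow\Users\$env:USERNAME\Documents" -Destination 'D:\recovered' -Recurse
    # Remove the link afterwards with: cmd /c rmdir C:\shadow
} else {
    'No shadow copy older than the attack exists; the virus may have deleted them.'
}
```

`vssadmin list shadows` in an elevated command prompt shows the same list; if it reports none, there is nothing for Shadow Explorer to find either, and the remaining options are backups or waiting for a decryptor.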

Step 3:

Read more on how to restore files (including backups) on our file recovery guide.

An alternative is to wait for a Zepto decryptor to be created. If you can leave the PC unused, take out the hard drive with the encrypted files, or simply make a backup of them, and wait until a decrypter appears. This is not guaranteed, although we have seen decryptors released for many popular ransomware families after a while.

4 comments on “How To Remove .Zepto Virus And Decrypt Files

  1. This is not working for my computer. In step 3 I can launch task manager, I can choose a file, I can open file location system 32, but in the system 32 list the file is nowhere to be found. If I go to Virus Total and click on “choose a file” it just brings up an open menu with my files and all the encrypted zepto files, nothing from task manager. So how do you get a file from task manager or system 32 into Virus Total to scan it? Now I’m wondering if the malwarebytes is any better.

    1. Hello, Malwarebytes should remove the .zepto virus completely, as it is a well-known variant of Locky ransomware and is detectable by most antivirus software. Just use Malwarebytes if you run into problems while removing the virus by hand.

  2. Thank you for your reply. I finally figured out how to use the Virus Total file scanner. I am not too computer literate but I’m trying. I decided to try the manual method to learn more about the computer and the virus. Virus Total does not rate files as simply “good” or “bad”, instead it rates them. In step 2 Task Manager the last process scanned below the halfway mark. I didn’t delete it. Is that rating low enough to delete it? In Step 7 %WinDir% one file was written the same day I was working on this. Is it possible that the virus wrote a new program to avoid being deleted?
    It’s named PSS boot backup and the file type is unknown. It’s rated exactly half way between good and bad. Is that bad enough to delete it?

    1. Good to hear that you are making progress. However, since you stated that you are not very experienced at this you should probably use Malwarebytes afterwards as well. The removal is free and it will make sure that nothing suspicious is left.

      Locky is a complicated virus and there is no guarantee that you will manage to remove everything by hand. The manual guide is more like guidelines rather than a 100% working linear tutorial. This is why you have to scan individual files, analyze their “modified” dates and so on. We cannot simply provide infected files’ list because the behavior of this virus varies with each case.

      As for Virus Total scans, it provides a list of results from many different antimalware programs. General rule of thumb is to look for detections from the most popular ones with biggest databases (Malwarebytes, Kaspersky, AVG, Norton and so on). If you see that most of them have marked the file in question as dangerous, you should remove it. There are always many programs at the bottom of the list which do not detect the threats but this is because they have smaller threat databases.

      As for the PSS boot backup, this might be a legitimate file, according to some sources on Windows help portal and other forums. Again, you can always make a backup of a file you are not sure about (on some separate media), delete it and see if it makes a difference.

