.promok Files Virus (STOP/DJVU) – How to Remove It

.promok Files Virus (STOP/DJVU) – How to Remove It

This is an instructive article, created to give you insight on what is the .promok file ransomware, how to remove it and how you can try and get back .promok encrypted files.

A new version of the STOP/DJVU ransomware strain has been reported by security professionals to significantly increase it’s infection rate. The virus uses the .promok file extension which is added to the encrypted files on compromised computer. In addition to this, it also adds the _readme.txt ransom note file. It aims to threaten users that they must pay ransom to get their files back, but if your computer has been infected by this virus, we strongly advise you against paying. Instead, read this article as it contains more information on how you can remove the .promok version of STOP ransomware and how you can try to restore your encrypted files.

Threat Summary

Name.promok Ransomware
TypeRansomware, Cryptovirus
Short DescriptionAims to render the files on the compromised computers by it to no longer be able to be opened In order to extort victims into paying ransom to get their files back.
SymptomsFiles cannot be opened and have the .promok file extension. The ransomware drops a _readme.txt ransom note, containing the extortionists’ message.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .promok Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .promok Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.promok File Ransomware – Distribution

There are two objects which are used in the infection process of .promok Ransomware:

  • Malicious files.(.js, .docx, .pdf, .exe, .bat, .cmd)
  • Malicious web links.

If the infection is conducted via malicious files, the .promok ransomware virus may be spread either by having the file uploaded on websites, where it may seem as if it is a crack, patch, portable program, setup of software or any other executable software, which the victim should download and execute.

Another infection method via malicious files is e-mail spam. Spam messages are constantly being sent by cyber-criminals and often account to more than half of the infection of ransomware viruses out there. Such malicious spam e-mails may contain the infection file, pretending to be some sort of important document, like an invoice, a receipt for a purchase or any other form of “must read” files.

If the infection is conducted via malicious web links then it may happen via a lot of different ways. The web links may be opened on your computer automatically as a result of a web browser redirection, they may be executed by you clicking on an ad or may even be sent to you via messaging services, like Facebook Messenger, Skype, Viber for PC and several other services. Once links are opened, they could trigger JavaScript infection that may download and execute the payload of .promok ransomware on your computer.

.promok Files Virus – More Information

After an infection with .promok ransomware occurs on your computer system, then be advised that the virus files of this ransomware may be created in the following Windows directories:

  • %ProgramData%
  • %system32%
  • %Roaming%
  • %Temp%
  • %Windows%
  • %SystemDrive%
  • %Local%
  • %LocalLow%

When the files are dropped, the .promok virus may perform several pre-checks before being officially activated.

  • Check if it’s running on a real computer and if not, self-delete itself.
  • Check your IP address and location.
  • Check region and language settings.
  • Check if STOP Ransomware has infected your PC before and if so self-deletes its files.
  • Steal any saved passwords.
  • Obtain read and write permissions and create mutexes.
  • Obtain rights as an Administrator.

The .promok ransomware is part of the STOP Ransomware family of viruses, which also introuced another variant, close to it, using the

What are .promorad files? What is .promorad file ransomware? How to remove the .promorad files virus? How to try and restore .promorad encrypted files?
.promorad file extension.

The .promok files virus may also modify and create registy entries in the following Windows Registry sub-keys:

→ CurrentVersion\Run
\Control Panel\Desktop

In addition to this, the .promok virus also aims to make sure that the files on your computer cannot be recovered. To do this, the virus may execute several commands as an Administrator in Windows Command Prompt. These commands may disable Windows Recovery services and delete the shadow volume copies, if entered:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.promok Ransomware – Encryption Process

To encrypt files on your infected computer, .promok ransomware may first scan it for them. The files that may be scanned for are usually commonly used document, image, audio and other file types.

The virus may look for files, based on a pre-set list of file extension, that usually are the following:


After the files are detected, they are appended the .promok file extension to their original one. The files may assume the following appearance:

Remove .promok Files Virus and Try Restoring Data

Before removing the .promok ransomware from your computer, we urge you to backup your files first, since such viruses often use Cipher Block Chaining(CBC) mode, that interlinks the files and breaks them indefinitely if you try to tamper with them. This is why it is best to stay safe and make an image of Windows for later, when a decryptor is released.

If you want to remove the .promok ransomware infection we recommend that you follow the removal steps below. They aim to help you remove this virus either automatically or manually. Be advised that if you try to remove this virus by yourself, it is stronlgy reccomended to be very careful, since .promok virus may also be attached to system files of Windows and may damage your system if you delete the wrong file. This is why, security experts strongly recommend that you download and run a scan, using an advanced anti-malware software. This program aims to detect and remove all files and objects, related to .promok ransomware and protects your computer against infections in the future as well.

If you want to try and restore files, encrypted by .promok file ransomware, we strongly suggest that you give the methods in the “Try to Restore” installation step below a try, since they are created to help you restore as many encrypted files as possible without damaging your data, even though they may not work at a 100%.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share