Ntuseg file virus is another ransomware strain developed by scammers. It works and spreads in the same way as Novasof and Bopador; the only difference is the .ntuseg extension appended to the documents, photos and music that it affects.
The Ntuseg file virus is designed to encrypt files on the computer. Like other ransomware, it can lock archives, movies, web application-related files, photos, documents, drawings, databases and other files that are important to the user and whose unavailability is unacceptable to him. The victim will not be able to open them, whatever application he tries. The Ntuseg virus locks almost all files, including common types such as:
.xpm, .pdd, .css, .itm, .pst, .mpqge, .sav, .odm, .wp6, .cfr, .pak, .wp4, .ntl, .qic, .mrwref, .hplg, .fsh, .wire, .wmf, .wmd, .xll, .rofl, .png, .layout, .wn, .wcf, .wp7, .mef, .lvl, .cer, .ybk, .pef, .sidd, .wma, .wb2, .odt, .ztmp, .snx, .odc, .m3u, .mdf, .hkx, .esm, .dxg, .wpa, .ff, .ws, .wbm, .p7b, .ltx, .wsh, .zip, .bkp, .wmv, .vpk, .xls, .x, .xlsm, .wpd, .cdr, .dba, .lrf, .icxs, .wpg, .slm, .psd, .kdb, .sum, .txt, .mov, .wpb, .p12, .cas, .dcr, .mcmeta, .iwi, .wotreplay, .xx, .crw, .bc7, .wbmp, .pptx, .pkpass, .1st, .pptm, .mdbackup, .p7c, .ncf, .xwp, .pdf, .docm, .jpe, .xmind, .db0, .upk, .wps, .litemod, .x3d, .sql, .syncdb, .desc, .avi, .erf, .nrw, .x3f, .t12, .bay, .arw, .wot, .z3d, .doc, .srw, .w3x, .xlsm, .wdp, .dmp, .js, .bar, .0, .sidn, .xyw, .2bp, .blob, .zw, .mp4, .xlsb, .ai, .vcf, .t13, .py, .webdoc, .dazip, .kf, .3ds, .zabw, .wbd, .kdc, .wm, wallet, .wps, .wbc, .pfx, .der, .bik, .wgz, .crt, .xdb, .7z, .tor, .rb, .3fr, .re4, .wpl, .wri, .xlgc, .webp, .arch00, .wmo, .rim, .fpk, .wsd, .forge, .sie, .odb, .menu, .itdb, .gdb, .xar, .wsc, .xf, .bkf, .big, .rgss3a, .d3dbsp, .m2, .psk, .mddata, .xlsx, .qdf, .wp5, .iwd, .xbplate, .ptx, .raf, .asset, .zif, .wpt, .flv, .bc6, .vdf, .wma, .xy3, .x3f, .hvpl, .y, .gho, .epk, .rar, .wpd, .sr2, .apk, .accdb, .wmv, .ods, .srf, .vfs0, .orf, .z, .sid, .wbz, .odp, .ysp, .vtf, .raw, .yml, .zi, .bsa, .csv, .vpp_pc, .wp, .zdb, .xxx
Upon encryption, all affected documents, photos and music are given the .ntuseg extension (e.g., ‘photo.jpg’ is renamed to ‘photo.jpg.ntuseg’). The ransomware leaves a ransom note called ‘_readme.txt’ with instructions for paying the ransom, threatening destruction of files if payment is not made. The ransom note directs victims to make payment online in Bitcoins.
Threat Summary
Name | Ntuseg file virus |
Type | Ransomware, File locker, Crypto malware, Filecoder, Crypto virus |
Encrypted files extension | .ntuseg |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch |
Ransom amount | $490, $980 in Bitcoins |
Symptoms | Your files fail to open. Windows Explorer displays a blank icon for the file type. Your file directories contain a ‘ransom note’ file that is usually a .txt file. |
Distribution ways | Malicious links in emails. Malicious downloads that happen without a user’s knowledge when they visit a compromised web site. Social media, like web-based instant messaging programs. Malvertising campaigns. |
Removal | Ntuseg file virus removal guide |
Decryption | Ntuseg decryption tool |
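The two indicators in the summary above (the .ntuseg extension and the _readme.txt note) are enough to measure how far the encryption reached before any cleanup starts. The Python script below is an added example, not part of the original guide or of any tool it mentions; it only reads file names, and the sample tree it builds is constructed.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".ntuseg"    # extension named on this page
RANSOM_NOTE = "_readme.txt"  # ransom note name given on this page

def inventory(root):
    """Walk root read-only and summarise what the ransomware touched."""
    report = {"encrypted": [], "notes": [], "original_present": [],
              "by_type": Counter(), "dirs": Counter()}
    for dirpath, _subdirs, files in os.walk(root):
        names = {f.lower() for f in files}
        for name in files:
            path = Path(dirpath) / name
            low = name.lower()
            if low == RANSOM_NOTE:
                report["notes"].append(path)
            elif low.endswith(ENCRYPTED_EXT):
                original = name[:-len(ENCRYPTED_EXT)]  # photo.jpg.ntuseg -> photo.jpg
                report["encrypted"].append(path)
                report["by_type"][Path(original).suffix.lower() or "(none)"] += 1
                report["dirs"][dirpath] += 1
                if original.lower() in names:          # unencrypted copy beside it
                    report["original_present"].append(path.with_name(original))
    return report

def build_constructed_sample(root):
    """Constructed sample tree (assumption): empty files, only names matter."""
    for rel in ("Pictures/photo.jpg.ntuseg", "Pictures/_readme.txt",
                "Docs/report.docx.ntuseg", "Docs/report.docx",
                "Docs/notes.TXT.NTUSEG", "Docs/_readme.txt", "Music/song.mp3"):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        r = inventory(tmp)
        print(f"{len(r['encrypted'])} encrypted, {len(r['notes'])} ransom notes")
        for ext, count in r["by_type"].most_common():
            print(f"  {ext}: {count}")
        for p in r["original_present"]:
            print("  original still present:", p)
```

Pointing inventory() at a real folder or drive root gives the per-type and per-directory counts that show which backups or recovery methods are worth trying first.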
After reading this article, you will know how to deal with the Ntuseg file virus. Please remember that we cannot guarantee an absolute solution to all your Ntuseg problems; we can only offer a method that might help. Nevertheless, this solution is worth your attention because there is still a possibility that it will help you remove the Ntuseg virus and unlock photos, documents and music which have been locked by the crypto virus.
Quick links
- How to remove Ntuseg file virus
- How to decrypt .ntuseg files
- Ntuseg decryption tool
- How to restore .ntuseg files
- How to protect your PC from Ntuseg file virus?
How to remove Ntuseg file virus
The following instructions will help you to uninstall the Ntuseg virus and other malicious software. Before you start, you need to know that by deleting the crypto malware you may lose the ability to decrypt photos, documents and music by paying the developers of the crypto virus the requested ransom. Zemana Anti-malware, Kaspersky virus removal tool and Malwarebytes Anti-malware can detect different types of active ransomware infections and easily uninstall them from your machine, but they cannot restore encrypted documents, photos and music.
How to delete Ntuseg file virus with Zemana
Zemana Anti Malware can search for all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Ntuseg virus, you can easily and quickly remove it.
Installing Zemana is simple. First you will need to download Zemana Free by clicking on the link below.
After downloading is finished, close all apps and windows on your machine. Double-click the setup file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown on the screen below, click the “Yes” button.
It will open the “Setup wizard” which will help you install Zemana Free on your system. Follow the prompts and do not make any changes to default settings.
Once installation has completed successfully, Zemana Anti Malware will automatically start and you can see its main screen as shown in the figure below.
Now press the “Scan” button to search for the Ntuseg file virus and other kinds of potential threats like malware and trojans. This process may take quite a while, so please be patient. During the scan Zemana Anti Malware (ZAM) will look for threats present on your PC.
When Zemana is done scanning your PC, it will show the Scan Results. Review the results once the tool has completed the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click the “Next” button. Zemana Free will start to remove the Ntuseg file virus, other malware, worms and trojans. Once that process is finished, you may be prompted to restart the PC.
Run MalwareBytes Anti Malware (MBAM) to remove Ntuseg file virus
If you’re having problems with the Ntuseg virus removal, then download MalwareBytes Anti-Malware. It’s free for home use, and identifies and deletes various undesired applications that attack your personal computer or degrade computer performance. MalwareBytes Free can uninstall adware, potentially unwanted software as well as malicious software, including ransomware and trojans.
Click the following link to download MalwareBytes Anti-Malware. Save it to your Desktop so that you can access the file easily.
When downloading is complete, run it and follow the prompts. Once installed, MalwareBytes Anti-Malware (MBAM) will try to update itself and when this process is done, click the “Scan Now” button to begin checking your computer for the Ntuseg virus related files, folders and registry keys. While the tool is scanning, you can see how many objects and files have already been scanned. Next, you need to click the “Quarantine Selected” button.
MalwareBytes AntiMalware (MBAM) is a free program that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malware removal utility, we suggest you read and follow the tutorial or the video guide below.
Run KVRT to delete Ntuseg file virus
KVRT is a free removal tool that may be downloaded and run to delete crypto viruses, adware, malware, PUPs, toolbars and other threats from your system. You may run this tool to scan for threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link.
Once the downloading process is complete, double-click on the Kaspersky virus removal tool icon. Once the initialization procedure is done, you’ll see the KVRT screen as on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click the Start scan button. The KVRT utility will start scanning the whole personal computer to find the Ntuseg file virus, other trojans and harmful programs. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. While the Kaspersky virus removal tool is checking, you can see how many objects it has identified as being affected by malware.
Once Kaspersky virus removal tool has completed scanning, it will open the Scan Results as shown in the figure below.
Review the results once the utility has completed the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click on Continue to begin a cleaning procedure.
How to decrypt .ntuseg files
As mentioned earlier, paying the ransom is, unfortunately, the only way to unlock .ntuseg files. After the victim transfers the specified amount of money (usually $980 in Bitcoins) to the fraudsters, they provide a private key to decrypt the affected data.
Never pay the ransom! A victim who pays the attackers cannot be completely sure of obtaining a private key, because he is dealing with unscrupulous and dishonest people who are ready to commit any immoral action, including disappearing after receiving the ransom payment without providing a decryption utility (key) to recover access to the blocked photos, documents and music.
The Ntuseg file virus is not the only one of its kind; for some similar ransomware, security researchers have already created methods to decrypt locked files. This gives hope that a Ntuseg decryption tool can be designed for this ransomware as well. However, since each case of encryption is unique, the victim should seek help and provide an identifier that will give the opportunity to get the private key and decryption utility.
Ntuseg decryption tool
With some variants of Ntuseg file virus, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Ntuseg decryption tool named STOPDecrypter. It can decrypt .Ntuseg files if they were locked by one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the Twitter post for more info.
STOPDecrypter is a program that can be used for Ntuseg files decryption. One of the biggest advantages of using STOPDecrypter is that it is free and easy to use. Also, its ‘OFFLINE KEYs’ DB is constantly updated. Let’s see how to install STOPDecrypter and decrypt .Ntuseg files using this free tool.
- Installing STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
  download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
- After the downloading process is done, close all applications and windows on your machine. Open the file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, run STOPDecrypter. Select Directory and press the Decrypt button.
If STOPDecrypter does not help you to decrypt .Ntuseg files, in some cases you still have a chance to restore the files that were encrypted by the ransomware. This is possible with the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .ntuseg files
In some cases, you can restore files encrypted by the Ntuseg virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Use ShadowExplorer to recover .ntuseg files
In some cases, you have a chance to recover your documents, photos and music that were encrypted by the Ntuseg file virus. This is possible with the utility named ShadowExplorer. It is a free application which was created to obtain ‘shadow copies’ of files.
First, visit the page linked below, then click the ‘Download’ button in order to download the latest version of ShadowExplorer.
After the downloading process is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like below.
Double-click ShadowExplorerPortable to start it. You will see a window as shown in the figure below.
In the top left corner, choose the Drive where encrypted files are stored and the latest restore point as on the image below (1 – drive, 2 – restore point).
On the right panel look for a file that you want to recover, right-click it and select Export like below.
Use PhotoRec to restore .ntuseg files
Before a file is encrypted, the Ntuseg file virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recovery software such as PhotoRec.
Download PhotoRec on your PC from the following link.
Once the downloading process is done, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder such as the one below.
Double-click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll display a screen as shown on the image below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as on the image below.
Click the File Formats button and select file types to recover. You can enable or disable the restore of certain file types. When this is complete, click the OK button.
Next, click Browse button to choose where recovered files should be written, then click Search.
The count of recovered files is updated in real time. All restored files are written in the folder that you selected in the previous step. You can access the files even if the restore process is not finished.
When the recovery is complete, click on the Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see contents as displayed in the following example.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can sort your recovered files by extension and/or date/time.
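PhotoRec does not restore original file names, so sorting the output is easier with a script. This added example (not from the original guide or from the PhotoRec project) groups the recup_dir.N output by extension, newest first, and sets aside byte-identical duplicates; the sample file names, contents and timestamps are constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large recovered files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def index_recovered(out_dir):
    """Return ({extension: [paths, newest first]}, [(duplicate, kept_copy)])."""
    groups, first_seen, duplicates = defaultdict(list), {}, []
    for sub in sorted(Path(out_dir).glob("recup_dir.*")):
        for path in sorted(p for p in sub.iterdir() if p.is_file()):
            digest = sha256_of(path)
            if digest in first_seen:          # same bytes recovered twice
                duplicates.append((path, first_seen[digest]))
                continue
            first_seen[digest] = path
            groups[path.suffix.lower() or "(none)"].append(path)
    for paths in groups.values():
        paths.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return dict(groups), duplicates

def build_constructed_output(out_dir):
    """Constructed PhotoRec-style output (assumption): names, bytes and times."""
    samples = [("recup_dir.1/f0000001.jpg", b"JPEG-A", 1000),
               ("recup_dir.1/f0000002.txt", b"notes", 1500),
               ("recup_dir.2/f0000003.jpg", b"JPEG-A", 1200),  # duplicate bytes
               ("recup_dir.2/f0000004.JPG", b"JPEG-B", 2000)]
    for rel, data, mtime in samples:
        path = Path(out_dir) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_output(tmp)
        groups, duplicates = index_recovered(tmp)
        print({ext: [p.name for p in ps] for ext, ps in groups.items()})
        print("duplicates:", [(d.name, k.name) for d, k in duplicates])
```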
How to protect your PC from Ntuseg file virus?
Most antivirus apps already have built-in protection against ransomware. Therefore, if your personal computer does not have an antivirus application, make sure you install one. As an extra protection, run HitmanPro.Alert.
Use HitmanPro.Alert to protect your system from Ntuseg file virus
HitmanPro.Alert is a small security utility. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Visit the following page to download the latest version of HitmanPro Alert for Microsoft Windows. Save it to your Desktop so that you can access the file easily.
After the download is finished, open the directory in which you saved it. You will see an icon like below.
Double-click the HitmanPro.Alert desktop icon. When the tool is started, you’ll see a window where you can choose a level of protection, such as the one below.
Now click the Install button to activate the protection.
Final words
Now your computer should be free of the Ntuseg file virus. Delete Kaspersky virus removal tool and MalwareBytes Anti-Malware (MBAM). We suggest that you keep Zemana AntiMalware (to periodically scan your machine for new malware). You are probably running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove Ntuseg virus from your computer, then ask for help here.