Do you know what PooleZoor Ransomware is?
Reports say PooleZoor Ransomware is a malicious application created by hackers from Iran. So far it is capable of encrypting only files located on the user’s Desktop, and after doing so, it should show a ransom note written in Hindi. As usual, the note explains that the threat has encrypted the user’s files and that the only way to get them back is to pay a ransom. Needless to say, giving in to any demands might be a dangerous idea, as the cybercriminals behind the malware may not help users decrypt their files even after receiving payment. Therefore, even if it were possible to pay the ransom, we would still recommend deleting PooleZoor Ransomware. If you think erasing it would be for the best too, we encourage you to take a look at the removal guide below this report. Naturally, for those who wish to know more about this malware, we advise reading the rest of this article.
It is difficult to say whether the threat is being distributed yet, as we suspect it might still be in the development stage. However, from our experience with infections like PooleZoor Ransomware, we can say a lot of them are distributed through malicious email attachments and software installers. This means that, to protect the system from it, we recommend being extra cautious with attachments sent by someone you do not know or for unknown purposes. Also, it would be best to stay away from torrent and similar file-sharing websites because they might distribute installers bundled with various malicious applications, including ransomware.
If PooleZoor Ransomware gets in, it should locate all data placed in the user’s Desktop folder and start encrypting it. The files that get enciphered should be marked with the .poolezoor extension, for example, sunset.jpg.poolezoor. All other data located in different folders should be unaffected. After the encryption process, the malware is supposed to drop a text document called READ_me_for_encrypted_Files.txt (placed in the user’s Desktop directory too). Inside it, users should find a short ransom note, written in Hindi, asking them to pay a ransom. The fact that it is not explained how to transfer the requested sum is one more reason to think the threat is not yet finished. Nevertheless, if the infection gets updated, it could show a more detailed ransom note or even encrypt more files. Even so, we would recommend deleting PooleZoor Ransomware instead of paying the ransom.
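The two indicators described above (the .poolezoor extension and the READ_me_for_encrypted_Files.txt note on the Desktop) can be checked for with a short triage scan. The following is an added example written for this article, not code from the report or from the malware; the directory it scans, the `infected` flag and the sample files it builds are our own assumptions and constructed data.

```python
"""Added example: defender-side triage scan for the PooleZoor indicators
described in the article (constructed sample data, not real victim files)."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".poolezoor"                    # extension appended to victims
RANSOM_NOTE = "READ_me_for_encrypted_Files.txt"  # note dropped on the Desktop


def scan_for_poolezoor(directory):
    """Walk `directory` (normally the user's Desktop) and collect indicators.

    Returns a dict with:
      encrypted  - mapping of encrypted file path -> likely original name
      note_found - True if the ransom note file is present
      infected   - True when at least one indicator is present (assumed rule)
    """
    encrypted = {}
    note_found = False
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = Path(root) / name
            if name == RANSOM_NOTE:
                note_found = True
            elif name.lower().endswith(ENCRYPTED_EXT):
                # sunset.jpg.poolezoor -> sunset.jpg (strip the appended extension)
                encrypted[str(path)] = name[: -len(ENCRYPTED_EXT)]
    return {
        "encrypted": encrypted,
        "note_found": note_found,
        "infected": bool(encrypted) or note_found,
    }


def demo():
    """Build a constructed sample Desktop in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as desktop:
        for name in ("sunset.jpg.poolezoor", "notes.docx.poolezoor",
                     "untouched.txt", RANSOM_NOTE):
            (Path(desktop) / name).write_text("constructed sample content")
        result = scan_for_poolezoor(desktop)
    # Report bare file names so the output does not depend on the temp path.
    result["encrypted"] = {Path(p).name: orig
                           for p, orig in result["encrypted"].items()}
    return result


if __name__ == "__main__":
    print(demo())
```

Pointing `scan_for_poolezoor` at the real Desktop path lists which files were renamed and their original names, which is useful when restoring from backup after removal.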
Users who would like to erase the malicious application manually could use the removal guide available a bit below this paragraph. It will show how to find the malware’s installer and how to get rid of it at once. Another way to eliminate PooleZoor Ransomware is to employ a reputable antimalware tool. After a full system scan, it should provide a list of potential threats, and to delete them all, you could press the provided removal button.
Erase PooleZoor Ransomware
- Click Ctrl+Alt+Delete simultaneously.
- Pick Task Manager.
- Take a look at the Processes tab.
- Locate a process belonging to this malicious program.
- Select this process and press the End Task button.
- Click Windows Key+E.
- Navigate to the suggested paths:
%TEMP%
%USERPROFILE%\Desktop
%USERPROFILE%\Downloads
- Find a file that was executed when the system got infected, right-click the malicious file and select Delete.
- Erase the infection’s ransom note (READ_me_for_encrypted_Files.txt) from your Desktop directory.
- Leave File Explorer.
- Empty Recycle bin.
- Restart the computer.
In non-techie terms:
PooleZoor Ransomware seems to be another file-encrypting infection based on an open-source project known as Hidden Tear (a malicious program created for educational purposes). Given that the malware was programmed to encrypt files from only one directory, it is entirely possible the threat is still in the development stage, which means it could yet be updated. In any case, if you encountered it, you might consider yourself lucky, because usually such malicious applications encipher almost all user data. Under such circumstances, if the ransom note gets updated with payment instructions, we would advise against paying the ransom. Not only may the files that get encrypted not be worth risking your savings over, but there is also a possibility the infection’s developers could trick you. Consequently, we believe the smartest thing to do when encountering this test version would be to eliminate it at once. Users who want to try to delete it manually should have a look at the removal guide available above.
