[SOLVED] Ransomware Antivirus Remove .coot

Last month my friend’s laptop was attacked with ransomware antivirus. The extensions of all the files (pic, video, exe, etc.) were changed to .coot extensions. He then installed a new version of Windows 10, but his problem was not solved. He then asked me about this; I’ve searched a lot but found nothing helpful.
So I thought to ask about it here.

Note: One way of removing it is to restore Windows to a previous point, but since he’s installed a new Windows, all the restore points were deleted.

So is there any way to remove this? Any way to decrypt it?


Let me make it easy: as your friend has already changed the OS, it’s better to try an easy method to get rid of it first, instead of making any restore point or considering the decrypt option (it may cost money to buy the tool; freeware won’t do much).

Just mentioning this for your knowledge: unless you wipe the entire partitions or delete the one the OS is installed in, the restore point isn’t going anywhere. It’s just another method to get them started; normally, unless someone sets the restore point, it won’t start restoring at any stage. Especially on Windows 10, the user has to enable the restore point setting, because by default it’s disabled.

Anyway, let’s move on to the basic point. Just do as I mention below; it’s not that tough.

1. Download these programs once via another PC/laptop and keep them on a USB flash drive.

2. Now connect the USB (do not auto-play or open the USB by double-clicking). Just open ‘‘File Explorer’’, right-click the USB in the left-side list and choose ‘‘Open in new window’’. Now install SpyHunter and scan the whole system; trash the ransomware. Now install HitmanPro and do the same; after that install Malwarebytes and do the same. While you do that, do not open any drive or partition. Hopefully you have now scanned the whole system and trashed the entries.

3. Now install a fresh, clean OS. A fresh, clean install actually means deleting the partition and creating it over again. This method is used by pirates (me as well), because they never boot the system from the same HDD that holds personal files and data; there is always a separate HDD (or SSD) for internal use and another drive for external use. So if your friend has the same setup, do as I mentioned above; otherwise, just format the partition and install the OS if he has one HDD with specific partitions.

4. Like I said above, install a fresh OS. Once it is done, do not open any partition or file on the PC. Follow the same method mentioned above: connect the USB, open it in a new window, install those 3 programs one by one, scan the system and reboot. (It’s a double-check thing.) I’m sure that after installing the OS and using the programs before and after, your friend will get rid of those extensions.

Do let me know once you have done all this. :+1:

I’m marking the thread as solved because it’s under our consideration, and we will keep discussing until the problem gets fixed.

EDITED: decrypting method and guide added below by @TheJoker!


It’s not possible for anyone to decrypt properly; the files will get corrupted eventually, so you need to format your system and re-install again IMO. But there are some useful guides which you can take a look at and try to get as many files decrypted as you can… without corrupting the base!


What is Coot?

Coot is one of the many malicious programs that belong to the Djvu ransomware family. Ransomware is a type of software that blocks access to data by encrypting it; victims who have their files encrypted by ransomware cannot use them unless they decrypt them with a decryption tool and/or key. To get tools that can decrypt encrypted files, victims are forced to pay cyber criminals a ransom. Instructions on how to decrypt files encrypted by Coot can be found in a text file named "_readme.txt". Coot places it in folders that contain locked files. Also, this ransomware renames every encrypted file by adding the ".coot" extension to its filename. For example, it renames "1.jpg" to "1.jpg.coot", and so on.

Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:
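A defender-side triage script for the behaviour described above (added example, not from the thread or from any vendor tool): it walks a directory tree read-only, inventories files carrying the appended .coot extension, recovers each original filename, tallies the affected file types, and locates the _readme.txt notes. The sample directory it builds is constructed, and the naming rules are assumed from the post.

```python
# Added example (not from the thread): triage a Djvu/.coot-style infection before any clean-up.
# Assumes the behaviour the post describes: "<name>.coot" is appended, notes are "_readme.txt".
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".coot"          # extension appended by this family (from the post)
NOTE_NAME = "_readme.txt"     # ransom note filename (from the post)

def original_name(filename):
    """Strip the appended ransom extension: '1.jpg.coot' -> '1.jpg'. None if the file was not renamed."""
    if filename.lower().endswith(RANSOM_EXT) and len(filename) > len(RANSOM_EXT):
        return filename[:-len(RANSOM_EXT)]
    return None

def triage(root):
    """Walk `root` without modifying anything; return encrypted paths, note paths and a per-type tally."""
    report = {"encrypted": [], "notes": [], "by_ext": Counter()}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                report["notes"].append(path)
            else:
                orig = original_name(name)
                if orig is not None:
                    report["encrypted"].append(path)
                    # tally by the ORIGINAL extension so the victim knows what kind of data was hit
                    ext = os.path.splitext(orig)[1].lower() or "(no extension)"
                    report["by_ext"][ext] += 1
    return report

def build_sample_tree():
    """Constructed sample directory standing in for an infected user profile (not real data)."""
    root = tempfile.mkdtemp(prefix="coot_triage_")
    layout = {
        "Pictures": ["1.jpg.coot", "2.png.coot", NOTE_NAME],
        "Videos": ["clip.mp4.coot", NOTE_NAME],
        "Documents": ["notes.txt", "report.docx.coot", "archive.coot"],  # one untouched, one with no original ext
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for f in files:
            with open(os.path.join(root, folder, f), "wb") as fh:
                fh.write(b"constructed placeholder content")
    return root

if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"{len(r['encrypted'])} encrypted files, {len(r['notes'])} ransom notes, by type: {dict(r['by_ext'])}")
```

Point it at a mounted copy of the affected drive (never the only copy) to get a list of what was hit before deciding between a decryptor attempt and a wipe.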


Thanks @SAM, I’ll try it soon and then inform you once I have done so.