Coba Virus

7-day Free Trial w/Credit card, no charge upfront or if you cancel up to 2 days before expiration; Subscription price varies per region w/ auto renewal unless you timely cancel; notification before you are billed; 30-day money-back guarantee; Read full terms and more information about free remover.

*Coba is a variant of Stop/DJVU. Source of claim SH can remove it.


Coba is a harmful virus for Windows computers that blocks access to important files stored on the attacked machine’s hard drive. Coba then asks its victims to send money to a given online purse in order to receive the key for unlocking their files.

The Coba ransomware will leave a _readme.txt file with instructions

This nefarious cyber-crime scheme is especially common nowadays. Ransomware viruses like Coba (Ransomware is the umbrella term used to describe those viruses) are everywhere and what’s even worse about them is that every week dozens of new versions are made. Newer versions of Ransomware tend to be more complex and advanced in order to be more difficult to deal with effectively. Older solutions for Ransomware attacks oftentimes do not work against newer representatives of this malware category.

The main factor that makes Ransomware infections so problematic is the encryption method they use to block their victims’ access to the important data on their computers. Encryption is not an inherently harmful process – it is, in fact, a commonly applied form of data protection. However, hackers who make Ransomware viruses like Cosw, Coaq, have found a way to turn this otherwise highly useful process against web users. Once ransomware encrypts your files, the only thing that can guarantee the restoration of you access to those files is the matching decryption key. When encryption is not used maliciously, the owner of the files should be the only one who possesses the decryption key. However, when Ransomware locks your files, the people in possession of the key are the hackers who’ve created the infection. They offer you the key in exchange for money that you are supposed to pay withing a given deadline. Payment instructions are usually provided in a notepad file or a pop-up banner generated by the virus itself, once it has finished locking up the files.

The Coba virus

The Coba virus is an advanced form of malware capable of placing encryption on all of your important files in order to keep them inaccessible. The Coba virus is programmed to extort money from you by blackmailing you for the access to your data.

You, however, are not advised to pay the ransom sum because you have no way of knowing what will happen afterward. You may receive the key promised by the hackers but you may also be left with no way of regaining access to your files. Due to this, it is better to first try some of the possible alternatives that could help you with this situation.

The Coba file encryption

The .Coba file encryption is a file-locking process that locks all data present in the infected computer. The decryption key for the .Coba file encryption is in the hands of the hackers that have created this virus and they want you to pay for it.

Coba File

As we pointed out above, the payment option really isn’t an advisable course of action to follow, at least not before you try out the other potential solutions. We will show you some possible ways you may be able to bring back some of your data without making the ransom payment, but you will first need to remove the virus by following the removal steps below.


Danger LevelHigh (Ransomware is by far the worst threat you can encounter)
Data Recovery ToolNot Available
Detection Tool

anti-malware offerOFFER Read more details in the first ad on this page, EULA, Privacy Policy, and full terms for Free Remover.

*Coba is a variant of Stop/DJVU. Source of claim SH can remove it.

Remove Coba Ransomware


As a first step in this guide, please add this page to your bookmarks so that you do not have to go searching for the Coba removal instructions each time your computer restarts. This will save you some time. In addition, before moving on to the next step, it is strongly recommended that you do a restart of your computer in Safe Mode by following the directions provided in the link. In Safe Mode, the system will be restricted to executing just the most important processes and programs, making it much easier to identify anything that is unusual.



*Coba is a variant of Stop/DJVU. Source of claim SH can remove it.

You can start Task Manager by typing CTRL+SHIFT+ESC on your keyboard. Once it’s open, choose the Processes tab to look for any unusual processes that could be running on your computer. If any of these processes is consuming an excessively high amount of CPU and RAM resources for no apparent reason, right-click on each of them, and from the choices that show in the context menu, choose Open File Location. This will allow you to view the files related to that specific process.


Use the free online virus scanner that is given below to check for potentially harmful code in the files that are associated with the process that seems suspicious. To initiate the scanning operation, just drag and drop the contents of the File Location folder of the suspicious process into the scanner box. 

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    After the scanning process is complete, carefully remove all files that have been identified as potentially hazardous. It is possible that you will need to end the questionable process before removing the files. To end a process, right-click on it in the Task Manager and select End Process from the quick menu.


    System Configuration may be accessed by entering the command msconfig in the Windows search bar and then pressing the Enter key. Check the tab labeled “Startup” to see whether it contains any startup items linked with Coba’s startup process.


    If you find enough evidence online that leads you to believe that certain startup items may be connected to the ransomware, you should disable them by removing their checkmark.

    The next thing that we recommend you to do is, open the Hosts file, which can be done by pressing the Win key and the R key simultaneously, and then pasting the following code in the Run box:

    notepad %windir%/system32/Drivers/etc/hosts

    Click on the OK button to open the file and then find the term “Localhost” in the text. If there are any IP addresses that do not look safe, as indicated in the image below, please let us know in the comments, so that we can do more research into the matter and get back to you if any action is required.

    hosts_opt (1)

    *Coba is a variant of Stop/DJVU. Source of claim SH can remove it.

    If you want to get rid of Coba completely from your computer, the first thing you need to do is launch the Registry Editor, do a search for potentially dangerous files associated to the threat, and then delete those files. You may do this by going to the Windows search bar, typing Regedit, and then hitting the “Enter” button. When you open the Registry Editor, hold down the CTRL and F keys at the same time, and open a Find box inside the editor. In order to begin the search for ransomware-associated files and folders, you will need to type the name of the ransomware in the Find box. After doing so, you will need to click the button labeled Find Next.

    Removing search results that are connected to the ransomware requires extreme caution. It is possible that the registry contains more files related to the threat, thus, after you have deleted the files from the initial search results, you should do a second search to ensure that there are no more files with the same name.

    Attention! When deleting files on your computer that are associated with ransomware, use extreme caution. This must be done in order to protect both the operating system and any software that has been installed on it from being damaged. Bear in mind that if you do not completely delete all the registry entries associated with the threat, the ransomware may reappear on your computer. Because of this, we strongly recommend that you use an anti-virus program to scan your computer and delete any unwanted software or harmful registry entries that may have been placed on it. 

    In addition, it is recommended that the following five system locations be thoroughly checked to guarantee that their contents do not include any files that may be harmful. In order to access them, type each one in the Windows search bar exactly as they are written below (including the percent sign), and then hit the Enter key on your keyboard.

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    Conduct a thorough investigation of the contents of each of these folders and remove any questionable files that may have been added to them lately. You may also want to remove all the files that are located in the Temp folder on your computer by selecting the files and then pressing the Delete key on your keyboard.


    How to Decrypt Coba files

    The removal of the ransomware that has been present in the affected computer system is the first step in regaining access to any data that may have been encrypted as a result of the attack. There is more than one way to decrypt data that has been encrypted by ransomware, and the technique that is used to do so will vary depending on the variant of ransomware that has infected your computer and the data that has been encrypted. If you take a look at the file extensions that are being attached to the encrypted files, you will be able to identify the specific variant of ransomware that you are dealing with.

    However, before trying to retrieve data from the infected computer, you should make sure that the system has been carefully scanned for hidden malicious files to determine whether it contains any viruses. After you have successfully removed all traces of viruses and ransomware from your computer, you should next start looking into the various file recovery methods that are available.

    New Djvu Ransomware

    STOP Djvu ransomware, is a new variant of the Djvu ransomware that has lately drawn the attention of security experts. This variant of ransomware encrypts files and appends the extension .Coba to the end of each file that it targets. The good news is that, in some instances, it may be possible to restore access to the encrypted data that had been lost. We recommend that you utilize an offline key decryptor, such as the one that is provided at the URL below, in order to decrypt any data that has been encrypted by the ransomware that you have been infected with.

    Start by downloading the STOPDjvu.exe program from the URL that was provided, then choose “Run as Administrator”, and then select “Yes” from the confirmation window that appears. After you have finished reading the license agreement and any other brief instructions that were included with it, you will be able to begin the process of decrypting the data. Please keep in mind that this program may not be able to decode data that has been encrypted with unknown offline keys or online encryption. 

    If you find yourself in trouble during any of the steps in the guide, or if you are unable to deal with Coba manually, you should remove the ransomware by using the anti-virus software that is linked on this page. In addition, you may use the free online virus scanner provided in the URL to do a manual scan of any suspicious files that may be located on your computer.


    About the author


    Brandon Skies

    Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.

    Leave a Comment

    We are here to help! Use SpyHunter to remove malware in under 15 minutes.

    Not Your OS? Download for Windows® and Mac®.

    * See Free Trial offer details and alternative Free offer here.

    ** SpyHunter Pro receives additional removal definitions and manual fixes through its HelpDesk in cases where they are needed.

    Spyware Helpdesk 1