Guer Virus


Guer

Guer is a Windows virus of the Ransomware family – it seeks to encrypt your data in order to keep it inaccessible until you pay ransom to the attacker. The encryption Guer puts on the files can only be unlocked using a private key.

Guer

The Guer virus file ransom note

Ransomware is one of the biggest malware classes and it is a category of computer threats that are particularly difficult to fight against. The main problem when a Ransomware attacks isn’t removing the infection – it is releasing the files that the virus has locked up. To seal your files, the Ransomware uses advanced encryption that no software you may have on your computer would be able to decrypt. Some security specialists work hard to develop specialized decryptor tools for different Ransomware variants but, currently, the number of Ransomware viruses vastly outnumbers the number of decryptor tools. This means that the chances of landing a Ransomware that doesn’t yet have a corresponding decryptor tool are much higher than landing a Ransomware that has such a decryptor. This, as well as several other factors, is what makes viruses like Guer are a real pain in the neck, especially if the computer they have attacked contains lots of valuable data which hasn’t been properly backed up.

The Guer virus

The Guer virus is a Windows malware program designed to blackmail you by using encryption to lock your files. After the Guer virus encrypts your data, it will give you instructions on how to pay the hackers a ransom for the decryption key. 

As we mentioned, removing the Ransomware isn’t the biggest issue here. This means that for those of you who have backups of their important files, a Ransomware infection shouldn’t be that big of an issue. All you’d need to do in such a case is eliminate the infection which can be done in several ways. For instance, you can use the manual instructions presented in the guide below, or use the malware-removal tool that has been linked there. If you combine the two options, your chances of removing everything that the Ransomware has left in your computer would be quite high. And after the virus is gone, you simply connect your backup to the clean computer and download the files you need from it.

The Guer file encryption

The Guer file encryption is an unbreakable encryption algorithm that can turn any user file into unreadable data which no software can open. Only the attackers have the key for the Guer file encryption and their goal is to make you pay for it.

guer file

The .guer file virus

However, if you are here because Guer, Moqs or Aeur has infected your system and you don’t have a backup to restore your files from, you may want to postpone the ransom payment required by the virus for your data’s release, at least for the time being. There may still be a chance to get some of your files back – check out the suggestions in the recovery section of the guide and try them out before you decide to risk your money by sending it to the hackers in hopes that they will keep their promises and release your files.

SUMMARY:

Name Guer
Type Ransomware
Danger Level High (Ransomware is by far the worst threat you can encounter)
Symptoms Very few and unnoticeable ones before the ransom notification comes up.
Distribution Method From fake ads and fake system requests to spam emails and contagious web pages.
Detection Tool

anti-malware offerOFFER *Free Remover allows you, subject to a 48-hour waiting period, one remediation and removal for results found. SpyHunter's EULA,  Privacy Policy, and more details about Free Remover.

Before you start We recommend reading the following important points before starting the guide.
  • A Ransomware virus could potentially infect other devices connected to the computer, so before you do anything else, make sure to disconnect any USB flash sticks, external HDDs, phones, tablets, etc. from the computer.
  • You should keep the computer disconnected from the web while performing the guide to prevent the virus from communicating with its creators over the Internet.
  • Even though opting for the ransom payment is not advisable, if you are still considering it, it’s then better to delay the removal of the virus for after the money is paid and the locked data hopefully restored. If the removal is performed before that, you may never get the chance to obtain the decryption key from the hackers (even if you still pay them!).
  • Last but not least, know that some Ransomware threats automatically remove themselves from the system. If you aren’t noticing any Ransomware symptoms at the moment, it’s possible that Guer is already gone. However, even if this seems to be the case, performing the guide is still recommended.

Remove Guer Ransomware

To remove Guer, you must meticulously search your system for virus data, processes, and settings, and delete them:

  1. First, make sure that if there’s a program on the computer that may be responsible for the infection, that program gets uninstalled.
  2. Next, search the Task Manager for malicious processes that may still be running and stop them.
  3. Also check the Registry, the Hosts file, and the Startup items settings and if anything there has been modified by the Ransomware, change it back to its previous state.
  4. To remove Guer and ensure it doesn’t return, you should also explore the folders on your computer for virus files and delete any such files you may find.

To get a better idea about how to perform each of those steps, please read the next lines.

Detailed Guide

Step1

To see all programs on the computer, search for the Control Panel in the Start Menu, open it, and then open Uninstall a Program. If there you find a recently installed program (one installed just before Guer encrypted your files) that is unfamiliar to you or looks like a potential threat, go ahead and uninstall it.

While performing the uninstallation, be sure to not allow any temporary data or settings related to that program to be left on the computer.

This image has an empty alt attribute; its file name is uninstall1.jpg

Step2

WARNING! READ CAREFULLY BEFORE PROCEEDING!

Next, you must use the Task Manager tool to find and quit any rogue processes that the Ransomware may still be running. To access the tool, press together the Ctrl, Shift and Esc keys. You will see what processes are running on your computer at the moment by visiting the Processes tab. In there, we suggest that you sort the shown items by order of the amount of CPU or memory that they consume since, if there’s a rogue process still running in the system, it will most likely be consuming significant amounts of the aforementioned resources.

If a process with a suspicious and/or unfamiliar name that also has unusually high RAM (memory) and/or CPU usage can be seen in the list, instead of directly quitting it, first go to the browser on your phone or another device (since the Internet on your PC should currently be stopped) and search for information regarding that process. If the process is coming from the malware program, you should immediately find online posts from users and experts that confirm this.

Another reliable way of finding out whether a process is linked to a malware threat that we recommend is to right-click the suspected process, access its File Location by clicking on the first option from the right-click menu, and then scanning everything in the folder that opens with a reliable security scanner. The scanner posted right below is perfect for the job, and you can use it for free to scan the files in the File location folder.

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Loading
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    This image has an empty alt attribute; its file name is task-manager1.jpg

    If you do come across information that states the process is rogue and that information is from a reliable source and/or if you find malware in the location folder, then you must immediately end the process by right-clicking it again and selecting the End option. After that, you must also get rid of its entire location folder and not only the files that may have been detected as threats. If this isn’t possible at the moment because you are prohibited from deleting one or more of the files, then delete everything else, and return to remove what remains after the rest of the guide has been completed.

    This image has an empty alt attribute; its file name is task-manager2.jpg

    Step3

    Boot the computer into Safe Mode – this will block the virus from starting again any of its harmful processes.

    Step4

    You must now “Unhide” the hidden files and folders on your computer, so go to the Start Menu, search for Folder Options, and open the first app that shows up. Then select the tab labelled View, find the Show hidden files, folders, and drives option, check it, and click OK.

    Next, go to the folders listed below by copying their names along with the “%” symbols, placing them in the search field of the Start Menu, and hitting the Enter key or selecting the first result shown in the Start Menu.

    • %AppData%
    • %LocalAppData%
    • %ProgramData%
    • %WinDir%
    • %Temp%

    In all folders but the last one, delete everything created on and after the date of the Ransomware’s arrival. As for the last folder (Temp), simply delete all data stored in it.

    Step5

    Use the Start Menu again to search for “msconfig” and open what gets shown in the results. When you see a window labelled System Configuration on your screen, go to Startup and in there find and uncheck everything that you do not recognize and/or that has Unknown in the Manufacturer column. Then click the OK button to save whatever changes you have made.

    The next thing you must do is go to the drive where your OS is stored (that would typically be the C: drive) and navigate to the Windows/System32/drivers/etc folder. In it, you must find and open a file named Hosts. You will probably be required to pick a program with which to open it – if this happen, pick Notebad.

    When Hosts shows up, copy any text that may be below the two Localhost line and then paste it in the comments. We will determine if that text is from the virus and tell you if it needs to be deleted. If no text is present below Localhost, then simply move on to the next and final step.

    This image has an empty alt attribute; its file name is hosts2.jpg

    Step6

    Go to the Registry Editor of your system by searching for the regedit.exe executable in the Start Menu and opening it. Admin permission will be required before the Editor opens, so click on Yes when that happens.

    In the Editor, go to Edit > Find, type Guer, and press Enter. Anything that gets found should be deleted. Remember to always perform one more search after deleting an item to make sure there aren’t more result for Guer.

    This image has an empty alt attribute; its file name is 1-1.jpg

    Once there are no more Guer results left in the Registry, find these next locations in the left panel of the Editor:

    • HKEY_CURRENT_USER > Software
    • HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
    • HKEY_CURRENT_USER > Software > Microsoft > Internet Explorer > Main

    In each of those locations, see if you can find any entries with names that seem random and/or are much longer than the rest. For example, anything that looks like this “389eu93u9ru9832u89tu4g9ujd9032jr90rj3” should be deleted. Still, ask us in the comments if you are not sure about anything, or else you may end up deleting an item that isn’t from the Ransomware, and this may cause further complications for the system.

    If the manual steps didn’t help Some threats of this category enter very deep into the system, and removing them manually is not an option for anyone who is not an experienced expert. Also, many Ransomware viruses are helped by other rogue programs that enable them to stay in the system even when one is trying to remove them. In either case, if you haven’t been able to delete Guer thus far, it’s best to either have a specialist take a look at the computer or use a reliable security program to clean the system. We cannot help you with the latter option, but we can offer you one such great tool that can quickly find any threat on your system and eliminate it. You can find the tool linked in the guide, so go ahead and give it a try if you are interested.

    How to Decrypt Guer files

    To decrypt Guer files, it’s recommended to opt for any alternative methods that may be available to you and leave the ransom payment as a last resort. To decrypt Guer files through alternative methods, though, you must first be certain that the computer is clean.

    We once again remind you that you can always use the free scanner tool we have on our site to test any suspicious files in order to see if there’s still malware on the computer. After you have made sure that the PC is clean, you should visit the How to Decrypt Ransomware article we have here and check the suggested alternative methods shown there. Hopefully, one of them allows you to recover your lost data without needing to pay anything to the hackers.

    What is Guer?

    Guer is a malware tool used by cyber-criminals who seek to blackmail users by locking their important files and demanding a ransom payment to free them. Guer belongs to a malware category called Ransomware – currently one of the most devastating forms of malicious software. If you have been hit by Guer, your files have probably already been rendered inaccessible, and you’ve already seen the ransom-demanding message that the virus creates on the infected computers once it finishes the file-locking process. This message serves to inform the attacked users about their current situation and also gives them instructions on how to perform the ransom payment. Unfortunately, although deleting the Ransomware is perfectly possible, doing so won’t set your files free. In fact, many Ransomware threats delete themselves automatically so that they don’t leave any traces behind, which may help any file-recovery software that the victim may use to crack the encryption code. If the Ransomware Guer didn’t automatically delete itself, it’s still important to remove it before you make any attempts at restoring your data.

    Is Guer a virus?

    Guer is a virus program categorized as file-locker Ransomware – the most sub-type of the Ransomware category. Threats like Guer are known for applying advanced military-grade encryption to the files of their victims, making it nearly impossible to unlock without a special key. That special key is offered to the users whose files have been blocked by the virus in exchange for a hefty amount of money. Usual ransom requests range anywhere between $500 to $2000. In some cases, especially when the Ransomware hackers have targeted an entire organization or business, the ransom amount might jump to five-, six-, or even seven-digit numbers. Regardless of the amount of money demanded by the attacker, it’s still always better if one could avoid paying it, especially since there’s no guarantee that performing the payment would actually do any good and not turn out to be a total waste. It is, therefore, recommended that users attacked by Guer first make sure to delete the virus and then opt for the alternative file-restoration methods that are available to them.

    How to decrypt Guer files?

    To decrypt Guer files, instead of paying the ransom, you can try some of the many free decryptor tools available on the Internet. Another potential method to decrypt Guer files is to try restoring the locked data from shadow copies stored deep within the system. Neither method guarantees success, but then again, neither does paying the hackers. The difference is that the former two options won’t require you to send money to the criminals who are blackmailing. It is, however, important to first delete the Guer Ransomware if it’s still on the computer. Unless you make sure that the virus is gone, you may end up getting your files encrypted all over again, even if you manage to release them. Also, since Ransomware threats are often helped by Trojans and Rootkits, it is recommended that you check your computer for additional threats that may be hiding in it. Last but not least, if everything else fails, and you really need your locked files back, paying is still an option, but only if the encrypted data is truly worth the risk that such an option would involve.

    blank

    About the author

    blank

    Brandon Skies

    Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.

    Leave a Comment