Nerz Virus


*Nerz is a variant of Stop/DJVU. Source of claim SH can remove it.


Nerz is a form of money-extortion malware that keeps users from accessing their files until the hackers behind the virus are paid a ransom. Nerz applies an advanced encryption algorithm to the files of its victims that cannot be broken through conventional means.

The Nerz ransomware will leave a _readme.txt file with instructions

If all of the data on your computer has suddenly become inaccessible, with all the files receiving some new and unfamiliar file extension that no software you have can recognize, then your computer has most definitely been attacked by ransomware that has encrypted your files. This is how these viruses operate – upon infiltrating their victims’ computers, they scan the hard drives for files that may be important and valuable to the user and then lock them with the help of their advanced encryption algorithms. Usually, it all happens without visible symptoms or signs, and most users only find out about the malware infection once they realize that their files cannot be opened any more. Nerz and Weon are examples of such encryption-based infections that were recently reported. Though Nerz is a very new threat, the number of users attacked by it is already quite big and more and more are getting infected as we are writing this post.

The Nerz virus

The Nerz virus is representative of the most advanced form of Ransomware viruses, namely, the file-locking type of Ransomware. The Nerz virus’ encryption will keep your data locked even after the infection itself has been removed from the computer.


Since you are probably on our site, reading this article about Nerz, because you are yet another victim of this insidious infection, it would be a good idea if you read the whole write-up and then have a look at the Nerz removal guide available on this page. The instructions there and the linked removal tool should enable you to get rid of this infection and liberate your computer. Removing the cryptovirus, however, is not the same as getting your files back – it is only the first step towards recovering your data. In order to restore some of the files, you will need to try some specific data-restoration methods. Some such methods can be found in our guide but we can give no promises or guarantees with regard to the effectiveness of those methods. A big problem with Ransomware cryptoviruses like this one is that a method that may have worked against an older version may not be all that effective against a newer one.

The .Nerz file

The .Nerz file can be any regular user file that has fallen under the encryption of the virus and has had its extension changed. The changed extension of the .Nerz file means no program can recognize the file format and access the files, which is why you cannot open any of the encrypted files.

Once the files get locked, there is only one thing left that the cryptovirus is supposed to do – present you with a note from the hackers, in which they state that there is a special decryption key in their possession that can restore your files. All that they want in exchange for this key is for you to pay them a certain amount of money. Needless to say, the note also includes instructions on how to pay the said money. Of course, this is the end-goal of all such infections – to extort money from their victims through blackmail. However, if this can restore your files and the demanded sum is manageable, why shouldn’t you pay? Well, the simple answer is that you can’t know if you are really going to get that promised key from the hackers. Many users have lost their money in this way only to realize in the end that they are still not getting their files back. Therefore, we believe that you should first exhaust all other alternatives before considering trying this one last option.



Remove Nerz Ransomware


If you’ve been attacked by Nerz, the first thing you should do is to save this page as a bookmark for quick reference. In addition to that, you’ll need to restart the infected computer in Safe Mode, just as it is described in the link here. Once you do that, Nerz can be safely removed from your computer with the help of the instructions in the next steps.




In this step, you should check your Task Manager’s Processes tab (press CTRL + SHIFT + ESC to open it) for any processes related to the ransomware that has compromised your computer. These processes can typically be identified by looking at how much CPU or memory they use, or by looking at their names. You should also look for processes that don’t appear to be related to any of the apps you have on your computer.

To check a suspicious process for malicious code, right-click on it and select Open File Location to find the files behind it.


An antivirus scan is required to ensure the safety of these files. Below, there is a free online virus scanner available for those who do not have access to a reliable anti-virus program:

    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    If any malicious files are found during the scan, right-click on the process that relates to them and select End Process. The last step is to remove all potentially harmful files from the File Location folder.


    Look for any changes in the Hosts file of your system that can suggest a hack. To open the Hosts file, you need to press Windows key and R together, then copy/paste the command below in the Run box and press Enter:

    notepad %windir%/system32/Drivers/etc/hosts

    Search for anything unusual under Localhost in the text of the file.

    The comments section below this post is a great place to report any strange IP addresses that you find under “Localhost”. A member of our team will take a look at them and advise you on what to do if anything alarming is detected.

    If your Hosts file does not contain anything disturbing in terms of unauthorized changes, there is no need to alter it, just close it.

    Next, go back to Windows, type msconfig and then press Enter.


    Select “Startup” from the top-level tabs. Before disabling any “unknown” or “randomly named” startup items, make sure you research them online.

    Unchecking the boxes next to any items you don’t want to start with your system and clicking OK will disable them.



    Ransomware like Nerz may be able to gain persistence and create harmful registry entries once it has infiltrated the system. If these registry entries aren’t removed, the infection may survive any ransomware cleanup attempts. For this reason, if you want to remove Nerz for good, you’ll need to carefully search your registry and delete the dangerous entries.

    Warning! When critical registry files and applications are altered or deleted, there is a risk of system corruption. Therefore, victims of ransomware are advised to remove potentially harmful files from critical system locations such as the registry using specialized malware removal software.

    If you insist on proceeding with the manual Nerz removal and you know what you are doing, please open the Registry Editor and look for any Nerz-related entries that need to be removed in there.

    To open the Registry Editor, type regedit in the Windows Search field and hit Enter.

    You can save time by pressing CTRL and F together to open the Editor’s Find window, where you can type the ransomware’s name and start a search. Use the Find Next button to move to the next entry with that name. Registry entries with the same name as Nerz should be carefully removed.

    Next, close the registry and use the Windows Search field once more to manually search each of the five locations indicated below. Enter their names into the Windows search field and press Enter to open them.

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    It’s best to remove any Nerz-related files that were recently added to these locations. Do not make any modifications if there are no suspicious files or subfolders, but if there are, you should get rid of them. The ransomware’s temporary files should also be deleted by simply removing everything in the Temp folder.
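
The manual checks above (Hosts file, startup items and the five folders) can be gathered in one read-only pass. The PowerShell below is an added example, not part of the original guide; the Run/RunOnce key list, the 7-day window and the file-extension list are assumptions to adjust for your system.

```powershell
# Read-only triage for the manual checks in this guide. Nothing is deleted or changed.
$DaysBack = 7   # assumption: how far back "recently added" reaches; set it to cover the infection date

# 1. Hosts file: show every active (non-comment) mapping except the loopback localhost lines.
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
$hostsFindings = Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
    Where-Object { $_ -and $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost$' }

# 2. Startup entries: the standard per-user and machine-wide autorun keys (assumed list).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFindings = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
    }
}

# 3. The five locations from the guide: executables and scripts created inside the window.
$cutoff = (Get-Date).AddDays(-$DaysBack)
$roots  = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:windir, $env:TEMP) | Select-Object -Unique
$exts   = '.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js'
$fileFindings = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -File -Recurse -Depth 2 -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff -and $exts -contains $_.Extension.ToLower() }
}
# TEMP usually sits under LOCALAPPDATA, so drop duplicates before adding the signature status.
$fileFindings = $fileFindings | Sort-Object FullName -Unique |
    Select-Object CreationTime, FullName,
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status } }

'--- Hosts entries to review ---'
$hostsFindings
'--- Startup entries to research before disabling ---'
$startupFindings | Format-Table -AutoSize -Wrap
'--- Recently created executables and scripts ---'
$fileFindings | Sort-Object CreationTime -Descending | Format-Table -AutoSize -Wrap
```

Every item listed is a candidate for review, not a verdict: research startup commands and scan unsigned files before removing anything.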


    How to Decrypt Nerz files

    When a ransomware encrypts your files, you have no way of getting them back unless you figure out how to decrypt them. This file recovery guide will teach you the latest file recovery methods and best practices for minimizing the harm caused by the Nerz attack.

    New Djvu Ransomware

    STOP Djvu ransomware, which is a new variant of the Djvu ransomware, has recently piqued the interest of security researchers. This variant encrypts files and adds the suffix .Nerz to the end of each file it targets. In certain cases, regaining access to the encrypted data may be possible via the use of certain techniques. In order to decrypt data that has been encrypted by this ransomware, we recommend that you use an offline key decryptor such as the one provided at the URL below.

    Begin by downloading the STOPDjvu.exe application from the linked URL, then choosing “Run as Administrator” and then “Yes” from the pop-up window that appears. You can start the data decryption procedure once you have read the license agreement and any short instructions that have been included with it. Please keep in mind that this application may not be able to decode data that has been encrypted using unknown offline keys or using online encryption methods.

    Before using any of the file-recovery options, however, be sure that the system is fully free of Nerz. A comprehensive system scan can be done quickly and easily by using the free online virus scanner or the anti-virus software recommended on this page. Let us know if you need help with any of the stages in this Nerz removal guide by commenting below.


    About the author


    Brandon Skies

    Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.
