.Nobu Virus


.Nobu is a very malicious file-encrypting Ransomware infection that blackmails web users in return for recovery of access to their personal files. The .Nobu infection takes hostage of digital documents, databases, archives, images, audio and video files and other commonly used information.


The .Nobu will encrypt your files

If you have been denied access to your personal records, photographs and other valuable data that you store on your PC and you have been asked to pay some money to regain access to it through a scary ransom note, then you have probably become a victim of .Nobu, Weui, Lisp or or another ransomware. The good news is that on this page you will find a guide with instructions on how to remove the infection and some free suggestions on how to possibly recover your encrypted files without paying a ransom.

The .Nobu virus

The .Nobu virus is an infection which seeks to encrypt user files with the intentions to ask a ransom for them. The victims of the .Nobu virus get notified about the attack after their files become inaccessible and a ransom-demanding message gets shown on their screen.

nobu virus

The Nobu virus will leave a ransom note with instructions

The blackmail scheme that ransomware infections like this one are using has developed into a lucrative money-extortion model for numerous hacking organisations, and every day new and more sophisticated threats of this kind emerge. Victims are typically allowed to get their encrypted documents back if they pay a certain amount of money for a decryption key. Sadly there is no assurance that if they fulfill the ransom demands they will obtain one. This is the reason why most security experts don’t advise users to go for the ransom payment and encourage them to remove the ransomware and explore alternative file-recovery solutions like those in the removal guide below.

One of the most challenging aspects about dealing with ransomware and preventing it has to do with the fact that it can remain under the radar of most antivirus programs. This means that the malware can silently complete its agenda in the background of the system without being interrupted and the victims will come to know about the attack only after it is too late.  

As soon as the malware sneaks into the targeted device, it immediately detects the files that the user is using the most and encrypts them without noticeable signs that may indicate what is happening. Just when the whole encryption process is complete does the cryptovirus expose itself. In general, the hackers do their best to scare the victim that if they don’t’ pay the required ransom they will never access the encrypted files again. They place a ransom note on the screen of the infected computer, replace the desktop background with it and put it in a folder containing encrypted files just to make the victim pay as quickly as possible.

The .Nobu file encryption

The .Nobu file encryption is a special piece of code that when applied makes your files inaccessible. The reversal of the .Nobu file encryption can be very difficult and a special decryption key is usually needed to achieve it.

Nonetheless, since there is no assurance that you will receive such a decryption key from the hackers behind .Nobu, we suggest that you first explore the free methods that can help you remove the ransomware and recover the information that it has encrypted – and we have listed them in the removal guide below.


Name .Nobu
Type Ransomware
Detection Tool

anti-malware offerOFFER *Read more details in the first ad on this page, EULA, Privacy Policy, and full terms for Free Remover.

Remove .Nobu Ransomware


One very important thing before you proceed with the removal steps below is to Bookmark this page. You will need to refer back to it, but some of the steps below will require you to quit your browser. That’s why make sure that you click the start icon before you being with the removal process of .Nobu.

The other very important thing related to the preparation for the removal of .Nobu is to enter your PC in Safe Mode. Safe Mode runs only the basic system processes and will hopefully make the removal of .Nobu easier for you.



After you have done the preparations described in step 1, use the CTRL + SHIFT + ESC key combination on your keyboard to open the Windows Task Manager.

Once in it, go to the Processes Tab. Try to find processes that could have a relation to .Nobu. Keep in mind that the malicious processes may not have the same name as the ransomware. That’s why you have to have a bit of computer knowledge to determine which of the listed processes could be malware-related and which are legitimate. Google the names of the processes that seem suspicious to you and research them.

Once you are sure they are malicious, right-click on each of them and choose Open File Location. 


Use the scanner below to scan all the files found in that location folder:

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    In case that the scanned files get flagged as dangerous by the scanner, go back to the Task Manager’s Process tab, find the processes that are related to these files, right-click on them and choose the End Process Tree option. After you do that, delete the folders that contain the flagged files with all the content in them.


    When you complete the instructions in step 2, open a Run box on your screen (Start and R key combination) and copy this in the text field:

    notepad %windir%/system32/Drivers/etc/hosts

    Then, click Ok to run it.

    You should see a new simple text file named Hosts on your screen after the command is executed. In the file, pay attention to the Localhost section just as it is shown on the image below:

    hosts_opt (1)

    If you see that a lot of IP’s have been found below “Localhost“, this might be an indication that the computer has been hacked and we advise you to write to us in the comments section below this post so we can advise you further.

    Next, open the System Configuration app (you can type its name in the Start Menu search field and open the result). In the window that opens, head to the Startup tab.


    Find the Startup Items that could have a relation to .Nobu and remove the checkmark from the checkbox that corresponds to them. Also, don’t hesitate to remove the checkmark for any other “Unknown” items, especially those that have an unnamed or questionable Manufacturer.

    Attention! A ransomware like .Nobu may use a different name for coverage and may even include a fake Manufacturer name to its process. That’s why don’t forget to check the legitimacy of every single process by googling it.


    The Registry Editor is the most important place where you have to seek for .Nobu-related entries. To complete this step, open the Registry Editor app (Type Regedit in the search field of your Start menu and open the result)

    When the Registry Editor window opens, use the CTRL and F key combination to open a Find dialog box. In its text field write the name of the ransomware, which in your case is .Nobu. After that, click on Find Next to perform the search.

    Delete every result that corresponds to that name. However, be very careful not to delete anything else that is not linked to .Nobu, as this may cause serious system corruption.

    After that, go to your Start Menu and type each of the five items below in the Windows Search Field:

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    Check if there is anything that has been added recently in these locations by filtering the files in them by date.

    When you reach the 5th %Temp% location, delete everything there. If you are not sure what exactly needs to be removed, don’t hesitate to leave us a comment and ask us for help.


    How to Decrypt .Nobu files

    In many cases, it is not enough to remove .Nobu to make the files that it has encrypted accessible. That’s why in this final step we have included a link to a guide that is aimed at helping you decrypt some of your files. You can find it out here.

    Remember that no matter how carefully you follow the steps in this guide, the ransomware may be much more persistent than you are expecting. That’s why if you run into trouble, drop us a comment below this post or use the automatic removal tool recommended above in the article.


    About the author


    Lidia Howler

    Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.


      • Hi Havya Pandya, it’s perfectly fine to delete everything in the %temp% folder, Windows will repopulate the folder with files it needs.

      • Hi vicky, if your files are encrypted with the .nobu extension then that means it is impossible to decrypt them yet. Clean your computer from any viruses and then it’s ok to transfer any encrypted files on a different hard drive.

    Leave a Comment