Tury Virus

*Tury is a variant of Stop/DJVU. Source of claim SH can remove it.


Tury has been invading the computers of unsuspecting users lately and denying those users access to their very own computer files. Tury is therefore a representative of the ransomware cryptovirus malware category.

The Tury ransomware will leave a _readme.txt file with instructions

What this means is that this malicious piece of programming denies users access to their data by means of encrypting said data. Hence, the affected files become unreadable and cannot be opened by any software unless a special decryption key is applied. Here is where the ransomware part comes in.

In order to obtain this decryption key, which you could say that the hackers responsible for the infection hold ‘hostage’, victims are required to pay a hefty sum in ‘ransom’. This is an age-old blackmail scheme that, unfortunately, in recent years has only gained momentum and doesn’t appear to be slowing down any time soon.

In this post we will aim to outline the means by which Tury is distributed and what tools are available to combat it with. Specifically, we have developed a removal guide which will show you how to remove this virus from your PC. And in the second part of the guide you will also find information regarding the restoration process of your data.

The Tury virus

The Tury virus uses complex encryption in order to make user files inaccessible to anyone not in possession of a decryption key. This very encryption process also makes the Tury virus invulnerable to most antivirus software out there.

The thing is that antivirus programs aren’t triggered by encryption, as it is not an inherently malicious process. And this fact enables variants like Tury, Tuis, Powz to operate directly under their radars without being interrupted. For this reason, the best possible way to battle such attacks is by preventing them. And the way to do that is by knowing how ransomware is distributed, which we will reveal in just a little bit.

But an even more reliable way to render a ransomware attack like this one practically harmless is by backing up whatever valuable data you would fear losing. Furthermore, keep the copies of your files stored on a cloud service or better yet on a separate hard drive that is not constantly connected to your computer or to any network.

The Tury file distribution

The Tury file distribution usually takes place with the help of spam messages. You can also download the Tury file if you happen to click on a compromised or infected online ad.

Tury File

The latter is commonly referred to as malvertising and is a very common way of distributing various malicious prices of programming, including ransomware like Tury. That being said, it’s important to note that oftentimes ransomware relies on the help of backdoor viruses (usually Trojans) to infect a given computer as well.

How it works is basically first you will get infected with the Trojan, which is an expert at detecting and exploiting vulnerabilities in your system. And once that happens, it will proceed to let the ransomware in as well. Hence, it’s certainly a good idea to scan your computer for Trojans as soon as you’ve handled Tury.


Detection Tool

*Tury is a variant of Stop/DJVU. Source of claim SH can remove it.

Remove Tury Ransomware


Type Task Manager in the Start Menu and select the first item from the results and go into its Processes tab. In there, you must find the process or processes that are run by the Tury virus. Those processes may have the same name as the threat but in most cases they’d be named differently so use your own discretion to spot them. Look for resource-intensive processes with unfamiliar/suspicious names that consume large portions of the RAM memory of the computer or its CPU power.


If you suspect a given process, conduct an online search with its name to see what information you could find about it and to confirm that the suspected process is not one run by Windows.

Once you’ve done your research and have confirmed that the suspicious process is not from Windows, you must right-click on it from the Task Manager and select the open File Location option. The files located in the folder that opens next must be scanned for malware. Use the next free online scanner and/or an antivirus/anti-malware tool of your own to test the files.

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    If a file is detected as malware, go back to the suspicious process, right-click on it again, and then click on End Process Tree.

    Next, delete the folder where the malware files are located – in some cases, you may not be allowed to do that because some of the files in it cannot be deleted at the moment. If this happens in your case, delete whatever files you can from the file location folder and then move on to the next steps. Once you are done with them, you should try again to delete the file location folder.



    *Tury is a variant of Stop/DJVU. Source of claim SH can remove it.

    Next, you must start the computer in Safe Mode – the provided link will get you to a page with detailed instructions on how to access Safe Mode.


    *Tury is a variant of Stop/DJVU. Source of claim SH can remove it.


    Now go to your Start Menu, type system configuration, and press Enter. Select Startup from the window that opens and look for suspicious startup items in the displayed list. If there are any items you don’t recognize or trust, untick them and then select Apply. Do the same with items that have unknown manufacturers unless you trust those items and know they are related to safe software.

    Finally, click on OK to finish this step and move on to the next one.


    Paste this line “notepad %windir%/system32/Drivers/etc/hosts” in the Start Menu (without the quotations) and hit enter.

    hosts_opt (1)

    A notepad file named Hosts should appear on your screen – at its bottom, there is a line that reads LocalHost – if there are any IP addresses or other text written below it, you must copy those addresses/text and put them in the comments below. We will have a look and tell you if anything needs to be done about them.

    If we tell you that the IPs you’ve sent us are from the Tury virus, you will have to remove them from your Hosts file and then click on File > Save to save the changes.


    Warning!: To complete this step, you will have to make changes to your computer’s Registry by deleting malware entries from it. Be very careful and only delete items you are certain are from Tury. In case you are in doubt, it is preferable if you consult us via the comments section before you go on to delete anything. Otherwise, you may end up deleting an item you aren’t supposed to, this causing more problems to your system.

    Press Windows Key + R and type regedit in the Run box. Hit Enter and when Windows asks for your Admin approval, click on Yes to continue.

    When the Registry Editor opens, click on its Edit menu and then go to Find. Type the virus name in the Find box and click on Find Next. You will be taken to the first item in the Registry that carries the name of the virus. Delete that item, repeat the search, and if another item is found, delete that one too. Keep searching and deleting until there are no more items in the Registry Editor with the Tury name.

    Next, find the following three directories from the left panel of the Registry Editor.

    • HKEY_CURRENT_USER > Software
    • HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
    • HKEY_CURRENT_USER > Software > Microsoft > Internet Explorer > Main

    In them, your job is to find and delete any suspicious folders that draw your attention and could be linked to the malware. Such folders would typically have long names that consist of randomly arranged letters and numbers. In case you see such a folder, delete it, but only if you are certain it is not supposed to be there. As we said, you can always ask us in the comments about a given Registry entry before you delete it.


    Copy-paste each of the following lines in the Start Menu and hit enter after each to go to the folder it corresponds to.

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    Delete the most recent files in those folders – everything from the moment the virus infected you to the current moment. In the folder named Temp, you must delete everything.

    Finally, go back to the File location folder from the first step and try to delete it – this time you should have no problem removing that folder alongside any files that may be left in it.

    How to Decrypt Tury files

    This guide should help you delete Tury, but it will not be enough to decrypt the files that have already been encrypted by the virus. If you want to restore your encrypted data without paying the ransom, we suggest you take a look at the instructions below and try the suggested alternative recovery methods included there.

    However, before you attempt to recover any of the locked files, you must be absolutely sure that the virus is fully gone from your computer or else the data you may have managed to restore could get encrypted all over again by the threat. To check if any suspicious files on your computer contain malware, you can use the free online malware scanner available on our site.

    Data encrypted by ransomware may be challenging to decipher, even for experienced cyber security professionals. Furthermore, the ransomware decryption methods may vary depending on the ransomware variant, further complicating data recovery. To avoid confusion, you can look at the file extensions of the encrypted files to figure out which type of ransomware infected your system.

    An advanced anti-virus program, such as the one available on this page, must be used to do a complete virus scan before any data recovery can begin. You should not look into file recovery options until the virus check comes back clean.

    New Djvu Ransomware

    STOP Djvu ransomware is a new type of ransomware that has been found to encrypt files in secret and demand money from victims. There have been reports of this threat from all over the world, and victims have noted that it appends the Tury suffix to encrypted files. People who have lost data shouldn’t pay the ransom because decryptors like the one in the link below may be able to help them get their files back.


    You may decrypt files by downloading the STOPDjvu program from the URL and running it, but first you should read the license agreement and the instructions for use from the page. Even though this program seems very promising, it does have some limitations. Not all encrypted files will be able to be decrypted by the tool, especially if they were encrypted online or with an unknown offline key. 

    Final Notes

    To conclude, we sincerely hope that the steps included in the guide above have or will help you delete Tury. If, for some reason, the malware still seems to be present on the computer after you are finished with the guide, be sure to give a try to the recommended anti-malware tool present on the current page – it can quickly locate and take care of any malware files in your system as well as ensure the future safety of your computer against other incoming threats.

    About the author


    Violet George

    Violet is an active writer with a passion for all things cyber security. She enjoys helping victims of computer virus infections remove them and successfully deal with the aftermath of the attacks. But most importantly, Violet makes it her priority to spend time educating people on privacy issues and maintaining the safety of their computers. It is her firm belief that by spreading this information, she can empower web users to effectively protect their personal data and their devices from hackers and cybercriminals.

    Leave a Comment