All files are encrypted: what to do. Encrypting viruses: how to remove them and decrypt files. Decrypting files after an encrypting virus. Where to look for guaranteed decryption

Hello everyone. Today I will tell you how to decrypt files after a virus in Windows. One of the most troublesome kinds of malware today is a Trojan, or virus, that encrypts the files on the user's disk. Some of these files can be decrypted, some cannot yet. In this article I describe the possible courses of action in both situations.

There are several modifications of this virus, but the essence is the same: once installed, it encrypts your documents, images and other potentially important files, changing their extension, after which you receive a message that all your files have been encrypted and that you must send the attacker a certain sum to decrypt them.

Files on the computer are encrypted to .xtbl

One of the latest variants of this encrypting virus encrypts files, replacing them with files that have the .xtbl extension and a name consisting of a random string of characters.

At the same time, a text file readme.txt appears on the computer with roughly the following content: "Your files have been encrypted. To decrypt them, you need to send the code to the e-mail address [email protected], [email protected] or [email protected]. You will then receive all the necessary instructions. Attempts to decrypt the files yourself will lead to irrecoverable loss of information" (the e-mail addresses and the text may differ).

Unfortunately, there is currently no way to decrypt .xtbl files (as soon as one appears, this instruction will be updated). Some users who had really important information on the computer reported on antivirus forums that they sent the virus authors 5000 rubles, or another demanded amount, and received a decryptor, but this is very risky: you may get nothing at all.

What to do if files were encrypted to .xtbl? My recommendations look like this (they differ from those on many other sites on the topic, where, for example, it is recommended to immediately cut the computer's power or remove the virus. In my opinion this is unnecessary and under some circumstances may even be harmful, but it is for you to decide):

  1. If you know how, interrupt the encryption process by ending the corresponding tasks in Task Manager and disconnecting the computer from the Internet (a connection may be a necessary condition for the encryption).
  2. Remember or write down the code that the attackers require you to send to the e-mail address (not only in the text file on the computer, so that, just in case, it is not encrypted as well).
  3. Using Malwarebytes Anti-Malware, the trial version of Kaspersky Internet Security or Dr.Web CureIt!, remove the encrypting virus (all the listed tools cope with this well). I advise using the first and second products from the list one after the other (however, if you already have an antivirus installed, installing a second one "on top" is undesirable, as it can lead to problems on the computer).
  4. Wait for a decryptor to appear from one of the antivirus companies. Kaspersky Lab is at the forefront here.
  5. You can also send a sample encrypted file and the required code to [email protected]. If you have a copy of the same file in unencrypted form, send it too. In theory, this can speed up the appearance of a decryptor.

What you should not do:

  • Rename encrypted files, change their extension or delete them if they are important to you.

That is about all I can say about encrypted files with the .xtbl extension at the moment.

Trojan-Ransom.Win32.Aura and Trojan-Ransom.Win32.Rakhni

The next Trojan encrypts files and gives them one of the extensions from this list:

  • .locked
  • .crypto
  • .kraken
  • .aes256 (not necessarily this Trojan; there are others that set the same extension)
  • [email protected]_com
  • .oshit
  • others

To decrypt files after these viruses have run, there is a free RakhniDecryptor utility, available on the official page http://support.kaspersky.ru/viruses/disinfection/10556.

There are also detailed instructions for using this utility, showing how to restore encrypted files; just in case, I would uncheck the option "Delete encrypted files after successful decryption" (although I think everything will be fine with that option too).

If you have a Dr.Web Anti-virus license, you can use the free decryption service from this company on the page http://support.drweb.com/new/free_unlocker/

More variants of encrypting viruses

The following Trojans, which encrypt files and demand money for decryption, are less common but also encountered. At the links below there are not only utilities for getting your files back but also descriptions of the signs that help determine that you have this particular virus. In general, though, the best path is: scan the system with Kaspersky Anti-Virus, find out the name of the Trojan in this company's classification, and then look for a utility by that name.

  • Trojan-Ransom.Win32.Rector - the free RectorDecryptor utility for decryption and the manual for its use are available here: http://support.kaspersky.ru/viruses/disinfection/4264
  • Trojan-Ransom.Win32.Xorist is a similar Trojan that displays a window asking you to send a paid SMS or contact an e-mail address to receive decryption instructions. Instructions for restoring encrypted files and the XoristDecryptor utility are on the page http://support.kaspersky.ru/viruses/disinfection/2911
  • Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.Fury - RannohDecryptor: http://support.kaspersky.ru/viruses/disinfection/8547
  • Trojan.Encoder.858 (XTBL), Trojan.Encoder.741 and others with the same name (as reported by Dr.Web Anti-virus or the CureIt! utility) and different numbers - try searching the Internet for the Trojan's name. For some of them there are decryption utilities from Dr.Web; also, if you could not find a utility but have a Dr.Web license, you can use the official page http://support.drweb.com/new/free_unlocker/
  • CryptoLocker - to decrypt files after CryptoLocker, you can use the site http://decryptcryptolocker.com: after uploading a sample file you will receive a key and a utility to restore your files.

And from the latest news: Kaspersky Lab, together with law enforcement from the Netherlands, developed a Ransomware Decryptor (http://noransom.kaspersky.com) to decrypt files after CoinVault, but in our part of the world this ransomware is not encountered.

By the way, if it turns out that you have something to add (I may not have time to keep track of everything happening with decryption methods), report it in the comments; this information will be useful to other users who have run into the problem.

Usually malware aims at taking control of the computer, adding it to a botnet or stealing personal data. An inattentive user may not notice for a long time that the system is infected. Encrypting viruses, XTBL in particular, work quite differently: they make the user's files unusable by encrypting them with a strong algorithm and demand a large sum from the owner for the ability to restore the information.

Cause of the problem: the XTBL virus

The XTBL encrypter got its name from the fact that user documents encrypted by it receive the .xtbl extension. Ordinarily an encoder keeps the key in its own body so that a universal decoder program can restore the information to its original form. This virus, however, serves a different purpose, so instead of a key the screen shows an offer to pay a certain amount to anonymous payment details.

How the XTBL virus works

The virus enters the computer through e-mail messages with infected attachments posing as office application files. After the user opens the contents of the message, the malicious program starts searching for photos, keys, video, documents and so on and then, using a complex algorithm (hybrid encryption), turns them into XTBL files.

The virus stores its own files in system folders.

The virus adds itself to autostart. To do so, it adds entries to the Windows registry under the keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run;
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.

The infected computer works stably and the system does not "crash", but a small application (or two) with an unintelligible name is constantly present in RAM. And the folders with the user's working files take on a strange appearance.

On the desktop, instead of the wallpaper, a message appears:

Your files were encrypted. To decrypt them, you need to send the code to the e-mail address: [email protected] (followed by the code). After that you will receive further instructions. Independent attempts to decrypt the files will lead to their complete destruction.

The same text is contained in the created file How to Decrypt Your Files.txt. The e-mail address, the code and the demanded amount may vary.

Quite often some scammers profit at the expense of others: the electronic wallet number of extortionists who have no way of decrypting the files at all is inserted into the virus body. So the gullible user who sends money receives nothing in return.

Why you should not pay the extortionists

Agreeing to cooperate with extortionists is unacceptable not only on moral grounds; it is also unreasonable from a practical point of view.

  • Fraud. It is not certain that the attackers are even able to decrypt your files. One of the allegedly decrypted photos returned to you proves nothing either: it may simply have been stolen before encryption. The money will be spent for nothing.
  • The possibility of a repeat. By confirming your willingness to pay, you become a more attractive target for a repeat attack. Perhaps next time your files will have a different extension and a different message will appear on the desktop, but the money will go to the same people.
  • Confidentiality. For now the files, though encrypted, are still on your computer. Having come to terms with the "honest villains", you will be forced to send them all your personal information: the scheme does not provide for a key and independent decryption, only for sending the files to the decryptor.
  • Computer infection. Your computer is still infected, so decrypting the files is not a complete solution to the problem.
How to protect the system from the virus

Universal rules for protection against malicious programs and for minimizing damage help in this case too.

  • Beware of random contacts. Do not open messages from unfamiliar senders, including advertising and bonus offers. In an extreme case you can read them after saving the attachment to disk and checking it with an antivirus.
  • Use protection. Antivirus programs constantly replenish their libraries of malicious code, so an up-to-date version of the protection will stop most viruses from getting onto the computer.
  • Separate access. The virus does far more harm if it runs under an administrator account. It is better to work as a standard user, which dramatically narrows the scope of an infection.
  • Create backups. Important information must be regularly copied to external media stored separately from the computer. Do not forget to create Windows recovery points either, bearing in mind that encrypters often delete the shadow copies on the local disk, so recovery points are no substitute for an offline copy.
Is it possible to restore encrypted information

Good news: restoring the data is possible. Bad news: it cannot be done on your own. The reason is the nature of the encryption algorithm: recovering the key requires far more resources and accumulated knowledge than an ordinary user has. Fortunately, antivirus developers consider it a point of honour to deal with every malicious program, so even if they cannot cope with your encrypter now, in a month or two they may well find a solution. You will have to be patient.

Because specialists will have to be involved, the procedure for handling an infected computer changes. The general rule: the fewer changes, the better. Antiviruses determine the method of treatment from the "generic signs" of a malicious program, so for them the infected files are a source of important information. Delete them only after the main problem is solved.

The second rule: interrupt the virus at any cost. Perhaps it has not yet ruined all the information, and traces of the encrypter may still remain in RAM that will help identify it. Therefore, immediately disconnect the computer from the network and switch it off with a long press of the power button. The standard "careful" shutdown procedure is not suitable this time, because it gives all processes a chance to complete correctly, and one of them is the encryption of your information.

We restore encrypted files

If you managed to switch the computer off

If you managed to switch the computer off before the encryption process finished, do not switch it on again yourself. Take the "patient" straight to specialists: interrupted encryption significantly increases the chances of saving personal files. There you can safely check your media and create backup copies. With high probability the virus itself will be known, so its removal will be successful.

If encryption has finished

Unfortunately, the probability of successfully interrupting the encryption process is very small. Usually the virus has time to encrypt the files and remove unnecessary traces from the computer. Now you have two problems: Windows is still infected, and the personal files have turned into a jumble of characters. To solve the second problem you must use the help of antivirus software vendors.

Dr.Web

The Dr.Web laboratory provides its decryption service free only to holders of commercial licenses. In other words, if you are not their customer but want to restore your files, you will have to buy the program. Given the situation, this is a necessary investment.

The next step is to go to the vendor's website and fill in the request form.

If among the encrypted files there are some whose copies are preserved on external media, submitting them will greatly facilitate the decryptor developers' work.

Kaspersky

Kaspersky Lab has developed its own decryption utility called RectorDecryptor, which can be downloaded from the company's official website.

Each version of the operating system, including Windows 7, has its own build of the utility. After downloading it, click the "Start scan" on-screen button.

Processing may take a while if the virus is relatively new. In this case the company usually sends an appropriate notification. Sometimes decryption can take several months.

Other services

Services with similar functions are becoming more and more numerous, which shows the demand for decryption. The procedure is the same: go to the site (for example, https://decryptcryptolocker.com/), register and send an encrypted file.

Decryption programs

There are many offers of "universal decryptors" (paid, of course) on the net, but their usefulness is doubtful. Of course, if the authors of the virus themselves write a decryptor, it will work, but the same program will be useless against another malicious application. Besides, specialists who deal with viruses regularly usually have a complete set of the necessary utilities, so they most likely already have all the working programs. Buying such a decryptor will most likely be a waste of money.


Independent recovery of information

If for some reason it is impossible to turn to third-party specialists, you can try to restore the information yourself. Be warned that in case of failure the files may be lost for good.

Restoring deleted files

After encryption, the virus deletes the source files. However, if System Protection is enabled, Windows 7 keeps earlier versions of files in so-called shadow copies, provided the virus has not deleted them.

ShadowExplorer

ShadowExplorer is a utility for restoring files from their shadow copies.

  • To install, go to the developer's website and download the archive; after unpacking, the executable module is in the ShadowExplorerPortable folder under the same name. A shortcut appears on the desktop for quick launch.
  • All further actions are intuitive. Run the program and in the upper left select the disk on which the data is stored and the creation date of the shadow copy. You need the most recent date before the encryption happened.
  • Now find the folder that contained the working files and right-click it. In the context menu that appears, select Export, then specify where to save the recovered files. The program will find all files available in the shadow copy of this folder and export them to the specified location.
PhotoRec

The free PhotoRec utility works differently: it does not use shadow copies but carves deleted files directly from the disk, in batch mode.

  • Download the archive from the developer's site and unpack it to disk. The executable file is called qphotorec_win.
  • After starting the application, the dialog box lists all available disk devices. Choose the one where the encrypted files were stored and specify the path for saving the recovered copies.

For storage it is better to use external media, for example a USB flash drive, because every write to the disk risks overwriting the deleted data and the shadow copies.

  • Having selected the required directories, click the File Formats button.
  • The drop-down menu lists the file types the application can restore. By default each is checked, but you can uncheck the extra ones to speed up the work, leaving only the types of files to be restored. When finished, click OK.
  • Once the selection is complete, the Search on-screen button becomes available. Click it. Recovery is a time-consuming process, so be patient.
  • After the process completes, press the Quit button and exit the program.
  • Recovered files are placed in the previously specified directory and spread over folders named recup_dir.1, recup_dir.2, recup_dir.3 and so on. Go through each in turn and give the files back their original names.
Removing the virus

Since the virus got onto the computer, the installed protective programs did not cope with their task. You can try third-party help.

Important! Removing the virus cleans the computer but does not restore encrypted files. Moreover, installing new software can damage or erase some of the shadow copies needed for recovery. Therefore it is better to install applications on other disks.

Kaspersky Virus Removal Tool

A free program from the well-known antivirus developer, which can be downloaded from the Kaspersky Lab website. Immediately after launch, Kaspersky Virus Removal Tool offers to start a scan.

After pressing the big "Start scan" button, the program begins scanning the computer.

It remains to wait for the scan to end and remove the unwelcome guests it found.

Malwarebytes Anti-Malware

Another antivirus developer that provides a free version of its scanner. The procedure is the same:

  • Download the Malwarebytes Anti-Malware installer from the manufacturer's official page, then run it, answering the questions and clicking "Next".
  • The main window will immediately offer to update the program (a useful step that refreshes the virus database). After that, start the scan by clicking the corresponding button.
  • Malwarebytes Anti-Malware scans the system step by step, displaying intermediate results.
  • Viruses found, including encrypters, are shown in the final window. Get rid of them by pressing the "Remove Selected" button.

To remove some malware, Malwarebytes Anti-Malware will offer to reboot the system; you should agree. After Windows restarts, the antivirus will continue cleaning.

What should not be done

The XTBL virus, like other encrypting viruses, harms both the system and the user's information. Therefore, to reduce possible damage, observe a few precautions:

  1. Do not wait for encryption to finish. If file encryption has started before your eyes, do not wait for it to end or try to interrupt the process by software means. Immediately cut the computer's power and call specialists.
  2. Do not try to remove the virus yourself if you can entrust it to professionals.
  3. Do not reinstall the system before treatment is complete. The virus can easily infect the new system as well.
  4. Do not rename encrypted files. This only complicates the decryptor's work.
  5. Do not try to open infected files on another computer until the virus is removed. This can spread the infection.
  6. Do not pay the extortionists. It is useless and encourages virus creators and fraudsters.
  7. Do not forget prevention. Installing an antivirus, regular backups and creating recovery points will significantly reduce the possible damage from malware.

Treating a computer infected with an encrypting virus is a long and not always successful procedure. That is why it is so important to observe precautions when receiving information from the network and working with unverified external media.

An encrypting virus (ransomware) is a malicious program that, when activated, encrypts all personal files such as documents, photos and so on. The number of such programs is very large and grows every day. Just recently we have encountered dozens of encrypter variants: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, .da_vinci_code, toste, fff, etc. The goal of such viruses is to force users to buy, often for a large sum of money, the program and the key needed to decrypt their own files.

Of course, you can try to restore encrypted files by simply following the instructions the virus creators leave on the infected computer. But most often the price of decryption is very high, and you should also know that some encrypters encrypt files in such a way that it is simply impossible to decrypt them. And, of course, it is just unpleasant to pay for the restoration of your own files.

Below we describe encrypting viruses in more detail: how they get onto the victim's computer, how to remove the encrypter and how to restore the files it encrypted.

How an encrypting virus gets onto the computer

The encrypting virus is usually distributed via e-mail. The message contains infected documents. Such messages are sent to a huge database of e-mail addresses. The authors of the virus use misleading subjects and message bodies, trying to trick the recipient into opening the attached document. Some messages report the need to pay an invoice, others offer to look at a fresh price list, others at a funny photo, and so on. In any case, the result of opening the attached file is a computer infected with the encrypting virus.

What an encrypting virus is

An encrypting virus is a malicious program that affects modern versions of the Windows family, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. These viruses try to use the strongest encryption modes available, for example RSA with a 2048-bit key, which practically rules out recovering the key by brute force to decrypt the files independently.

On an infected computer the encrypting virus uses the %AppData% system directory to store its own files. To start automatically when the computer is switched on, the encrypter creates entries in the Windows registry under the keys HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, HKCU\Software\Microsoft\Windows\CurrentVersion\. Immediately after starting, the virus scans all accessible disks, including network and cloud storage, to determine the files it will encrypt. The encrypting virus uses the file name extension to identify the group of files to encrypt. Almost all types of files are encrypted, including common ones such as:

.0, .1, .1st, .2bp, .3dm, .3ds, .sql, .mp4, .7z, .rar, .m4a, .wma, .vi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mdata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .wav, .wbc, .wbd, .wbk, .wbm, .wbmp, .wbz, .wcf, .wdb, .wdp, .webdoc, .webp, .wgz, .wire, .wm, .wma, .wmd, .wmf, .wmv, .wn, .wot, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpb, .wpd, .wpe, .wpg, .wpl, .wps, .wpt, .wpw, .wri, .ws, .wsc, .wsd, .wsh, .x, .x3d, .x3f, .xar, .xbdoc, .xbplate, .xdb, .xdl, .xld, .xlgc, .xll, .xls, .xlsm, .xlsx, .xmind, .xml, .xmmap, .xpm, .xwp, .xx, .xy3, .xyp, .xyw, .y, .yal, .ybk, .yml, .ysp, .z, .z3d, .zabw, .zdb, .zdc, .zi, .zif, .zip, .zw

Immediately after a file is encrypted, it receives a new extension, which often allows identifying the name or type of the encrypter. Some of these malicious programs can also change the names of the encrypted files. The virus then creates a text document with a name like Help_your_files or Readme, containing instructions for decrypting the encrypted files.

During its work, the encrypting virus tries to block the possibility of restoring files via the VSS system (Volume Shadow Copy, the shadow copies of files). To do so, it runs the shadow copy management utility from the command line with the switches that delete all copies. Thus it is almost always impossible to restore files from their shadow copies.
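As an added example (not part of the original article), the following Python detector runs over process-creation records and flags the command line described above: the shadow copy utility (vssadmin) called with the switches that delete all copies. The records are constructed in a flattened `Field=value|Field=value` layout standing in for Sysmon Event ID 1 or Security event 4688 data; the extra patterns for wmic, wbadmin and bcdedit are my own additions covering the same action through other built-in tools, and the severity boost for a parent process under a user profile directory follows the article's point that the encrypter lives under %AppData%.

```python
import re

# Directories the article says the encrypter stores itself in (user profile areas).
USER_PROFILE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# The first pattern is the call the article describes; the rest reach the same
# outcome via other built-in tools (my addition, not from the article).
SHADOW_WIPE_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit recoveryenabled no", re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
]


def parse_record(line):
    """Parse one constructed 'Field=value|Field=value' record into a dict."""
    record = {}
    for chunk in line.strip().split("|"):
        key, _, value = chunk.partition("=")
        record[key.strip()] = value.strip()
    return record


def classify(record):
    """Return a finding dict if the command line wipes restore data, else None."""
    command = record.get("CommandLine", "")
    for label, pattern in SHADOW_WIPE_PATTERNS:
        if pattern.search(command):
            parent = record.get("ParentImage", "")
            # A wipe launched from an executable under the user profile is the
            # encrypter's own footprint; from cmd.exe it may still be an admin.
            severity = "high" if any(d in parent.lower() for d in USER_PROFILE_DIRS) else "medium"
            return {
                "time": record.get("UtcTime", ""),
                "rule": label,
                "severity": severity,
                "parent": parent,
                "command": command,
            }
    return None


def scan(lines):
    """Run classify over every non-empty record; keep the hits in log order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        finding = classify(parse_record(line))
        if finding:
            hits.append(finding)
    return hits


# Constructed sample log: one admin listing, one encrypter wipe, one wipe via
# wmic from a shell, and an unrelated backup agent. Nothing here is real telemetry.
SAMPLE_LOG = r"""
UtcTime=2016-03-01 10:21:40|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin list shadows|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\admin
UtcTime=2016-03-01 10:22:05|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet|ParentImage=C:\Users\alice\AppData\Roaming\qkz7v3hw9d.exe|User=CORP\alice
UtcTime=2016-03-01 10:22:06|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic shadowcopy delete|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\alice
UtcTime=2016-03-01 10:30:00|Image=C:\Program Files\Backup\agent.exe|CommandLine=agent.exe --snapshot|ParentImage=C:\Windows\System32\services.exe|User=NT AUTHORITY\SYSTEM
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"[{hit['severity']}] {hit['time']} {hit['rule']}: {hit['command']} (parent {hit['parent']})")
```

The listing command (`vssadmin list shadows`) is left alone on purpose: it is what an administrator runs before a restore, and alerting on every vssadmin invocation trains analysts to ignore the rule. The wipe is the event worth an alert, and its parent process is what separates the encrypter from a scripted maintenance task.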

The encrypting virus actively uses intimidation tactics: it gives the victim a description of the encryption algorithm and shows a threatening message on the desktop. It tries to force the user of the infected computer, without thinking, to send the computer ID to the virus authors' e-mail address in an attempt to get the files back. The reply to such a message is most often the ransom amount and the address of an electronic wallet.

Is my computer infected with an encrypting virus?

Determining whether the computer is infected with an encrypting virus is quite easy. Look at the extensions of your personal files: documents, photos, music and so on. If the extension has changed, or your personal files have disappeared, leaving behind many files with unknown names, the computer is infected. Another sign of infection is the presence of a file named Help_your_files or Readme in your folders. This file contains instructions for decrypting the files.
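As an added example (not part of the original article), the Python triage below turns the signs in this section into a check over a directory listing: files carrying an extension the page associates with encrypters (.xtbl and the Rakhni-family extensions listed earlier), files whose name is a long random string, and ransom notes named like the ones the page quotes (readme.txt, How to Decrypt Your Files.txt, Help_your_files). The listings are constructed; the verdict rule (a note plus at least one encrypted file, or half the listing encrypted) and the random-name pattern are my own assumptions. It also shows why a note name alone is not enough: a README.txt in a software folder is normal.

```python
import os
import re
from collections import Counter

# Extensions this page attributes to encrypters.
RANSOM_EXTENSIONS = {".xtbl", ".locked", ".crypto", ".kraken", ".aes256", ".oshit", ".da_vinci_code"}

# Ransom-note names the page quotes, matched case-insensitively as prefixes.
NOTE_PREFIXES = ("readme", "help_your_files", "how to decrypt your files")

# "A name consisting of a random set of characters" (assumption: 16+ letters/digits
# with at least one digit; real documents rarely look like this).
RANDOM_NAME_RE = re.compile(r"(?=.*\d)[A-Za-z0-9+=_-]{16,}")


def classify_name(name):
    """Label one file name: ransom_note, ransom_extension, random_name or normal."""
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext == ".txt" and stem.lower().startswith(NOTE_PREFIXES):
        return "ransom_note"
    if ext in RANSOM_EXTENSIONS:
        return "ransom_extension"
    if RANDOM_NAME_RE.fullmatch(stem):
        return "random_name"
    return "normal"


def assess_listing(names):
    """Summarise a listing and decide whether it looks like an encrypter ran."""
    counts = Counter(classify_name(n) for n in names)
    total = max(len(names), 1)
    encrypted = counts["ransom_extension"] + counts["random_name"]
    share = encrypted / total
    # A lone README is normal; a note next to encrypted files, or a listing that
    # is mostly encrypted, is not.
    infected = (counts["ransom_note"] > 0 and encrypted > 0) or share >= 0.5
    return {"counts": dict(counts), "encrypted_share": share, "infected": infected}


def assess_directory(path):
    """Walk a real directory tree and assess every file name found under it."""
    names = [f for _, _, files in os.walk(path) for f in files]
    return assess_listing(names)


# Constructed listings: a healthy documents folder with a README, and one after
# an .xtbl infection (random names modelled on the article's description).
CLEAN_LISTING = ["Budget 2016.xlsx", "Holiday photo.jpg", "README.txt", "notes.docx"]
INFECTED_LISTING = [
    "readme.txt",
    "How to Decrypt Your Files.txt",
    "mTG4kZ2vQxLp8Rn0aYcW.xtbl",
    "7hJ2sKq9bLm4xVp1tRz6.xtbl",
    "Budget 2016.xlsx.locked",
    "desktop.ini",
]

if __name__ == "__main__":
    for label, listing in (("clean", CLEAN_LISTING), ("infected", INFECTED_LISTING)):
        print(label, assess_listing(listing))
```

Point `assess_directory()` at the user's Documents folder to run the same check on a real machine; it only reads names, so it does not touch file contents or timestamps, which matters when the disk may later go to a specialist.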

If you suspect that you have opened a message infected with an encrypting virus but there are no symptoms of infection yet, do not turn off and do not restart the computer. Follow the steps described in the corresponding section of this instruction. I repeat once again: it is very important not to turn off the computer, since with some types of encrypters the file encryption process is activated on the first power-on after infection!

How to decrypt files encrypted by an encrypting virus?

If this trouble has happened, do not panic! But you need to know that in most cases there is no free decryptor. The reason is the strong encryption algorithms used by such malicious programs. This means that without the private key it is practically impossible to decrypt the files. Brute-forcing the key is not an option either, because of the key length. Therefore, unfortunately, paying the virus authors the full demanded amount is the only remaining way to try to obtain the decryption key.

Of course, there is absolutely no guarantee that after payment the virus authors will get in touch and provide the key needed to decrypt your files. Besides, you need to understand that by paying money to the virus developers you yourself push them to create new viruses.

How to remove an encrypting virus?

Before proceeding, you need to know that by starting to remove the virus and attempting to restore files yourself, you may lose the possibility of decrypting the files by paying the virus authors the amount they demand.

Kaspersky Virus Removal Tool and Malwarebytes Anti-Malware can detect various types of active encrypting viruses and easily remove them from the computer, but they cannot restore encrypted files.

5.1. Remove the encrypting virus using Kaspersky Virus Removal Tool

By default the program is configured to restore all file types, but to speed up the work it is recommended to leave only the types of files you need to restore. After completing the selection, click OK.

At the bottom of the QPhotoRec window, find the Browse button and click it. You need to select a directory where the recovered files will be saved. It is advisable to use a disk that does not hold the encrypted files awaiting recovery (you can use a USB flash drive or an external disk).

To start searching for and restoring the original copies of the encrypted files, click the Search button. This process takes quite a long time, so be patient.

When the search is over, click the Quit button. Now open the folder you selected for saving the recovered files.

The folder will contain directories named recup_dir.1, recup_dir.2, recup_dir.3 and so on. The more files the program finds, the more directories there will be. To find the files you need, check all the directories. To make it easier to find the required file among the large number recovered, use the built-in Windows search (by file content) and do not forget the sorting function in directories. You can sort by file modification date, since QPhotoRec tries to restore this property when recovering a file.

How to prevent computer infection with an encrypting virus?

Most modern antivirus programs already have built-in protection against the penetration and activation of encrypting viruses. Therefore, if there is no antivirus program on your computer, install one. How to choose one, read here.

In addition, there are specialized protective programs, for example CryptoPrevent, and others.

A few final words

By completing this instruction, your computer will be cleaned of the encrypting virus. If you have questions or need help, contact us.

    ATTENTION! ESET warns of recently increased activity, and risk of infection of corporate networks, by malware whose actions result in:

    1) Encryption of confidential information and files, including 1C databases, documents and images. Which file types are encrypted depends on the particular variant of the encryptor. The encryption uses strong algorithms, and in each case it follows a specific pattern, so the encrypted data is difficult to recover.

    2) In some cases, after doing its work, the encryptor removes itself from the computer, which makes it harder to find a matching decryptor.

    After the malicious actions are complete, a window appears on the infected computer saying "Your files are encrypted", together with the extortionists' demands that must be met to obtain a decryptor.

    2) Use an antivirus solution with a built-in firewall module (ESET NOD32 Smart Security) to reduce the chance of an attacker exploiting an RDP vulnerability, even when the required operating system updates are not installed (this reduces exposure but does not replace patching). It is recommended to enable advanced heuristics for the launch of executable files (Advanced settings (F5) - Computer - Real-time antivirus and antispyware protection - Advanced settings). Also check that ESET Live Grid is enabled (Advanced settings (F5) - Utilities - ESET Live Grid).

    3) On the mail server, block the reception and transmission of executable files (*.exe) and *.js scripts, since encryptors are frequently delivered as attachments to e-mails with fictitious debt-collection notices, payment information and similar content designed to persuade the user to open the attachment and thereby launch the encryptor. Such attachments are often wrapped in an archive, so the filter should look inside *.zip files as well.

    4) Disable macros in all Microsoft Office applications and in comparable third-party suites. A macro can contain a command that downloads and runs malicious code as soon as the document is opened (for example, opening a document named "Notification of debt collection.doc" from an attacker's e-mail can infect the system even if the mail server stopped the executable attachment, as long as macros were not disabled in the Office settings).

    5) Back up important information stored on the computer regularly. Starting with Windows Vista, Windows includes the System Protection service, which creates backup copies of files and folders when backing up or creating a system restore point. By default the service is enabled only for the system partition; it is recommended to enable it for all volumes. Keep in mind that these local copies can be deleted by the encryptor itself, so also maintain a backup on media that is not permanently connected.
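    As an added example (not ESET's code and not part of the original article), the following script applies recommendations 3 and 4 to a message before it reaches a mailbox: it parses an .eml, rejects attachments whose real extension is executable or script (including double extensions such as invoice.pdf.js and the same names inside a .zip), and flags Office documents that contain a VBA project. The message and the Office containers are constructed inline; the extension lists are the example's own policy, and macro detection covers only OOXML containers, with legacy .doc/.xls files merely flagged for manual review.

```python
"""Screen an e-mail's attachments as recommendations 3 and 4 above suggest.

Added example, not ESET's code. Parses an .eml (constructed inline), flags
attachments whose real extension is executable or script (also inside .zip),
and flags Office documents carrying a VBA project. Only OOXML containers are
inspected for macros; legacy OLE files are just flagged for manual review.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extension lists are this example's own policy, not a vendor default.
BLOCKED_EXT = {".exe", ".js", ".jse", ".vbs", ".scr", ".bat", ".cmd", ".ps1", ".hta"}
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm", ".dotm"}
LEGACY_OLE_EXT = {".doc", ".xls", ".ppt"}


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def ooxml_has_macros(data):
    """True if the OOXML zip contains a vbaProject.bin (VBA macro storage)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(name, data):
    """Return the list of findings for one attachment (empty list = allowed)."""
    findings = []
    ext = _ext(name)
    if ext in BLOCKED_EXT:
        findings.append(f"blocked executable/script attachment: {name}")
    if ext == ".zip":  # look inside archives, the usual wrapper for such payloads
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    if _ext(inner) in BLOCKED_EXT:
                        findings.append(f"executable inside archive: {name}!{inner}")
                    elif _ext(inner) in OOXML_EXT and ooxml_has_macros(zf.read(inner)):
                        findings.append(f"macro document inside archive: {name}!{inner}")
        except zipfile.BadZipFile:
            findings.append(f"corrupt or non-zip archive: {name}")
    if ext in OOXML_EXT and ooxml_has_macros(data):
        findings.append(f"Office document with VBA project: {name}")
    if ext in LEGACY_OLE_EXT:
        findings.append(f"legacy Office format, review macros manually: {name}")
    return findings


def screen_message(raw_bytes):
    """Parse an RFC 822 message and collect findings over all attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(classify(name, part.get_payload(decode=True) or b""))
    return findings


def build_ooxml(with_macros):
    """Minimal constructed OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake vba storage")
    return buf.getvalue()


def build_sample_message():
    """Constructed lure message with three attachments (sample data only)."""
    msg = EmailMessage()
    msg["From"] = "collections@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Notification of debt collection"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Notification of debt collection.docm")
    msg.add_attachment(build_ooxml(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="terms.docx")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice.pdf.js", "var x = 1;")  # double extension inside archive
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in screen_message(build_sample_message()):
        print("REJECT:", finding)
```

    The macro check looks for the vbaProject.bin part rather than trusting the extension, because a renamed .docm still opens and still runs its macros in Word; the zip branch catches the common trick of hiding the script one archive level down.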

    What if the infection has already happened?

    If you have become a victim and your files are encrypted, do not rush to transfer money to the attackers for a decryptor. If you are our customer, contact technical support: we may be able to find a decryptor for your case, or one may already exist. To do so, put a sample of the encryptor and any other suspicious files into an archive and send that archive to us. Also include several samples of encrypted files in the archive. In the comments, describe the circumstances of the infection, your license details and a contact e-mail for feedback.

    You can try to restore the original, unencrypted versions of the files from shadow copies, provided that this feature was enabled and the shadow copies were not destroyed by the encryptor. More information about this is provided separately.

    For more information, contact technical support.

    If the system is infected with malware of the families Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX, the files on the computer are encrypted as follows:

    • With Trojan-Ransom.Win32.Rannoh, names and extensions change according to the template locked-<original_name>.<4 random letters>.
    • With Trojan-Ransom.Win32.Cryakl, the marker CRYPTENDBLACKDC is appended to the end of the file contents.
    • With Trojan-Ransom.Win32.AutoIt, the extension changes according to the template <original_name>@<mail_domain>_.<character_string>.
      For example, [Email Protected]_.Rzwdtdic.
    • With Trojan-Ransom.Win32.CryptXXX, the extension changes according to the templates <original_name>.crypt, <original_name>.crypz and <original_name>.cryp1.
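    The naming templates above are enough to tell the families apart during triage. The following script, added as an example and not Kaspersky's code or part of the original page, encodes them as patterns (Rannoh, AutoIt, CryptXXX) and checks the tail of the file contents for the Cryakl marker; the sample file names and contents are constructed, and the regular expressions are the example's own reading of the templates, not a vendor signature.

```python
"""Recognise which of the families listed above touched a file.

Added example, not Kaspersky's code. It applies the naming templates from
the text (Rannoh, AutoIt, CryptXXX) to file names and looks for the Cryakl
marker at the end of the contents. Regexes are the example's own rendering
of the templates, not a vendor signature; sample data is constructed.
"""
import re

RANNOH = re.compile(r"^locked-(?P<orig>.+)\.(?P<tag>[A-Za-z]{4})$")
AUTOIT = re.compile(r"^(?P<orig>.+)@(?P<domain>[^@_]+)_\.(?P<tag>[A-Za-z0-9]+)$")
CRYPTXXX = re.compile(r"^(?P<orig>.+)\.(?P<ext>crypt|crypz|cryp1)$", re.IGNORECASE)
CRYAKL_MARKER = b"CRYPTENDBLACKDC"


def classify_name(filename):
    """Return (family, original_name) from the name alone, or (None, None)."""
    m = RANNOH.match(filename)
    if m:
        return "Rannoh", m.group("orig")
    m = AUTOIT.match(filename)
    if m:
        return "AutoIt", m.group("orig")
    m = CRYPTXXX.match(filename)
    if m:
        return "CryptXXX", m.group("orig")
    return None, None


def classify_file(filename, data):
    """Combine the name check with the Cryakl content marker.

    Cryakl keeps the name and appends a marker to the contents, so only the
    last bytes are inspected (in real triage, read just the file tail).
    """
    if CRYAKL_MARKER in data[-64:]:
        return "Cryakl", filename
    return classify_name(filename)


def triage(samples):
    """Map each (name, content) pair to (family or 'clean', original name)."""
    report = {}
    for name, data in samples:
        family, orig = classify_file(name, data)
        report[name] = (family or "clean", orig or name)
    return report


# Constructed sample set: names follow the templates in the text, contents are fake.
SAMPLES = [
    ("locked-budget.xlsx.qwer", b"\x13\x37 encrypted blob"),
    ("photo.jpg@mail.example_.Rzwdtdic", b"\x99 encrypted blob"),
    ("contract.docx.crypt", b"\x42 encrypted blob"),
    ("report.doc", b"\xd0\xcf\x11\xe0 ... {CRYPTENDBLACKDC}"),
    ("notes.txt", b"plain text, nothing appended"),
]

if __name__ == "__main__":
    for name, (family, orig) in triage(SAMPLES).items():
        print(f"{name:40} {family:8} original={orig}")
```

    Knowing the family before running a decryptor matters because, as the steps below show, the utility needs a matching encrypted/original file pair and, for CryptXXX, the largest encrypted file you can find.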

    The RannohDecryptor utility is designed to decrypt files after infection by Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1, 2 and 3.

    How to cure the system

    To cure an infected system:

    1. Download the RannohDecryptor.zip file.
    2. Run the RannohDecryptor.exe file on the infected machine.
    3. In the main window, click Start scan.
    4. Specify the path to an encrypted file and to its unencrypted original.
       If the file was encrypted by Trojan-Ransom.Win32.CryptXXX, pick the largest files you have: decryption will then be available only for files of equal or smaller size.
    5. Wait for the search and decryption of the encrypted files to finish.
    6. Restart the computer if required.
    7. To delete copies of encrypted files of the form locked-<original_name>.<4 random letters> after successful decryption, select Delete encrypted files after successful decryption.

    If a file was encrypted by Trojan-Ransom.Win32.Cryakl, the utility saves the decrypted file in the old location with the extension .DECRYPTEDKLR.<original_extension>. If you selected Delete encrypted files after successful decryption, the utility saves the decrypted file under the original name.

    By default, the utility writes its report to the root of the system disk (the disk on which the OS is installed). The report name has the form <utility name>.<version>_<date>_<time>_log.txt, for example C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt.

    On a system infected by Trojan-Ransom.Win32.CryptXXX, the utility scans only a limited set of file formats. When the user selects a file encrypted by CryptXXX v2, key recovery can take a long time; in that case the utility shows a warning.