
Saturday, January 31, 2015

How to Remove Threat Finder Virus and Restore Encrypted Files

Threat Finder is a ransomware Trojan that encrypts all your files, then locks your computer and asks you to pay a fee ($300) to be able to get them back. The current version, Threat Finder v2.4, is probably just a copy of the Cryptolocker ransomware. It uses the same timer as Cryptolocker, stating that you have 72 hours, or 4 days, to scare you into believing that you will lose your files if you don't pay on time. There's even an exact date displayed when your private key will be destroyed. Payment information and payment options are presented in a simple-to-understand way, even for less computer-savvy users. Basically, you can pay via Bitcoin or MoneyPak. Cyber crooks provide instructions on how to pay the fee via both services. The goal, of course, is to get more money by making the payment as easy as possible for victims. But is it legit or a scare? Unfortunately, it does encrypt files, the timer is real and you have only two options: pay the fee hoping that the cyber crooks will send you a decryption tool, or restore your files from a backup if you have any. That's why staying one step ahead of ransomware is crucial if you want to protect your computer, data, finances and even identity. Create backups guys!

Here's what the Threat Finder v2.4 notification says. If you got it, then it's already too late.

Threat Finder v2.4

Warning! Your personal files are encrypted!
Don't switch off your computer and/or internet, otherwise your key will be disabled

Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt the files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet, the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files.

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.
Any attempt to remove or damage this software will lead to immediate destruction of the private key by the server.

Threat Finder is a type of malware and, unlike adware or spyware, is one whose main purpose is to get you to pay money for your files, which were encrypted using the RSA-2048 cryptosystem. This threat gets in mostly via infected email attachments and drive-by downloads from infected websites. It is also being pushed directly to infected computers that belong to certain botnets. It also uses something called social engineering to infect your computer; for example, the cyber crooks might post a link on Facebook or Twitter. You click on this link and the software downloads itself onto your PC by exploiting a weak spot in your security. The pop-up window is then utilized as a scare tactic to 'engineer' you into installing, and paying for, the software.

That's not the only way you can find yourself infected, however, as Threat Finder is also installed via 'drive-by' downloads. For example, if you visit a website that has been infected, you can become a victim just by loading the page. Obviously the key here is to stop ransomware from installing itself on your computer and fooling you into spending money on a product that either doesn't work – or worse, can do you harm. The best advice is to install reputable security software and make sure it is kept up to date.

So what should you do if your files have been encrypted? Easy to say, but try not to panic, and most definitely do not pay any money unless the encrypted files are very important and you can't afford to lose them. If the encrypted files are not very important or you don't have money to pay the ransom, you can try to restore your files (at least some of them) using Shadow Explorer and the specialized tools listed below. Please note that even if you decide to pay the ransom, there's really no guarantee that the cyber crooks will send you the private key and you will be able to decrypt your files.

If you have any questions, please leave a comment below. Last, but not least, if there's anything you think I should add or correct, please let me know. It might be a pain but the issue needs to be dealt with – and the way to do it is by not giving in, not paying up and not letting the attackers win. Good luck and be safe online!

Written by Michael Kaur

Step 1: Removing Threat Finder and related malware:

Before restoring your files from shadow copies, make sure Threat Finder is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by Threat Finder virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool works with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
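Method 3 above drives Shadow Explorer by hand (and Method 2's "Previous versions" reads from the same Volume Shadow Copies). The script below is an added example, not something from this post or from Shadow Explorer's authors: it lists every shadow copy on the machine, so you can see whether a drive such as D: has any snapshots at all, and then exports one folder from a chosen snapshot the same way Shadow Explorer's Export does, via a directory symbolic link to the snapshot's device path. It assumes an elevated PowerShell session on Windows Vista or later; the function names, the link folder `C:\vss_restore_link`, and the paths in the usage comment are my own placeholders.

```powershell
# Added example (not the blog's own instructions): inventory Volume Shadow Copies
# and recover one folder from a chosen snapshot. Run from an elevated PowerShell
# on Windows Vista or later. Paths in the usage comment at the bottom are placeholders.

$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) PowerShell session.' }

function Get-ShadowCopyInventory {
    # One row per snapshot: the drive it belongs to, when it was taken, and the
    # device path that exposes its contents. A drive with no rows has nothing to
    # restore from; that is what an empty Shadow Explorer view for D: means.
    $volumes = Get-CimInstance -ClassName Win32_Volume
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        $snap = $_
        $vol  = $volumes | Where-Object { $_.DeviceID -eq $snap.VolumeName }
        [pscustomobject]@{
            Id           = $snap.ID
            Drive        = if ($vol -and $vol.DriveLetter) { $vol.DriveLetter } else { '(no letter)' }
            Created      = $snap.InstallDate
            DeviceObject = $snap.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        }
    } | Sort-Object Drive, Created
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,  # DeviceObject from Get-ShadowCopyInventory
        [Parameter(Mandatory)] [string] $RelativePath,  # path inside the volume, without the drive letter
        [Parameter(Mandatory)] [string] $Destination    # a fresh folder, not the encrypted originals
    )
    # A snapshot is only reachable through its device path; the standard way to browse
    # it with ordinary tools is a directory symbolic link to that path (mklink needs
    # the trailing backslash). The link folder name is a placeholder of my own.
    $link = Join-Path $env:SystemDrive 'vss_restore_link'
    if (Test-Path -LiteralPath $link) { cmd /c rmdir "$link" | Out-Null }
    cmd /c mklink /d "$link" "$DeviceObject\" | Out-Null
    if (-not (Test-Path -LiteralPath $link)) { throw "Could not link snapshot $DeviceObject" }
    try {
        $source = Join-Path $link $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "'$RelativePath' does not exist in this snapshot; try an earlier or later one."
        }
        New-Item -ItemType Directory -Force -Path $Destination | Out-Null
        # Copy out of the snapshot into the new folder. Snapshots are read-only, and
        # leaving the encrypted originals untouched keeps them available should a
        # decryption tool for this family turn up later.
        Copy-Item -LiteralPath $source -Destination $Destination -Recurse -Force
        # Return how many files were recovered so the caller can sanity-check the result.
        (Get-ChildItem -LiteralPath $Destination -Recurse -File | Measure-Object).Count
    } finally {
        # rmdir on a directory symlink removes only the link, never the snapshot contents.
        cmd /c rmdir "$link" | Out-Null
    }
}

# Usage (placeholder snapshot and paths; pick a snapshot dated before the encryption):
# Get-ShadowCopyInventory | Format-Table -AutoSize
# Restore-FromShadowCopy -DeviceObject '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3' `
#     -RelativePath 'Users\Alice\Documents' -Destination 'E:\recovered'
```

Run the inventory first and choose a snapshot whose `Created` date is earlier than the ransom note appeared; the recovered folder lands inside `$Destination`, so the encrypted originals are never overwritten. If the inventory shows no rows for a drive, this method cannot help for that drive: Windows only keeps snapshots for volumes on which System Protection is turned on.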


Muhammad Shoaib said...

I have not made any backup so I am supposed to use method 2 or 3... There is no previous version of any file. I downloaded Shadow Explorer and ran it. It is showing only the C drive's folders. When I select the D drive from the dropdown then it is showing a blank screen and nothing else... What to do now???

Admin said...

@Muhammad Shoaib, sometimes Shadow Explorer can't detect any other local drives than C:\. I'm not sure why. So, if you don't have backups and Windows previous version tool can't help you either then the only option left is to pay the ransom. It's up to you really. I personally wouldn't pay the ransom unless encrypted files are worth more than $300.

Muhammad Shoaib said...

I am not going to pay $300 and, by the way, the on-screen message clearly says that if you turn your PC off, your key will be expired. I have already turned it off so my key is already expired. But I was not going to pay it even if my key were alive. Thank you for your help. I am trying some alternatives; if I get success then I will post here.

Anonymous said...

I have the same problem as Muhammad, no backups at all. Was able to remove the malware but left with encrypted files. Still looking for alternatives please. Thank you.

dileep kumar said...

I have been facing this Threat Finder issue for a while on my personal computer.
I am not able to access the internet either, so I tried downloading the SpyHunter installer on my other computer and copying the file to the affected computer using a flash drive. It says the file is not compatible with my OS version. Mine is a 64-bit Windows 7 machine.
Can someone help me with the correct version .exe file please?