Your computer is infected with malicious software? Do you have pop-ups on your PC?
If so, search this blog for removal instructions or browse computer threats by category.

Friday, February 6, 2015 and Files Encrypted Virus Removal Guide

Tell your friends:
If you're looking to find out a little bit more information about ransom Trojan malware (ransomware) – and if, more importantly, you are looking for a couple of easy to execute tips that will help you protect yourself against becoming a victim to this unpleasant form of malware, read on and we'll hopefully answer any questions you may have, including how to restore your files.

What is ransom Trojan malware?

Ransom Trojans are the most commonly found type of malware on the Internet – which is unfortunate because they are also one of the nastiest. They are a serious threat to your computer's security and they have a nasty habit of encrypting your files. Generally speaking they are used to extract money from you or to defraud you and they can do a lot of irretrievable damage. This particular ransom Trojan encrypts pretty much every file on your computer. It simply scans your computer for files, encrypts them and gives random names to each file ending with the XTBL file extension. Then, it creates at least 10 text files with instructions on how to get your files back. It also adds a new background image with warning that your files were encrypted and that you have to read README.txt files for more information. Here's how it looks:

And here's how the README.txt reads:

Ваши файлы были зашифрованы.
Чтобы расшифровать их, Вам необходимо отправить код:
на электронный адрес или
Далее вы получите все необходимые инструкции.
Попытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной потери информации.

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
to e-mail address or

Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.

As you can see, cyber crooks provide the same information in two languages: English and Russian. It probably means that this ransomware campaign targets not only English speaking countries but also others that understand Russian. Each victim gets a unique code that must be emailed to either or I'm pretty sure that they change email address quite often, so don't be surprised if yours are different. Cyber crooks say that they will send you all necessary information by email and that all attempts to decrypt your files will result in data loss. I haven't tried to contact them, so I can't say whether it's true or not. What I can confirm is that this ransom Trojan does encrypt files. My guess is that cyber crooks ask to pay the ransom which could be $300, $500 or even more in order to get a decryption tool and decrypt your files. That's how ransomware usually works.

Here's how encrypted files look like:

How does ransom Trojan malware get its name?

Trojan Horse malware takes its name from the ancient Greek fable (or true story?!) in which Greece defeated their enemies in the Trojan War by building a gigantic, hollow wooden horse and hiding their soldiers inside it. They wheeled the horse to the gates of the city and pretended it was a peace offering to the people of Troy. In reality, of course, it was merely a tactical attempt to infiltrate the city and attack it from the inside. And that is precisely what they did, winning the war.

And that is precisely how ransom Trojan malware works too. It is a malicious computer program that has been designed to look as if it is innocent. So when you think you are downloading a game, the latest episode of your favorite TV show shared in a peer to peer file, or even an anti-virus program, you could in fact be downloading and installing malware instead. And it's usually a combination of different Trojans. In my case, it was Worm.Korron, Trojan.Agent.XN and Trojan.Packed.28357. The last one runs from the %Temp% folder and downloads orher malware files onto your computer. It's very important to remove all malware from your computer before trying to restore your files or use any file decrytion tools.

Traits of ransom Trojan Horse

As well as causing security breaches on your operating system and deleting your files (in fact they can erase all the contents contained in your entire system), extremely scarily, they can also give the programmer of the Trojan Horse access to your computer. They will encrypt your files and then turn your PC into something called a zombie computer and use it to attack other users.

So without further ado – here are 2 ways to protect yourself – and your PC – from ransom Trojan Horse malware
  1. Many ransom Trojans are hidden in email attachments, links in instant messenger chat apps or in shareware and P2P files, however websites are also used to download them onto your machine by use of something called a 'drive by' installation. Any website can be a potential target by a cyber crook – and therefore a potential danger – but the more disreputable the site (pornography or gambling sites for example) the bigger the danger.
  2. Back up your files on a regular basis and keep files on a hard drive, or even on another computer – anywhere safe! Backup twice if you want to doubly ensure your safety. When you have copies of all your files, documents and data you will be able to get back up and running again much quicker than if a ransom Trojan encrypted everything and you had no duplicates.
To remove this ransom Trojan and related malware from your computer, please follow the steps in the removal guide below. If you have any questions, please leave a comment below. Last, but not least, if there's anything you think I should add or correct, please let me know. It might be a pain but the issue needs to be dealt with – and the way to do it is by not giving in, not paying up and not letting the attackers win. Good luck and be safe online!

Written by Michael Kaur,

Step 1: Removing the ransom Trojan and related malware:

Before restoring your files from shadow copies, make sure the ransomware is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install recommended anti-malware scanner. Run a full system scan and remove detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by ransom Trojan virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.

3. Righ-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.


Anonymous said...

No backup files (therefore shadow explorer is useless), files encrypted. How can I restore files now?

Admin said...

In that case you really don't have any other option than paying the ransom BUT I wouldn't do that unless those files are very very important. There's really no guarantee that cyber criminals will decrypt your files even after paying the ransom. Keep this in mind when you make the decision.

Sensei100000 said...

I also don't have a backup files, is there really no solution but to contact them for ransom?!!!
Is there any way to decrypt the files?
I'm truly devastated now.

Admin said...


Try Shadow Explorer first.

Sensei100000 said...

I tried but found out that my back settings was on for C drive only & off for D drive, so Shadow Explorer could't return the files.

Do you know another way to decrypt the files?

Admin said...


Unfortunately, I don't know any other way to get your files back.

Anonymous said...

I eliminated the virus, but I couldn´t remove the wallpaper. CCleaner has removed it, but after a restart the wallpaper of the virus appears again.
Any idea?

Anonymous said...

Payed the ransom and recieved a tool that decrypted all my files.

Sensei100000 said...

To Anonymous who payed the ransom:

would you upload the tool you received to decrypt your files? maybe it will help others to do so

wider said...

For the anonymous who payed, please upload the tool or i think you re lying and maybe u also do such things... DON'T PAY anyone, even if on your pc there was something important, try by your own but don't give money to these thieves. I m trying to decrypt my pc, if i will not then i ll format everything, but i prefer to destroy my pc while setting it on fire than give one cent to these people.

animator said...

To: wider
You're right, we should not help those hackers... If you find anything helpful about decrypting files please post it here.