
Wednesday, May 6, 2015

Remove IAC/SOPA PIPA Virus and Restore Encrypted Files

Warning! You have a computer found pirated content! All your files are encrypted! To decrypt files you need visit the site and follow the instructions posted on it. If the site is for some reason unavailable refer to the Your id 598742.

You can enter a password 5 times. Above this limit, all files will be deleted! Independent attempts to decrypt the data can lead to their loss.

That's the ransom note (a text document named HOW TO DECRYPT FILES.txt placed inside each folder) of a new ransomware which is detected as Trojan Horse TR/Crypt.XPACK.171354 and Win32/Filecoder.E by some anti-virus engines. So, if your files are encrypted and you got this ransom note, then your computer is definitely infected with a ransom virus. The good news is that it's not the most sophisticated ransomware; actually, it's not even close to CryptoWall 3.0 or CryptoLocker, but it can still cause some serious problems. Thankfully, there are a few tools that can be used to remove the virus and restore your files. You have probably heard of ransom Trojans in the malware sense, but if you want to find out a little more about this spiteful internet attacker, you've come to the right place. In order to adequately protect yourself when you're using your PC, you should know exactly what a Trojan ransom is, how it gets onto your PC, and what it can do to you once it has installed itself. Even more crucially, you need to know how you can protect yourself from being infected.

What do ransom Trojans do?

It encrypts your files (two words: back up!) and turns your computer into a zombie. Far less entertaining than the TV show The Walking Dead: if your computer is recruited by an attacker as one of their zombie hordes, it could be using your own PC to further spread its poison. For example, they could be using YOUR computer to email YOUR contacts with THEIR ransomware! Basically, when your PC becomes a zombie computer, this malicious third party is in control of your operating system. But that's only an additional module of this infection. The main goal is to encrypt your files. Then it displays a ransom note with information and links on how to make a payment (could be $300 or more). Payment instructions are available on and Both websites provide the same information. They are regionally localized to show you the ransom instructions in your language. In the image below you can see the US ransom payment site. As you can see, it starts with the International Police Association - IAC warning claiming that you downloaded illegal files. It even shows your IP address, probably to scare you into thinking that the authorities will be able to find you in case you decide not to pay their fine. At the bottom of the page, and in the ransom note as well, there's an email address which can be used in case you have some difficulties or questions.

The ransom virus can also change your desktop background image to a fake warning that states: CONTENT Blocked by SOPA PIPA under authority granted by H.R. 3261 & S.968. That's probably just another trick to make you think that this is a real thing and you're in big trouble right now. Don't worry, you're not!

Since this / SOPA PIPA ransom virus doesn't use a very sophisticated encryption algorithm, you can expect to have your files back quite easily. All the tools needed to restore your files are given below. Please note that this ransomware appends a 6-digit extension to every encrypted file, for example work.docx.598742, so I suggest you keep it that way. Don't try to manually change or remove the appended extension because you may corrupt the file.
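Before touching anything, it helps to know exactly which files carry the appended 6-digit id and where the ransom notes sit. The script below is an added example, not part of the original post or any tool it mentions: it walks a folder tree read-only, groups encrypted files by the id in their suffix, recovers the original file name without renaming anything, and lists every HOW TO DECRYPT FILES.txt it finds. The sample directory it builds is constructed for the dry run; point `inventory_encrypted_files` at a real drive to get an inventory you can compare against your backups or shadow copies.

```python
import os
import re
import tempfile
from collections import defaultdict

# Encrypted files carry a six-digit numeric suffix taken from the victim id in
# the ransom note, e.g. work.docx.598742. The note file name is from the post.
ENCRYPTED_SUFFIX = re.compile(r"^(?P<original>.+)\.(?P<victim_id>\d{6})$")
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"

def inventory_encrypted_files(root):
    """Walk `root` read-only and report what the ransomware touched.

    Returns {'by_id': victim_id -> [(encrypted_path, original_name)],
             'notes': [ransom note paths]}. Nothing is renamed or deleted:
    stripping the suffix by hand can corrupt the file. Caveat: any file
    whose name legitimately ends in a dot plus six digits also matches.
    """
    by_id = defaultdict(list)
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                notes.append(full)
                continue
            match = ENCRYPTED_SUFFIX.match(name)
            if match:
                by_id[match.group("victim_id")].append((full, match.group("original")))
    return {"by_id": dict(by_id), "notes": sorted(notes)}

def build_sample_tree():
    """Constructed sample tree (not real victim data) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="ransom_inventory_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("work.docx.598742", "budget.xlsx.598742", "notes.txt", RANSOM_NOTE_NAME):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("constructed sample\n")
    with open(os.path.join(root, RANSOM_NOTE_NAME), "w") as fh:
        fh.write("constructed sample\n")
    return root

if __name__ == "__main__":
    result = inventory_encrypted_files(build_sample_tree())
    for victim_id, entries in result["by_id"].items():
        print(f"id {victim_id}: {len(entries)} encrypted file(s)")
        for path, original in entries:
            print(f"  {path}  (original name: {original})")
    print(f"{len(result['notes'])} ransom note(s) found")
```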

How does the Trojan ransom infect your PC?

Sorry to break it to you but it's your fault! Okay, that's a little harsh maybe but the fact is that you do have a part to play in your computer being infected. And that's because Trojan Horse ransomware plays on our weaknesses, insecurities and perhaps even our boredom or our relaxed attitude to downloading software and files. Let us explain. In order for a Trojan ransom to be able to disrupt your machine it needs you to install the server part of the application yourself. That's because ransom Trojans are not viruses and don't spread themselves – they need you to do their dirty work for them. And to do this they lure you in by trying to tempt you with attractive looking apps or games, the most technically advanced antivirus tool, or any other must have software, applications, files or programs.

The name given to this is social engineering, meaning that the Trojan's programmer is trying to manipulate you into undertaking an action – in this case downloading their app or tool. You're sucked in, you simply can't live without that latest farm game, but unknown to you, it is actually a Trojan ransom in disguise.

There are a couple of other methods programmers use to ensure the best possible chance of their product making its way onto your computer, and that is by sending it to you over email or in an instant chat message. You'll receive an attachment or link which, once clicked or opened and run, will install the Trojan. Furthermore, it will run every single time you log on, causing more and more chaos. Which brings us to...

How to avoid becoming a victim of / CONTENT Blocked SOPA PIPA ransomware

Trojans might be cool on the big screen; on your computer, not so much. Therefore, never open attachments or click links in emails or chat messages if you don't know the sender – no matter how tempting the offer or freebie looks. And of course, make sure you have great antivirus software installed.

So what should you do if your files have been encrypted? Easy to say, but try not to panic, and most definitely do not pay any money unless the encrypted files are very important and you can't afford to lose them. If the encrypted files are not very important or you don't have money to pay the ransom, you can try to restore your files (at least some of them) using Shadow Explorer and the specialized tools listed below. Please note that even if you decide to pay the ransom, there's really no guarantee that the cyber criminals will recover your files.

If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur,

Step 1: Removing IAC/SOPA PIPA and related malware:

Before restoring your files from shadow copies, make sure the ransomware is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by IAC/SOPA PIPA virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool works with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted for the location where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.