
Wednesday, November 18, 2015

.crinf Extension / ReadDecryptFilesHere.txt Ransomware Removal Guide

It doesn't take a rocket scientist or Silicon Valley whizz kid to work out that, by the law of averages, the more time we spend online, the greater the odds of being attacked by ransomware, a phishing scam, a virus, or a hack attack. That's okay, you think to yourself, I have a sturdy anti-virus program installed, and I never download anything dubious or look at 'adult' websites. Well, I'm sorry to be the bearer of bad news, but in this day and age it is ransomware and its ilk that have the upper hand.

Antivirus programs and security software are sophisticated, yes, but they are created reactively, not proactively. Once a new version of some malicious file encryption software is released (for example CryptInfinite, which appends the .crinf extension to encrypted files and leaves a ReadDecryptFilesHere.txt ransom note), the security companies then scramble to come up with an update that can deal with the threat. What that means for you is that if you are running an old version of your anti-virus software, you are not adequately protected. Likewise, if you do not update your Windows OS or the other programs you have running on your PC, you are also vulnerable. And what about that window of opportunity (for the cyber criminals) when they have launched their new ransomware but the security companies have not yet discovered it, or have not yet been able to counteract it?

So how can I protect myself from CryptInfinite .crinf extension ransomware?

The best thing you can do is to educate yourself as well as possible so that you have a fighting chance of giving malware as wide a berth as possible. And with that in mind, we are going to delve a little deeper into the murky world of ransomware.

What is CryptInfinite .crinf extension ransomware?

In a nutshell, it is a type of computer software program designed to extort money from innocent end users by holding their files, data, or computer operating system hostage. This is 21st century style kidnapping: ransom notes (ReadDecryptFilesHere.txt) are sent in the form of emails or on-screen messages, and the victim is your encrypted data, which will only be released to you upon payment of a ransom. Once installed, it deletes Volume Shadow Copies, disables the Windows restore feature and attempts to terminate certain Windows processes such as the registry editor. The contents of ReadDecryptFilesHere.txt are as follows:

Your personal files have been encrypted!
Your documents, photos, databases and other important files have been encrypted using a military grade encryption algorithm.
The only way to decrypt your files is with a unique decryption key stored remotely in our servers. All your files are now
unusable until you decrypt them. You have 24h to pay for the release of your decryption key. After 24h have passed, your
decryption key will be erased and you will never be able to restore your files.
To obtain your unique decryption key you will need to pay $300 using a PayPal MyCash voucher.
If the payment is not sent within 12h the amount to obtain your decryption key will be $1000.
PayPal MyCash vouchers can be purchased at CVS, 7-Eleven, Dollar General, fred's Super Dollar,
Family Dollar and many other stores.
After obtaining your PayPal MyCash voucher code you need to send an email to or with the following information.
1. Your $300 PayPal MyCash PIN
2. Your encryption ID = [edited]
Shortly after the voucher is received and verified, all your files will be restored to their previous state.
All payments are processed and verified manually, do not try to send invalid PIN numbers.

So, as you can see, to obtain your unique decryption key you will need to pay $300 using a PayPal MyCash voucher, and if you fail to do so within 12 hours, the cyber criminals will triple the price. Two email addresses are given for sending them your encryption ID and PayPal MyCash PIN. In your case, the email addresses may be different because the cyber criminals change them often. After that, you will be able to download the DecryptorMax.exe program, which will decrypt your files.

So, fairly straightforward: I pay the ransom and my data is decrypted, right?

You didn't think it was going to be quite that simple, did you? Just because you've handed over your hard-earned cash, there is no guarantee that you are going to be able to retrieve your files. This is a cyber criminal you are dealing with after all – hardly the most credible or legitimate person to enter into a business arrangement with!

How do you get infected by .crinf / ReadDecryptFilesHere.txt ransomware?

As with pretty much all forms of malware, ransomware infects you in a couple of ways: through an infected email or messenger program attachment or link, by being packaged with an application, download or program, or through a compromised website you've visited.

Help – I've been infected! What should I do?

Don't pay the ransom! If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try Shadow Explorer and Recuva programs or search your computer for previous versions of files. If you are lucky enough you may find files that were not encrypted and renamed to .crinf. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur

Step 1: Removing .crinf extension (CryptInfinite) ransomware and related malware:

Before restoring your files from shadow copies, make sure the ransomware is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove any detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. If you don't know how to do that, please watch this video.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by .crinf extension (CryptInfinite) virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
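Before exporting folders from a backup or shadow copy, it helps to know which folders were hit and which files survived. The following Python script is an added example, not part of the original guide: it walks a folder read-only and classifies files, assuming the ransomware only appends `.crinf` to the original file name as described above. The sample folder tree it builds is constructed for demonstration.

```python
import os
import tempfile
from collections import Counter

ENC_EXT = ".crinf"                       # extension named in this guide
NOTE_NAME = "readdecryptfileshere.txt"   # ransom note named in this guide

def triage(root):
    """Walk root without modifying anything and classify every file."""
    report = {"encrypted": [], "notes": [], "intact": [],
              "already_restored": [], "per_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                report["notes"].append(path)
            elif lower.endswith(ENC_EXT) and len(name) > len(ENC_EXT):
                # Assumption: original name = encrypted name minus ".crinf"
                original = name[:-len(ENC_EXT)]
                report["encrypted"].append((path, original))
                report["per_dir"][dirpath] += 1
                # A clean copy beside the encrypted one needs no restore
                if original.lower() in names:
                    report["already_restored"].append(path)
            else:
                report["intact"].append(path)
    return report

def build_sample(root):
    """Constructed sample tree, for demonstration only."""
    layout = {
        "Docs": ["report.docx.crinf", "notes.txt", "ReadDecryptFilesHere.txt"],
        "Pics": ["a.jpg.crinf", "a.jpg", "b.PNG.CRINF"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for f in files:
            with open(os.path.join(root, folder, f), "w") as fh:
                fh.write("x")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        r = triage(tmp)
        return (len(r["encrypted"]), len(r["notes"]),
                len(r["intact"]), len(r["already_restored"]))

if __name__ == "__main__":
    print("encrypted, notes, intact, already restored:", demo())
```

To use it on a real machine, call `triage()` on a user folder after the malware has been removed; the `per_dir` counts show which folders to export first.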