
Decrypting files after Trojan Encoder 293. Dr.Web's library of free utilities. How the infection happens

Frankly, I did not expect to run into what is probably one of the latest modifications of this virus. Not long ago I wrote a little about it on my site; now it is time to tell more :)

As I said, Trojan.Encoder is a Trojan program that encrypts user files. There are more and more varieties of this horror; by a rough count there are about 8 of them, namely Trojan.Encoder.19, Trojan.Encoder.20, Trojan.Encoder.21, Trojan.Encoder.33, Trojan.Encoder.43, 44 and 45, and the latest one which, as far as I understand, has not been numbered yet. The author of the virus is a certain "corrector".

Some information on the versions (collected partly from one site and partly from another):

Trojan.Encoder.19 - after infecting the system, the Trojan leaves a text file Crypted.txt demanding $10 for the decoder program.

Another variant of Trojan.Encoder.19 walks all non-removable media and encrypts files with extensions from the following list:
.jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .asf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .db, .mdb, .dbf, .dbx, .h, .c, .pas, .php, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .sol, .jbc, .txt, .pdf.

Trojan.Encoder.20 - a new version of the extortion Trojan, in which the encryption and key-generation mechanism is changed compared to Trojan.Encoder.19.

Trojan.Encoder.21 - a new modification of the Trojan; its Crypted.txt file demands that the money ($89) be transferred only through a specific payment system named by the virus author, and not through systems such as PayPal or cash. To spread, Trojan.Encoder.21 uses sites known as active distributors of Trojans. Earlier modifications used disposable links or links with a short lifetime. This feature of Trojan.Encoder.21 may dramatically increase the pace of its distribution.

Trojan.Encoder.33 also encrypts user data, but uses new mechanisms. At risk are *.txt, *.jpg, *.jpeg, *.doc, *.docx and *.xls files, which the Trojan moves to the folders:
C:\Documents and Settings\Local Settings\Application Data\CDD
C:\Documents and Settings\Local Settings\Application Data\FLR
At the same time, the original files are replaced with the message "FileError_22001".

Unlike previous modifications, Trojan.Encoder.33 does not display any messages demanding payment of various sums of money. Also, this Trojan only runs its encryption routine if it manages to contact an external server.

The latest ones differ from the previous ones by a new document-encryption key as well as new attacker contact data. Dr.Web specialists promptly created utilities that decrypt files locked by the new Trojan.Encoder modifications. But one more, the "freshest" modification of Trojan.Encoder is of particular interest. This version of the Trojan adds the extension .drweb to encrypted files. Because Dr.Web antivirus has successfully countered Trojan.Encoder, the author apparently wanted to "get back" at us by mentioning our brand in the names of the encrypted files.

In addition, Dr.Web specialists have a link to one of the sites of the author of the current Trojan.Encoder modifications. Interestingly, the owner of that resource tries to associate himself with Dr.Web, using images of a spider and a doctor, although the company has nothing to do with such sites. Obviously, such a design is meant to confuse inexperienced users and compromise the Doctor Web company.

The attacker tries in every way to present himself to the victims in a positive light, as a person who helps restore user documents. On his site he offers a video demonstrating the document-decryption utility for which the money is extorted.

According to the available information, a single person is extorting money after the encryption of files.

Analysts at Doctor Web have developed a decryption utility and offer all users free restoration of their files. For the users' convenience, the new version of the utility is equipped with a graphical interface module and is called Trojan.Encoder Decrypt.

Today I ran into yet another (possibly the newest) version of this filth, which not only encrypted everything but also leaves no Crypted.txt file, which the Dr.Web decryption program needs in order to restore the files. Moreover, this (or not this, but some other) thing completely blocked access to AVZ and gave no way to run it on the computer. It was impossible to unpack the downloaded archive or to copy an already unpacked folder onto the computer; in short, it ties your hands and feet, cutting off the AVZ databases that live in the Base folder and have the .avz extension. The trick of renaming the extension or launching it remotely did not work either. I had to get creative. After booting the computer with the software bundle + and cleaning it thoroughly, without a single reboot (this is important), and after manually killing the stray processes, autorun entries, kernel-space modules and the other horrors of AVZ life, I managed to run it. A comprehensive analysis of the system with this tool revealed a whole heap of trouble and removed a number of viruses (the Encoder itself was removed by Dr.Web), but... decrypting the files with the special program does not work because Crypted.txt, or anything like it, is missing. And I do not know of any other solution yet.

Therefore, I strongly recommend that everyone infected first use the Dr.Web CureIt + Spybot bundle, and then contact Dr.Web for help in decrypting the files. They promise to help, completely free of charge.

Where the user picked up this virus I, unfortunately, do not know.

Thanks for your attention, and keep your computer safe. It matters.

Hello everyone! Today I want to shed light on a problem connected with a malicious program that encrypts the files on a computer. It is the kind of problem after which requests like "Help! A virus encrypted my files" appear; many computer technicians get the same question, and some even refuse to help, but in the end they use what is described below. So what is to be done if a virus has encrypted the files on your computer? Read the article to the end, calm down and start acting. Go!

Encryptors are varieties of the Trojan.Encoder family (that is how Dr.Web classifies them). The encryptor program itself is often caught by the antivirus after some time, if it missed it at first. But the consequences of its work are depressing. What to do if you have become a victim of this kind of nastiness? Let's figure it out. To begin with, you need to know roughly how the enemy works, so as to stop pestering everyone with silly questions in the hope that a shaman with a tambourine will appear and solve your problem on the spot. So, as far as I know, the virus uses asymmetric keys; otherwise there would not be so many problems with it. Such a system uses two keys: one encrypts, the other decrypts. Moreover, the first is computed from the second (but not vice versa). Let's try to picture it clearly, on our fingers. Consider a pair of drawings that illustrate the encryption and then the decryption process.

Let's not go into the details of how the public key is formed. These two pictures show encryption and then decryption; it is like closing a door and then opening it. So what is the real problem with an encrypting virus? The problem is that you have no key at all. The keys are with the attacker. And the encryption algorithms that use this technology are very cunning. You can somehow obtain the public key by studying a file, but that makes no sense, because you need the secret key. And that is the snag: even knowing the public key, obtaining the secret one is practically impossible. Of course, in films and books, as well as in the stories of friends and acquaintances, there are super-duper hackers who decipher everything by waving their hands over the keyboard and brute-force everything head-on, but in the real world it is not that simple. I will say that this task cannot be solved head-on, period.

And now about what to do if you have picked up this nastiness. You do not have many options. The most banal one is to contact the author by the e-mail address which he kindly provides in the new desktop wallpaper and also writes into the name of each spoiled file. Be careful, or you will get neither your money nor your files. Option two: antivirus companies, in particular Dr.Web. Contact their support at https://support.drweb.ru/new/free_unlocker/for_decode/?lng=ru. Fill in the required fields and wait. True, there is one "but": you must be using a licensed Dr.Web antivirus; if you do not have it, you will need to purchase a license. If successful, your request goes to the company's technical support, and then you wait for a reply. Please note that this method gives no 100% guarantee of fully decrypting all files, because they do not have all the keys and algorithms in stock. Other antivirus companies also do decryption, on similar terms. The third option is to contact law enforcement. By the way, if you create a request to Dr.Web, even they will tell you about it. The third option can be protracted and unsuccessful (as can the first two, however), but if it succeeds the attacker will be punished and will harm fewer people, and the key will be passed to the antivirus companies. There is also a fourth option: to search, unsuccessfully, for a miracle master who somehow got hold of a super-secret method. Go ahead, guys! But think about it: if the antivirus companies give no 100% guarantee and recommend contacting the police, what else is there to look for? Do not waste your time and money; be realistic.

Summary. Unfortunately, many people are offended by technicians who send them to the police or to an antivirus company when they beg for help, but, dear users, understand: technicians are not omnipotent, excellent knowledge of cryptography is needed here, and even that is unlikely to help. So use the three methods above, but with the first as the last resort (extreme); it is better to contact the authorities and in parallel try to save at least something with the help of the antivirus company's specialists.
And by the way, going to the police helps other victims, and if everyone does so, such infections will become several times rarer, so think not only about yourself but also about other people. Also, be prepared for the possibility that nobody but the author of the virus can solve your problem! Therefore, draw the important conclusion for yourself and keep valuable files in multiple copies on different devices, or use cloud services.

Windows Trojan.Encoder.19 Decryptor - decryption utility from the Doctor Web company for the Trojan program Trojan.Encoder.19. After infecting the system, the Trojan leaves a text file Crypted.txt demanding $10 for the decoder program:

Your files are encrypted! The decryptor costs $10! Read more: http://decryptor.****** E-mail: [Email Protected]****** ICQ: ******* S/N BF_3-PUCHT$+BM5 Do not delete and do not change this file!!!

Instructions for use

  1. Run file decryption on the entire C: drive. To do this, run the program with the following command-line parameters:
    For example:
  2. The files on drive C: will be decrypted. When the utility finishes, decrypted files without the .Crypt extension should appear next to the encrypted files that carry the .Crypt extension. Do not delete the encrypted files, because incorrect decryption cannot be ruled out.
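The step above warns that a decryption may be wrong and that the encrypted originals must be kept. A plausibility check to run on each decrypted file before trusting it, added here as an example and not part of Dr.Web's utility or of this article: it checks the published file signature for the extensions the page lists as targets, and falls back to a byte-entropy estimate for formats that have no signature. The `MAGIC` table, the 7.5 bits/byte threshold, the function names and the sample byte strings are my own constructions.

```python
"""Plausibility check for a decrypted file before its encrypted copy is deleted."""
import math
import os
from collections import Counter
from typing import Dict, List, Tuple

# Published file signatures for some of the extensions listed as targets above.
# The table itself is constructed for this example.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # .doc/.xls/.ppt container
ZIP = b"PK\x03\x04"                          # .zip and Office Open XML
MAGIC: Dict[str, List[bytes]] = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
    ".zip": [ZIP], ".docx": [ZIP], ".xlsx": [ZIP], ".pptx": [ZIP],
    ".doc": [OLE2], ".xls": [OLE2], ".ppt": [OLE2],
    ".rar": [b"Rar!\x1a\x07"],
    ".psd": [b"8BPS"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
}

# Ciphertext is close to 8 bits of entropy per byte; the cut-off is my choice.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def original_extension(encrypted_name: str) -> str:
    """Strip the Trojan's .Crypt suffix and return the victim file's extension."""
    base = encrypted_name
    if base.lower().endswith(".crypt"):
        base = base[: -len(".crypt")]
    return os.path.splitext(base)[1].lower()


def looks_decrypted(data: bytes, ext: str) -> Tuple[bool, str]:
    """Decide whether `data` is plausibly a valid file of type `ext`.

    A known signature is decisive in both directions: compressed formats such
    as .jpg or .docx have high entropy even when valid, so entropy alone would
    misjudge them. Formats without a signature (.txt, .c, .php ...) fall back
    to the entropy estimate over the first 64 KiB.
    """
    signatures = MAGIC.get(ext.lower())
    if signatures is not None:
        if any(data.startswith(sig) for sig in signatures):
            return True, f"signature matches {ext}"
        return False, f"no {ext} signature at offset 0"
    entropy = shannon_entropy(data[:65536])
    if entropy >= ENTROPY_THRESHOLD:
        return False, f"{entropy:.2f} bits/byte, still looks like ciphertext"
    return True, f"{entropy:.2f} bits/byte, consistent with plaintext"


def check_pair(encrypted_path: str, decrypted_path: str) -> Tuple[bool, str]:
    """Read a decrypted file from disk and judge it against its encrypted name."""
    with open(decrypted_path, "rb") as fh:
        data = fh.read(65536)
    return looks_decrypted(data, original_extension(os.path.basename(encrypted_path)))


# Constructed sample contents (not real victim files).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 100
SAMPLE_TEXT = b"Quarterly report, draft 3\n" * 40
SAMPLE_CIPHER = bytes(range(256)) * 16   # every byte value equally often: exactly 8.0 bits/byte

if __name__ == "__main__":
    for label, data, ext in [("jpeg", SAMPLE_JPEG, ".jpg"),
                             ("text", SAMPLE_TEXT, ".txt"),
                             ("ciphertext as jpg", SAMPLE_CIPHER, ".jpg"),
                             ("ciphertext as txt", SAMPLE_CIPHER, ".txt")]:
        print(label, looks_decrypted(data, ext))
```

A file that fails this check is exactly the case the instruction has in mind: keep its .Crypt original and include it among the samples sent to technical support rather than deleting it.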

ATTENTION! We categorically do not recommend paying the ransom. We also strongly ask users not to try to reinstall the system or restore it from backups, but to seek help from technical support or in the special section of the official Doctor Web forum.

If some files could not be decrypted, please send the Crypted.txt file from the root of drive C: and several samples of encrypted files to the address [Email Protected].

Specialists of the Dr.Web antivirus company have developed a method for decrypting files made inaccessible by the dangerous encoder Trojan Trojan.Encoder.2843, known to users under the name "Vault".

This version of the encryptor, which received the Dr.Web classification Trojan.Encoder.2843, is actively spread by the attackers by means of mass mailings. The attachment is a small file containing a JavaScript script. This file extracts an application that performs the remaining actions needed for the encoder to work. This version of the Trojan encryptor has been distributed since November 2, 2015.

The operating principle of this malicious program is also quite curious. An encrypted dynamic library (.dll) is written into the Windows registry, and the Trojan embeds a small piece of code that reads the file from the registry into memory, decrypts it and transfers control to it.

Trojan.Encoder.2843 also stores the list of encrypted files in the system registry, and for each of them uses a unique key consisting of capital Latin letters. Files are encrypted with the Blowfish algorithm in ECB mode; the session key is encrypted with RSA via the CryptoAPI interface. Each encrypted file receives the extension .Vault.

Specialists of the Doctor Web company have developed a special technique that in many cases allows files damaged by this Trojan to be restored. If you have become a victim of the malicious program Trojan.Encoder.2843, follow these recommendations:

  • file a statement with the police;
  • under no circumstances attempt to reinstall the operating system, or to "optimize" or "clean" it with any utilities;
  • do not delete any files on your computer;
  • do not attempt to restore the encrypted files yourself;
  • contact Dr.Web Technical Support (this service is free for Dr.Web commercial licenses);
  • attach to the ticket any file encrypted by the Trojan;
  • wait for a reply from a technical support specialist; because of the large number of requests, this may take some time.

We remind you that the file-decryption service is provided only to owners of commercial licenses for Dr.Web antivirus products. Doctor Web does not give a complete guarantee of decrypting all files damaged by a file encoder, but our experts will make every effort to save the encrypted information.

If the system is infected with malware from the families Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX, all files on the computer are encrypted as follows:

  • In the case of Trojan-Ransom.Win32.Rannoh, names and extensions change according to the template locked-<original_name>.<4 random letters>.
  • In the case of Trojan-Ransom.Win32.Cryakl, a label is added to the end of the file contents.
  • In the case of Trojan-Ransom.Win32.AutoIt, the extension changes according to the template <original_name>@<mail_domain>_.<character_set>.
    For example, [Email Protected]_.RZWDTDIC.
  • In the case of Trojan-Ransom.Win32.CryptXXX, the extension changes according to the templates <original_name>.crypt, <original_name>.crypz and <original_name>.cryp1.

The RannohDecryptor utility is designed to decrypt files after infection by Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1, 2 and 3.
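The file-name templates above, together with the .Crypt, .drweb and .Vault extensions described earlier on this page, are usually the first thing a responder sees, so here is a small triage script that matches a directory listing against them. It is an added example, not code from Doctor Web or from any of the decryption utilities. The regular expressions are my translation of the page's templates, the sample file names are constructed, and the Crypted.txt tie-breaker is an assumption: the page says only that the early Trojan.Encoder decryptor needs that ransom note, so the script uses the note's presence to separate Trojan.Encoder's .Crypt from CryptXXX's .crypt.

```python
"""Name-based triage of encrypted files against the families listed on this page."""
import re
from typing import Dict, List, Tuple

# Family -> file-name template, taken from the page:
#   Rannoh   : locked-<original_name>.<4 random letters>
#   AutoIt   : <original_name>@<mail_domain>_.<character_set>
#   CryptXXX : <original_name>.crypt / .crypz / .cryp1
#   Vault    : <original_name>.Vault   (Trojan.Encoder.2843)
#   .drweb   : <original_name>.drweb   (late Trojan.Encoder modification)
#   Encoder  : <original_name>.Crypt   (Trojan.Encoder.19/20/21)
# Cryakl appends a label to the file *contents*, so it is deliberately absent:
# it cannot be recognised from the name alone.
FAMILY_PATTERNS: List[Tuple[str, "re.Pattern"]] = [
    ("Trojan-Ransom.Win32.Rannoh",
     re.compile(r"^locked-(?P<orig>.+)\.[A-Za-z]{4}$")),
    ("Trojan-Ransom.Win32.AutoIt",
     re.compile(r"^(?P<orig>.+)@[^@]+_\.[A-Za-z0-9]+$")),
    ("Trojan-Ransom.Win32.CryptXXX",
     re.compile(r"^(?P<orig>.+)\.(?:crypt|crypz|cryp1)$", re.IGNORECASE)),
    ("Trojan.Encoder.2843 (Vault)",
     re.compile(r"^(?P<orig>.+)\.vault$", re.IGNORECASE)),
    ("Trojan.Encoder (.drweb modification)",
     re.compile(r"^(?P<orig>.+)\.drweb$", re.IGNORECASE)),
    ("Trojan.Encoder.19/20/21",
     re.compile(r"^(?P<orig>.+)\.crypt$", re.IGNORECASE)),
]

ENCODER_EARLY = "Trojan.Encoder.19/20/21"


def classify_name(filename: str) -> List[Tuple[str, str]]:
    """Return every (family, recovered original name) whose template matches.

    More than one hit is possible: ".crypt" is used both by CryptXXX and by the
    early Trojan.Encoder versions, so callers must disambiguate.
    """
    hits = []
    for family, pattern in FAMILY_PATTERNS:
        match = pattern.match(filename)
        if match:
            hits.append((family, match.group("orig")))
    return hits


def triage(filenames: List[str], crypted_txt_present: bool) -> Dict[str, List[str]]:
    """Group encrypted file names by the most plausible family.

    The one ambiguity on this page is ".crypt". The early Trojan.Encoder
    decryptor needs the Crypted.txt ransom note from the root of drive C:, so
    the note's presence is used as the tie-breaker (an assumption of this
    example); otherwise the first match in FAMILY_PATTERNS order wins.
    """
    groups: Dict[str, List[str]] = {}
    for name in filenames:
        families = [family for family, _ in classify_name(name)]
        if not families:
            continue
        if len(families) > 1 and crypted_txt_present and ENCODER_EARLY in families:
            chosen = ENCODER_EARLY
        else:
            chosen = families[0]
        groups.setdefault(chosen, []).append(name)
    return groups


# Constructed directory listing for the demonstration (not from a real incident).
SAMPLE_LISTING = [
    "locked-budget.xlsx.abcd",
    "report.doc@mail.example_.rzwdtdic",
    "photo.jpg.crypz",
    "contract.pdf.Vault",
    "thesis.docx.drweb",
    "notes.txt.Crypt",
    "readme.txt",
]

if __name__ == "__main__":
    for with_note in (True, False):
        print(f"Crypted.txt present: {with_note}")
        for family, names in triage(SAMPLE_LISTING, with_note).items():
            print(f"  {family}: {', '.join(names)}")
```

The recovered original name is what a responder needs when pairing an encrypted file with an unencrypted copy, as RannohDecryptor asks for below; the family label tells which vendor utility or support channel on this page applies.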

How to cure the system

To cure an infected system:

  1. Download the RannohDecryptor.zip file.
  2. Run RannohDecryptor.exe on the infected machine.
  3. In the main window, click Start check.
  4. Specify the path to an encrypted file and to its unencrypted copy.
    If the file was encrypted by Trojan-Ransom.Win32.CryptXXX, specify the largest files: decryption will be available only for files of equal or smaller size.
  5. Wait for the search and decryption of the encrypted files to finish.
  6. Restart the computer if required.
  7. To delete the copies of encrypted files of the form locked-<original_name>.<4 random letters> after successful decryption, select Delete encrypted files after successful decryption.

If the file was encrypted by Trojan-Ransom.Win32.Cryakl, the utility saves the file in its old location with the extension .DECRYPTEDKLR.<original_extension>. If you selected Delete encrypted files after successful decryption, the utility saves the decrypted file under its original name.

By default, the utility writes a report to the root of the system drive (the drive on which the OS is installed).

The report name has the form: <utility name>.<version>_<date>_<time>_log.txt

For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

On a system infected by Trojan-Ransom.Win32.CryptXXX, the utility scans a limited number of file formats. If the user selects a CryptXXX v2 file, key recovery may take a long time; in that case the utility shows a warning.


