Remove File Virus

How to Remove Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key recovery is impossible!
To get the decoder and the original key, you need to to write us at the email or with the subject “encryption” stating your id.
Write in the case, do not waste your and our time on empty threats.

Those of you who’re interested in Roman history know that centurions were meant to be feared. And the file extension is indeed very frightening. This appendix is caused by a virus. A particularly dangerous, aggressive, destructive infection. Yes, you’ve fallen victim to ransomware. There’s a reason why ransom-type programs are so immensely dreaded. Numerous reasons, actually. The virus currently on board is a new variation of the Troldesh/Shade Ransomware. It uses a complicated encrypting algorithm and RSA-2048 key to lock your data. By “all your data” we mean all personal files you’ve stored on your computer. Pictures, music, videos, MS Office documents, etc. – nothing is safe now that your machine is infected. You can tell why PC users are so afraid of ransomware, can’t you? This parasite encrypts private data and denies you access to your own files. By using the AES CBC 256-bit cipher, it turns your files into unusable gibberish. The virus first performs a thorough scan of your machine. That happens immediately after installation. As you could imagine, this way your personal files get located. All the virus has to do now is lock them. One more thing about this infection – it attacks all versions of Windows.

Now, how does it work? The parasite copies the target file, then deletes the original. You’re left with the encrypted (and practically inaccessible) copy. Once you see the malicious file extension, know you’re in trouble. Anything modified by the ransomware is completely unreadable. Your machine is unable to read the new file format. Logically, you’re unable to view/use/work with your encrypted information. It goes without saying that some immensely important, valuable data might get locked. And that’s not even the worst part. While locking your data, the parasite also drops .txt and .html files. Those contain detailed payment instructions. We’re getting to the sole reason why ransomware gets developed in the first place. Money.
According to the parasite’s ransom message, your files are being held hostage. The only way to regain access to them is by using a unique decryption key. Obviously, the key doesn’t come for free. You would receive it in exchange for a certain sum of money in Bitcoin. Bitcoin is a popular online currency and the sum varies between 0.5 and 1.5. That means hackers demand between 300 and 900 USD in order to free your data. Are your pictures really worth that much? What’s even more worrisome is that you’d be making a deal with hackers. Cyber criminals. They have absolutely no reason to play by the rules, even the rules they invented. Ransomware is nothing but a clever attempt at an aggravating cyber scam. Thus, keep your money and delete the virus instead.

How did I get infected with?

The most common infiltration method involves spam messages. That means you’ve probably clicked open something dangerous in your inbox. A rule of thumb for the future – don’t be naive. Crooks are incredibly creative when it comes to spreading malware online. Keep in mind that messages from unknown senders are usually corrupted and harmful. To prevent virus installation, watch out for potential intruders on a daily basis. The key to your safety is your caution, so don’t underestimate any threat. Take your time to make sure you’re aware of what exactly lands on your machine. Stay away from spam emails and email attachments. Also, avoid installing illegitimate freeware or shareware bundles. Last but not least, third-party ads and unverified torrents are unreliable as well. The Web is infested with dangerous programs. It is your job and yours only to take care of your device before it’s too late.


Why is dangerous?

This infection brings along nothing but damage. Apart from the obvious fact it attacks your files, it serves as a back door to malware. That means keeping it on your system could result in further harm. As mentioned, you’re unable to use your personal files without a decoding key. You may pay the entire ransom and still receive nothing, though. Ransomware is strictly money-oriented; its goal is to blackmail you. Yours should be to prevent that. The file extension is indeed quite a pest. However, don’t let hackers play mind games with you and don’t give your money away. In the worst possible scenario your situation might become much worse. Your PC will remain compromised, your files will remain locked and a hefty sum of your money will be gone. Don’t take any unnecessary risks with ransomware. To get rid of this infection, please follow our manual removal guide.

Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Keep in mind that this is usually a randomly generated file.
  • Before you kill the process, type the name in a text document for later reference.


  • Locate any suspicious processes associated with encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Keep in mind that the process can be hidden and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate encryption Virus startup location

  • Once the operating system loads, press the Windows logo key and the R key simultaneously.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]


  • Then open Explorer, navigate to your %appdata% folder and delete the executable.

Alternatively, you can use the Windows msconfig program to double-check the execution point of the virus. Please keep in mind that the names on your machine might be different, as they might be generated randomly; that’s why you should run a professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.


  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.
