Removal of [email protected] Ransomware

Auinfo16 is a new ransomware variant that belongs to ACCDFISA type of ransomware viruses. It encrypts victims’ files and appends the extension (!! to get email id password UniqueID to [email protected] !!). The ransomware probably uses WinRar to archive the files in password-protected documents.


Name: [email protected] Ransomware

File Extensions: [email protected]

Ransom: Varies

Solution #1: [email protected] ransomware can be removed easily with the help of an anti-malware tool, a program that will clean your computer from the virus, remove any additional cyber-security threats, and protect you in the future.

Solution #2: [email protected] Ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.

Distribution: Usually, the ransomware is distributed via spam email campaigns that contain its malicious executable files. [email protected] ransomware may be in a malicious attachment, a malicious link in the text, or hidden in the text of the email.

What Is [email protected] Ransomware?

Like the other variants of ACCDFISA ransomware, Auinfo16’s malicious payload may be concealed under the name of the legitimate Windows process svchost.exe. It probably places the payload on the C: drive. Afterward, the ransomware may create a registry entry that will allow the malicious svchost.exe to run whenever the Windows OS is booted. The entry may be in the following location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, with a value pointing to "C:\Random name\svchost.exe"

Other malicious executables that support the successful infection of the ransomware may hide in the following locations (where "random" stands for a randomly generated file name):

%SystemDrive%\"random".exe (C:\"random".exe)
%SystemRoot%\"random".exe (C:\Windows\"random".exe)
%Temp%\"random".exe
%AppData%\"random".exe
%LocalAppData%\"random".exe
%ProgramData%\"random".exe
%WinDir%\"random".exe

Once launched on the system, [email protected] ransomware will scan the drives for existing data and then encrypt it. It may encrypt documents, videos, pictures, and music files.

After the encryption process, the ransomware may use WinRar to pack the files into password-protected archives and generate a password. The password may then be sent to the cyber-criminals’ servers along with a unique ID number. The number is included in the file extension appended to the encrypted files, so a file name may look like this:

examplefile.txt(!! to get email id password UniqueID to [email protected] !!)
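As an added example (not code from the original article), the following Python triage helper checks two of the indicators described above: file names carrying the ACCDFISA-style marker between "(!!" and "!!)", and a Run-key value that launches svchost.exe from anywhere other than %SystemRoot%\System32. The sample file names and the contact address attacker@example.invalid are constructed placeholders, because the page elides the real address.

```python
import re
import ntpath

# Marker appended after the original file name, e.g.
# examplefile.txt(!! to get email id password UniqueID to <address> !!)
# Older ACCDFISA variants used "(!! to decrypt email uniqueID to <address> !!).exe",
# so the wording inside the marker is captured loosely and only the address is pinned.
MARKER_RE = re.compile(
    r"^(?P<orig>.+?)\(!! (?P<note>.+?) (?P<contact>\S+@\S+) !!\)(?P<exe>\.exe)?$",
    re.IGNORECASE,
)


def parse_encrypted_name(name: str):
    """Return (original_name, contact_address, is_exe) for a marked file, else None."""
    m = MARKER_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("contact"), m.group("exe") is not None


def find_encrypted(names):
    """Filter a list of file names (e.g. from os.walk) down to the marked ones."""
    hits = []
    for n in names:
        parsed = parse_encrypted_name(n)
        if parsed:
            hits.append((n,) + parsed)
    return hits


def _exe_path(value_data: str) -> str:
    """Strip quotes and any command-line arguments after the .exe."""
    v = value_data.strip().strip('"')
    i = v.lower().find(".exe")
    return v[: i + 4] if i != -1 else v


def suspicious_svchost_run_value(value_data: str, system_root: str = r"C:\Windows") -> bool:
    """True if a Run-key value starts svchost.exe from outside %SystemRoot%\\System32."""
    path = _exe_path(value_data)
    if ntpath.basename(path).lower() != "svchost.exe":
        return False
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    return ntpath.normcase(ntpath.dirname(path)) != expected_dir


# Constructed sample data (placeholder address, not a real indicator).
SAMPLE_NAMES = [
    "examplefile.txt(!! to get email id password UniqueID to attacker@example.invalid !!)",
    "tvshow.txt(!! to decrypt email uniqueID to attacker@example.invalid !!).exe",
    "report.docx",
]
```

Running `find_encrypted(SAMPLE_NAMES)` returns the two marked names with their original names recovered, and `suspicious_svchost_run_value(r'"C:\Random name\svchost.exe"')` flags the Run-key value quoted above.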

Ways of Distribution of [email protected] Ransomware

Usually, the ransomware is distributed via spam email campaigns that contain its malicious executable files. [email protected] ransomware may be in a malicious attachment, a malicious link in the text, or hidden in the text of the email. Thus, in some cases, auinfo16 ransomware may infect the system simply by the opening of an email. Cyber-crooks may use authentic names of financial services like PayPal or software providers like Microsoft. [email protected] ransomware may also be spread via malicious redirect links on websites or via compromised social media profiles. Another way of distribution may be through file-sharing services.

Prehistory of Auinfo16 Ransomware

The ransomware called Anti-Child Porn Spam Protection, or ACCDFISA, has been detected in the wild since 2012. It pretends to be sent from a legitimate government organization in order to mislead the victim. The ransom image claims that all files on the computer are locked because illegal spam advertisements containing links to child pornography sites have been detected coming from the infected computer. Actually, the files are converted to password-protected RAR .exe files. Victims’ files may look like this: tvshow.txt(!! to decrypt email uniqueID to [email protected] !!).exe. Apparently, after some modifications and several different variants, this ransomware type is back again.

Restore (!! To Get Email Id Password UniqueID to [email protected] !!) Files

You can restore your data from your available backups. Most of the time ransomware deletes all Shadow Volume Copies, so using programs like Shadow Explorer may not help you restore any data. Still, sometimes the ransomware infection fails to delete the Shadow Volume Copies properly, so it is worth trying the Shadow Explorer software. Another approach to restoring some of the original data is to use reliable file recovery software.

Keep in mind that the new variant of ACCDFISA ransomware has improved encryption and is using two unique decryption keys. To preserve the chances of data restoration, we advise you to make backups of the encrypted files before continuing with one of the suggested recovery methods above.

We came across information that the security researchers from Dr.Web may help infected users obtain the password for files corrupted by other versions of ACCDFISA ransomware. Unfortunately, there is no information about an available decryption tool for Auinfo16 ransomware yet. We keep following the topic, and as soon as there is an available solution we will update the information. Remember that paying the ransom is not advisable. Don’t forget that behind the attack stand criminals who blackmail the victims. Supporting them with ransom money may lead to new, improved attacks.

Removal of [email protected] Ransomware

We have provided step-by-step manual instructions for the complete removal of auinfo16 ransomware. You can find them at the end of the article; follow them to delete the ransomware from the computer. If any questions arise during the removal process, we are open to help you; just leave us a comment under the article. The [email protected] ransomware may modify some registry keys, so it is advisable to run software that will check the keys and clean those that are not required on the system. Using advanced anti-malware software is also a good approach to remove [email protected] ransomware automatically. Furthermore, it will scan for other existing threats and help with future prevention.

Step-by-step manual instructions:

Try to Load Your PC in Safe Mode

For various Windows OS’s:
1) Hit the WIN key + R.
2) A Run window will appear. In it, write “msconfig” and then press Enter.
3) A Configuration box shall appear. In it, choose the tab named “Boot”.
4) Tick the Safe boot option and then select Network under it.

Eliminate the malicious processes

1) Hit the following key combination: CTRL+SHIFT+ESC.
2) Go to the Processes tab.
3) If you have found the suspicious process, right-click it and then click “Open File Location”.
4) End the malicious process by right-clicking it again and choosing “End Process”.

Delete registry objects created by the [email protected] ransomware virus.

For all Windows versions:
1) Again press the Windows key + R key combination.
2) In the text box, write “regedit” (without the quotation marks) and hit Enter.
3) Press the CTRL+F key combination and then write the malicious name in the search field to locate the malicious executable.
4) If you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys.

Recover files encrypted by Crypto-Viruses.

If you want to try recovering files yourself, you have several options:
Option One: By using Windows’s System Restore
1) Hit the Windows key + R key combination.
2) After the “Run” window pops up, write “rstrui” and hit the Enter key.
3) Choose a restore point and continue.

IMPORTANT: To be more effective, we strongly suggest booting in safe mode before doing this!

Option Two: By using Windows’s Shadow Volume Copies

To access shadow volume copies you may require a program like Shadow Explorer. Install it, open it, and make it scan for shadow copies. If you have them enabled, this method will work, provided the crypto-virus has not deleted them.

Option Three: By using various Recovery Software

This option does not guarantee a high recovery rate, but you may still restore several files. Most data recovery programs are available for free online; simply Google “Data Recovery Software”.

Prevent viruses from damaging your files in the future.

To protect your important data we suggest that you store it in the cloud. Programs that make online backup possible also let you schedule automatic backups at different intervals; this way, even if you lose your data, you can find it uploaded to a securely encrypted account that only you can access.



Author : Joseph Steinberg

Joseph Steinberg is the editor-in-chief, lead content creator, and local father figure of Best Security Search. He enjoys hiking and rock climbing and hates the 12345678 and qwerty passwords.
