Folder Name Changed to HOW TO DECRYPT FILES.txt

Hi, I am in big trouble and I need help. After downloading a torrent, this warning about encrypted files on my computer appears. I also noticed that all folders on my PC now have the name “HOW TO DECRYPT FILES.txt.” Probably, the file that I downloaded has a virus in it. However, why did my anti-virus not alert me about this? Now that I am infected and my computer is ruined, what else can I do if my anti-virus is not working against this “HOW TO DECRYPT FILES.txt” folder or directory infection?

I cannot do anything. I cannot even rename the folders to their previous labels. When I try, the warning comes up again saying that files and folders are encrypted, and the name remains “HOW TO DECRYPT FILES.txt”. I also noticed that all files now have similar icons, although when I open them, it seems that they are still working. Please help me.

37 Responses

  1. Jelay says:

    Our office computers were infected with this virus. We successfully removed the EnCiPhErEd virus by downloading a file provided by DrWeb. Here is the link.

    ftp://ftp.drweb.com/pub/drweb/tools/te94decrypt.exe

    First, make a copy of the .EnCiPhErEd file on a USB drive. This will serve as a test file for decryption. It must work on this test file before you try it on your general files. Incorrect decryption may damage your file. So please do not use this tool without running a test.

    On the command line, type -k 85 and that will decrypt all affected files. After that, you must run a virus scan to make sure that the virus is gone. I used Trendmicro to remove the virus and it found hundreds of infected items.

  2. Alan says:

    Hi Anton, I had the same issue in my company. I tried to do what Jelay said, but the recovered files are unreadable. Did you solve the problem in some way???
    I have a huge data loss, I hope to solve this problem…

    Jelay, I didn’t make a backup copy of the files, but after launching the tool I have the 2 versions of the file: the enciphered ones and the decrypted (but unreadable). Do you think that those enciphered files have been affected by the fix??

  3. Phil says:

    There are now 5 Versions of this Trojan in Europe.

    If key 85 doesn’t work for you, try “-k 90” without the quotes instead.

    @Anton: The enciphered files are not affected, try the key above.
    If key 90 doesn’t work for you, try asking for another one at DrWeb.com (https://vms.drweb.com/sendvirus/?lng=en). They helped me in about 30 minutes, they’re great!

  4. Jelay says:

    Alan, as per my instructions, I suggest trying the command line on a sample file first before applying it to the general affected files. How about trying “te94decrypt.exe -k 87”? Make sure that the te94decrypt file is on the same drive as the enciphered files. Again, run a test first.

    I think that the tool is creating a copy of the encrypted file, leaving the enciphered version intact.

  5. anton_palmer says:

    Guys, I was able to bring back all my files. I used the -k 88. That did the trick.

  6. Lost says:

    Jelay, where can I find a place to enter “-K85” in “TE94 Encoder”? Because I do not know.

  7. marcial says:

    Thanks to this guide, I was able to remove the Trojan and recover all my files.

    @LOST, copy the te94decrypt.exe file to the same drive as the encrypted files. Then go to Start > Run.

    Type in the box “c:\te94decrypt.exe -k 87” (without the quotes). Of course, this command assumes that te94decrypt.exe is in the root of the C: drive.

  8. Tony says:

    Any of you guys managed to decrypt the files after they have been deleted and unerased? Some of our engineers deleted the files and then we recovered them but, even though the tool decrypts the files, when trying to open them they seem to be corrupted! Let me know!

  9. Lost says:

    Thank you marcial, but for me the codes “-k 85”, “-k 87” and “-K88” do not work, and I do not know what to do.

  10. Lost says:

    I used -k 90 and it's working!!! Amazing, awesome :D :D :D
    I got the code from Dr. Web e-mail. Big THX.

  11. Samo_P says:

    Hi everybody
    I had the same issue as Alan. I tried -k80 through -k95: unreadable. Did somebody solve the problem in some way???
    I have a huge data loss, I hope to solve this problem.

    Now I have 10 versions of the file: the enciphered ones and the decrypted (but unreadable).

  12. Samo_P says:

    Alan,
    try this: first delete all recovered files, leaving only the encrypted files. Then try -k 88 on Win 7.
    I solved the issue that way and I can now open all my files. :)

  13. Mandarin says:

    Hi all,
    I’ve been infected with the same virus and so far I’ve managed to stop it spreading, but I can’t decipher my files correctly. The strange thing is that using te94decrypt.exe with different keys hasn’t helped me, with one exception. I ran repeated deciphering tests on infected files and every time the result was the same: some video files from a specific directory were deciphered OK, but none of the other deciphered files could be opened, no matter what key I used.
    I’ve sent my case to DrWeb and I’m waiting for a reply. If I manage to restore my work I’ll post here the answer.

  14. ddd says:

    When I type G:\te94decrypt.exe -k {key} just to test the decryption, it starts scanning the whole PC, not only the USB.
    How do you test on usb only?

  15. Mandarin says:

    I copied some files onto the flash drive, plugged it into a clean machine and ran the program. This way it finds only the files on the flash drive and decrypts them.

  16. aaa says:

    In my case k -103 works

  17. Mandarin says:

    Yep, seems you just need to cycle across all keys. For now -k 103 works for me too (thank heavens!!!). I’ll post when all files are deciphered if everything is OK.

  18. Valentin says:

    Hello, I am also infected with that virus, but I can’t understand what these keys are, and what exactly should I do? Please help.

  19. degirman says:

    Hi, my external disk was also infected with that virus. I sent my case to DrWeb and they gave me this link: ftp.drweb.com/pub/drweb/tools/te94decrypt.exe and I used it with command-line params -k 103 as they said.

    It works for .jpg and .nfo files. But my .avi files are still unreadable. I sent Dr.Web an infected .jpeg file (15kB). I think they solved this problem only for .jpegs. I can’t send .avi files to Dr.Web because they have a limit on file size (10Mb).

    What will I do?
    I don’t know :(

  20. degirman says:

    Do the following:

    1. Go to https://vms.drweb.com/sendvirus/?lng=en
    2. Upload one of your ciphered files
    3. At submission category select “request for curing”
    4. Fill in your email
    5. Write a few words at description if you like
    6. Click SEND

    Vladimir Martyanov will personally respond to your request, sending you a link to the last version of the “cure” and command-line instructions.
    (Example: “Download ftp://ftp.drweb.com/pub/drweb/tools/te94decrypt.exe Start it with commandline params -k 103. Report to the Police.”)

    7. Click the link and save te94decrypt.exe to the folder which contains your encrypted files.
    (Example: Your encrypted file is “Ray Charles – The Genius Of Ray Charles.jpg.EnCiPhErEd” and it’s in C:\My Documents. So you should save te94decrypt.exe to C:\My Documents)
    8. Click START>RUN and write this in the box: C:\My Documents\te94decrypt.exe -k 103
    ATTENTION: Remember, Vladimir Martyanov sent “-k 103” in our example.

    That’s all. Infected files (encrypted files) are decrypted now.

    PS: DO NOT:
    Reinstall windows
    Delete ANY files
    Start te94decrypt without Dr.Web’s advice, it can bring you a lot of problems with decrypting files.

    PS: If it doesn’t work try this:
    Upload some encrypted files on the flash drive
    Plug it into a clean machine
    Run the program. (Thanks Mandarin)

  21. Valentin says:

    What does it mean: CAN’T FIND PASS FILE? This is the text of the window that blings every time I click continue.

  22. ddd says:

    -K 103 works for me on Win 7

  23. Valentin says:

    Yes, -k 100 works for me on Win 7, but what am I supposed to do with the enciphered files? Should I delete them?

  24. Alan says:

    Does this really work? I’m afraid of making it worse. Can Dr. Web be trusted?

  25. Alan says:

    Do I save it or just run it?

  26. Valentin says:

    Do I have to delete the enciphered files after they’ve been decrypted? (This tool is making copies of the EnCiPhErEd files, and my disc space is max full.)

  27. ddd says:

    Run the program from the command prompt like this: “Path to the file\te94decrypt.exe -k 103” (note: you might need a different key than 103; for me on Win 7 it worked), and then it will scan whole drives, search for EnCiPhErEd files and decode them. Note, though, that the program creates a duplicate file which is like the original, and it doesn’t delete the EnCiPhErEd file. You have to do it yourself, but before deleting make sure the program has been in that folder\drive and decoded the files. Then you can just search in Explorer for EnCiPhErEd files and delete them all at the same time. Also, before starting the program make sure you have enough disk space since, as I said, the program creates duplicate files. Hope it helps.

  28. Valentin says:

    Hi, as I said, -k 100 worked for me, but I can’t view my photos and all of my mp3s are cut a little bit at the beginning. Should I try another key?
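
Several posts above report output that the tool "decrypted" but that will not open. As an added example (not part of any post in this thread and not Dr.Web's code), this Python script checks the leading bytes of each decrypted test copy against the well-known signature for its extension, so a wrong key shows up without opening files one by one. The function names, the signature table and the sample files are constructed for illustration.

```python
import os
import tempfile

# Well-known leading-byte signatures for file types mentioned in the thread.
SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".zip": [b"PK\x03\x04"],
    ".rar": [b"Rar!\x1a\x07"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".avi": [b"RIFF"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xfa", b"\xff\xf3", b"\xff\xf2"],
}
ENCRYPTED_SUFFIX = ".enciphered"  # extension from the thread, compared lowercased

def classify(path):
    """Return 'ok', 'mismatch' or 'unknown' for one decrypted test copy."""
    magics = SIGNATURES.get(os.path.splitext(path)[1].lower())
    if magics is None:
        return "unknown"
    with open(path, "rb") as fh:
        head = fh.read(16)
    return "ok" if any(head.startswith(m) for m in magics) else "mismatch"

def survey(folder):
    """Classify every file under folder, skipping still-encrypted originals."""
    report = {"ok": [], "mismatch": [], "unknown": []}
    for root, _dirs, files in os.walk(folder):
        for name in sorted(files):
            if not name.lower().endswith(ENCRYPTED_SUFFIX):
                report[classify(os.path.join(root, name))].append(name)
    return report

def build_sample(folder):
    """Write constructed files standing in for a tool's output on a test copy."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # valid JPEG header
        "scan.jpg": b"\x8a\x13\x5c\x77" + b"\x00" * 32,   # garbage, as from a wrong key
        "song.mp3": b"ID3\x03" + b"\x00" * 32,            # valid ID3 tag header
        "notes.txt": b"plain text",                       # no signature to check
        "photo.jpg.EnCiPhErEd": b"\x00" * 36,             # untouched encrypted original
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for verdict, names in survey(tmp).items():
            print(verdict, names)
```

A matching header only shows that the first bytes are plausible; files reported as "ok" should still be spot-checked by opening a few before any encrypted original is deleted.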

  29. Chris says:

    I have a modern variant of the virus that ends with dot block instead of enciphered. So far I have run all the keys between 85 and 200, and four acted like they decrypted, but it must be wrong decryption as the files are unreadable. Also waiting for a reply from Dr. Web. I hope this isn’t too new to have a cure. Lost a lot of business files. Anyone know what the full range of available keys is?

  30. Jurgen says:

    I found another one of the same kind: all files (mostly .mp3, .jpg, .doc, .rar, .zip) now have the extension .MICROSOFT.
    I tried a few numbers too, but the program didn’t find any encryption on the files. It’s for a friend of mine; all his files on all hard drives are infected with this encryption.
    Hope someone knows, or maybe Dr. Web knows it.
    Sadly he already did a fresh install of Windows, so I don’t know what caused the infection or what kind of trojan/virus he had.
    please help.
    many thanks.

  31. Turbofrenkie says:

    I’ve also found a new kind: .mp3, .jpg, .doc, .rar, .zip files were CRYPTED! and there is a .MICROSOFT extension.
    Please Help me.
    Thank You!
    Turbofrenkie

  32. Jes says:

    All my files are crypted and have .html at the end. Any help please?

  33. Alberto says:

    In the case of a successful disinfection… an antivirus to keep it from getting in again? CLAM WIN did not stop it; is there one?

  34. Samer says:

    Hello guys,

    I have also the same problem and my files show this message :

    File is encrypted
    This file can be decrypted using the program DirtyDecrypt.exe
    Press CTRL+ALT+D to run DirtyDecrypt.exe

    If DirtyDecrypt.exe not opened Check the paths:
    C:\Program Files\Dirty\DirtyDecrypt.exe
    C:\Program Files (x86)\Dirty\DirtyDecrypt.exe
    C:\Users\[YOUR USER]\AppData\Roaming\Dirty\DirtyDecrypt.exe
    C:\Documents and Settings\[YOUR USER]\Application Data\Dirty\DirtyDecrypt.exe
    C:\Documents and Settings\[YOUR USER]\Local Settings\Application Data\Dirty\DirtyDecrypt.exe

    And I really want my files back… please, if you know how, just tell me and please guide me step by step because I am not that pro with this stuff

    Thank you all in advance

  35. JB75 says:

    Does the te94decrypt.exe work in XP pro?

  36. snezy says:

    In the hope that it may help someone else make the decision.
    One of our corporate sites had Symantec AV installed. One user browsed garbage on their laptop out of hours, and it synced with Dropbox and infected their local desktop inside the network.
    Symantec didn’t pick up the virus or remove it.
    The virus had infected about 1/2 dozen desktops before we caught it on the network and removed it the following day. We uninstalled Symantec network-wide, installed Trend and cleaned all viruses / malware from the network.
    Still, we had 6 desktops infected/encrypted, plus a whole bunch of network drives, Dropbox accounts etc. affected.
    We were able to restore the network drives quickly and easily from backups and get the Dropbox accounts up with no problems, but users being users, they save critical data to desktops and docs folders.
    After 2 days of agonising we ended up paying (although this went against every fibre of our beliefs); $400AUD was so little to pay for the remote possibility of getting our files back again. This gave us the decryptor exe within 48hrs, after which we had all desktops almost back to 100% normal – certainly all files that had the ultracode extension were restored back to normal.

    I suppose, what I’m trying to say is that – although it totally sucks, and the creators of this virus will likely have a serious karma issue. For $400, to restore 10’s of thousands of dollars worth of man hours it was without question worth it.
    Lesson learned, though: make sure you have decent AV + malware software on your corporate network, don’t allow Dropbox, and back up all desktops to drives that are not connected to the network permanently (i.e. NAS).

  37. Anthony Mckenzie says:

    Hi snezy

    We have the same problem and have tried to contact them, but the email keeps bouncing back as undelivered.

    How did you manage to get in contact with them? What email did you send it to? It’s been 9 days since our server was infected and we need to get the data back. Could you please list step by step what you did to solve your problem?