A virus that encrypts files using Xorist Builder genealogy and XOR encryption algorithm has been reported to cause damage to computers by rendering their files encrypted. The files can no longer be opened after the virus known as AvastVirusinfo attacks your computer and they have a file extension added to them – .A9v9Ahu4. After encryption the virus also adds a .txt file which aims notify victims with what has happened exactly to their files and extort them to pay the sum of 15 $ to get the files back. In case you have been attacked by this ransomware infection, we advise you to read this article with care.
|Short Description||This ranosmware virus encrypts the files using XOR encryption mode and asks the victims to pay ransom to get the files back.|
|Symptoms||Files are enciphered and become inaccessible by any type of software. A ransom note with instructions for paying the ransom shows as a .txt file in english and russian.,|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks, Malicious Executable in Torrent Trackers.|
|Detection Tool|| See If Your System Has Been Affected by AvastVirusinfo |
Malware Removal Tool
|User Experience||Join our forum to Discuss Cerber Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
AvastVirusinfo Ransomware – How Does It Infect
Ever since it was discovered back in 2015, this ransomware infection may still resort to the very same methods of infection for which it was firstly responsible. The ransomware may infect via e-mail spam messages which carry e-mail attachments that are malicious, like the example below displays:
Another method which can spread the AvastVirusinfo ransomware infection has been reported to be via infected installers of programs which slither and execute it’s malicious files on the compromised computers. It is also a scenario that malicious game cracks or program patches and activators that are published on suspicious sites or uploaded as torrents to be carrying the AvastVirusinfo infection malware in them.
AvastVirusinfo Ransomware – Further Information
After this ransomware gets you to open a malicious files, the infection is immediate and no longer avoidable. Once infection is commenced this ransomware virus creates multiple different files on the computers infected by it. The files are as follows
- An executable, named Setup.exe.
- Another two executables, named up_date.exe and update.exe.
- A randomly named executable.
- A randomly named .tmp.exe file.
- A plugin.dll file.
- A randomly named .dll type of file.
In addition to those files the virus also drops two .txt files, named HOW TO DECRYPT FILES.txt and it’s Russian analogue, named КАК РАСШИФРОВАТЪ ФАЙЛЪI.txt.
The files are usually located in the administrative Windows user directories:
Then, this ransomware may delete any shadow volume copies on the compromised computers. This is usually achievable by using the vssadmin command in a /quiet mode.
→vssadmin.exe delete shadows /all /Quiet
The Encryption Process of AvastVirusinfo Ransomware
Regarding encryption, this ransomware uses a relatively simple encryption algorithm in comparison to the other ones – XOR. What is very particular about this infection is that regarding the encryption, it attacks a very wide variety of file types. The file extensions it is pre-configured to encrypted are over 1000:
After encryption, the files become no longer openable and have an added file extension to them, named – .A9v9Ahu4. They may appear without file icon, similar to the following:
After this has happened, the ransomware infection may drop it’s ransom note to notify the victims of this virus that they must make a ransom payoff in order to restore access to the encrypted files. The ransom note is called HOW TO DECRYPT FILES.txt and has the following content:
→ “What happened to your files?
All of your files were protected by a strong encryption.
There is no way to decrypt your files without the key.
If your files not important for you just reinstall your system.
If your files is important just email us to discuss the price and how to decrypt your files.
You can email us to [email protected]”
There is also a Russian version of the ransom note with the same message.
Remove AvastVirusinfo Ransomware and Decrypt XOR Encrypted Files
Before beginning any removal process, it is recommended that you not pay any ransom and you backup the encrypted files by creating multiple copies of them on removable drives.
For the removal of this ransomware, just like with any other, some steps must be followed. To simplify the situation for you we have created the removal manual below and we recommend that you follow it. In case you are having difficulties or lack the experience in removing this ransomware virus, experts often advise using an advanced anti-malware program. Such will surely take care of the automatic removal of this ransomware infection and future protection of your computer as well.
In case you want to restore your files, there are several alternative tools that may help you out. We have mentioned these methods with links in step “2. Restore files encrypted by AvastVirusinfo” below. Be advised that these methods are not 100% effective but fortunately they may restore at least some of your files.
Manually delete AvastVirusinfo from your computer
Note! Substantial notification about the AvastVirusinfo threat: Manual removal of AvastVirusinfo requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.