Remove Auinfo16 Ransomware and Restore .Zip Encrypted Files - How to, Technology and PC Security Forum |

Remove Auinfo16 Ransomware and Restore .Zip Encrypted Files

fix-your-malware-problem-sensorstechforumA ransomware variant, belonging to the ACCDFISA type of ransomware viruses has been reported to be massively spread and heavily encrypt files of compromised computers. Research shows that the ransomware adds the file extension to “(!! to get email id password {Unique ID} to !!)” to the files encrypted by it. It is also believed that this virus uses WinRar to archive the files in password-protected documents. After archiving the files, the Auinfo16 ransomware leaves them in a .zip format and may change their names. Users who have been infected by the Auinfo16 cyber-threat are strongly advised to read this article and learn how to remove this virus and try to get the files back.

Threat Summary



Short DescriptionEncrypts user files with what appears to be AES encryption and ask ransom money for decryption varying from the hundreds to thousands of dollars.
SymptomsThe user may witness various ransom notes dropped on the desktop, changed wallpaper and several legitimately looking Windows processes, like svchost.exe to be running with unknown license on the computer.
Distribution MethodVia an Exploit kit, JavaScript, other malware or PUPs.
Detection Tool See If Your System Has Been Affected by Auinfo16


Malware Removal Tool

User ExperienceJoin our forum to Discuss Auinfo16 Ransomware.

Auinfo16 Ransomware – Spread

For it to infect users, Auinfo16 ransomware virus may use process obfuscators, exploit kits, JavaScript and other tools to hide its malicious payload while it is being dropped from any real-time protection on targeted computers.

In addition to this, Auinfo16’s creators may use spamming software or spamming services to send massive spam e-mail messages which may contain:

  • Malicious URLs that can cause browser redirects to drive-by-download web links that can infect the computer with Auinfo16.
  • Malicious attachments of heavily obfuscated executables or other types of files pretending to be legitimate Microsoft Office or Adobe Reader or other documents.

Another strategy to spread this ransomware virus is by using PUPs, like browser hijackers or adware, for example. Such programs are ad-supported software that comes via bundling on the victim’s computer and in some cases may have the ability to cause browser redirects to third-party web sites and URLs. If the creators of this PUP aim to make money not only via pay-per-click schemes but also by distributing malware, you may have become a victim as a result of this.

Auinfo16 Ransomware – In-Depth Information

Once executed on the victim’s computer, like the other variants of ACCDFISA ransomware, Auinfo16, may drop it’s malicious payload under the legitimate name svchost.exe (crucial Windows process). The payload may be located in a completely random named folder in the “C:” drive, for example:

→C:\{Random name}\svchost.exe

The virus may then create the following registry entry to make the malicious svchost.exe run on Windows boot up:

In the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, the value “C:\{Random name}\svchost.exe”

The Auinfo16 virus may also drop support files otherwise known as modules that may be hidden in other crucial Windows folders:


Some of the files of previous variants of this ransomware have been reported to be with the following names and in the following locations by malware researchers:

→ %ProgramData%\local\ aescrypter.exe
%ProgramData%\local\ crdfoftrs.dll
%ProgramData%\local\ svchost.exe
%ProgramData%\local\ undxkpwvlk.dll
%ProgramData%\local\ vpkswnhisp.dll
%Users%\Public\Desktop\ how to decrypt aes files.lnk
%Windows%\SysWOW64\ csrsstub.exe
%Windows%\SysWOW64\ dcomcnfgui.exe
%Windows%\SysWOW64\ tcpsvcss.exe
%Windows%\SysWOW64\ tracerpts.exe
%Windows%\SysWOW64\ ucsvcsh.exe
%Windows%\SysWOW64\ wcmtstcsys.sss
%decrypt% decrypt.exe
how to decrypt aes files.lnk

After it’s encryption process runs, this virus may use protocols from WinRar to generate a unique method to archive the files with a password, which may then be sent to the servers of the cyber-criminals along with a unique identification number. This ID is mentioned in the file extension added to the files after encryption, for example, if the ID number is 111,111,111, encrypted files may look like the following:


The Auinfo16 virus primarily hunts for files that are videos, pictures, documents, database files and even large image files. It may even be set to encrypt all files besides the crucial files by which Windows can run successfully.

After encryption, similar to the other ACCDFISA viruses, the wallpaper may be changed to the following picture:

ransomware-file-encryption-sensorstechforum-ransom-note-anti-child porn spam protection

Remove Auinfo16 Ransomware and Try Restoring the Files

As a bottom line, Auinfo16 ransomware should be immediately removed, instead of paying the ransom money. To do this successfully, we strongly advise you to follow the instructions posted below and delete Auinfor16 ransomware from your computer. For maximum effectiveness, experts advise using a more automatic approach and scanning the computer with anti-malware software to detect other threats if present and remove Auinfo16 fully and permanently.

Regarding file decryption, at this moment there is no solution released, but researchers are working on cracking this ransomware. The malware writers behind Auinfo16 have stated in other variants of this ACCDFISA ransomware that they have improved it’s encryption by using not one but two unique decryption keys, which makes direct decryption a risky process. This is why we advise you to be cautious when attempting the methods for file restoration in step “3. Restore files encrypted by Auinfo16” below and to make backups in case you attempt direct decryption.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share