Remove UIWIX Virus Ransomware and Restore Your Files

.UIWIX File Virus Restore Files

Article, designed to assist in how to remove .UIWIX ransomware infection from your computer and restore encrypted files.

New ransomware infection has been detected at the beginning of May 2017 by malware researchers. The virus uses the .UIWIX file extension which it adds to the files that have been encrypted by it on computers it infects. The .UIWIX file virus then drops behind a ransom note, named “_DECODE_FILES.txt” in which it requests victim to enter a Tor-based website that has additional instructions on how to pay the sum of 0.12 BTC to the cyber-criminals behind this virus. In case your computer has been infected by the .UIWIX ransomware infection, it is recommended to read this article carefully.

Threat Summary


.UIWIX File Virus

Short DescriptionEncrypts important files on the computers it infects and then demands 0.12 BTC ransom payoff to decrypt them.

SymptomsUses the .UIWIX file extension which it adds to the encrypted files. Then demands victims to pay a ransom in a ransom note, named _DECODE_FILES.txt
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by .UIWIX File Virus


Malware Removal Tool

User ExperienceJoin our forum to Discuss .UIWIX File Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.UIWIX File Virus – How Does It Infect

The ransomware infection using the .UIWIX file extension is believed to be spread predominantly via e-mail spam messages. Such spam is carefully orchestrated, since it features different types of files that have been obfuscated In order to avoid antivirus detection. Such files may even be legitimate Microsoft Office documents that are embedded with malicious macros that cause an infection when their content is enable. One of them previously detected with malware can be seen below:

The e-mail messages that are sent have different type of content, all with the purpose to convince potential victims to open the attachment or click on a URL where the attachment is available.

Other methods of infection may include uploading the malicious files on torrent websites, software providing sites and others.

.UIWIX File Virus – Infection Activity

After the .UIWIX file virus has already caused an infection on a computer, it may immediately drop it’s malicious files. They may be files of the following file types:

.exe, .bat, .cmd, .vbs, .js, .tmp, .dll

The files may be under different, often random names, located in the usually targeted system folders:


After the malicious files are dropped, the .UIWIX ransomware may target the Windows Registry Editor. In it, the Run and RunOnce keys may have new value strings embedded within them. This is done with the purpose to run the malicious executable which performs the encryption of the files. The executable is usually obfuscated to avoid antivirus detection.

After modifying the Windows registry editor, .UIWIX file virus may target the backups on your computer, more specifically:

  • Windows Recovery.
  • Windows shadow copies.

Since the files can be recovered if the shadow service is enabled, the .UIWIX ransomware may deleted them by executing the following vssadmin Windows command:

.UIWIX File Encryption

The encryption process of the .UIWIX ransomware is conducted via a malicious file, that is programmed to skip system folders while scanning all other folders for different important file types, such as:

  • Documents.
  • Image file types.
  • Archives.
  • Audio files.
  • Multiple video file types.
  • Virtual drive files.
  • System image files.
  • Files associated with different important software.

After the files that match the extensions it is looking for are discovered, their structure code is altered by symbols of the encryption algorithm used by .UIWIX. The files are left looking like the following:

After the encryption process is complete the files can no longer be opened. The virus leaves behind a ransom note in a text file, named _DECODE_FILES.txt that has the following content:

>>> ALL YOUR PERSONAL FILES ARE DECODED <<< Your personal code: {uniqueID} To decrypt your files, you need to buy special software. Do not attempt to decode or modify files, it may be broken. To restore data, follow the instructions! You can learn more at this site: {TOR-based web page} If a resource is unavailable for a long time to install and use the tor browser. After you start the Tor browser you need to open this link {TOR URL}

After the TOR web page is opened, the user is presented a screen where he or she must input the unique ID to login. After login, further instructions are seen:

Remove .UIWIX Virus and Restore Encrypted Files

In order to remove this ransomware from your computer, it is strongly recommended to focus on following the removal instructions below. For maximum effectiveness of the removal, malware researchers also advise to use an advanced anti-malware program which will help remove .UIWIX file virus automatically.

For the file recovery of data encrypted by this virus, you can follow the alternative removal instructions below. They are carefully designed to help you restore as many files as possible, but may not be 100% effective. They are located in step “2. Restore files encrypted by .UIWIX File Virus” below.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share