.Zixer2 File Virus – Remove and Restore Files - How to, Technology and PC Security Forum | SensorsTechForum.com

.Zixer2 File Virus – Remove and Restore Files

Article created to help you delete Zixer2 ransomware infection from your computer and try to get back files encrypted with TEA cipher and .zixer2 extension.

Ransomware virus, going by the name Zixer2 has been reported by researchers to infect computers, encrypt important files on them and then leave behind the e-mail [email protected] for contact. The infection has been detected to use the Tiny Encryption Algorithm also known as TEA to render important files on the compromised devices no longer openable. After the encryption is complete, the ransomware uses the .zixer2 file extension which is added to the encrypted files. If you have become a victim of the Zixer2 ransomware infection, our advice is to focus on reading the following article.

Threat Summary



Short DescriptionThe malware encrypts users files using the TEA encryption cipher, making direct decryption possible only via a unique 128-bit decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” named HOW TO DECRYPT FILES.TXT linking to an e-mail.Changed file names and the file-extension .zixer2 has been used.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Zixer2


Malware Removal Tool

User ExperienceJoin our forum to Discuss Zixer2.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Zixer2 Ransomware – How Does It Infect

The infection process of Zixer2 ransomware virus may begin with a packed executable which is uploaded as an e-mail attachment within an archive. Such attachments are usually redistributed via e-mail spam campaigns that take advantage either of multiple different spam kits that include:

  • Spam bots.
  • Pre-registered e-mail addresses which are legitimized via different SIM-cards.
  • Pre-set list of spam e-mail templates that contain deceptive messages, like the one on the image below:

The malicious files may either be posted via web links or e-mail attachments, so users are strongly advised to learn how to protect themselves from such malicious campaigns by reading the informative related article below.

Other methods by which Zixer2 ransomware virus can spread and infect computers include the masking of the malicious files as patches, fake updates, game cracks or program activators. Sometimes the malware may reside within legitimate setups which also install it’s malicious code. The usage of modified Self-Extracting archives is also a potential scenario. Users are advised to learn how to store their data properly as well, because infection can come via unknown new methods as well.

Zixer2 Ransomware – Malicious Activity

Once the user becomes infected with a variant of Zixer2, the virus may create multiple malicious files. The files may be a different type of module and executable type of files which may have either random names or names resembling Windows system files. An example of commonly targeted folders and filenames which Zixer2 can use you can see from the image below:

After the malicious files belonging to Zixer2 Ransomware are already dropped, the virus may begin it’s malicious activity. For starters, the Zixer2 ransomware may check whether or not it is running on a virtual machine or a machine where the ransom has already been paid. If It is, Zixer2 ransomware shuts down immediately. In addition to this, Zixer2 ransomware may end system tasks that obstruct it’s encryption as well as insert malicious code in legitimate Windows processes to ensure the encryption is successful.

Another task possibly performed by the Zixer2 threat is to modify the volume shadow copies of the infected computer. This is usually performed by obtaining privileges to execute administrative commands in the Windows Command Prompt, like the vssadmin command:

After it deletes the shadow copies, the ransomware may also modify the Windows Registry Editor, possibly attacking the following Windows Registry sub-keys:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\

After modifying the registry entries, the ransomware may set a file, named HOW TO DECRYPT FILES.TXT to automatically open on system startup. The file has the following content:

All Your Files Was Encrypted !
E-mail addresses: [email protected]

Zixer2 Ransomware – Encryption Process

The file encoding process by Zixer2 ransomware is conducted by an encryption algorithm known as TEA or Tiny Encryption Algorithm. This specific type of cipher employees’ encryption which encrypts blocks of the files in 64bit strength (two 32-bit integers). After the encryption is complete, the cipher generates a unique 128-bit key which may be sent to the cyber-criminal servers by using an unsecured port on the infected computer. Here is how the encryption process of Zixer2 looks like:

Source: Wikipedia

The targeted files for encryption may be widely used file types, like the following ones:


After the encryption process is complete, the files are appended the .zixer2 file expansion and can no longer be accessible. They may appear like shown on the image below:

Remove Zixer2 Ransomware and Restore .Zixer2 Encrypted Files

For the removal process of Zixer2 virus, it is important to backup the TEA encrypted files first. Then, we advise following the removal instruction steps below. They are carefully designed to help you get rid of the malicious objects by isolating the threat first and look for the settings and files second. In case of manual removal is not for you, malware researchers always outline using specific anti-malware software as a must for the automatic removal and future protection from viruses like Zixer2.

In case your files have been encrypted by Zixer2 ransomware, recommendations are to focus on trying to restore encrypted files by using the alternative methods in step “2. Restore files encrypted by Zixer2” from the instructions below.

Manually delete Zixer2 from your computer

Note! Substantial notification about the Zixer2 threat: Manual removal of Zixer2 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Zixer2 files and objects
2.Find malicious files created by Zixer2 on your PC

Automatically remove Zixer2 by downloading an advanced anti-malware program

1. Remove Zixer2 with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Zixer2
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.