Remove EnCiPhErEd Trojan

EnCiPhErEd Trojan, also known as Trojan.Ransom.HM, is ransomware that encrypts files on the infected computer and demands a payment of 50 EUR for the code. The user needs this code to decrypt the affected files.

Typically, the .EnCiPhErEd Trojan targets non-executable files such as images, sounds and movies. Changed files get the new extension .EnCiPhErEd. For example, a shortcut to Notepad.exe will bear the new file name Notepad.lnk.EnCiPhErEd. Aside from encrypting files, the Trojan also replaces their default icons with one identical image. After it infects all files, it places a file called “HOW TO DECRYPT FILES.txt” that contains the following message:

Attention! All your files are encrypted!
You are using unlicensed programs!
To restore your files and access them,
send code Ukash or Paysafecard nominal value of EUR 50 to the e-mail
During the day you receive the answer with the code.
You have 5 attempts to enter the code. If you exceed this date all data is irretrievably spoiled. Be careful when you enter the code!

Victims are asked to send proof of payment to the mentioned address. When the attacker confirms the payment, he will reply with the decryption code. Entering the wrong code in the decryption box risks losing all your files.

What are the Symptoms of .EnCiPhErEd Trojan Infection?

The Trojan drops a text file in each infected folder. The file is clean, and its contents are nothing but a warning.

Files encrypted

After infecting files, the Trojan changes their extension to .EnCiPhErEd and also replaces each icon with a common pink image, as shown in the image below.

EnCiPhErEd files

If the user attempts to open any encrypted file, a warning is shown with this message: “Attention! All your files were encrypted! To decrypt files, please enter correct password!”

Enciphered Warning

How to Remove .EnCiPhErEd Trojan Manually

1. Restart your computer in Safe Mode
– After powering on the computer, just before Windows starts, press F8
– From the selections, select Safe Mode

2. Remove the registry entries that the threat added. You MUST BACK UP YOUR REGISTRY FIRST.
– Click Start > Run
– Type regedit in the field
– Navigate to and look for the registry entries mentioned above, and delete them if necessary

3. Delete the malicious files that the threat added:
– Based on the given location above, browse to the file and delete it
– If no location is given, click Start > Search and search for the files.
– If a file cannot be deleted, press Ctrl+Alt+Del to access Task Manager and see if the file is running as a process. If it is, select it and click End Process. Then try deleting the file again.

4. Scan computer with Antivirus Program
– Update antivirus program
– Scan computer and delete all detected threats.

Automatic Removal of .EnCiPhErEd Trojan

1. Download and run MalwareBytes AntiMalware to remove .EnCiPhErEd Trojan. Click this link to begin the download.

How to Remove File Encryption

1. Download the tool from this link:

2. Save a copy of the encrypted files to a USB drive. Test the tool on more than 3 affected files that have the .EnCiPhErEd extension.

3. Copy the file to the root of your USB drive.

4. Press {Windows Key} + {R} on your keyboard or open the Run command from Start Menu.

5. Type and try these two parameters one at a time. If the first parameter does not work properly, delete the copied .EnCiPhErEd files from the USB drive and copy new ones from the infected computer.

E:\te94decrypt.exe -k 87
E:\te94decrypt.exe -k 85

6. If you have an existing antivirus program, please update it and run a complete scan to make sure that the computer is free from viruses and Trojans.
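
Steps 2 to 5 above, as an added example in Python (not part of the original post or of the decryption tool): it stages a few encrypted samples of different file types, judges each decrypted output by its leading bytes, and restages fresh copies before the next key is tried. The function names, the four-sample default, the signature table and the assumption that the tool writes its output beside the sample under the name without the extension are assumptions, not facts from the post.

```python
import hashlib
import shutil
from pathlib import Path

EXT = ".enciphered"  # extension named on the page, matched case-insensitively
# Leading bytes of common formats, used to judge a decrypted output.
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".pdf": b"%PDF", ".lnk": b"L\x00\x00\x00"}

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def stage_samples(source, staging, count=4):
    """Copy `count` encrypted files, spread over inner types, into `staging`."""
    by_type = {}
    for p in sorted(Path(source).rglob("*")):
        if p.is_file() and p.suffix.lower() == EXT:
            by_type.setdefault(Path(p.stem).suffix.lower(), []).append(p)
    firsts = [files[0] for files in by_type.values()]
    rest = [p for files in by_type.values() for p in files[1:]]
    Path(staging).mkdir(parents=True, exist_ok=True)
    manifest = {}  # staged name -> (original path, SHA-256 of the original)
    for i, p in enumerate((firsts + rest)[:count]):
        name = f"{i:02d}_{p.name}"  # numeric prefix avoids name collisions
        shutil.copy2(p, Path(staging) / name)
        manifest[name] = (p, sha256(p))
    return manifest

def check_outputs(staging, manifest):
    """Classify samples after a decryptor run (assumed output: name minus EXT)."""
    verdicts = {}
    for name in manifest:
        out = Path(staging) / name[:-len(EXT)]
        magic = MAGIC.get(out.suffix.lower())
        if not out.exists():
            verdicts[name] = "missing"
        elif magic is None:
            verdicts[name] = "unknown-type"
        else:
            verdicts[name] = "ok" if out.read_bytes().startswith(magic) else "bad"
    return verdicts

def reset_samples(staging, manifest):
    """Before the next key: verify the originals, then restage fresh copies."""
    if any(sha256(p) != digest for p, digest in manifest.values()):
        raise RuntimeError("an original changed since staging; stop and investigate")
    shutil.rmtree(staging)
    Path(staging).mkdir(parents=True)
    for name, (p, _) in manifest.items():
        shutil.copy2(p, Path(staging) / name)
```

Keep the staging folder outside the scanned source tree, and run the decryptor on the full file set only after every sample with a known signature reports "ok".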

16 thoughts on “Remove EnCiPhErEd Trojan”

  1. dave_simple says:

    I decrypted my files using -k 88. Then I scanned the computer with Malwarebytes and found dozens of threats. My Norton also found 76 Trojans all over the place. Thanks for this guide.

  2. tryhard says:

    Yes, samo is right, -k 88 gives a “wrong key” message. I tried -k 87 and it worked on my sample files. I'm hesitant to run it on all my files. Maybe I will decrypt per batch of files or I will create a full backup first.

    With -k 87 working on my Vista, I guess there are levels of encryption for each type of Windows? Just my guess!

  3. semp says:

    I had been trying for a few days, and only the newest one, from today, 19.04.2012, helped me :)
    te94decrypt.exe -k 87
    AVG identified this virus as idp.trojan.fc44335e

    Many thanks :)

  4. Larry says:

    Thank you all for posting!
    It seems -k 106 works for me on .QWCiPhErEd files, but the problem is that when decrypting, the decrypted files are generated beside the encrypted files, which leads to disk overload (there is only 10% of free space left on every one of my PC disks). How can I deal with this issue? Will the encrypted files be deleted after being decrypted?

  5. stingray6w9 says:

    Thank you for the code!
    I can confirm that -k 106 is working with the .QWCIPHERED extension. Be careful if you have any strange permissions. The user the encryption virus runs under needs “write extended attributes” to encrypt the file, but if the user does not have “modify” rights, the file is encrypted and the copy with the extension is not created. The file looks ok, but indicates it is corrupted when opening. It can be decrypted using the tool, if you add the .QWCIPHERED extension. CAUTION: If the file is not encrypted and you add the extension and run the tool, it encrypts it.
    Larry, you could move (not copy) all the files with the .QWCIPHERED extension to an external drive (this should give you some space to work with) then copy the files back in groups, decrypting then deleting the encrypted ones. It is a process, but should work.

  6. Nik says:

    I wrote an e-mail to the Dr WEB team and they updated their te94decrypt.exe to a new version, and with this tool started with the -k 103 key all my ENCIPHERED files were saved!
