.Odin file virus removal and decryption guide (updated)

Few days ago, we began to receive the messages about the new and extremely dangerous ransomware, named Odin, which very quickly became the most dangerous in recent weeks. To those users who are faced with this virus, we want to say that Odin is not a stand-alone program. It is a part of the most dangerous viruses of recent years - Locky ransomware, which changes the extensions of the encrypted files. First, extension of the encrypted files were .locky, then .zepto, and now .odin. If you see the files with this extension on your PC, then it is infected with the dangerous ransomware, and you should take immediate steps to remove it.


Odin is a new ransomware that became highly “popular” recent weeks. From the beginning, we thought that Odin is the brand new virus, but lately the researchers discovered that it’s the new version of Locky ransomware. We wrote about the latest update of Locky, called Zepto, and it seems that the story repeats again: the new virus adds .Odin extension to all encrypted files, and changes their names to random set of digits and letters. This time, hackers haven’t waited until their latest child’s code will be broken, and released the new one, so now you should be afraid of two extremely dangerous viruses, called Zepto and Odin. Except the name, the changes in virus behavior are minimal. The list of extensions that might be affected isn’t changed, because it is already large enough. The text of the ransom note haven’t changed from the times of first version of Locky, but the files with ransom notes now are called _HOWDO_text.html, _HOWDO_text.bmp, and _[2_digit_number]_HOWDO_text.html. Now comes the most important part for ransomware victims: the ransom asks three BTC now, so it is about $1800 on current exchange rate. We don’t know why hackers determined such high price, because even in wealthy countries not everyone will pay so much money for the files, stored on home PC. Maybe it is a kind of experiment, and the next version will ask you to pay 1 Microbitcoin (0,001 BTC) for the decryption. We don’t know that, but we assume that nobody will pay the ransom, except the cases of the network infection in some companies, etc.

Odin did not change the ways of penetration, and still uses a spam e-mail, and attachments virus files to it. The user receives such a letter, and when he opens an attachment, he downloads encrypted .dll installer. After that, it will be decrypted and executed by the program that presents in the Windows basic list of tools - Rundll32.exe. When the file is executed, it will encrypt all accessible files, change their names to random sets of letters and numbers, and add the .Odin extension to them. For example, the file Notes.txt can be renamed to 3ZXW76OP-F294-1HKQ-6U9S-7T33481P9453.odin.

There are no other changes except the names of instruction files. They are now called _HOWDO_text.html, _HOWDO_text.bmp, and _[2_digit_number]_HOWDO_text.html. These files will be shown to victim as soon as the encryption will be complete. Here’s the short list of file extensions that might be affected by Locky ransomware with .odin extension: bmp, png, gif, jpeg, jpg, tif, .tiff, psd, xlsx, docx, pdf, txt

How to remove Odin Virus from your system

You should know that the removal of Odin ransomware from your system wouldn’t change anything in the state of your files: they will still be encrypted. However, the removal must be performed to ensure the safety of your PC, and to make you able to work with new files. If you do not delete virus, even the backups can be affected. We can help you to get rid of the virus. After this follow our decryption instruction.

Attention: save the copy of _HOWDO_text.bmp, it contains one part of decryption key. This key can be important, if IT specialists try to decrypt your files manually.

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe ->Disable unknown programs in the Startup tab


Step 3. Check hosts file

Modify hosts file, that located in C:\Windows\System32\drivers\etc\ .

Hosts file.Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file.Step 2

It has to look like this:

Hosts file.Step 3

Step 4. Scan the system with antiviral scanner

Even if you decided to use the manual removal way and won’t purchase Spyhunter, we strongly advise you to use any AV-tool (even the free one) to scan the system after Odin’s removal. It is needed because during the manual removal you might miss some files or registry entries that should be deleted. Of course, if you’ll pick the software removal way, and purchased Spyhunter, this step will be performed automatically.

Special Offer

Antivirus scanner

Why we recommend SpyHunter antimalware

Detects most kind of threats: malicious files and even registry keys of malware will be found

Protects your system in the future

24/7 free support team

SpyHunter's scanner is only for malware detection. If program detects infected elements on the computer, you will need to purchase malware removal tool for $39,99 to delete threats. SpyHunter has Free Trial for one remediation and removal, subject to a 48-hour waiting period. Uninstall steps and additional information EULA , Privacy Policy and Threat Assessment Criteria.

bwd  Instructions 1/2  fwd

Step 5. Disable Safe mode

Start -> Msconfig.exe ->Disable Safe boot in the Boot tab

Deactivate Safe mode

How to decrypt (recover) files

It is sad to say, but currently there are no guaranteed ways to recover the encrypted files. The direct decryption isn’t even discussed because the cyphers used by Odin and Zepto are so strong that it will take thousands of years to decrypt them. Odin deletes the shadow copies, so the files can’t be recovered with help of ordinary recovery tools. The only 100% way to decrypt files is to use the previously made backup. If the backup was made before the infection, if it was saved on the external drive and if that drive was disconnected from the PC in the moment of infection – the backups will work properly. In all other cases, backups are compromised. Now, if your data were encrypted by Odin ransomware, you have few things to do: remove the virus, scan the system, gather the encrypted files in one folder and store it on your PC until the decent decryption tool will be developed. The news about that might appear on the websites of well-known software vendors of security researchers, like Kaspersky lab, EmsiSoft, MalwareFighterTeam or else. We hope that this article was helpful for you, and we hope that the solution of your problem will be found in short. More information about decryption method: How to restore encrypted data.

This website uses cookies to improve your experience. If you continue using the site, we will assume that you accept our cookies policy.