How to remove (uninstall) GoldenEye

Today we will talk about the ransomware family called Petya. These viruses terrorized Internet for quite a long time, but from mid-2016 the viruses such as the Cerber and Locky replaced them on the first places. However, the developers decided not to give up Petya, and released a new version of the virus, which is called Goldeneye (in continuation of the James Bond theme). In this article, we will tell you about the features of the virus, its strengths and weaknesses, and how to remove it.

What is GoldenEye ransomware

In fact, GoldenEye virus is not original, and there are many factors that indicate that in fact this virus is an attempt to rebrand known viral ligament Petya + Misha. These viruses have been designed by a hacker, known under the nickname Janus, and first began to operate in March 2016. First, the virus has only one component – Petya that codified the MBR (master boot record) and MFT (master file table). However, this method was quite unreliable, as it causes a lot of system errors that stopped the encryption process. After suchlike error, the process could only be continued by authorized administrator. To get rid of this error, developers added the second component - Misha, that encrypted the files in the usual way, in the event that Petya could not cope with the task.

GoldenEye penetrate computers via spam e-mail. So far, the virus affects only the German Internet sector, but it should be expected that soon it will spread further. Infection occurs via an Excel file that contains malicious VBA macro. The letters disguised as an employee resume, and sent to mailboxes of workers of different companies. Letters are standard, and contain several options summary, in the form of PDF files. PDF files are harmless, but in addition to them, in the letter, there is also an Excel file that is malicious. Once the user opens the file and includes mapping macro - virus enters the system. After that, the difference begins: if Petya/Misha tried first to control the hard disk and obtain administrator rights, the GoldenEye first encrypts all files in a standard way, and only then tries to install MBR bootkit, to close the user access to the hard drive. This virus does not use the "brand" extension, and assigns different extensions of a random eight-character to each file. Ransom amount is 1.33 BTC (about $ 1,000)

Thus, the virus carries biphasic scheme that aims to obtain 100% result. First phase starts "Misha", and carries normal data encryption. After that, the virus displays a message to the user with the requirements of redemption and payment information. After showing the message the virus starts the phase "Petya", that is, the MFT encryption, to prevent any operations with the data on the hard drive. This is the main difference of GoldenEye from other ransomware. Typically, viruses are only threatening to delete files when you try to decrypt them by yourself, but do not take any active steps, relying on the complexity of the encryption. GoldenEye (if Petya phase is successful), has full control of all data on a user's computer. The MFT encryption process is masked by a false chkdsk screen, and when the encryption is completed - we see the familiar "Jolly Roger", composed of yellow characters. It is also a reference to the virus Petya+Misha, but in previous versions of these characters were green or red.

How to remove GoldenEye

Unlike other ransomware, the removal of GoldenEye could cause problems, especially if the phase of "Petya" was successful, and the virus was able to encrypt the MFT. We give you instructions that work for the rest of ransomware, but in this case they might not work. However, other ways to remove GoldenEye does not yet exist. If, following our instructions, you can not remove the GoldenEye, it is only one way left - to copy the encrypted data and reinstall Windows (or use System Restore Service).

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe ->Disable unknown programs in the Startup tab

Startup

Step 3. Check hosts file

Modify hosts file, that located in C:\Windows\System32\drivers\etc\ .

Hosts file.Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file.Step 2

It has to look like this:

Hosts file.Step 3

Step 4. Scan the system with antiviral scanner

 

Antivirus scanner

Why we recommend SpyHunter antimalware as removal tool

Removes virus fully: all files and even registry keys of malware will be deleted

Protects your system in the future

24/7 free support team

bwd  Instructions 1/2  fwd

Step 5. Disable Safe mode

Start -> Msconfig.exe ->Disable Safe boot in the Boot tab

Deactivate Safe mode

Add comment

Security code
Refresh

This website uses cookies to improve your experience. If you continue using the site, we will assume that you accept our cookies policy.