How to remove Sobig virus and restore encrypted files

Sobig ransomware virus

This page is about a piece of ransomware called Sobig that infects users' computers in many countries and encrypts their files. In this entry we have compiled what is known about Sobig and how to remove it from your workstation. We will also explain how to recover the encrypted data, where that is possible.

Sobig ransomware has infected hundreds of machines around the world through the most basic route: fraudulent e-mails with malicious attachments. The criminals also use exploits to infect PCs, but those get patched quickly, so the attachment route remains the main one. After infection, the malware scans the disk for the folders it will encrypt and estimates how valuable their contents are to the victim. Any modern ransomware knows how to encrypt images, video, text and audio in all of the common formats, and business documents get special attention, because medium and large companies are the priority target. Installed programs are usually left intact; the criminals are after data, not software. The encryption is done with the well-known RSA and AES algorithms, and the key sizes involved make brute force infeasible. That is what makes ransomware so effective: an ordinary PC user, however skilled, cannot decrypt the files on his own and is pushed towards paying. The only way the criminals offer to get the data back is to visit their site and buy the key, with no guarantee that they will deliver. Occasionally researchers recover keys by exploiting flaws in the malware's own code, which is where free decryptors come from.

For every kind of malware one thing is true: it is far simpler to prevent an infection than to cure it. For ransomware this matters most, because, unlike ordinary unwanted software, removing the program does not undo what it did: the files stay encrypted. To protect yourself, keep these few simple rules in mind:

    • Do not approve changes to your computer requested by unknown software. Once ransomware is on a machine it tries to delete the shadow copies of your data to make recovery harder. Deleting shadow copies needs administrator rights, which on a default Windows installation means a User Account Control prompt that the user has to confirm. If you refuse that prompt for a program you do not recognise, you keep the chance to restore the lost files for free.
    • Be careful with e-mails that carry attachments. If the message comes from an unknown sender and talks about a prize you have won, a lost parcel or something similar, it is almost certainly a scam. The second common kind is forged business correspondence: invoices, CVs, lawsuits, claims and other sensitive documents do not arrive unannounced, and at a minimum you should know who the sender is. Anything else should be treated as fraud.
    • Watch the state of your workstation. Encrypting files is expensive work that consumes a noticeable share of the machine's resources. If you see a sudden drop in performance or an unfamiliar process in Task Manager, shut the workstation down, boot it into Safe mode and run an anti-malware scan. If the computer really is infected, this can save much of your data.
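The three precautions above can be turned into a quick read-only check. The following script is an added example, not part of the original page or of any vendor's tooling; it assumes Windows 10 or 11 and an elevated PowerShell prompt. The `$MinCpuSeconds` threshold and the "running from the user profile" heuristic are my own choices and nothing here deletes or changes anything.

```powershell
# Added example (not from the original page): read-only checks that
# correspond to the three precautions above. Run from an elevated
# PowerShell prompt on Windows 10/11. Nothing is deleted or modified.

function Test-UacEnabled {
    # UAC is what produces the "confirm changes" prompt that ransomware
    # has to get past before vssadmin/wmic can delete shadow copies.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -Name EnableLUA, ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UacEnabled      = ($p.EnableLUA -eq 1)
        # 0 = "elevate without prompting", which removes the user's veto
        SilentElevation = ($p.ConsentPromptBehaviorAdmin -eq 0)
    }
}

function Get-ShadowCopySummary {
    # An empty result on a machine that should have System Protection
    # enabled is a warning sign: either it was never on, or something
    # already removed the copies.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName
}

function Get-SuspiciousProcesses {
    param([int]$MinCpuSeconds = 30)   # assumed threshold, tune to taste
    # Heavy CPU use by an unsigned binary, or one living in the user
    # profile, is the pattern the third precaution describes.
    Get-Process | Where-Object { $_.Path -and $_.CPU -gt $MinCpuSeconds } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name      = $_.Name
                ProcessId = $_.Id
                CpuSec    = [math]::Round($_.CPU)
                Path      = $_.Path
                Signature = $sig.Status
                InProfile = $_.Path -like "$env:USERPROFILE*"
            }
        } |
        Where-Object { $_.Signature -ne 'Valid' -or $_.InProfile } |
        Sort-Object CpuSec -Descending
}

Test-UacEnabled
Get-ShadowCopySummary
Get-SuspiciousProcesses | Format-Table -AutoSize
```

A process listed by the last function is not automatically malware (build tools and games trip the heuristic too), but an unsigned, CPU-heavy binary under the user profile is exactly what should make you pull the plug and boot into Safe mode.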

Removing Sobig is not the happy ending; it is only the first step on the long road to getting the files back. Deleting the malware does not restore the data; that needs the additional work described in the next part. To remove Sobig, boot into Safe mode and scan the system with an antivirus product. We do not recommend trying to remove it by hand, because ransomware often carries defensive mechanisms that work against you: some modern families delete all or part of the encrypted data when they detect removal attempts. To avoid that, follow the instructions below.

Removal instructions

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the Boot tab, tick Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe -> on the Startup tab, disable programs you do not recognise (on Windows 8 and later this tab redirects to Task Manager)


Step 3. Check hosts file

Inspect the hosts file located in C:\Windows\System32\drivers\etc\ .

Hosts file.Step 1

Open the file with Notepad (run as administrator) and delete any suspicious lines, for example entries that point antivirus or Windows Update domains at 127.0.0.1 or an unknown address.

Hosts file.Step 2

It should look like this (a stock Windows hosts file contains only comment lines beginning with #):

Hosts file.Step 3

Step 4. Scan the system with an antivirus scanner

Antivirus scanner

This page recommends SpyHunter for the scan. Note what you are getting: SpyHunter's free scanner only detects threats (malicious files and malware registry keys). If it finds infected items, removing them requires purchasing the removal tool for $39.99, or using the free trial, which covers one remediation and removal after a 48-hour waiting period. Uninstall steps, the EULA, Privacy Policy and Threat Assessment Criteria are linked from the vendor's site. Any reputable antivirus product that can run in Safe mode will do for this step.

Step 5. Disable Safe mode

Start -> Msconfig.exe -> untick Safe boot on the Boot tab

Deactivate Safe mode
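The five steps above, as an added PowerShell example so they can be repeated and logged rather than clicked through; this is not from the original page or from any product mentioned on it. It assumes an elevated prompt on Windows 10/11. The two bcdedit calls are what msconfig's Safe boot checkbox does; everything else is read-only, and you still review the output and disable or delete entries yourself.

```powershell
# Added example (not from the original page): steps 1-5 as PowerShell.
# Run elevated. bcdedit edits the boot configuration; the Get-* functions
# only read. Review output before disabling anything.

function Enable-SafeBoot {
    # Step 1: same as msconfig -> Boot -> Safe boot (Minimal).
    # Takes effect on the next reboot; use 'network' for Safe mode with networking.
    bcdedit /set '{current}' safeboot minimal
}

function Disable-SafeBoot {
    # Step 5: same as unticking Safe boot in msconfig.
    bcdedit /deletevalue '{current}' safeboot
}

function Get-StartupEntries {
    # Step 2: the Run/RunOnce keys plus what the Startup tab shows.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Provider metadata that Get-ItemProperty attaches to every key
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($meta -contains $name) { continue }
            [pscustomobject]@{ Source = $key; Name = $name; Command = $props.$name }
        }
    }
    Get-CimInstance -ClassName Win32_StartupCommand |
        ForEach-Object {
            [pscustomobject]@{ Source = $_.Location; Name = $_.Name; Command = $_.Command }
        }
}

function Get-SuspiciousHostsLines {
    # Step 3: a stock Windows hosts file is all '#' comments, so any
    # active line deserves a look (AV or update domains sent to 127.0.0.1
    # or to an unknown IP are the classic sign). Read-only.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }
}

# Order of use: Enable-SafeBoot, reboot, then in Safe mode run the two
# Get-* functions, scan with your antivirus (step 4), then Disable-SafeBoot
# and reboot normally.
Get-StartupEntries | Format-Table -AutoSize
Get-SuspiciousHostsLines
```

Forgetting Disable-SafeBoot leaves the machine booting into Safe mode every time, which is the usual complaint after following msconfig-based guides; running it before the final reboot avoids that.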

If you have completed all the steps above, it is time to recover the data. Strictly speaking this is not decryption, because the encryption the criminals use is too strong to break. Usually the victim has to ask for help on specialised forums, or from well-known ransomware researchers and antivirus vendors, who publish free decryptors when a flaw in a particular family is found. If you cannot wait and want to try recovering the data yourself, see the article on file decryption.
