How to decrypt files is a severely nasty piece of ransomware that has recently victimized many PC users all over the world and earned its operators large illegal profits. It is usually downloaded via malicious drive-by-download scripts on corrupted porn and shareware/freeware websites, installed through spam email attachments, media downloads and social networks, or executed by other threats already on the system. Once it has made its way onto your PC, it launches itself automatically every time Windows starts, then damages your programs by running many dangerous and unstoppable tasks in the background. After that, it uses its code to infect all your files, such as media files (images, music, videos, docs, txts, etc.). The ransomware is also believed to attack Windows backup and delete the File History. File recovery software may not help much either.

Before we decrypt any files we must get rid of the ransomware. To do so just follow these steps:

Step 1:

Reboot in Safe Mode


Step 2:

The first thing you must do is Reveal All Hidden Files and Folders.

  • Do not skip this. The ransomware may have hidden some of its files.

Hold the Start Key and press R, then copy and paste the following and click OK:

notepad %windir%/system32/Drivers/etc/hosts

A new file will open. If you are hacked, there will be a bunch of other IPs connected to you at the bottom.
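The same check can be scripted. The PowerShell below is an added example, not part of the original guide: it lists every active hosts-file entry other than the default loopback-to-localhost mapping so you can review it. The function name `Get-SuspiciousHostsEntry` and the sample lines are constructed for illustration.

```powershell
# Added example: list active hosts-file entries that are not the default
# loopback -> localhost mapping. Function name is hypothetical.
function Get-SuspiciousHostsEntry {
    param(
        # Lines of a hosts file; defaults to the live file opened in Step 2
        [string[]]$Lines = (Get-Content "$env:windir\System32\drivers\etc\hosts")
    )
    $loopback = @('127.0.0.1', '::1')
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        # Strip comments and surrounding whitespace; skip empty lines
        $text = ($line -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        # Hosts format: one address, then one or more host names
        $fields  = $text -split '\s+'
        $address = $fields[0]
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            $isDefault = ($loopback -contains $address) -and ($name -eq 'localhost')
            if (-not $isDefault) {
                [pscustomobject]@{ Line = $lineNo; Address = $address; HostName = $name }
            }
        }
    }
}

# Constructed sample input (not taken from a real infection)
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '#    127.0.0.1       localhost',
    '127.0.0.1   localhost',
    '',
    '203.0.113.10   update.example.com   # constructed entry',
    '0.0.0.0        av-vendor.example'
)
Get-SuspiciousHostsEntry -Lines $sample | Format-Table -AutoSize
```

Call `Get-SuspiciousHostsEntry` with no arguments to read the live hosts file. An entry in the output is something to review, not proof of infection, since administrators and some software add legitimate entries.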


Type msconfig in the search field and hit Enter. A window will pop up.

Go to the Startup tab and uncheck entries that have “Unknown” as Manufacturer.

Step 3:

Press CTRL + SHIFT + ESC simultaneously. Go to the Processes tab. Try to determine which processes belong to the virus. Google them.

Right click on each of the virus processes separately and select Open File Location. End the process after you open the folder, then delete the directories you were sent to.


Step 4:

Type Regedit in the Windows search field and press Enter. Once inside, press CTRL and F together and type the virus’s name.

Search for the ransomware in your registries and delete the entries. Be extremely careful: you can damage your system if you make a big mistake.

Type each of the following in the Windows Search Field:

  1. %AppData%
  2. %LocalAppData%
  3. %ProgramData%
  4. %WinDir%
  5. %Temp%


Now let's decrypt your files

Fortunately for all of us, Kaspersky has kindly provided users with a free decryptor. It is called RakhniDecryptor and you can download it from Kaspersky’s virus fighting utilities page.

Here is how to decode your files using RakhniDecryptor:

Step 1: Download and start RakhniDecryptor.exe.


Step 2: Click on the “Start Scan” button. It will open a window from which you can select a file to decrypt.


Step 3: Look for the files that are most important to you and select them first, because decryption may take some time. A good strategy is to attempt decrypting smaller files first: if the files share the same password, the tool can then decrypt the other, larger files automatically using that password.

Step 4: Change your computer’s settings to prevent it from shutting down automatically. Here is how to stop your PC from shutting down.

1) Press the Start Key + R and then type “powercfg.cpl”.


2) After the power plan window has opened, go to Change plan settings for your current power plan.


3) Once you are there, set everything to “Never” from the drop-down menus and then click “Apply”.


4) Close the Change plan settings window and reopen it. Everything should now show as saved to “Never”. After this is done, click on the blue highlighted text saying “Change advanced power settings”.

5) Check the Hard Disk option and, if there are any remaining times, switch them to Never by clicking on the highlighted text.

Finally, click on Apply and close the window, and you are done. Make sure your computer is plugged into AC power and the power plan with the changed settings is active. Decryption may take from several hours to several days; it really depends.
