How to remove GoldenEye virus and restore encrypted files



At the beginning of 2016, Petya+Misha ransomware was one of the most dangerous viruses on the Internet, and there was no way to get rid of it. It was later displaced by viruses such as Locky and Cerber, which were much more dangerous and demanded much more money. A few days ago we received a report about new ransomware called GoldenEye. Well-known malware analysts have since written on Twitter that GoldenEye is a new version of Petya+Misha ransomware, and it appears to be extremely dangerous. This article will help you understand what ransomware is and how GoldenEye differs from its predecessors and from other ransomware.

What is GoldenEye


First of all, we should say that GoldenEye ransomware is, for now, the most dangerous ransomware in the world. It is actually a combination of two components: one is responsible for encrypting files, and the other for encrypting the MFT (Master File Table). In the original version of Petya+Misha, Misha encrypted the data on the hard drive, and Petya encrypted the MFT to prevent the user from accessing files. The problem was that Petya ran first, and its actions often caused system crashes, BSODs and other failures that interrupted the encryption process. In the current version, MFT encryption takes place after the usual encryption of data.

GoldenEye does not follow the common habit of giving encrypted files an extension similar to the name of the virus. Each encrypted file gets an extension of 8 random characters. The ransom is 1,33 BTC, which is almost $1850. Those are the basic characteristics of the virus; now we will explain how GoldenEye is distributed, how it infects the computer and how it acts after the infection.

Ransomware developers usually distribute their products through e-mail spam. This method is simple and requires little effort. It is also preferred because it provides maximum safety for the hackers themselves: free e-mail services don't ask the user for a real name, address or other personal information, so hackers just create hundreds of fake mailboxes and send thousands of e-mails. GoldenEye uses letters in the form of a job applicant's resume. For now the virus affects only German users, so the letters are written in German. They follow a few basic templates and contain a short letter to the imaginary employer, a PDF file and an Excel spreadsheet. The PDF file contains the resume, just to lull the user's attention; the Excel file is the malicious one. As in all other cases of ransomware infection, the user has to invite the virus into the system. When the user opens the attached file, an empty Excel spreadsheet appears with a message that some content can't be seen because macros are disabled. When the user enables macros, the process of infection begins. It is carried out by a VBA macro that downloads a DLL file onto the user's PC. That file is placed in the %temp% folder and run with the help of the built-in Windows program rundll32.exe. When the DLL file is executed, it starts the download and installation of the virus.
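The chain described above (Office macro, DLL placed in %temp%, started by rundll32.exe) can be looked for in process-creation logs. The following Python sketch is an added example, not part of the original article; the events are constructed, they use Sysmon Event ID 1 field names, and the list of Office parent processes is an assumption.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption: Office programs that can host the VBA macro described above.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# A DLL located under any Temp directory, anywhere on the command line.
TEMP_DLL = re.compile(r'\\temp\\[^"]*?\.dll', re.IGNORECASE)

# Constructed process-creation records using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\anna\AppData\Local\Temp\sample.dll",Start',
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 8192",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\anna\AppData\Local\Temp\setup_helper.dll,Install",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def match_reasons(event):
    """Return which parts of the chain a process-creation event matches."""
    if basename(event["Image"]).lower() != "rundll32.exe":
        return []
    reasons = []
    if basename(event["ParentImage"]).lower() in OFFICE_PARENTS:
        reasons.append("office-parent")
    if TEMP_DLL.search(event["CommandLine"]):
        reasons.append("dll-in-temp")
    return reasons


def triage(events):
    """Return (index, severity, reasons) for every event worth reviewing."""
    findings = []
    for index, event in enumerate(events):
        reasons = match_reasons(event)
        if reasons:
            severity = "high" if len(reasons) == 2 else "review"
            findings.append((index, severity, reasons))
    return findings
```

Calling `triage(SAMPLE_EVENTS)` marks the Excel-launched rundll32 event as "high" and the Temp-only event as "review"; the ordinary Control Panel call and the Excel print helper are ignored.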

When the virus is installed, it starts to encrypt all data on the user's PC. As soon as this process is over, it displays the ransom note with brief information about the encryption, the ransom amount and the payment method. After that, the second phase of encryption begins: the virus displays a fake chkdsk screen to hide the MFT encryption that is carried out by the other part of the virus. When this process is over, GoldenEye has full control over the user's data.




How to remove GoldenEye ransomware and decrypt the files

As you can see, this virus differs from others, and the most important difference is that it can't be removed by the usual methods, especially if the MFT encryption has been completed. For this reason, we provide instructions for manual removal, but we can't guarantee that they will help. The most secure and reliable way to get rid of the GoldenEye virus and recover data is to use a backup or system recovery. If you have no backups and no suitable restore point, then all you can do is copy all files and reinstall Windows. We hope that these instructions will help you, as well as the information about file recovery listed in this article.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

  • Select Boot tab

  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

  • Select Appearance and Personalization

  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

  • Press Ok


Step 3. Remove virus files


Check the following folders for suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys:
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot
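
An added example, not part of the original article: a Python sketch that reads the text printed by `reg query` for the Step 5 keys and lists values that launch something from the Step 3 folders or add a program to Userinit. The sample output is constructed, and the default Userinit path assumes Windows is installed on C:.

```python
import re

# One value line of `reg query` output: 4-space indent, name, type, data.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")
# Folders the article says to inspect in Step 3.
WATCHED = re.compile(r"(%temp%|\\temp\\|%programdata%|\\programdata\\)", re.I)
# Default Userinit program (assumes Windows is installed on C:).
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"

# Constructed `reg query` output for keys listed in Step 5.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Sync Helper    REG_SZ    "C:\ProgramData\sync\helper.exe" /start

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    tmp1    REG_SZ    rundll32.exe C:\Users\anna\AppData\Local\Temp\example.dll,Start

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\ProgramData\init2.exe,
"""


def parse_reg_query(text):
    """Yield (key, value_name, data) for each value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        else:
            match = VALUE_LINE.match(line)
            if match and key:
                yield key, match.group(1), match.group(3).strip()


def review_autoruns(text):
    """Return (key, name, reason) for entries a person should inspect."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if name.lower() == "userinit" and key.lower().endswith("winlogon"):
            # Userinit is a comma-separated list; anything extra is suspect.
            extra = [p for p in data.lower().split(",")
                     if p.strip() and p.strip() != USERINIT_DEFAULT]
            if extra:
                findings.append((key, name, "extra Userinit program"))
        elif WATCHED.search(data):
            findings.append((key, name, "runs from Temp or ProgramData"))
    return findings
```

Legitimate software sometimes starts from ProgramData, so the findings are a list to check by hand rather than a list to delete.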


0 #1 Ninja 2019-02-06 03:23
how u hit start if mbr overwritten
