How to remove GIBON virus and restore encrypted files

The article is dedicated to ransomware called GIBON which gets onto customers' machines around the world, and corrupts their files. Here you will see full information on GIBON's essence, and the deletion of GIBON from your system. Furthermore, we'll teach you how to get back the cyphered data, if possible.

GIBON is the unwanted software getting into PC's mostly with help of Trojans and phishing e-mails. Sometimes web-criminals use exploits to infect the computer, but they are quickly corrected. After penetration, ransomware examines the computer memory to find the files to be cyphered and their rough price. Nowadays, any new virus knows how to encrypt video, text, audio and image files in all popular formats. GIBON cyphers all folders, but those that look like business records go first. All software in the system will be untouched because hackers are interested only in information. Encryption is made through world-known encryption algorithms, and its intricacy is so high that it can't be bruteforced. This is the reason for such an incredible success of this type of viruses in last years: an ordinary user, even having a pretty high knowledge of the PC, won't ever recover the data, and will have to pay the price. When encrypting files, GIBON switches the extension of files to .encrypt. The single way to recover files is to hack the scammer's site and retrieve the encryption keys. Sometimes it is possible to get encryption keys via faults in the code of the virus itself. 


Virus changes extension of files


The computer knowledge is extremely significant in our world, because it helps you to protect the computer from harmful programs. It's sad to say, but 90% of users see the significance of computer literacy only after ransomware infection. It's very easy to decrease the chances of getting ransomware by following these rules:

    • Take notice to the pop-ups. The simplest method of information recovery is the restoration via Shadow Copies, and hackers have included the elimination of SC in the primary functionality of ransomware. However deleting of copies requires admin rights and confirmation from the operator. The second of thought before confirming the changes might save your data and your money.
    • Attentively study your mailbox, specifically the messages which have files attached to them. If such a letter comes from an unknown user and it notifies about earning any prize, a lost package or anything like that, this could be a fraud message. The other common type of fraud messages is a forgery for biz correspondence. It is OK to take an interest and click on the e-mail even if it's sent to the wrong address, but don't forget that one click on the attached file can cost you a lot of money, efforts and time.
    • Keep an eye on the performance of your machine. Information encryption is a intricate process that uses a high amount of system resources. If you notice a sudden decline in PC capacity or see a suspicious string in the Process Manager, you can shut down the laptop, boot it in safe mode, and search for ransomware. These measures, in case of infection, will save some of your data.

Malware uninstalling is not the happy end - it's only a one step from many before the complete data recovery. To get back the files you should read the advices in the special section of our article. In case of ransomware we don't provide the hand uninstall guide, since its complication and the probability of failing will be too high for common user. We do not suggest trying to delete GIBON manually, because it has numerous protection mechanisms which could counteract you. Qualitative ransomware can easily delete corrupted information, or some of it, when trying to uninstall the virus. To neutralize this, follow the instructions under this paragraph.

Removal instruction

If you are MAC user, follow this guide: how to decrypt files on MAC.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program for 39.99$. More information about Spyhunter, EULA and Privacy policy.


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

After erasing GIBON from the computer, user has to recover the corrupted information. It's impossible to reverse the encryption, but we'll get them back using Windows functionality and the particular software. There are the certain chances, but most of the time file recovery takes a lot of time and efforts. If you picked the manual file restore - take a look at this paragraph, which shows how to restore files from backups. Also, you can follow our article: How to restore files.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore
Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 0.00 [0 Votes]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience