[[email protected]].cmd Virus - How to remove

While there is no neat way to name this virus, I will refer to it as [[email protected]].cmd. The malware that renames many of your files by adding the string “[[email protected]].cmd” is more dangerous than it might look at first glance: it changes not only the names of the files, but the files themselves on the inside. This file-encrypting ransomware is part of the Dharma family and, if you didn’t have a backup of your data, the situation is pretty bad.

Some people choose to say goodbye to their files and just reinstall the operating system after such a devastating infection. However, this isn’t an option if you need some of those corrupted files. [[email protected]].cmd breaks pictures, songs, movies, but also documents, spreadsheets, archives, and other files that might be very important to the victim.

You can remove the virus and continue using your computer, but the files will remain locked. Tentatively, it might be possible to recover some data without paying the ransom. Those methods often only work partially and have mixed results, but it’s worth trying them. [[email protected]].cmd is very similar to Bkp, Pdf, and other Dharma viruses: the newer ones don’t have a free public decrypter, even though the oldest Dharma does.

Files are encrypted by [[email protected]].cmd

The goal of the [[email protected]].cmd ransomware is to lock away as much data as possible while still allowing the operating system to function. Then, the virus displays a window with instructions for contacting the criminals who infected you with this virus, as well as instructions for buying cryptocurrency.

Despite them still being on your computer, [[email protected]].cmd is holding your files for ransom. It’s like having your valuables put into a safe in your home — but someone else is refusing to give you the key.

This is possible thanks to encryption. Normally, it’s a great way to keep information private while exposing it; encryption allows meaning to be encoded in random-looking ciphertext which can be decoded with only the special decryption key. However, [[email protected]].cmd is built in a way that only the criminals who spread this virus know this key.

The key is unique to you and it can’t normally be guessed, brute-forced, or otherwise broken. That’s why the methods of restoring your lost data listed in the section below don’t rely on decryption but on other methods, such as not yet overwritten data on a disk.

[jsmith1974@mail.fr].cmd ransom text

Should you pay?

Of course, you might be able to unlock most of your data by paying the ransom to the criminals. They even give their email in the name of every locked file — [[email protected]].cmd. There are great risks with paying, though:

  • Technical difficulties usually mean that some of your files will still be broken in some way.
  • The ransom is usually very large — a few thousand dollars.
  • The criminals could remember you and try to target you later, believing that you’re rich enough to afford more ransom payments.
  • There is actually no guarantee that the extortionists won’t ignore you — some don’t care enough to do anything after they receive their money.
  • Allowing the criminals any kind of access to your computer is dangerous because they might try to extract private information or install some malicious software.
  • Paying the ransom only encourages the distributors of [[email protected]].cmd to continue their activity which hurts people.

Ideally, you would have a backup from which to recover the files, but that isn’t always the case. Some victims of ransomware don’t have the luxury to make choices — they need their files. If you choose to pay the ransom, make sure to not reveal unnecessary information to the criminals, use a clean device to securely make your payments, and wipe the computer of all malware afterward.

How [[email protected]].cmd infects computers

Knowing how [[email protected]].cmd infects machines is important for avoiding this sort of infection in the future. Backups remove the real impact of the virus, but each infection still wastes your time and carries the risk of spyware, backdoors, and other malware being installed on your computer.

Malicious spam campaigns are used to distribute the virus. A downloader is attached to a generic email in the form of a Doc, Js, executable file, or something else. The expectation is that the recipient of this spam email will be curious enough to open the attachment, which will install the [[email protected]].cmd ransomware.

Such installers can also be accidentally downloaded when they’re hidden in files online, especially illegitimate files. If you pirate programs, ransomware is a very real danger.

Remote Desktop can be used to infect computers with [[email protected]].cmd, so if you have RDP or another remote access tool enabled, take all the usual security precautions. If you don’t, it’s only a matter of time until criminals try to break your credentials and install all kinds of malware on your machine.
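
Added example (not from the original article): a read-only PowerShell check of the local RDP configuration, followed by a count of failed network logons per source address, which is the trace that credential guessing leaves in the Security log. Run it from an elevated prompt; the 24-hour window and the top-10 cut-off are arbitrary choices.

```powershell
# Read-only audit of local RDP exposure (added example, changes nothing on the system).
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

[pscustomobject]@{
    # fDenyTSConnections = 0 means Remote Desktop accepts connections
    RdpEnabled  = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means Network Level Authentication is required
    NlaRequired = (Get-ItemProperty -Path $tcp).UserAuthentication -eq 1
    Port        = (Get-ItemProperty -Path $tcp).PortNumber
} | Format-List

# Failed logons (Security event 4625) in the last 24 hours, grouped by source address.
$since = (Get-Date).AddHours(-24)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named fields from the event XML instead of relying on positions.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        # LogonType 10 = RemoteInteractive; 3 = Network, which is what RDP with NLA records.
        if ($data['LogonType'] -in '3', '10') {
            [pscustomobject]@{ Source = $data['IpAddress']; User = $data['TargetUserName'] }
        }
    } |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name,
        @{ Name = 'UsersTried'; Expression = { @($_.Group.User | Sort-Object -Unique).Count } }
```

A source address with many failures spread over many user names, on a machine where `RdpEnabled` is true and `NlaRequired` is false, is the situation the paragraph above warns about.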

How to remove [[email protected]].cmd

As for fixing the situation after an infection, you can use Spyhunter or any other competent antivirus program (the one you already have installed might have been disabled by [[email protected]].cmd, as modern ransomware often does this). Most security programs detect [[email protected]].cmd, as shown by this VirusTotal report.


The locked “…[[email protected]].cmd” files should remain untouched — they are not infected, only locked. There’s very little hope that there’ll be a way to recover them, but you can keep those files just in case.


How to recover [[email protected]].cmd Virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available from before the ransomware infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.
 

Step 2. Complete removal of [[email protected]].cmd Virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to the ransomware. You can check other tools here.

Step 3. Restore [[email protected]].cmd Virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually the ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
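
Added example (not part of the original guide): a PowerShell script, run from an elevated prompt, that lists the shadow copies that survived and copies every snapshot version of one file to a recovery folder. `$OriginalPath` and `$OutDir` are placeholder values; a snapshot taken before the infection holds the file under its original name, so the path is given without the ransomware suffix.

```powershell
# Added example: check which shadow copies survived and pull one file out of each.
param(
    [string]$OriginalPath = 'C:\Users\Public\Documents\report.docx',  # placeholder: pre-infection name
    [string]$OutDir       = 'D:\recovered'                            # placeholder: use a clean drive
)

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning 'No shadow copies found; they were most likely deleted. Move on to Step 4.'
    return
}
$shadows | Format-Table ID, InstallDate, VolumeName, DeviceObject -AutoSize

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Path of the file relative to the root of its drive, e.g. "Users\Public\Documents\report.docx"
$relative = (Split-Path -Path $OriginalPath -NoQualifier).TrimStart('\')
$leaf     = Split-Path -Path $OriginalPath -Leaf

$i = 0
foreach ($s in $shadows) {
    $i++
    $link = Join-Path $env:SystemDrive "shadow_$i"
    # Expose the snapshot as a folder; mklink needs the trailing backslash on the device path.
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        # Snapshots of other volumes simply will not contain the path and are skipped.
        $candidate = Join-Path $link $relative
        if (Test-Path -LiteralPath $candidate) {
            $stamp = $s.InstallDate.ToString('yyyyMMdd-HHmmss')
            $dest  = Join-Path $OutDir ("{0}_{1}" -f $stamp, $leaf)
            Copy-Item -LiteralPath $candidate -Destination $dest
            Write-Output "Recovered $dest"
        }
    }
    finally {
        cmd /c rmdir "$link" | Out-Null   # removes only the link, never the snapshot itself
    }
}
```

Each recovered copy is prefixed with the snapshot's creation time, so the newest version from before the infection is easy to pick out.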

Step 4. Use Data Recovery programs to recover [[email protected]].cmd Virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive to it as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.