Merl File Virus - How to remove

Merl is a file-locking virus, that is, ransomware. It prevents you from accessing your files by encrypting them. Pictures, documents, and various other files are locked by the Merl virus, and a ransom ($490) is demanded of the victim. The criminals responsible for this scheme created Merl to make money, and it seems to be working: Merl is just a new variant of a long-running ransomware family called Djvu. Whether you can fix your files depends on your circumstances, but it’s not impossible, even without paying the ransom.

Short memo on the Merl file virus:

Main features:
  • Renames files to include the second extension “.merl”
  • Creates _readme.txt files
  • Installs Azorult
  • VirusTotal link to Merl

How to unlock the files:
  • Restore from a backup
  • Restore in other ways
  • Use the free decrypter

How to delete the Merl file virus:
  • Unblock cybersecurity sites
  • Use good-quality anti-malware scanners (SpyHunter) to delete the infections
  • Change your passwords

How the file virus is distributed:
  • Infects pirating tools
  • Infects pirated software and other files

How to remove Merl and fix the files

The Merl file virus needs to be removed to stop it from encrypting new files. It might also have installed a spyware trojan on your computer, which makes cleaning it up quite urgent. You can use any competent anti-malware program, like SpyHunter, for this task. You can also delete Merl’s files manually or just reinstall Windows. This will not fix your files, though: they will remain locked. Locked files are not dangerous in this state, so it’s fine to leave them undeleted.

Now you need to decide how you will move forward with getting your files back.

  • If you don’t really need the lost files, you can just delete them and start from scratch.
  • If you have a file backup, you can also delete the locked Merl files and repopulate your computer with your files taken from the backup.
  • If you don’t have a backup, you can try using data recovery tools. For that, you need to have been using a hard disk and to not have used the infected computer a lot. You might be able to recover the data lost when Merl was encrypting your files, but the results depend on a lot of factors. Similarly, some data in big files (like songs, movies, archives) remains unencrypted, so you might be able to extract something useful from them.
  • Check if the Merl virus used the offline key on your files, because if it did, you might get the chance to decrypt them for free. Usually, the indication is a personal ID that ends with “t1”. Check your “_readme.txt” files or your C:\SystemID\PersonalID.txt file – these were created by the Merl virus. The files encrypted with the offline key might be decryptable at some point using Emsisoft’s decrypter for Djvu.
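
The offline-key check from the last bullet can be scripted. The following is an added example, not code from the original page or from Emsisoft; it assumes a personal ID is one unbroken run of 20 or more letters and digits and that PersonalID.txt may hold more than one ID, and both sample texts are constructed.

```python
import re

# Assumption: a personal ID is one unbroken run of 20+ letters and digits.
ID_TOKEN = re.compile(r"\b[0-9A-Za-z]{20,}\b")

# Constructed samples, not taken from a real infection.
SAMPLE_NOTE = """ATTENTION!
Your personal ID:
0000SAMPLEaaaaBBBBccccDDDDeeeeFFFFggggt1
"""
SAMPLE_PERSONALID = """0000SAMPLEaaaaBBBBccccDDDDeeeeFFFFggggt1
0000SAMPLEhhhhIIIIjjjjKKKKllllMMMMnnnnQ7
"""

def extract_ids(text):
    """Return the unique ID-like tokens in text, in order of appearance."""
    seen = []
    for token in ID_TOKEN.findall(text):
        if token not in seen:
            seen.append(token)
    return seen

def classify(ids):
    """Split IDs by the 't1' suffix that usually marks the offline key."""
    return {
        "offline": [i for i in ids if i.endswith("t1")],
        "online": [i for i in ids if not i.endswith("t1")],
    }

def verdict(result):
    """Turn a classification into a one-line recovery outlook."""
    if result["offline"] and result["online"]:
        return "mixed: both offline and online IDs are present"
    if result["offline"]:
        return "offline key: keep the locked files and retry the decrypter later"
    if result["online"]:
        return "online key: rely on backups or data recovery tools"
    return "no personal ID found"

if __name__ == "__main__":
    # On an affected machine, read the real files instead, e.g.
    # open(r"C:\SystemID\PersonalID.txt", errors="replace").read()
    for name, text in (("_readme.txt", SAMPLE_NOTE),
                       ("PersonalID.txt", SAMPLE_PERSONALID)):
        print(name, "->", verdict(classify(extract_ids(text))))
```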

There is another possibility: you could pay the criminals. However, that’s not advised by experts or by law enforcement. The main reasons are that giving criminals money is supporting their endeavors and encouraging them to hurt more people in the future. The Merl file virus would not exist if no victims of ransomware paid the ransom. There is also the fact that, sometimes, criminals trick and abuse victims – they take the money and ask for more, they fail to send the correct decryption key, etc.

If you do decide to pay the ransom, be very careful. Because Merl spreads with a spyware trojan (it’s called Azorult), anything sensitive you do on the infected computer could be exposed to cyber-criminals. So use another device or clean your computer first. And make backups of the files locked by the Merl file virus. Always have redundant copies of the locked files until you manage to decrypt them. And if you get decryption keys from the criminals, consider using Emsisoft’s decrypter – it’s better, safer, and easier to use than the criminals’ tool.

How Merl works

Encryption

The Merl file virus is recognized by how your files get the “.merl” extension appended to their names. For example, “picture.jpg.merl” could be the name of a file attacked by Merl. The files can’t be opened.

The Merl virus locks your files by using cryptography. Cryptography is basically a way to hide information by rearranging data in a reversible way. Merl uses an asymmetric algorithm with a unique encryption key for each victim, with only the cyber-criminals knowing the keys. So the only way to reverse the damage that this file virus did is to get the keys. I mentioned in the previous section the offline key – that’s a key that Merl should use to lock your files if it can’t download a unique key from the criminals’ command and control server. But someone still needs to buy this key from the criminals.

This knowledge is based on the previous Djvu viruses, including Gesd, Righ, and Hets.

Distribution

The Merl virus spreads on piracy sites. Cracking and activating tools can be infected – these are programs that let you use a commercial, paid program without paying for a license (illegally, of course). Activated software products and various free programs are infected with Merl and distributed online. Usually, this is done on low-quality sites, but even those with good security get infiltrated by the people responsible for Merl.

When it’s downloaded, the Merl file virus tries to disable your security software and delete restore points, shadow volume copies, and backup folders. It also blocks a lot of cybersecurity sites, which makes searching for information about the infection difficult. And then, Merl creates a bunch of “_readme.txt” files that demand a ransom for the files.

Merl removal

Important -- edit the hosts file to unblock security websites

TL;DR: The hosts file is edited to block security sites.

Before the virus can be removed, it's necessary to fix the hosts file (the file which controls which addresses connect to which IPs). This infection edits the file to stop certain websites, including anti-malware download sites, from being accessed from the infected computer, making browsers return the "This site can't be reached" error. That is the reason the majority of security websites are inaccessible when infected with this particular parasite. Luckily, it's trivial to fix the file and remove the edits that were made to it.

Find and edit the hosts file

The hosts file can be found at C:/Windows/System32/Drivers/etc/hosts. If you don't see it, change the settings to see hidden files.
  1. In the Start Menu, search for Control Panel.
  2. In the Control Panel, find Appearance and Personalization.
  3. Select Folder Options.
  4. Open the View tab.
  5. Open Advanced settings.
  6. Select "Show hidden files...".
  7. Select OK.
Open this file with administrator privileges.
  1. Open the Start Menu and enter "notepad".
  2. When Notepad shows up in the result, right-click on it.
  3. In the menu, choose "Run as administrator"
  4. File->Open and browse for the hosts file.
The hosts file should look like this (screenshot: hosts file default contents). Delete any additional lines that connect various domain names to the wrong IP address. Save the file.
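
Before editing by hand, the added lines can be listed automatically. The following is an added example, not code from the original page; it assumes that only "localhost" is an expected active entry, and the sample hosts content, the .example names and the address 203.0.113.7 are constructed placeholders.

```python
import ipaddress

# Assumption: only "localhost" is expected; every other active entry is
# reported for review rather than treated as proof of tampering.
DEFAULT_NAMES = {"localhost"}

# Constructed sample; the .example names and 203.0.113.7 are placeholders.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 av-vendor.example
0.0.0.0 www.security-forum.example download.security-forum.example
203.0.113.7 update.av-vendor.example  # unexpected address
"""

def parse_hosts(text):
    """Yield (line_number, ip, names) for every active hosts entry."""
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address
        yield number, ip, [name.lower() for name in fields[1:]]

def suspicious_entries(text):
    """Return active entries that map any non-default name."""
    findings = []
    for number, ip, names in parse_hosts(text):
        extra = [n for n in names if n not in DEFAULT_NAMES]
        if extra:
            findings.append({
                "line": number,
                "ip": str(ip),
                "names": extra,
                # loopback or 0.0.0.0 makes the site unreachable
                "sinkholed": ip.is_loopback or ip.is_unspecified,
            })
    return findings

def cleaned(text):
    """Return the hosts text without the flagged lines."""
    bad = {f["line"] for f in suspicious_entries(text)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(finding)
    print(cleaned(SAMPLE_HOSTS), end="")
```

Review the findings before writing the cleaned text back, since some legitimate software also adds hosts entries.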

Download and run the antivirus program

After that, download antivirus programs and use them to remove the ransomware, the trojan, and other malware, for example Spyhunter (https://www.2-viruses.com/reviews/spyhunter/dwnld/).

How to recover Merl File Virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


For Windows 7 / Vista / XP:
  • Click Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

For Windows 8 / 10:
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points that was created before Merl File Virus infiltrated your system, and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Merl File Virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Merl File Virus.

Step 3. Restore Merl File Virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Merl File Virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Merl File Virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
