TBlocker virus - How to remove

TBlocker virus is a dangerous ransomware infection that will try to rip you off for $300. It serves both as a file locker and a screen locker, so if you get infected with this virus, you will have a lot of problems to deal with.

If your computer is suffering from TBlocker, or you simply want to learn more about this virus, please keep reading. We will provide valuable information about this malware as well as the best methods to remove the virus itself and restore locked files.

“_” extension used to encrypt the files

It is almost a common trait for ransomware viruses to be distributed using spam email campaigns. We have seen viruses like MBRlock ransomware or Defender ransomware infect computers this way, and this time is no different.

The scheme of this infection method is plain and simple: hackers send out millions and millions of emails with ransomware files attached to random email addresses. Some users fail to recognise the threat and open those attached files.

If TBlocker manages to get inside your computer, it will automatically scan it for files that can be locked. Sadly, this virus is advanced and is capable of encrypting most of the common file types, including text documents, audio and video files, images and so on.

It employs strong RSA 2048 encryption to lock those files and adds a unique “_” extension to the end of every single one of them. So let’s say you had a file named “document.docx”; it will be renamed to “document.docx_”. From this moment you will not be able to open or use this file in any way.

After successful encryption, this virus will establish a connection with a remote server owned by the cyber criminals and send information about the infected computer there. The criminals will also generate and assign a unique ID to the infected computer in order to manage their data. The ID is also needed to generate the decryption key that is supposed to unlock the files after successful payment of the ransom.
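To scope the damage before attempting a restore, the renaming pattern described above can be used to inventory affected files. The following is an added example, not part of the original article: the function names and the sample tree are constructed, and it matches on file names only, so a hit shows the “_” suffix and not proof of encryption.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = "_"  # suffix the article says TBlocker appends, e.g. document.docx_

def find_marked_files(root):
    """Yield (path, original_name) for files named <name>.<ext>_ under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            original = name[:-len(MARKER)]
            # Require a real extension before the marker so names such as
            # "notes_" or "_" are not reported as affected files.
            if name.endswith(MARKER) and Path(original).suffix:
                yield Path(dirpath) / name, original

def summarize(root):
    """Count marked files per original extension and list unmarked originals."""
    by_ext, intact = Counter(), []
    for path, original in find_marked_files(root):
        by_ext[Path(original).suffix.lower()] += 1
        # An unmarked file with the original name may be a surviving copy.
        if (path.parent / original).exists():
            intact.append(path.parent / original)
    return by_ext, intact

def build_sample(root):
    """Constructed sample tree; file names and contents are made up."""
    for rel in ("docs/document.docx_", "docs/report.PDF_", "pics/cat.jpg_",
                "pics/cat.jpg", "docs/notes_", "docs/readme.txt"):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        counts, intact = summarize(tmp)
        for ext, n in sorted(counts.items()):
            print(f"{ext}: {n} file(s) carrying the '{MARKER}' suffix")
        for p in intact:
            print("unmarked copy still present:", p.relative_to(tmp))
```

Run it read-only against the affected drive, ideally attached to a clean machine, and keep the resulting list to check which files a restore actually brought back.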

Immediately after that TBlocker will lock your screen and display this message on it:

Deveice blocked by TBlocker
All your files have been encrypted with a key that we only have. If you want to retrieve the files pay by bitcoin to: 19f8a8va89v8aim2f9a the sum of $ 250. The system has been compromised, it is not possible to exit. At the expiration of time all your files will be made public on the internet, and the PC will be permanently locked! PWD BY TOM580933 (WHITE54BIT) – VISIT TOMH.IT

You can see that the cyber criminals behind the TBlocker infection are good at social engineering: they create tension by limiting the time in which the ransom needs to be paid. According to the message, if you fail to do that within the next 24 hours, your personal files will be published online and your computer will be locked permanently.

The ransom is $250 and it should be paid in Bitcoins (due to anonymity). Even though a couple of hundred dollars might not seem like a big deal, we do not recommend paying the ransom. There is no guarantee that your files will be unlocked even if you do pay, so it’s better not to take the risk.

There are other methods to remove TBlocker virus and retrieve your files. First of all, you need to unlock your computer and remove the malicious files of the virus. You can do that by following the instructions provided below. Note in advance that you will have to download Spyhunter for this task. Feel free to choose whichever program you prefer.

Next, in order to unlock files, you will have to perform a system restore. There is one condition though – you need to have a valid copy of your hard drive that was made before the date of infection and was not corrupted by the virus.

How to recover TBlocker virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available from before TBlocker virus infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.

Step 2. Complete removal of TBlocker virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to TBlocker virus. You can check other tools here.

Step 3. Restore TBlocker virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually TBlocker virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover TBlocker virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.