GoldenEye Ransomware Removal Guide

Do you know what GoldenEye Ransomware is?

GoldenEye Ransomware is a new infection that encrypts users’ files. Although it was detected only recently, specialists say it is closely related to Petya Ransomware and Mischa Ransomware, which were prevalent some time ago. Like those older threats, GoldenEye Ransomware enters computers to encrypt users’ files: if it infiltrates yours, you will find your pictures, documents, file archives, music and videos encrypted, which means you can no longer open any of them. Ransomware locks files precisely so that its authors can then demand a ransom. Do not transfer money to cyber criminals even if paying seems to be the only way to get the files back. In our specialists’ experience, victims often do not receive the decryption key after paying, so they lose the money as well as the files. Our research team’s advice is to restore files from a backup, or to try the third-party recovery tools available on the market, rather than rushing to pay a ransom.

GoldenEye Ransomware is as nasty an infection as Petya Ransomware and Mischa Ransomware. Judging from the similarities the three share, it is likely that the same cyber criminals distribute one product under several names, and GoldenEye Ransomware is simply the newest of them. Whatever it is called, it starts its dirty work the moment it enters the computer: it encrypts the files stored on the system and appends an extension of eight random characters to each of them, for example .x1y9JSNb. Once it finishes encrypting, it drops a ransom note named YOUR_FILES_ARE_ENCRYPTED.TXT. The note tells users that they have become victims of a malicious application, that all files on the computer “have been encrypted with an military grade encryption algorithm” and that “there is no way to restore your data without a special key.” Naturally, users are offered the chance to buy this key for a certain amount in Bitcoins. It is not worth paying: your files will most probably stay encrypted, and it is equally unlikely that the changes the infection makes to the MBR (Master Boot Record) will be undone once you have transferred the money. Yes, just like its predecessors, GoldenEye Ransomware modifies the MBR to make the computer unusable.
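The two observable traces described above, the eight-character extension appended to each file and the YOUR_FILES_ARE_ENCRYPTED.TXT note, are enough to inventory what was hit before you touch anything. The following script is an added example written for this guide, not code from the original page or from any vendor: it walks a directory tree, counts files whose extension looks like the .x1y9JSNb pattern and locates ransom notes. The heuristic for "random-looking" (eight alphanumeric characters containing at least one digit or capital letter, so that ordinary lowercase extensions such as .manifest are skipped) is ours, and the sample directory it builds is constructed for the demonstration; on a real machine you would point scan_tree at the user profile or the drive root.

```python
"""Inventory files that look like GoldenEye victims: an eight-character random
extension appended to the original name, plus the YOUR_FILES_ARE_ENCRYPTED.TXT
note. Added example, not code from the original guide; the extension heuristic
and the sample directory are constructed here."""
import os
import re
import tempfile

RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.TXT"

# Eight alphanumeric characters, as in the .x1y9JSNb example from the guide.
_EXT = re.compile(r"^[A-Za-z0-9]{8}$")


def is_suspect_name(filename):
    """True when filename ends in a random-looking eight-character extension.

    Requiring a digit or an upper-case letter is our own heuristic (assumption):
    it keeps legitimate lowercase extensions of the same length such as
    .manifest, .settings or .markdown from being reported.
    """
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem or not _EXT.match(ext):
        return False
    return any(c.isdigit() or c.isupper() for c in ext)


def scan_tree(root):
    """Walk root; return encrypted-file paths, ransom-note paths and folder count."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == RANSOM_NOTE:
                notes.append(path)
            elif is_suspect_name(name):
                encrypted.append(path)
    dirs_hit = len({os.path.dirname(p) for p in encrypted})
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "dirs_hit": dirs_hit}


def build_sample_tree():
    """Constructed sample: a temp directory that mimics an infected user profile."""
    root = tempfile.mkdtemp(prefix="goldeneye_demo_")
    layout = {
        "Documents/report.docx.x1y9JSNb": b"ciphertext",
        "Documents/budget.xlsx.Qa7Lm2Zr": b"ciphertext",
        "Pictures/holiday.jpg.m3K8pQ1v": b"ciphertext",
        "Pictures/untouched.jpg": b"\xff\xd8\xff",
        "app.manifest": b"<assembly/>",  # eight lowercase letters: must not match
        "Desktop/YOUR_FILES_ARE_ENCRYPTED.TXT": b"Your files have been encrypted",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_tree(root)
    print(f"{len(result['encrypted'])} encrypted files in {result['dirs_hit']} folders")
    print(f"{len(result['notes'])} ransom note(s) found")
    for p in result["encrypted"]:
        print("  ", os.path.relpath(p, root))
```

The inventory is a triage aid only: it tells you which folders to restore from backup and how many files to keep aside for a future decryptor, it does not recover anything.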

Research carried out by our team has revealed that, at the time of writing, GoldenEye Ransomware is being spread through spam emails. These emails primarily target German-speaking users, but that is no guarantee it will not land on your PC if you live elsewhere. The spam email promoting GoldenEye Ransomware carries two attachments: the first is a .pdf file, the second looks like a harmless .xls file. If the user opens the Excel file and enables the malicious macro it contains, the ransomware is allowed onto the computer immediately. Do not open attachments from spam emails even when they look harmless or seem to contain important documents. If a message from a friend ends up in your spam folder, confirm with that person that it was really sent before opening it. Finally, keep a security application installed and updated if you do not want to infect your computer with malware and lose your files again.
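The lure above is a PDF that does nothing beside an .xls whose macro does everything, so the question worth automating at the mail gateway is "which attachment carries VBA?" rather than "which attachment looks important?". The script below is an added example written for this guide, not code from the original page or from any mail product: it parses a raw message with Python's standard email module and, for each attachment, checks the legacy OLE2 container for a VBA project storage name and, going slightly beyond the page, also checks the newer zip-based formats (.xlsm, .docm) for a vbaProject.bin entry. The sample message and the byte-level markers are constructed for the demonstration; a production filter should use a real parser such as oletools' olevba instead of this marker check.

```python
"""Triage email attachments for the pattern described in the guide: a .pdf plus
an .xls that carries a macro. Added example, not code from the original page.
The sample message and the marker checks are constructed here."""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office / OLE2 container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.xlsm, .docm) is a zip
# OLE directory entries store stream names as UTF-16LE, so the VBA storage name
# appears in that encoding inside the raw file.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
MACRO_EXTS = {".xls", ".xlsm", ".xlsb", ".doc", ".docm", ".dotm", ".ppt", ".pptm"}


def has_macros(data):
    """Crude marker check: does this attachment body look like it carries VBA?"""
    if data.startswith(OLE_MAGIC):
        return VBA_MARKER in data
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage(raw):
    """Parse a raw RFC 5322 message and describe every attachment."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        findings.append({
            "name": name,
            "type": part.get_content_type(),
            "risky_ext": ext in MACRO_EXTS,
            "macros": has_macros(data),
        })
    return findings


def verdict(findings):
    """Block if any attachment carries macros; otherwise flag risky extensions."""
    if any(f["macros"] for f in findings):
        return "block"
    if any(f["risky_ext"] for f in findings):
        return "review"
    return "allow"


def build_sample_message():
    """Constructed lure: a harmless-looking PDF plus an .xls with a VBA storage."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your documents"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"%PDF-1.4\n%fake\n", maintype="application",
                       subtype="pdf", filename="document.pdf")
    fake_xls = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64
    msg.add_attachment(fake_xls, maintype="application",
                       subtype="vnd.ms-excel", filename="document.xls")
    return msg.as_bytes()


def build_sample_xlsm():
    """Constructed OOXML workbook: a zip containing a vbaProject.bin entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    found = triage(build_sample_message())
    for item in found:
        print(item)
    print("verdict:", verdict(found))
```

Note that the decision is driven by the container contents, not the extension: a .pdf with no macro capability is reported but not blocked, while a renamed .xls would still be caught by its OLE header and VBA storage.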

Since GoldenEye Ransomware modifies the Master Boot Record during installation, you have to repair the MBR first; only then will you be able to boot into the Windows OS. After that, delete the executable (.exe) file belonging to the ransomware. Keep in mind that neither step decrypts your files. Keep a copy of the encrypted files and the ransom note in case a decryption tool becomes available later, and attempt to recover the data from backups only after the infection has been removed from the computer.

Delete GoldenEye Ransomware

Fix the Master Boot Record

Windows XP

  1. Insert the Windows XP CD and restart the computer.
  2. Press any key when you see Press any key to boot from CD….
  3. Press R at the Welcome to Setup screen to open the Recovery Console.
  4. Type 1 and press Enter when asked Which Windows installation would you like to log onto.
  5. At Type the Administrator password, enter the password and press Enter.
  6. Type fixmbr and press Enter.
  7. Press Y and then Enter when asked whether you want to write a new MBR.
  8. Remove the CD, type exit and press Enter to reboot the computer.

Windows 7/Windows 8/Windows 8.1/Windows 10

  1. Insert the Windows installation DVD and boot the computer from it (on Windows 7 you can instead tap F8 during startup and choose Repair Your Computer).
  2. Click Repair your computer. On Windows 8/8.1/10 go to Troubleshoot and click Advanced Options; on Windows 7 select your installation in System Recovery Options.
  3. Open Command Prompt.
  4. Type the following commands (tap Enter after each command) and then reboot the computer:
  • bootrec /FixMbr
  • bootrec /FixBoot
  • bootrec /RebuildBcd
  • exit

Windows Vista

  1. Boot from your Windows Vista installation disc.
  2. Select your language.
  3. Click Repair your computer.
  4. Select the Windows Vista installation and click OK.
  5. Open Command Prompt.
  6. Type bootrec /FixMbr, bootrec /FixBoot and bootrec /RebuildBcd, tapping Enter after each command.
  7. Remove the disc, type exit and press Enter.
  8. Restart the computer.
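All three procedures above rewrite the MBR blind: fixmbr and bootrec /FixMbr do not tell you what was there before, or whether the rewrite took. The script below is an added example written for this guide, not code from the original page or from Microsoft: it parses a 512-byte MBR (boot code, disk signature, four partition entries, 0x55AA signature) and compares the boot code against a known-good hash. It assumes the administrator kept such a hash from a clean machine; the boot code bytes and partition layout it uses are constructed placeholders, and the tamper it simulates is generic foreign boot code, not a reproduction of GoldenEye's loader. On Windows the sector is read from the \\.\PhysicalDrive0 device, which needs an elevated prompt, so that read is provided as a function but not run by default.

```python
"""Inspect a 512-byte Master Boot Record and compare its boot code against a
known-good copy. Added example, not code from the original guide; the sample
sectors are constructed placeholders, not real loader code."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439: bootstrap code
PT_OFFSET = 446              # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"      # bytes 510..511


def parse_mbr(sector):
    """Split an MBR into boot code, disk signature, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA, count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_sig": struct.unpack("<I", sector[440:444])[0],
        "partitions": entries,
        "signature": sector[510:512],
    }


def check_mbr(sector, known_good_boot_sha256):
    """Return a list of findings; an empty list means the sector looks healthy."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    # A replacement loader is still a valid boot sector, so the signature alone
    # proves nothing. Compare the code bytes with the copy taken while the
    # machine was known to be clean (assumed to be kept by the administrator).
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != known_good_boot_sha256:
        findings.append("boot code differs from known-good copy")
    if not any(p["status"] == 0x80 for p in mbr["partitions"]):
        findings.append("no active (bootable) partition")
    for n, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte {p['status']:#04x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {n}: zero length")
    return findings


def build_sector(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    sector[440:444] = struct.pack("<I", 0x1234ABCD)     # constructed disk signature
    for i, (status, ptype, lba, count) in enumerate(partitions):
        sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)] = struct.pack(
            "<B3xB3xII", status, ptype, lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed stand-ins; the bytes are placeholders, not real boot loaders.
GOOD_BOOT = b"\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 4)
FOREIGN_BOOT = b"\xfa\x31\xc0" + b"\xcc" * (BOOT_CODE_LEN - 3)
PARTS = [(0x80, 0x07, 2048, 1_000_000), (0x00, 0x07, 1_002_048, 4_000_000)]
GOOD_SHA = hashlib.sha256(GOOD_BOOT).hexdigest()


def read_physical_drive(path=r"\\.\PhysicalDrive0"):
    """Read the real MBR on Windows (needs an elevated prompt). Not run by default."""
    with open(path, "rb") as dev:
        return dev.read(SECTOR)


if __name__ == "__main__":
    for label, code in (("clean", GOOD_BOOT), ("overwritten", FOREIGN_BOOT)):
        print(label, check_mbr(build_sector(code, PARTS), GOOD_SHA) or ["OK"])
```

Run it once against the known-good hash before repairing to confirm the boot code really was replaced, and again after bootrec has finished to confirm the Windows loader is back and the partition table is still intact.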

Delete the ransomware infection

  1. Press Win+E to open File Explorer.
  2. Type C:\Users\user\AppData\Roaming\{7fa31851-bd45-4c76-9fa0-d5c5b337c059} in the address bar at the top, replacing user with your own account name, and press Enter.
  3. Locate the executable file eventcreate.exe in that folder and delete it. Delete only this copy: a legitimate Windows tool of the same name lives in C:\Windows\System32 and must be left alone.
  4. Delete YOUR_FILES_ARE_ENCRYPTED.TXT from the Desktop, along with any other copies of the note.
  5. Empty the Recycle Bin.

In non-techie terms:

You should remove all other malicious components from your computer too, because their presence might let another malicious application in and cost you your personal data again. Since it can be hard to detect every threat manually, our specialists highly recommend scanning the computer with an automatic malware remover after deleting GoldenEye Ransomware. The automatic tool will also check that no traces of this infection remain on the computer.