Marlboro ransomware virus. How to remove? (Uninstall guide)

removal by Olivia Morelli - -   Also known as DeMarlboro ransomware virus | Type: Ransomware
12

Marlboro ransomware gets defeated in less than 24 hours

Marlboro virus has been spotted by our experts on January 12, 2017. We must mention that this virus has a different name – DeMarlboro ransomware virus. Although this ransomware is not as dangerous as Locky virus [1], getting infected with it gives you a hint that your computer system is unprotected. As soon as it enters the system, it determines whether the system is 32 or 64 bit and uses a particular installer then. The indicated ransomware appends .oops file extension to files that the virus corrupts. However, Marlboro ransomware appeared to be a foolish ransomware variant that uses XOR encryption to lock victim’s files, although in the ransom note, the virus claims to be using RSA-2048 and AES-128 ciphers[2]. The virus leaves a ransom note, which is named _HELP_Recover_Files_.html, filled with data recovery instructions. The virus simply takes files hostage, deletes Volume Shadow Copies[3], and it demands a ransom to set encrypted files free. The ransom note commands the victim to send 0.2 BTC (more or less $155 in Bitcoins) to crooks’ Bitcoin address and then launch Decryptfiles.exe program, which the virus saves to Desktop and Documents folders. Now this is where the developers of Marlboro malware get creative. Instead of pointing the victim to Tor browser’s download site and telling to visit a personal payment website, the crooks simply leave the Marlboro decrypter on victim’s system, which gets activated automatically as soon as the victim transfers the money to criminals’ Bitcoin address[4].

Screenshot of Marlboro virus

The decrypter presents itself as “a special software – documents decrypter – which allows to recover and return control to all your encrypted files” and, what is even more unusual, the decrypter asks to retype a shown number to verify that the user is a human being. The decrypter then connects to its server to verify the payment, and, if failed, asks the victim to retry in half a hour. If you have been infected with this virus, you must remove Marlboro malware before you try to take any data recovery actions. Use a strong malware removal tool for this task, for instance, Reimage or Malwarebytes Anti Malware. At the end of this post, you can find detailed Marlboro removal guidelines that explain how to deactivate the virus and start the malware removal tool.

Updated on January 13th: Marlboro ransomware is defeated, and a free decryption tool is available. Do not even think about paying the ransom! You can download the decrypter made by Emsisoft researchers here.

Ways of distribution

The virus is obfuscated heavily and approaches victims as a DOCM document[5]. Reportedly, malevolent actors working behind Marlboro ransomware project spread this virus via phishing emails that politely ask the recipient to open attached files. All PC users should be aware of this ransomware distribution technique, because, despite its simplicity and banality, it is so far the most efficient way to infect computer systems with malware. Users should be extremely careful and protect their devices by stocking up data backups and installing anti-malware software on their computers (to block malicious programs from entering the computer system and executing harmful commands). It is believed that the virus spreads via other channels as well, for instance, compromised web ads pointing to websites hosting exploit kits, also Trojan horses and so on. If you were infected with this virus a few minutes ago, turn off the computer immediately and plug out the Internet connection cable from the compromised PC.

How can you remove Marlboro malware before using the decryption tool?

Unless you are willing to pay the ransom, you should remove Marlboro virus as quickly as you can. Just do not act hastily – read Marlboro removal instructions presented below this post to learn how to start your computer in a Safe Mode with Networking to be able to run your anti-malware or antivirus software. Otherwise, the virus might block your attempts to launch the malware removal tool (to avoid detection). Please do not try to remove Marlboro ransomware on your own because the virus makes various modifications in Windows Registry, as well as system files (.dll files), not to mention the dozen of files that it drops on the computer system.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Marlboro ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Marlboro ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.

More information about this program can be found in Reimage review.

Manual Marlboro virus Removal Guide:

Remove Marlboro using Safe Mode with Networking

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

To remove Marlboro virus successfully, you will need to reboot your computer using guidelines presented here. We suggest you read these instructions carefully. Have this tutorial by your hand when rebooting the computer (for example, open this page via your mobile phone or just print them out).

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Marlboro

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Marlboro removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Marlboro using System Restore

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Marlboro. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Marlboro removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Marlboro from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Do you have a data backup? If so, you will be able to use it now. Do not plug the backup into the compromised computer unless you have deleted the virus with a powerful anti-malware tool. If you plugged the drive with data copies into a computer while Marlboro virus is still on it, you would lose your backup. In case you do not have a backup, we suggest you try these data recovery methods:

If your files are encrypted by Marlboro, you can use several methods to restore them:

Recover with Data Recovery Pro

If you do not have a backup, try Data Recovery Pro. It is a useful data recovery application that helps to restore deleted, corrupted and encrypted files. However, remember that Marlboro virus is sophisticated and Data Recovery Pro might not be able to recover all encrypted records.

Look for Windows Previous Versions

Have you ever enabled System Restore function? If so, you might be able to experience the benefit of it. Follow these instructions to restore individual files:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use Marlboro decrypter

Researchers from Emsisoft managed to crack the ransomware in less than one day. You can use the tool they have released to set your encrypted files free. Simply download Marlboro decrypter here and find one encrypted file which takes at least 640 bytes of space on your PC and also an unencrypted version of it. Select both files and drag them to decrypter’s .exe file.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Marlboro and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

More information about the author

References


  • Sirrr

    Got infected, but also got the virus removed and files decrypted. Thanks a lot.

  • Zigmus

    Demarlboro. Thats how the ransomware is called. I found a folder with this name

  • Rembo

    Why is it named like that? Ransomware names make no sense.

    • Dany

      Malware authors make no sense at all.