Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · May 2021

How to remove CainXPii ransomware virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Ugnius Kiguolis · The mastermind

CainXPii ransomware is the virus that asks victims to pay ransom in PaysafeCard codes

CainXPii virus

CainXPii (or the Todce ransomware) is a lock screen virus [1] that does not encrypt files but prevents victims from accessing them by intervening system boot up. The virus working mechanism is based on one of last year’s screenlocker highlights, the Hitler ransomware. Just like its predecessor, this parasite infiltrates computers in deceptive ways, most likely obfuscating its malicious payload under Minecraft.exe – a file that looks like an executable of the popular sandbox game. This is the cryptocurrency is the main goal for the virus creators, so do not fall for the tricks of these extortionists.

Name CainXPii ransomware
Type Cryptocurrency-extortion virus
Ransom note Is presented in the German language as a pop-up program
Malicious file Minecraft.exe
Distribution File attachments from emails, malicious pages, torrent platforms, other malware
Elimination Anti-malware tools are needed for the removal process, so all the pieces of this virus get detected
Repair FortectIntego can find and fix virus damage

Unfortunately, by opening this file, the unsuspecting victim will also activate the ransomware download process. The screenlocker will then modify the Windows registry, disable Task Manager functionality, and carry out other stealthy procedures on the infected system to set up the ground for the attack and prevent CainXPii removal. After it’s done, the virus will wait until the computer is rebooted and then drop its ransom note before the PC even reaches the home screen.

The ransom note is written in German and roughly translates as:

Warning: Your PC has been infected by TODCE RASNOMWARE. All your data has been encrypted.
You have time until the end of the month.
You can decrypt your PC for € 20 if you make the payment within the given time frame.
If you try restarting or shutting down your PC, all of your data (including documents, game files, pictures, passwords, and programs) will be ERASED.
The payment confirmation and data decryption can take up to 24 hours.
Please pay 20 euro in PaysafeCard codes.

The criminals’ choice of demanding ransom in PaysafeCard codes [2] does not come as a surprise. Though the crypto-ransomware typically relies on Bitcoins as their ransom currency, screenlocker creators tend to choose this particular method because it allows generating profit quickly.

Without the victims needing to through the lengthy and complicated procedure of purchasing cryptocurrency and then transferring it to the criminals’ accounts, malicious actors can get the wanted money. We should also note that the parasite does delete random files from the computer if the victim attempts exiting the locked screen or rebooting their computer.

Thus, if you are planning to remove the CainXPii ransomware virus from the infected system, you should do it safely so that the parasite would not inflict additional damage. First, you obtain sophisticated antivirus software like SpyHunterCombo Cleaner, or MalwarebytesMalwarebytes, and then follow the professional advice at the end of this article to carry out the elimination correctly.

CainXPii ransomware virus illustration

The mechanics of system infiltration

This virus is based on the Hitler ransomware which means that it might spread the same way this infamous parasite does. As we’ve mentioned, the virus will use an obfuscated file to enter the system but how exactly do the criminals deploy Minecraft.exe on the computer? There are several options they can go for. First, they may distribute a fake version of the Minecraft application on random software-sharing websites and peer-to-peer networks.

Also, the virus may be sent to the victim’s email and be activated when the file is downloaded and launched on the computer. Finally, unsuspecting users may voluntarily or accidentally click on some deceptive ads that hide the cryptovirus download link. The chances of that happening increase when infected with adware or similar ad-based viruses.

Follow the proper termination process with these CainXPii removal options

When talking about CainXPii removal in domestic conditions, there is only one option you can go for – virus elimination using specialized software. Malware experts may approach the infection manually, but the home users should not mess with the parasite themselves. Rely on tools like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.

Of course, some manual labor may be needed when terminating the lock screen. The guidelines below explain how this procedure should be carried out without endangering your files. You need to take virus damage into consideration, so check the machine using FortectIntego.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.