Severity scale:  

NMoreira ransomware virus. How to remove? (Uninstall guide)

removal by Julie Splinters - -   Also known as XRatTeam, XPan | Type: Ransomware

Updated NMoreira ransomware keeps attacking unsuspecting victims in 2017

NMoreira virus has been spotted in the end of 2016, but it steps into 2017 with a brand new version known as Nmoreira 2.0 ransomware virus. These viruses are meant to extort money from victims after encrypting their personal files. Needless to say, that money remains the main driving force for gearheads to engage in this business [1]. This ransomware virus can also be detected as XPan and XRatTeam virus. The most affected users are considered people residing in Portugal and English-speaking countries. Typically, ransomware appends .maktub, .__AiraCropEncrypted!, .m4ktub or____xratteamLucked extension to each of affected files. Luckily, it is quite easy to remove Nmoreira virus if you opt for the automatic solution. However, the file decryption is another matter. Since the virus is not an ordinary computer pest, recovering the files might be a complicated task. In this regard, you may also find some recommendations how to retrieve the data below the article. The ransomware has been spotted traveling via a trojan [2], so the entire NMoreira removal process should not be delayed. Malicious elements might accelerate the further infection of the operating system. While you are reading, launch Reimage to start the process.

the screenshot of NMoreira virus

When it comes to ransomware, the identity of its developers often remains in secret. Nonetheless, certain peculiarities help guess the nationality of the cyber criminals. In the case of this ransomware, IT experts speculate that this virus is the creation of Brazilian hackers who specialize in banking trojans. Interestingly, there have been a couple of file-encrypting malware created by these crooks, for example, TorLocker. Therefore, they decided to advance to the new level by combining their knowledge and experience and launch the ultimate virus. NMoreira ransomware has been detected roaming on the Web and is believed to be the constituent part of a major TeamXRat cyber campaign [3]. A menacing trojan, under the title of Trojan-Ransom.Win32.Xpan, helps to distribute this virtual threat. What is more, this virus seems to be highly improved in comparison to previous versions. The original version of the ransomware exploited the standard encryption method while the latter variant shifted toward AES-256 and RSA-2048.

Questions about NMoreira ransomware virus

Previously, the infection would be executed right after the computer was turned on, now – the virus might activate at any time. What is more, NMoreira ransomware has been written in C++ programming language. Unfortunately, the virus targets a wide range of files, including .doc, .zip, .rar, .jpeg, etc. It only avoids affecting .exe, and .dll files. After the successful infiltration, the virus appends its extensions at the beginning of the files and starts showing its ransom note which is displayed below:

Encrypted Files!

All your files are encrypted. Using encryption AES256-bit and RSA-2048-bit.
Making it impossible to recover the files without the correct private key.
If you are interested in getting is key, and retrieve your files 

For information on how to reverse the file encryption
send email to:
enter your KEY in the subject or email body.

Remember your email is not answered within 24 hours,
visit one of the link below to get a new mail contact

Interestingly, that the former version, with the three characters, encrypts the files with a single 255-symbol password, while the latter variant creates a distinctive password for each file. Later on, it is encoded with RSA-2048 key and inserted in the ransom instructions. Even though that the key might be located, it does not help to decrypt the files easily. In any case, we do not recommend paying the money and addressing the crooks via

Update January 2017: Nmoreira 2.0 version emerges

In response to the released decryption software by the “good guys,” the creators of this threat uploaded a new improved version of the threat. Nmoreira 2.0 virus is a slightly modified copy of the initial virus’ version, however, it goes without saying that this one is a more sophosticated one. NMoreira 2.0 ransomware sticks to using the same ransom message (Recupere seus arquivos.Leia-me!.txt). There are slight modifications in the appendable file extension. In comparison with the previous edition, now the malware attaches .m4ktub file extension. NMoreira 2 virus keeps spreading via trojans. Surprisingly, that well-known security applications do not have updated virus databases which results in overlooking the infection. On the contrary, less known products were able to detect the ransomware in its disguise as a trojan. It was spotted as FileCryptor.NDJ, Win32/Filecoder.XRatLocker.B, and Trojan.Win32.Generic. Besides visible modifications, it also contains key internal changes. The virus starts multiple tasks and functions at the same time covering its tracks. Improved Nmoreira malware also meddles with important registry changes. In addition, the ransomware gets access to personal data and technical information containing specifications about the device and the user. One of the most destructive features has been spotted as the ability to access administration rights and delete critical files. 

How the ransomware spreads?

NMoreira hijack might have happened during your stay in suspicious domains such as P2P file sharing websites or gambling web pages. These domains may also disguise exploit kits [4]. Gaming web pages also happen to be the frequent haven for a variety of virtual threats. Keep in mind that some perpetrators might infect outdated applications, forge their ratings, and then distribute them online. In this case, check the original publisher of the program and try to find out certain information about the original application to distinguish the hoax from the original version. In addition, you should boost up your security level by installing a proper security application to avoid the trojans carrying the ransomware content.

NMoreira removal instructions

You can remove NMoreira virus with the help of an anti-spyware tool, Reimage or Plumbytes Anti-MalwareMalwarebytes Malwarebytes, for instance. Check its update status and launch the full scan to detect every malicious file on your computer. After the process is complete, you can check our data recovery options provided in “Data Recovery” section. In relation to this, there are a couple of programs which might be able to help you retrieve your valuable files and any other information. If by any chance, you encounter difficulties in NMoreira removal process (the ransomware can try to block programs given above), you can use the below-displayed guidelines to regain full control of the device. On the final note, cautiousness still remains to be of key importance while escaping cyber threats [5].

do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove NMoreira virus, follow these steps:

Remove NMoreira using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of NMoreira. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that NMoreira removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove NMoreira from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by NMoreira ransomware, you should use optional methods that are given below to recover the access to them. Fortunately, security experts have just presented NMoreira decrypter that you can use as well.

If your files are encrypted by NMoreira, you can use several methods to restore them:

Use Data Recovery Pro to recover your files encrypted by NMoreira ransomware

File encrypted by NMorera could be restored with the help of Data Recovery Pro software. You ned to download this program, install it on your computer and follow the wizard to recover at least some of your files. 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by NMoreira ransomware;
  • Restore them.

Retrieve your files using Windows Previous Versions feature

Windows Previous Versions feature is another solution to solve your problem. There is a chance that you might retrieve the previously saved copies of your valuable data. Keep in mind that this functionality only works when System Restore function is activated.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Using ShadowExplorer when infected with NMoreira

This utility succeeds recreating the files only in that case if the malware does not delete the copies in advance.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use NMoreira decrypter to release your files

Recently, security experts from Emsisoft Company presented NMoreira decrypter. You can download it from here.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from NMoreira and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions


Removal guides in other languages