How To Remove PyCL / Dxh26wam (.crypted) Ransomware And Recover Files

PyCL, also called Dxh26wam ransomware, is a virus named after the executable file it uses to infect computers: dxh26wam.exe. It encrypts your files and displays a ransom note titled “YOUR PERSONAL FILES ARE ENCRYPTED”. The text instructs you to pay a ransom in Bitcoin and warns that the files will otherwise be lost after a certain amount of time.

The ransomware changes the extension of encrypted files to .crypted. This extension is used by many other viruses as well. However, you can distinguish PyCL / Dxh26wam from the others by its multilingual ransom note, displayed on a gray background and surrounded by a black and yellow border. It also includes a very detailed guide on how to buy Bitcoin and make the payment to the ransomware creators. The ransom notes are called “How_Decrypt_My_Files”.

We strongly discourage you from paying the ransom. Instead, use the automatic removal tool provided below. It will not only eliminate the threat but also protect your computer in the future by acting as an antivirus. Alternatively, you can follow our manual removal guide; however, you will still need to secure your computer afterwards if you choose this option.

We have also prepared a file recovery guide to follow once you have finished removing the threat. Remember to eliminate the virus completely first, as otherwise you might cause even more damage.


Recommended Method: Download Ransomware Removal Tool

This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here.
File: mb3-setup.exe (56.5 MB)

What is PyCL / Dxh26wam (.crypted) ransomware?

It is a recently discovered ransomware virus. Like others, it encrypts your files, making them impossible to open, and demands a Bitcoin ransom in exchange for a decryption key and software.

While PyCL / Dxh26wam uses a common extension for locked files (.crypted), it is easily distinguishable from others. It has a multilingual ransom note with a black and yellow border, a gray background and a green “Proceed to Payment” button. This ransomware also has a very detailed and well-made guide on how to make the Bitcoin payment and recover files afterwards. This is probably done to convince less tech-savvy users to pay as well.

The ransomware places multiple ransom notes called How_Decrypt_My_Files across the system. A shortcut linking to the payment instructions is also placed on the desktop.

Here is the text displayed in the main ransom note:

YOUR PERSONAL FILES ARE ENCRYPTED
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. 
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
1. Pay amount BTC (about of USD) to address:
2. Transaction will take about 15-30 minutes to confirm.
Decryption will start automatically. Do not: power off computer, run antivirus program, disable internet connection. Failures during key recovery and file decryption may lead to accidental damage on files.
YOUR FILES WILL BE LOST WITHOUT PAYMENT THROUGH:

The detailed tutorial/guide also has a similar title, but with a mistake:

YOUR PERSONAL FILE ARE ENCRYPTED ! ! !

There is not much information on how this ransomware infects computers. The launch campaign used the RIG exploit kit, but other means of distribution may be used too. Most likely it also uses email spam with fake attachments and infiltrates the system as soon as they are opened. Another possible way to spread this ransomware is through other exploit kits and infected websites and advertisements.

Once Dxh26wam enters your computer, it immediately makes a list of your files and starts the encryption process. Sometimes you can interrupt this and salvage at least some files simply by shutting down your computer before the ransomware finishes its job. However, if it successfully encrypts all the files on the list, the original copies are deleted and it starts placing and displaying ransom notes in the affected folders.

You should never pay the ransom to the cyber criminals. There is no guarantee that they will provide you with a correct decryption key and software. Also, they might see you as a paying victim and target you again in the future. Finally, the decryption software might contain additional backdoors and leave your system vulnerable to other threats.

We have an automatic removal tool, which is our recommended option to eliminate PyCL ransomware. It will scan your computer, detect this as well as other threats, and also work as an antivirus program in the future. We also have a manual removal guide just for this ransomware; however, you will still need to install proper security software afterwards if you choose this option.

Currently there is no official decryption tool for .crypted files. It might appear in the near future as virus researchers are always working to develop such tools for various ransomware but we cannot guarantee this. Therefore, we have prepared several alternative methods to recover your ransomed files. However, you should follow the file recovery guide only after you completely remove the ransomware as otherwise you might cause even more damage.

Screenshots of PyCL / Dxh26wam (.crypted) ransomware (ransom note and payment guide) were shown here.
Manual Removal Instructions:

Bookmark this page in order to access it after you restart your computer while working on the removal process! You can also open it on another device or use the button at the bottom to print it out.

Step 1:

Reboot the infected computer in Safe Mode.

When your computer is infected by a virus, some of its features may be locked or compromised. You need to bypass this by rebooting your computer in Safe Mode. This will allow you to remove the virus.

Since Safe Mode only loads the most basic features, do not be alarmed that Windows looks completely different!

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode:

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly until the boot options menu appears:
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for Windows to launch.

How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode:

F8 method (1/4):

Restarting and repeatedly pressing F8 might not work on this version of Windows, since booting is much faster and the system does not always react to the key presses. Try this method first and proceed to the other methods if it does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly.
    If it does not work, try repeating the same procedure but this time holding the Shift key while pressing F8.
  3. Follow the instructions from step 5 of the Shift+Restart method below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the Settings charm.
  2. Hold the Shift key on your keyboard and click Restart with your mouse while holding it:
  3. Click Troubleshoot:
  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press the F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold the Windows key and press R.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails, you can try inserting a System Recovery CD or DVD (works only with Windows 8) or a System Recovery USB memory stick (works with Windows 8 and 8.1). You will be able to choose the Troubleshoot option. The steps are then identical to the Shift + Restart method starting from #3.

Step 2:

Find any processes that might be associated with the ransomware virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking the Windows taskbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

Now you will have to check each suspicious process manually.

Here are some possible process names:

ui.exe
dxh26wam.exe

Right-click each process in the list and choose Open File Location.

Go to virustotal.com and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have opened.

Repeat this until you have checked all suspicious processes.

Step 3:

Remove suspicious programs from your startup configuration so they do not launch as soon as you boot your computer.

Hold the Windows key and press R.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check the process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Delete the located file if it is detected as a threat.

Otherwise, if you are unsure, you can simply leave it unselected but not deleted.

Click OK when you have finished unselecting all potentially dangerous entries.

Step 4:

Clean up your registry entries.

Hold the Windows key and press R.

Enter the following in the field:

regedit.exe

Click OK.

The Registry Editor will open, listing all Windows registry entries.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Press keyboard buttons CTRL + F and enter:

dxh26wam

Click Find Next.

If you find any registry entries that could be associated with the ransomware, delete them by right-clicking the entry and choosing Delete.

Repeat this search until no results are found anymore. Then repeat this step with the following search queries:

crypted
how decrypt

Step 5:

Clean up Windows temporary files.

This ransomware can operate from the temporary files directory.

You can safely remove all temporary files without posing any risk to your computer.

Hold the Windows key and press R.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by pressing CTRL + A and delete them.

Step 6:

Check for any recent changes in all the other important system files.

Hold the Windows key and press R.

Enter the following in the field:

%AppData%

Click OK.

The ransomware is known to place files in the following two AppData directories:

/cl/
/How_Decrypt_My_Files/


Delete all suspicious files but be very careful to not remove important system components.

Step 7:

Use Windows File Search (accessible from the Start Menu by pressing the Windows key) to find the following files and delete them if found (some of them might have already been deleted during the earlier steps):

CreateShortcut.vbs
cl.exe
mklnk.cmd
remove.cmd
ui.exe
How Decrypt My Files.lnk
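The triage script below is an added example and not part of the original guide. It checks, in one pass, every indicator Steps 2 to 7 ask you to look for by hand (the process names, the startup entries msconfig shows, the registry search terms, the %Temp% size, the two AppData folders and the Step 7 file names) and prints what it finds together with SHA-256 hashes, so you can look a file up on virustotal.com without uploading it. It deletes and terminates nothing; you still carry out the removal steps yourself. The search roots (%USERPROFILE%, %ProgramData%, %Temp%), the restriction of the registry search to the Run/RunOnce keys, and the "user-writable path" flag are assumptions of this example, not something the guide states.

```powershell
# Added example (not part of the original guide): read-only triage of the
# indicators in Steps 2-7. It only reports; nothing is deleted or terminated.
# Run from an elevated PowerShell prompt. Names come from the guide; the search
# roots, the Run/RunOnce-only registry scan and the [CHECK] heuristic are assumed.
$processNames  = @('ui', 'dxh26wam')                                      # Step 2 (Get-Process drops .exe)
$registryTerms = @('dxh26wam', 'crypted', 'how decrypt')                 # Step 4 search terms
$appDataDirs   = @("$env:APPDATA\cl", "$env:APPDATA\How_Decrypt_My_Files") # Step 6
$fileNames     = @('CreateShortcut.vbs', 'cl.exe', 'mklnk.cmd', 'remove.cmd',
                   'ui.exe', 'dxh26wam.exe', 'How Decrypt My Files.lnk')  # Step 7
$searchRoots   = @($env:USERPROFILE, $env:ProgramData, $env:TEMP)         # assumed search scope

function Get-Sha256 ([string]$Path) {
    # A SHA-256 hash can be searched on virustotal.com without uploading the file.
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } else { 'n/a' }
}

Write-Host "== Step 2: running processes with names from the guide =="
Get-Process | Where-Object { $processNames -contains $_.ProcessName.ToLower() } | ForEach-Object {
    "{0,-10} PID {1,-6} {2}  SHA256={3}" -f $_.ProcessName, $_.Id, $_.Path, (Get-Sha256 $_.Path)
}

Write-Host "`n== Step 3: startup entries (msconfig Startup tab); [CHECK] = runs from a user-writable path =="
Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
    $flag = if ($_.Command -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\') { '[CHECK]' } else { '       ' }
    "{0} {1,-25} {2}  <- {3}" -f $flag, $_.Name, $_.Command, $_.Location
}

Write-Host "`n== Step 4: Run/RunOnce values whose name or data contains a search term =="
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        foreach ($term in $registryTerms) {
            $rx = [regex]::Escape($term)              # -match is case-insensitive by default
            if ($prop.Name -match $rx -or ([string]$prop.Value) -match $rx) {
                "{0}  {1} = {2}  (matched '{3}')" -f $key, $prop.Name, $prop.Value, $term
            }
        }
    }
}

Write-Host "`n== Step 5: contents of %Temp% (the guide says it is safe to clear) =="
$tmp = @(Get-ChildItem -Path $env:TEMP -Recurse -Force -File -ErrorAction SilentlyContinue)
"{0} files, {1:N1} MB" -f $tmp.Count, (($tmp | Measure-Object -Property Length -Sum).Sum / 1MB)

Write-Host "`n== Step 6: AppData directories the ransomware is known to create =="
foreach ($dir in $appDataDirs) {
    if (Test-Path -LiteralPath $dir) {
        "PRESENT  $dir"
        Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object { "    {0}  {1}  SHA256={2}" -f $_.LastWriteTime, $_.FullName, (Get-Sha256 $_.FullName) }
    } else { "absent   $dir" }
}

Write-Host "`n== Step 7: files with names from the guide under the search roots =="
Get-ChildItem -Path $searchRoots -Recurse -Force -File -Include $fileNames -ErrorAction SilentlyContinue |
    ForEach-Object { "{0}  {1,8} bytes  {2}  SHA256={3}" -f $_.LastWriteTime, $_.Length, $_.FullName, (Get-Sha256 $_.FullName) }

Write-Host "`nNothing was changed. Review the [CHECK] and PRESENT lines, verify the hashes on virustotal.com, then follow the steps above."
```

Save it as a .ps1 file and run it from Safe Mode With Networking after Step 1. Because the script only prints, it is safe to run repeatedly; a clean second run after Steps 2 to 7 (no matching processes, no PRESENT directories, no Step 7 hits) is a quick way to confirm the manual removal is complete.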

Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on separate external media in case you are not able to recover the files using our methods.

Check for a Dxh26wam ransomware file decrypter here: List of currently available decrypters. Currently there is no official decryptor available, but one might be added in the future, so check the list before continuing.

We have an extensive list of other file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery, since the virus might have turned it off.

Press and hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

cmd

Click OK.

A command prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter.

Step 2:

Restore the old system settings using System Restore. The virus has changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points, so this step might be unsuccessful.

Press and hold the Windows key and press R.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies, so this step might be unsuccessful as well. In that case, proceed to Step 4.

Step 4:

Read more about how to restore files (including from backups) in our file recovery guide. It includes instructions on how to restore files from a backup or shadow copies, as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively, you could make a backup of all encrypted files, store it externally and wait for a decrypter to be created. New free decrypters for various ransomware appear every week, but we cannot estimate the waiting time or whether one will be created at all.
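As an added example (not from the original guide), here is a PowerShell script that checks the preconditions of Steps 1 to 4 before you start restoring: whether recovery is enabled on the default boot entry, whether any System Restore points and Volume Shadow Copies survived, and how many .crypted files and How_Decrypt_My_Files notes are under the profile. With -BackupTo it also copies the encrypted files to external media as Step 4 suggests, leaving the originals in place. It needs an elevated Windows PowerShell 5.1 prompt (Get-ComputerRestorePoint is not available in PowerShell 7); the default scan root and the backup folder layout are assumptions of this example.

```powershell
# Added example (not part of the original guide): recovery-readiness check for
# Steps 1-4. Run from an elevated Windows PowerShell 5.1 prompt AFTER the removal
# steps. Read-only except for the optional -BackupTo copy. ScanRoot default and
# the backup layout (relative paths under -BackupTo) are assumptions.
param(
    [string]$ScanRoot = $env:USERPROFILE,   # where to inventory .crypted files
    [string]$BackupTo                       # e.g. 'E:\crypted-backup'; empty = report only
)

Write-Host "== Step 1: is Windows recovery enabled on the default boot entry? =="
$bcd = bcdedit /enum '{default}' 2>&1 | Out-String
if ($bcd -match '(?im)^\s*recoveryenabled\s+(\S+)') {
    "recoveryenabled = $($Matches[1])"
} else {
    "recoveryenabled is not set; run the bcdedit command from Step 1 to enable it"
}

Write-Host "`n== Step 2: System Restore points that survived =="
$points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
if ($points.Count -eq 0) {
    "none found (the guide warns the virus may have removed them)"
} else {
    # CreationTime is a WMI date string; ConvertToDateTime turns it into a DateTime
    $points | ForEach-Object { "{0}  {1}" -f $_.ConvertToDateTime($_.CreationTime), $_.Description }
}

Write-Host "`n== Step 3: Volume Shadow Copies (what Shadow Explorer lists) =="
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) {
    "none found (the guide warns the virus also tries to delete these)"
} else {
    $shadows | ForEach-Object { "{0}  volume {1}  {2}" -f $_.InstallDate, $_.VolumeName, $_.DeviceObject }
}

Write-Host "`n== Inventory of encrypted files and ransom notes under $ScanRoot =="
$crypted = @(Get-ChildItem -Path $ScanRoot -Recurse -Force -File -Filter '*.crypted' -ErrorAction SilentlyContinue)
$notes   = @(Get-ChildItem -Path $ScanRoot -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -like 'How_Decrypt_My_Files*' -or $_.Name -like 'How Decrypt My Files*' })
$totalMB = (($crypted | Measure-Object -Property Length -Sum).Sum / 1MB)
"{0} encrypted files ({1:N1} MB), {2} ransom-note files or folders" -f $crypted.Count, $totalMB, $notes.Count
# The ten folders with the most encrypted files: shows where the damage is concentrated.
$crypted | Group-Object { $_.Directory.FullName } | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object { "{0,5}  {1}" -f $_.Count, $_.Name }

if ($BackupTo) {
    Write-Host "`n== Step 4: copying encrypted files to $BackupTo (originals are left untouched) =="
    foreach ($f in $crypted) {
        # Keep the path relative to ScanRoot so the backup mirrors the original tree.
        $relative = $f.FullName.Substring($ScanRoot.TrimEnd('\').Length).TrimStart('\')
        $dest = Join-Path $BackupTo $relative
        New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
    }
    "copied $($crypted.Count) files; keep this backup until a decrypter for .crypted files appears"
}
```

Run it once without -BackupTo to see what survived; if both the restore points and the shadow copies are gone, Steps 2 and 3 will fail and the backup plus the file recovery guide in Step 4 are your remaining options.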

After removing the virus

When you have finished removing the PyCL / Dxh26wam (.crypted) ransomware virus, you should protect your computer by installing a good antivirus suite. This will prevent further infections and fix the current vulnerabilities that the ransomware used to infiltrate your system.

