[KB6051] How do I clean a TeslaCrypt infection using the ESET TeslaCrypt decrypter?

Issue

  • Your personal files became encrypted and the following information may be displayed in your computer, or in a .txt, .html or .png file

Figure 1-1

  • Your ESET product detects the infection Win32/Filecoder.TeslaCrypt
     
  • How to decrypt your files using the ESETTeslaCryptDecryptor.exe tool

 

Details

Win32/Filecoder.TeslaCrypt is a trojan that encrypts files on local drives. To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.

Solution

NOTE:

We do not recommend running the decryptor on files located on USB flash drives. 

  1. Download the ESETTeslaCryptDecryptor.exe tool and save the file to your Desktop.
     
  2. Click StartAll Programs Accessories, right-click Command prompt and then select Run as administrator from the context menu.
    • Windows 8 / 8.1 / 10 users: press the Windows key + Q to search for applications, type Command prompt into the Search field, right-click Command prompt and then select Run as administrator from the context menu.
       
  3. Type the command cd %userprofile%\Desktop (do not replace "userprofile" with your username–type the command exactly as shown) and then press Enter.
     
  4. Type the command ESETTeslaCryptDecryptor.exe and press Enter.
     
  5. Read and agree to the end-user license agreement.
     
  6. Type ESETTeslaCryptDecryptor.exe C: and press Enter to scan the C drive. Files encryped by TeslaCrypt V.3 and V.4 will automatically be decrypted. To scan a different drive replace C: with the appropriate drive letter.

TeslaCryptDecryptor Switches

In most cases, running the decryptor tool as shown in step 6 is the best choice. If you are familiar using command line switches, you can make use of the following switches available for the TeslaCryptDecryptor tool:

  • /s— run the tool in silent mode
  • /f —run the tool in forced mode
  • /d —run the tool in debug mode
  • /n —only list files for cleaning (files will not automatically be decrypted)
  • /h or /?— show usage
  1. The TeslaCrypt cleaner tool will run and the message "Looking for infected files..." will be displayed. If an infection is discovered, follow the prompts from the TeslaCrypt cleaner to clean your system.

Figure 1-2
Click the image to view larger in new window

 

Need Assistance in North America?

If you are a North American ESET customer and need assistance, view product documentation or visit helpus.eset.com to chat with a live technician.