[KB7081] Clean a Filecoder.AR infection using the Filecoder.AR cleaner

Issue

  • Your personal files were encrypted
  • Your ESET product detected the Win32/Filecoder.AR infection
  • Decrypt your files using the ESETFilecoderARcleaner.exe tool

Details

  • Your personal files were encrypted without a notification in your computer or in a .txt, .html or .png file
  • File extensions are not being renamed as they are in other ransomware variant infections

Solution

Not for use on USB flash drives

We do not recommend running the decryptor on files located on USB flash drives. 

  1. Download the ESETFilecoderARcleaner.exe tool and save the file to your Desktop.
     
  2. Click StartAll Programs Accessories, right-click Command prompt and then select Run as administrator from the context menu.
    • Windows 8 / 8.1 / 10 users: press the Windows key + Q to search for applications, type Command prompt into the Search field, right-click Command prompt and then select Run as administrator from the context menu.
       
  3. Type the command cd %userprofile%\Desktop (do not replace "userprofile" with your username–type the command exactly as shown) and then press Enter.
     
  4. Type the command ESETFilecoderARcleaner.exe and press Enter.
     
  5. Read and agree to the end-user license agreement.
     
  6. Type ESETFilecoderARcleaner.exe C: and press Enter to scan the C drive. To scan a different drive replace C: with the appropriate drive letter.

ESETFilecoderARcleaner Switches

In most cases, running the decryptor tool as shown in step 6 is the best choice. If you are familiar using command line switches, you can use the following switches available for the tool:

  • /s— run the tool in silent mode
  • /f —run the tool in forced mode
  • /d —run the tool in debug mode
  • /n —only list files for cleaning (files will not automatically be decrypted)
  • /h or /?— show usage
  1. When prompted to make a backup of every cleaned file, select Yes by pressing the y key.
     
  2. When prompted to overwrite files to be cleaned in the C drive, select Yes by pressing the y key again.
     
  3. The FilecoderAR cleaner tool will run and the message "Looking for infected files..." will be displayed. If an infection is discovered, follow the prompts from the FilecoderAR cleaner to clean your system.

Figure 1-1
Click the image to view larger in new window

 

Need Assistance in North America?

If you are a North American ESET customer and need assistance, visit helpus.eset.com to chat with a live technician, view product documentation or schedule a consultation with an ESET Home Advisor.