[KB7083] Clean a Trustezeb.A or Matsnu infection using the Trustezeb.A cleaner

Issue

  • Your personal files became encrypted
  • Your files are prefixed by a string "locked-" and an additional file extension is appended to your files
  • Your ESET product detects the infection Win32/Trustezeb.A or your third-party security products says "Matsnu"
  • Users are told they have pay 50 or 100 Eur via Paysafecard or Ukash payment services
  • Decrypt your files using the ESETTrustezebAdecoder.exe tool
  • You receive the following message on your computer (for example in German):

    "Die von Ihnen verwendete Windows Lizenz ist abgelaufen."
    "Achtung. Schalten Sie in der Zeit Ihren PC nicht aus und halten Sie diet Internetverbindung aufrecht,..."

Click the image to view larger in new window

Details

See also our detailed information about this malware at welivesecurity.com in German:

Solution

USB flash drives

We do not recommend running the decryptor on files located on USB flash drives. 

  1. Download the ESETTrustezebAdecoder.exe tool and save the file to your Desktop.
     
  2. Double-click ESETTrustezebAdecoder.exe on your Desktop to run the cleaner.
     
  3. Click the Decode button.
     
  4. When prompted, select your Desktop folder to decrypt all encrypted files in your Desktop and Desktop's subdirectories. To decrypt a different folder, for example, all in the C drive, select C:.

Decode using clean file

If you receive the message "Can't find window's original wallpaper file. Try to decode with clean file.":

  1. Click Decode using clean file.
     
  2. When prompted, select a clean file and click OK.
     
  3. When prompted, select an encrypted version of the same file and click OK.

    For example, a document or photo (step 2) in your backup or sent emails which was encrypted by Trustezeb.A. Decryptor requires you to select both versions of the file in order to decrypt all other files correctly.
     
  4. When prompted, select a directory to decrypt all its files and subdirectories and click OK.
  1. The FilecoderAR cleaner tool will run. If an infection is discovered, TrustezebA cleaner will decode the file and display the "Decoded and written: x file(s)" message.

Figure 1-1

 

Need Assistance in North America?

If you are a North American ESET customer and need assistance, view product documentation or visit helpus.eset.com to chat with a live technician.

További segítségnyújtás