Mbtf Virus

7-day Free Trial w/Credit card, no charge upfront or if you cancel up to 2 days before expiration; Subscription price varies per region w/ auto renewal unless you timely cancel; notification before you are billed; 30-day money-back guarantee; Read full terms and more information about free remover.

*Mbtf is a variant of Stop/DJVU. Source of claim SH can remove it.


Mbtf is a virus that belongs to the notorious malware category of ransomware. To be more specific, Mbtf is actually part of the file-encrypting subcategory of ransomware, which is the most dangerous of them all.

The Mbtf ransomware will leave a _readme.txt file with instructions

If Mbtf has invaded your computer, it has likely already locked a great deal of your files using encryption. As a result, you will no longer be able to access said files, as there’s not a program in existence that will be able to recognize and open them. This is what the hackers behind ransomware use as leverage in order to coerce their victims into paying a certain (usually rather hefty) sum of money as ransom.

In exchange, they promise to send a decryption key with the help of which victims are said to be able to undo the encryption and once again be able to access their files. The choice of whether to go down this route and transfer your money is certainly up to you. However, we would like to warn you that there are no guarantees where ransomware is involved. Even agreeing to the ransom payment may not necessarily give you the desired result and you may be left with nothing to show for the cash you spent.

What we can offer you is a set of alternative file-restoration methods that by the very least won’t cost you anything. But before you attempt any of those, and even before deciding to deal with the hackers, it is crucial that you first remove Mbtf from your computer. If you don’t, any files that you manage to decrypt may end up getting encrypted again, putting you back at square one. Just below this article we have included a removal guide that will show you how to handle the removal process. And in the second part of the guide you will find our suggestions regarding what you can undertake to recover your data.

The Mbtf virus

The Mbtf virus uses encryption as its main weapon, which converts valuable user files into unreadable bits of data. In addition, encryption doesn’t trigger most antivirus programs, which makes the Mbtf virus exceptionally dangerous.

Yes, you read correctly. Even if you have high-quality antivirus software running on your machine, it will likely not do anything to stop the encryption process of a virus like Mbtf, Mppn or Uyit. The reason is simple. We use encryption on a daily basis to check our emails, shop online, check our bank accounts, etc. If all of this were triggers for our antivirus systems, we’d never get anything done and all our sensitive information would essentially be exposed to prying eyes. For this reason, we cannot stress enough how important it is to prevent ransomware attacks before they happen. And better yet, keeping backups of your most valuable data on external drives is a sure way to render any ransomware attack futile.

The .Mbtf file extension

The .Mbtf file extension is the short suffix that you see at the end of each and every encrypted file. It is because of the .Mbtf file extension that no software is able to recognize the file format of the encrypted data.

mbtf file
The mbtf file virus ransomware



Detection Tool

*Mbtf is a variant of Stop/DJVU. Source of claim SH can remove it.

Before you start

Before you begin this guide, the following factors need to be taken into consideration:

  • The first thing we should mention is that it’s preferable to disconnect your PC from the web before you start completing the guide – doing so will prevent the Mbtf virus from communicating with its creators’ servers and, in turn, hopefully make the virus removal easier.
  • If there are any external devices with storage memory of their own (e.g. flash memory sticks, external HDDs, smartphones, tablets, etc.), you should immediately disconnect them from the computer – hopefully the Ransomware hasn’t gotten to them yet and the files in them are still untouched by the virus’ encryption.
  • Next, know that if you are considering the ransom payment as your way of recovering your files (something that we do not recommend), it’s probably better to first try to get your data decrypted and only then remove the virus. Otherwise, if you first remove the Ransomware, you may not be able to get the code even if you pay.
  • Lastly, know that the Ransomware may have already removed itself from the system in order to remove any traces that may help with the decryption of the locked files. Even if it seems the threat is not in the PC, however, we still recommend going through the next steps to make sure that the computer is clean.

Now that we’ve mentioned everything, let us show you the removal steps.


Remove Mbtf Ransomware

To remove Mbtf, you should complete each of the steps listed below:

  1. First, you must clean your PC from potentially rogue programs that may be connected to the infection.
  2. Next, you must make sure that no malicious processes are currently running on the computer.
  3. Thirdly, you should check for changes made by the virus to different system settings and reverse anything that the Ransomware has altered.
  4. Lastly, to remove Mbtf, you must find and delete all malware files on your computer.

Detailed instructions and tips about each of those steps are available below.

Detailed Guide


In order to search for potentially malicious programs on your computer, it is recommended that you go to the Control Panel and from there access the Uninstall a Program list, where you will see what programs are installed on your PC and have the option to uninstall the ones you deem hazardous.

Look for anything unknown or with a suspicious name, installed a bit before your files got encrypted – if you find a program that may be related to the virus, select it, then click the Uninstall option located right above the list, and proceed with the uninstallation process. Remember that you mustn’t agree to any offers from the uninstaller, such as “keep/do not delete personalized settings for the program” – everything that is related to the potentially harmful program must be removed from your PC.

This image has an empty alt attribute; its file name is uninstall1.jpg



*Mbtf is a variant of Stop/DJVU. Source of claim SH can remove it.

After you’ve removed whatever unwanted program(s) you may have found in the Uninstall a Program list, you must now make sure that there aren’t any rogue processes related to the Ransomware that are currently running in the background of your system.

You can do that from the Task Manager – to open it, press Ctrl + Shift + Esc and then select Processes to see what processes are currently running in the system. It is unlikely that there are any Ransomware processes still active on your computer but if there are, they would probably have really high RAM memory and CPU usage, so sort the items in the list based on the amount of RAM or CPU that they are using at the moment and see which are the most resource-intensive entries.

Pay attention to the names of the processes and use your own discretion to figure out if any of them may be harmful. If you suspect a given process, look it up and if the information you find online confirms your suspicions of the process being harmful, then you must delete said process and the data stored in its location folder.

Another thing you could do to check if the process is harmful is to scan its files. You can do that by right-clicking on the process’ entry from the list, selecting the open File Location option from the menu, and scanning all files in the folder that shows up with a reliable anti-malware scanner. One such powerful and reliable scanner can be found right below – you can use it for free straight from inside the browser.

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    This image has an empty alt attribute; its file name is task-manager1.jpg

    If even one single file is detected as a threat by our scanner, this means that the process it is related to is rogue and that process must be ended. To quit it, right-click on it and then click on the End Process option. After that, remember to delete everything that’s stored in the location folder of that process (and not only the file or files that were detected as threats). If you are unable to delete anything, try again at the end of the guide and/or contact us through the comments.

    This image has an empty alt attribute; its file name is task-manager2.jpg


    It is important to put your computer in Safe Mode – when it is in Safe Mode, Windows would only allow essential processes to be started automatically and so this could help prevent Mbtf from re-launching any of its processes.


    *Mbtf is a variant of Stop/DJVU. Source of claim SH can remove it.

    The next important step is to find and delete any Ransomware data saved on your PC. The good news is that there are several folders where most malware variants tend to create their files, so checking them for rogue data and deleting what you find should typically do the trick. However, before you go there, you must make sure to “unhide” any hidden files and folders on your computer, as it is likely that the virus has made its files invisible to prevent anyone from deleting them.

    First, open the Start menu and type in it Folder Options. From the search results, select the first one and then, in the next window, click on View from the top. Next, find and put a checkmark in the box of the Show Hidden files, folders, and drives option. Also find the next two options shown below, deselect/uncheck them, and then click on OK:

    • Hide extensions for known file types
    • Hide empty drives in the Computer folder

    Now, the folders you must go to are listed below – to go to them, copy their names from below as they are shown (along with the “%” symbols), paste them one by one in the Start Menu search bar, and hit Enter to go to each folder.

    • %AppData%
    • %LocalAppData%
    • %ProgramData%
    • %WinDir%
    • %Temp%

    In those folders, you must delete all data created after the on and after the date the virus infected you. Only in the Temp folder, you must simply delete everything.


    Now you must see if the virus has added any unwanted items to the Startup list of your computer. To do that, open the Start Menu, type in it msconfig, and press the Enter key. Then, in the System Configuration window that appears, select Startup and look at what items are shown in the list – if any of them are unfamiliar to you and/or are shown to have an unknown developer, uncheck them, and then select the OK button.

    The next thing you should check for changes made to it by the virus is the Hosts file. This file can be found here: Computer/(C:)/Windows/System32/drivers/etc – go to that location, open the file named Hosts using Notepad and look at the text in the file – if the virus has made any changes to the file, there would be something (probably a bunch of IPs) written under “Localhost“. If you see anything written there, you should copy it and send it to our team via the comments section under this post. Unless we see what’s below “Localhost” in your Hosts file, we cannot say for certain that it is from the virus – many regular programs also make changes to this file. Once we see your comment, we will reply to it, telling you if the text you’ve sent us must be removed from the file.

    This image has an empty alt attribute; its file name is hosts2.jpg


    For this final step, you must access the Registry Editor utility – type in the Start Menu regedit and open the regedit.exe file. Then select Yes when Windows requests your confirmation, and the Registry Editor should open. Once you are in it, press Ctrl + F and this will open the search bar of the Editor, which you must use to search for Mbtf items in the Registry, so type Mbtf and launch the search.

    This image has an empty alt attribute; its file name is 1-1.jpg

    Delete the item that gets found and then perform a second search as there will likely be more items that need to be deleted. Once you’ve made sure all items related to Mbtf are gone from the Registry, visit the next three locations by finding them in the left panel of the Editor.

    • HKEY_CURRENT_USER > Software
    • HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
    • HKEY_CURRENT_USER > Software > Microsoft > Internet Explorer > Main

    There, search for anything with a suspicious name that looks like this “392ud9382j894f984jr9j293jd” and if you come across any such items, delete them. If you are not certain about whether a given odd-looking item in the Registry should be removed, it is advisable to consult us by leaving us a comment in which you request our assistance.

    If the manual steps didn’t help

    Sometimes it may turn out that the manual steps are not enough to get rid of a Ransomware virus such as Mbtf. It could be because the virus has infiltrated the system on a very deep level or that it is being helped by another threat (a Trojan, a Rootkit, etc.) that is interfering with your attempts to remove it. Whatever the case, if you are in such a predicament, we advise you to try using a professional removal program to scan your entire system and delete any rogue data and settings it may find. In some instances, this and taking your PC to a specialist are your only viable options.

    Throughout his guide, you can find a powerful anti-malware tool capable of helping you with this issue, and we recommend trying it out if you have thus far been unable to fully remove Mbtf.

    How to Decrypt Mbtf files

    To decrypt Mbtf files, the user first needs to clean their computer from the virus to prevent secondary encryption of whatever data gets recovered. Then, to decrypt Mbtf files, one can try several alternative recovery methods that do not involve a ransom payment.

    Mae sure that your system is clean by scanning any files you think are suspicious with the free scanner provided on our site. After you are certain that the threat is gone, have a look at the suggested methods and the instructions for them available on our specialized How to Decrypt Ransomware post.

    What is Mbtf?


    Mbtf is a hazardous computer program of the Ransomware type that locks user files using encryption and then blackmails the user for the private key that can unlock them. Threats like Mbtf are oftentimes distributed with the help of disguised Trojan Horses and spam emails.
    During the time Mbtf is busy encrypting the files of its victims, it usually doesn’t show any visible symptoms of its presence and security programs typically don’t detect it (because it isn’t harming anything). Once it finishes with the encryption, it creates a notepad file or generates a banner on the user’s screen, where it details the conditions of its creators. The note/banner informs the user about the encrypted state of their files, the ransom sum that is required of them, and the exact way it’s supposed to be paid.
    Usually, the ransom payment is required in some form of cryptocurrency, such as Bitcoin, in order to prevent the authorities from tracking down the blackmailers. Oftentimes, there’s a “discount” period, after which the demanded sum is doubled.

    Is Mbtf a virus?


    Mbtf is a virus program recognized as a file-locking Ransomware that applies military-grade encryption to its victims’ files to keep them inaccessible. According to the hackers, the only way to access the files locked by the Mbtf virus is through a special private key.
    The main threat that the Mbtf virus represents is its potential to lock up files that are important to you. If for some reason the virus doesn’t lock any important files or if there aren’t such files in the system, the hackers would have no leverage that they can use to blackmail you. The Ransomware itself can’t damage the computer in any way.
    To increase its chances of encrypting valuable files, the hackers behind Mbtf set the virus to seek and encrypt files that belong to a list of commonly used file formats (image, text, audio, video file formats, spreadsheets, and more).
    Once the encryption is complete and the ransom note gets displayed, the user has to choose between paying the requested sum or seeking alternative methods.

    How to decrypt Mbtf files?


    To decrypt Mbtf files, you can use free Ransomware decryptor tools, try to extract your files from shadow copies, or use your own data backups. It is not recommended to try to decrypt Mbtf files by paying the demanded sum to the hackers.
    There are many things that could go wrong if you choose to go for the ransom payment option. The first and most obvious issue that could occur is if the hackers simply refuse to give you the key, yet keep whatever money you send them. Another option is if there’s a problem with the key, they may send you, making it useless for decrypting your files. It’s also possible that the virtual wallet included in the ransom note (to which you are supposed to transfer the money) may no longer belong to the hackers, and so sending money to it would be a total waste.
    Sadly, none of the possible alternatives guarantee success, but they at least do not involve dealing with cybercriminals and risking large amounts of money without knowing if it would eventually be worth it.



    About the author


    Violet George

    Violet is an active writer with a passion for all things cyber security. She enjoys helping victims of computer virus infections remove them and successfully deal with the aftermath of the attacks. But most importantly, Violet makes it her priority to spend time educating people on privacy issues and maintaining the safety of their computers. It is her firm belief that by spreading this information, she can empower web users to effectively protect their personal data and their devices from hackers and cybercriminals.

    Leave a Comment

    We are here to help! Use SpyHunter to remove malware in under 15 minutes.

    Not Your OS? Download for Windows® and Mac®.

    * See Free Trial offer details and alternative Free offer here.

    ** SpyHunter Pro receives additional removal definitions and manual fixes through its HelpDesk in cases where they are needed.

    Spyware Helpdesk 1