MNS Cryptolocker Ransomware. How to Remove? (Removal Guide)

MNS Cryptolocker is a ransomware that was created to encrypt the files and then demand money to decrypt them. The AES algorithm is used for this and there’s no tool at the moment that can return the affected data to normal for free. The Cryptolocker family has been around since 2013 and the total amount of money that was paid to its creators exceeds $300 million USD. Its developers sure know what they’re doing, and while they’ve created some variants that only lock users out of the computer and tell them about the files being encrypted, without actually doing so, this one, unfortunately, does it for real. And when it finishes, you get the following message that’s displayed in a Pop-Up window –

‘All your file locked with the MNS CryptoLocker:

send 0.2 btc to adress 19o4meegqhmdswffskcdgm8rjt16cca33xqfor decrypt your files send your uniq and btc wallet from wich paid

to email alex.vas@dr.com

after we receive bitcoins and yor email, we contact with you’

Having your computer infected with MNS Cryptolocker is certainly bad news, but you still can escape this situation without paying. Why give away your hard-earned money to random people when you can simply download a program such as Plumbytes Anti-Malware and use it to eliminate the threats from your system? We have a detailed manual on how to do it, so you’ll eventually be successful. And when your computer is cleansed, it’s time to restore the files – this can be done from backup. It may take a while, depending on the amount of affected data, but it beats sending money to the developers of MNS Cryptolocker by a mile. And you won’t have to worry about being tricked.

Going forward, delete all of the emails that come from unknown addresses. Don’t open attachments within them – those are executable files that infect your computer as soon as they’re launched. The encryption process starts immediately after that and you won’t be able to stop it. Also be on your guard while going to XXX pages and file-sharing services – those often contain corrupted links and advertisements, and clicking on them means giving the ransomware a carte blanche to enter your system.

Common symptoms of MNS Cryptolocker ransomware

  • You are not able to access any of the files you try to open.
  • Affected files have odd extensions (like .crypted, .locky, .sage, etc.).
  • You may find .txt or .html ransomware instruction files in system folders.
  • Your desktop screen might be locked, so you can’t access your PC.
  • Pop-up messages that ask you to pay “a ransom” to get access to your PC or files again.
  • Ransomware may delete important system files.
  • Sluggish PC performance.
  • Your anti-virus software stops working.

Sources of MNS Cryptolocker ransomware infection

  • Spam emails that contain malicious attachments or hyperlinks.
  • Compromised websites that have exploit code injected in their web pages.
  • Vulnerabilities in unpatched Windows operating system.
  • Vulnerabilities in outdated web browsers.
  • Drive-by downloads.
  • Fake Flash Player update websites.
  • Installing pirated software or operating systems.
  • Facebook spam messages that contain malicious attachments or links.
  • Malicious SMS messages (ransomware may target mobile devices).
  • Malvertising campaigns (pop-up and banner ads).
  • Self-propagation (spreading from one infected PC to another via LAN networks).
  • Infected game servers.
  • Botnets.
  • Peer-to-peer networks.

My PC is infected with MNS Cryptolocker! What should I do?

STEP 1. Create an image of your system and back up encrypted files

Some ransomware viruses have hidden scripts that may remove or overwrite all encrypted files after a certain amount of time has passed since infiltration. We strongly recommend creating a backup of all of your encrypted files before trying to decrypt or restore them. You should find all the encrypted files that end with the ransomware file extension and copy them to an external hard drive or USB flash drive.
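
One way to carry out this step from PowerShell, as an added example that is not part of the original guide: it copies every file with a given extension to an external drive, keeps the folder layout, and records a SHA-256 hash per file so the copies can be checked later. The extension .EXAMPLE-EXT and the destination E:\encrypted-backup are placeholders (the page does not name the extension MNS Cryptolocker appends), and PowerShell 4.0 or later is assumed for Get-FileHash.

```powershell
# Added example, not from the original guide.
# Placeholders: the page does not state which extension MNS Cryptolocker
# appends, so pass the one seen on your own files; E:\ stands for an
# external drive. Requires PowerShell 4.0 or later (Get-FileHash).
param(
    [string]$Source      = $env:USERPROFILE,
    [string]$Extension   = '.EXAMPLE-EXT',
    [string]$Destination = 'E:\encrypted-backup'
)

$sourceRoot = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
[System.IO.Directory]::CreateDirectory($Destination) | Out-Null

$records = @(
    Get-ChildItem -LiteralPath $sourceRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq $Extension } |
        ForEach-Object {
            $file     = $_
            # Path relative to $Source, so the backup keeps the original layout.
            $relative = $file.FullName.Substring($sourceRoot.Length).TrimStart('\')
            $target   = Join-Path $Destination $relative
            $status   = 'copied'
            $srcHash  = $null
            try {
                # .NET calls treat [ ] in file names literally.
                [System.IO.Directory]::CreateDirectory((Split-Path -Parent $target)) | Out-Null
                [System.IO.File]::Copy($file.FullName, $target, $true)
                $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256 -ErrorAction Stop).Hash
                if ($srcHash -ne $dstHash) { $status = 'HASH MISMATCH' }
            }
            catch {
                # A locked or unreadable file is recorded, not fatal.
                $status = "FAILED: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Source = $file.FullName
                Copy   = $target
                Bytes  = $file.Length
                SHA256 = $srcHash
                Status = $status
            }
        }
)

# The manifest lets you prove later that the backup matches what was on disk.
$manifest = Join-Path $Destination 'manifest.csv'
if ($records.Count -gt 0) {
    $records | Export-Csv -LiteralPath $manifest -NoTypeInformation -Encoding UTF8
}
$problems = @($records | Where-Object { $_.Status -ne 'copied' }).Count
"{0} file(s) processed, {1} with problems; manifest: {2}" -f $records.Count, $problems, $manifest
```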


STEP 2. Scan your computer with anti-malware software and block the ransomware activity

Restart your computer in Safe Mode with Networking. You can find step-by-step instruction here on our website – “How to start Windows in Safe Mode with Networking”.

Install one of the recommended anti-malware tools listed below and scan your computer for viruses. The anti-malware program will detect all malicious files and move them to quarantine in order to block ransomware activity on your computer. Do NOT delete any of the quarantined files! They can be helpful to identify which encryption method was used in your case and if any features match known types of ransomware.

Remove Ransomware with Plumbytes Anti-Malware

1. You should download the Plumbytes Anti-Malware installer to scan your computer for any ransomware and other malware that might have infected your computer. Plumbytes Anti-Malware is trusted software that can detect and remove most security threats, including adware, ransomware, PUPs, trojans, worms and rootkits.

2. Double-click the downloaded “antimalwaresetup.exe” installation file to launch it.

3. Click the “Install” button to start the installation process. The setup wizard will automatically start to download the necessary program files to your computer. Once the download is completed, Plumbytes Anti-Malware will be automatically installed on your computer. The entire installation process takes only 2-3 minutes.

4. Once installed, Plumbytes Anti-Malware will automatically update its antivirus signatures database and then start smart system scan to detect all malware, adware, spyware and other security threats.

5. You will see the detailed list of security threats and potentially unwanted applications detected on your PC. Click “Remove Selected” button to clear your PC from malicious files, adware and potentially unwanted applications.

If you want to purchase Plumbytes Anti-Malware license key, you can apply PLUMNGZ250 coupon code in order to get a 50% discount.


Double-Check your PC with SpyHunter 4 Anti-Malware

6. You can double-check your computer with SpyHunter Anti-Malware in order to remove any leftover malware and ransomware traces. SpyHunter 4 is considered as one of the best and most effective anti-ransomware tools today. Click the following link to download SpyHunter installation package or just click the download button below.

7. Double-click the downloaded “SpyHunter-Installer.exe” file to start the installation process.

8. When the installation starts, the Setup Wizard will offer a few options and settings that you may want to configure. We recommend just clicking “Next” button to accept the default application settings. You can check out our detailed SpyHunter 4 Anti-Malware Setup & User Guide which can help you to go through the installation process and provide important information about malware scans and program settings.

9. Once the installation is completed, SpyHunter 4 will automatically update its antivirus database and latest virus definitions. Next, SpyHunter 4 Quick Scan will automatically check your computer for any malware, adware, spyware and other security threats.

10. You will see the detailed list of viruses and potentially unwanted applications detected on your PC. Click “Next” button to clear your PC from malicious files, adware and PUPs.


Alternate Recommended Anti-Malware Tools

The following awesome full-scale anti-malware products also have proved their effectiveness against all types of malware and adware. However, some of these anti-malware programs don’t provide a free trial version, and you’ll have to purchase a license key in order to clean your computer from the detected malware and PUPs.

1. Ransomware Defender: Download | Our Review – 30-Day Free Trial

2. HitmanPro.Alert: Download | Our Review – 30-Day Free Trial

3. Malwarebytes Anti-Malware: Download | Our Review – 14-Day Free Trial

4. Emsisoft Anti-Malware: Download | Our Review – 30-Day Free Trial

5. WiperSoft Antispyware: Download | Our Review


STEP 3. Identify the type of ransomware virus

If you don’t know what type of ransomware has infected your PC, you should try ID Ransomware free online service. Visit ID Ransomware website and upload a ransom note or a sample encrypted file to identify the ransomware strain.

You can also give a try to the VirusTotal.com free service the same way in order to determine which ransomware family you are dealing with.

STEP 4. Find out if there is a decryption tool

Once you’ve identified the exact type of ransomware, you should try to find out if there is an effective decrypter available for your encrypted files. In this case, you’ll be lucky to recover your important data without spending your money on paying the ransom.

You can find the most complete list of current ransomware decryption tools in our “10 Free Tools to Defeat Ransomware in 2017” review.

No More Ransom! Project

Nomoreransom.org website was launched in 2016 and is backed by reputable top security companies and security institutions in many countries. Visit the Crypto Sheriff https://www.nomoreransom.org/crypto-sheriff.php page at Nomoreransom.org, upload one of your encrypted files, and you will find out if there is a solution available to decrypt all of your files for free.

EmsiSoft Decrypter

EmsiSoft’s team continuously works on the development of free decrypters for different types of ransomware. Check out the Decrypter.emsisoft.com web page for the ransomware decryptor you need. Currently there are more than 40 working decryptors for different crypto-ransomware families.

Kaspersky NoRansom

Russian cyber security firm Kaspersky Lab has launched https://noransom.kaspersky.com website where you can download free ransomware decryptors and removal tools.

Avast Free Ransomware Decryption Tools

At the Avast Free Ransomware Decryption Tools web page you can download decryption tools which can help to unlock files encrypted by various forms of ransomware.

Trend Micro Ransomware File Decryptor

The Trend Micro Ransomware File Decryptor tool is able to decrypt files encrypted by different types of ransomware. Visit the TrendMicro website to find detailed instructions and a video guide for this decryptor tool.

STEP 5. No Decrypter available? We’re still here to help you

Unfortunately, most recent file-encrypting ransomware strains don’t have a working decryption solution. Loosely speaking, if you don’t pay attackers for a copy of the private decryption key, you can get stuck with blocked important files for a long time. However, in many cases, even after paying a large ransom, victims still don’t receive the key to unblock their files. According to statistics, one in five victims who paid the ransom never got their files back. Remember: if you pay the ransom, you directly contribute to the financial success of cyber criminality. Before you decide to pay the ransomware demand, you should try to gather all available information about the particular type of crypto-ransomware that infected your system.

1. Check out our manual removal guide below. If the ransomware that infected your computer doesn’t delete shadow volume copies from local hard drive, you can try to use System Restore feature to roll Windows operating system back in time or to recover your files from system snapshots.

Malwareless.com website’s team strives to provide all actual and valuable information about ransomware viruses. We continuously monitor latest decryptor tools and add them to the removal instructions.

2. Bleepingcomputer.com website has a great Ransomware Help & Tech Support forum section with quite active ransomware discussions that may save you a lot of money and time. Check the particular forum topics about the type of ransomware that infected your computer and follow the provided instructions.

3. You can also ask for help using EmsiSoft’s Malware Research Center. Their ransomware first aid service is free for both customers and non-customers.

Remove MNS Cryptolocker Ransomware Manually (Removal Guide)

Notice: The manual removal guide is recommended for experienced PC users only. Incorrect modifications introduced into Windows operating system settings, Windows Registry or browser settings may result in system failures or software errors.

We’ve created this detailed removal guide to help you manually remove MNS Cryptolocker and any other ransomware threats from your computer. Please carefully follow all the steps listed in the instruction. We’ve attached detailed screenshots, video guides and descriptions for your convenience. If you have any questions or issues, please contact us via email, public forum or online contact form. You can also add your comments to this guide below.

Windows 10

Remove Ransomware from Windows 10


MNS Cryptolocker removal using Safe Mode with Networking

Why choose this reboot method instead of the common Safe Mode? The Safe Mode with Networking option lets you access the Internet in order to download the necessary tools that can help you remove MNS Cryptolocker ransomware from your PC.

You can start Windows 10 in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.

STEP 1: Start your PC in Safe Mode with Networking

If you have a new computer with UEFI BIOS and SSD hard drive, pressing both F8 and Shift+F8 keys may not work for you to get into safe mode.

The easiest method for booting into Safe Mode with Networking is to use the Advanced options settings.

Click Windows button in the bottom-left corner and select Power option, then hold Shift key and click Restart.

Your computer will be rebooted once again. You will see the following window with a few options. Select Troubleshoot option.

Next, select Advanced options.

Go to Startup Settings in the Advanced options window.

Click Restart button.

Your computer will be rebooted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Networking and press F5 to activate this mode. The Safe Mode with Networking option lets you access the Internet in order to download the necessary tools that can help you remove ransomware from your PC.

STEP 2: Download Anti-Malware Software

Once you are in Safe Mode with Networking, launch your web browser and download a trusted anti-virus or anti-malware software to scan your PC for MNS Cryptolocker malicious files and processes. If you don’t want to purchase an anti-malware software license, you can simply scan your system for viruses, and then manually remove the detected malicious files.

Our short guide below will explain how to show hidden files, folders and file extensions on your hard drive file system.

STEP 3: Remove malicious files installed by ransomware

Once an exploit kit infiltrates into your computer, it downloads and installs ransomware files into your system.

You should manually check the following system folders for the batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could be created by the ransomware virus:

  • %TEMP%\
  • %APPDATA%\
  • %ProgramData%\
  • %UserProfile%\

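
The folder check above can be scripted so nothing is missed by eye. The following PowerShell is an added example, not part of the original guide: it lists files with the named extensions that were created or changed recently in those four folders, with signature status and SHA-256 hash, and changes nothing on disk. The 30-day review window is an assumption; PowerShell 4.0 or later is assumed for Get-FileHash.

```powershell
# Added example, not from the original guide. Read-only: nothing is deleted.
# Assumption: $sinceDays is a review window you choose around the infection date.
$sinceDays  = 30
$folders    = @($env:TEMP, $env:APPDATA, $env:ProgramData, $env:USERPROFILE)
$extensions = @('.cmd', '.btm', '.bat', '.bmp', '.dll', '.exe')

$cutoff = (Get-Date).AddDays(-$sinceDays)
$seen   = @{}   # %UserProfile% contains %APPDATA% and %TEMP%, so de-duplicate

$findings = foreach ($folder in $folders) {
    if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }

    Get-ChildItem -LiteralPath $folder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($extensions -contains $_.Extension.ToLowerInvariant()) -and
            ($_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff)
        } |
        ForEach-Object {
            if ($seen.ContainsKey($_.FullName)) { return }   # already reported
            $seen[$_.FullName] = $true

            # Authenticode status is only meaningful for executables and DLLs.
            $signature = 'n/a'
            if ($_.Extension -match '^\.(exe|dll)$') {
                $signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName `
                                -ErrorAction SilentlyContinue).Status
            }

            # A file locked by a running process cannot be hashed; record that.
            $hash = 'unreadable'
            try {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            }
            catch { }

            [pscustomobject]@{
                Created    = $_.CreationTime
                Modified   = $_.LastWriteTime
                Signature  = $signature
                Attributes = $_.Attributes      # Hidden/System stand out here
                SHA256     = $hash
                Path       = $_.FullName
            }
        }
}

# Newest first: files dropped at infection time cluster together.
$findings | Sort-Object Created -Descending | Format-List
```

Compare the listed hashes against the detections your anti-malware scan reported before removing anything by hand; an unsigned recent file is a candidate for review, not proof of infection.
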
STEP 4: Clean your Windows Registry (for experienced users only)

It’s strongly recommended to clean your Windows Registry to remove all entries associated with ransomware infection. Windows Registry contains all the settings and information for the software applications and user accounts in your Windows operating system. You need to launch Registry Editor utility to make changes to registry.

Press Windows + R to open the Run dialog and type regedit or regedit.exe into the Open: field. Click OK button or press Enter key.

When you open the Registry Editor for the first time, you’ll see a treeview on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.

Once Registry Editor is open, you need to find and remove registry keys and values created by the ransomware infection.

Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.

Look up the names of the files associated with ransomware threat affecting your PC and type it into “Find what:” text box. Select all checkboxes and then click Find Next button.

Right-click on the located registry entry and click Delete from the context menu. Repeat this process for each of the registry entries associated with the malware or adware.

Click Yes button in the confirmation window.

Check the following auto-startup registry locations for suspicious entries:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Next, check the HKEY_CURRENT_USER hive for suspicious registry keys.

To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.
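
Before deleting anything in Registry Editor, it helps to see every auto-start entry in one list. The following PowerShell is an added example, not part of the original guide: it reads the keys named above under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER and marks entries whose command points into the folders from STEP 3. The Review column and the comparison of Userinit against the Windows default (userinit.exe in system32) are this example's own heuristics.

```powershell
# Added example, not from the original guide. Read-only: it lists, it does not delete.
$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)

# Folders the guide lists in STEP 3 as places ransomware drops its files.
$dropDirs = @($env:TEMP, $env:APPDATA, $env:ProgramData, $env:USERPROFILE) |
    Where-Object { $_ }

function Test-InDropDir([string]$Data) {
    # True when the auto-start command references one of the STEP 3 folders.
    foreach ($dir in $dropDirs) {
        if ($Data.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

$entries = @(
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($sub in $subKeys) {
            $key = Get-Item -LiteralPath "$hive\$sub" -ErrorAction SilentlyContinue
            if (-not $key) { continue }          # key absent on this Windows version
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)   # REG_EXPAND_SZ is expanded
                [pscustomobject]@{
                    Review = (Test-InDropDir $data)
                    Key    = "$hive\$sub"
                    Name   = $name
                    Data   = $data
                }
            }
        }
    }
)

# Winlogon\Userinit: the Windows default is a single entry, userinit.exe in
# system32, followed by a comma. Anything else in the list deserves a look.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = [string](Get-ItemProperty -LiteralPath $winlogon -Name Userinit `
                        -ErrorAction SilentlyContinue).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$extra    = @($userinit -split ',' |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ -and $_ -ine $expected })
$entries += [pscustomobject]@{
    Review = ($extra.Count -gt 0)
    Key    = $winlogon
    Name   = 'Userinit'
    Data   = $userinit
}

# Entries marked for review first.
$entries | Sort-Object Review -Descending | Format-List
```

Legitimate software also starts from the user profile, so a True in the Review column means the entry should be matched against the files found in STEP 3, not deleted outright.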

(Optional) MNS Cryptolocker removal using Safe Mode with Command Prompt

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.

This method works only if System Protection feature is enabled on your Windows 10 computer. You can find more information about System Protection feature in the following article on our website.

Click Windows button in the bottom-left corner and select Power option, then hold Shift key and click Restart.

Your computer will be rebooted once again. You will see the following window with a few options. Select Troubleshoot option.

Next, select Advanced options.

Go to Startup Settings in the Advanced options window.

Click Restart button.

Your computer will be rebooted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.

After your computer restarts, an MS-DOS black command prompt window will appear. Type cd restore using command prompt and press Enter.

Type rstrui.exe in the next line and press Enter.

Check if System Restore window opens and click Next button to continue.

Select a restore point with the date prior to malware infection and click Next button.

Click Finish button to confirm your restore point.

Click Yes button in the confirmation window.

Windows 8

Remove Ransomware from Windows 8.1


MNS Cryptolocker removal using Safe Mode with Networking

Why choose this reboot method instead of the common Safe Mode? The Safe Mode with Networking option lets you access the Internet in order to download the necessary tools that can help you remove MNS Cryptolocker ransomware from your PC.

You can start Windows 8.1 in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.

STEP 1: Start your PC in Safe Mode with Networking

If you have a new computer with UEFI BIOS and SSD hard drive, pressing both F8 and Shift+F8 keys may not work for you to get into safe mode.

The easiest method for booting into Safe Mode with Networking is to use the Advanced options settings.

Click the Windows Start button to open the Start screen. Type in Advanced and select Change advanced startup options from the Search results list.

Go to Update and recovery –> Recovery and click Restart now button.

Once your computer restarts successfully, you will see a window with three options available. Select  Troubleshoot option.

Next, select Advanced options.

Next, go to Startup Settings.

Click Restart button.

Your computer will be rebooted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Networking and press F5 to activate this mode. The Safe Mode with Networking option lets you access the Internet in order to download the necessary tools that can help you remove ransomware from your PC.

STEP 2: Download Anti-Malware Software

Once you are in Safe Mode with Networking, launch your web browser and download a trusted anti-virus or anti-malware software to scan your PC for MNS Cryptolocker malicious files and processes. If you don’t want to purchase an anti-malware software license, you can simply scan your system for viruses, and then manually remove the detected malicious files.

Our short guide below will explain how to show hidden files, folders and file extensions on your hard drive file system.

STEP 3: Remove malicious files installed by ransomware

Once an exploit kit infiltrates into your computer, it downloads and installs ransomware files into your system.

You should manually check the following system folders for the batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could be created by the ransomware virus:

  • %TEMP%\
  • %APPDATA%\
  • %ProgramData%\
  • %UserProfile%\

STEP 4: Clean your Windows Registry (for experienced users only)

It’s strongly recommended to clean your Windows Registry to remove all entries associated with ransomware infection. Windows Registry contains all the settings and information for the software applications and user accounts in your Windows operating system. You need to launch Registry Editor utility to make changes to registry.

Press Windows + R to open the Run dialog and type regedit or regedit.exe into the Open: field. Click OK button or press Enter key.

When you open the Registry Editor for the first time, you’ll see a treeview on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.

Once Registry Editor is open, you need to find and remove registry keys and values created by the ransomware infection.

Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.

Look up the names of the files associated with ransomware threat affecting your PC and type it into “Find what:” text box. Select all checkboxes and then click Find Next button.

Right-click on the located registry entry and click Delete from the context menu. Repeat this process for each of the registry entries associated with the malware or adware.

Click Yes button in the confirmation window.

Check the following auto-startup registry locations for suspicious entries:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Next, check the HKEY_CURRENT_USER hive for suspicious registry keys.

To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.

(Optional) MNS Cryptolocker removal using Safe Mode with Command Prompt

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.

This method works only if System Protection feature is enabled on your Windows 8 computer. You can find more information about System Protection feature in the following article on our website.

Click the Windows Start button to open the Start screen. Type Advanced in the Search field and select Change advanced startup options.

Go to Update and recovery –> Recovery and click Restart now button.

Once your computer restarts successfully, you will see a window with three options available. Select  Troubleshoot option.

Next, select Advanced options.

Choose Startup Settings in the advanced options.

Click Restart button.

Your computer will be restarted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.

After your computer restarts, an MS-DOS black command prompt window will appear. Type cd restore using command prompt and press Enter.

Type rstrui.exe in the next line and press Enter.

Check if System Restore window opens and click Next button to continue.

Select a restore point with the date prior to malware infection and click Next button.

Click Finish button to confirm your restore point.

Click Yes button in the confirmation window.

Windows 7

Remove Ransomware from Windows 7


MNS Cryptolocker removal using Safe Mode with Networking

Why choose this reboot method instead of the common Safe Mode? The Safe Mode with Networking option lets you access the Internet in order to download the necessary tools that can help you remove MNS Cryptolocker ransomware from your PC.

You can start Windows 7 in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.

STEP 1: Start your PC in Safe Mode with Networking

If you have a new computer with UEFI BIOS and SSD hard drive, pressing both F8 and Shift+F8 keys may not work for you to get into safe mode.

Restart your computer. While your PC restarts, immediately press and hold F8 key.

Use the arrow keys to highlight Safe Mode with Networking on the Advanced Boot Options screen. Hit Enter key.

Your computer will boot up in safe mode with a black blank screen and with the words “Safe Mode” in all four corners.

STEP 2: Download Anti-Malware Software

Once you are in Safe Mode with Networking, launch your web browser and download a trusted anti-virus or anti-malware software to scan your PC for MNS Cryptolocker malicious files and processes. If you don’t want to purchase an anti-malware software license, you can simply scan your system for viruses, and then manually remove the detected malicious files.

Our short guide below will explain how to show hidden files, folders and file extensions on your hard drive file system.

STEP 3: Remove malicious files installed by ransomware

Once an exploit kit infiltrates into your computer, it downloads and installs ransomware files into your system.

You should manually check the following system folders for the batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could be created by the ransomware virus:

  • %TEMP%\
  • %APPDATA%\
  • %ProgramData%\
  • %UserProfile%\

STEP 4: Clean your Windows Registry (for experienced users only)

It’s strongly recommended to clean your Windows Registry to remove all entries associated with ransomware infection. Windows Registry contains all the settings and information for the software applications and user accounts in your Windows operating system. You need to launch Registry Editor utility to make changes to registry.

Press Windows + R to open the Run dialog and type regedit or regedit.exe into the Open: field. Click OK button or press Enter key.

When you open the Registry Editor for the first time, you’ll see a treeview on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.

Once Registry Editor is open, you need to find and remove registry keys and values created by the ransomware infection.

Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.

Look up the names of the files associated with ransomware threat affecting your PC and type it into “Find what:” text box. Select all checkboxes and then click Find Next button.

Right-click on the located registry entry and click Delete from the context menu. Repeat this process for each of the registry entries associated with the malware or adware.

Click Yes button in the confirmation window.

Check the following auto-startup registry locations for suspicious entries:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Next, check the HKEY_CURRENT_USER hive for suspicious registry keys.

To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.

(Optional) MNS Cryptolocker removal using Safe Mode with Command Prompt

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.

This method works only if System Protection feature is enabled on your Windows 7 computer. You can find more information about System Protection feature in the following article on our website.

Restart your computer. During your PC boot process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then use arrow keys to select Safe Mode with Command Prompt from the list.

Hit Enter key.

After your computer restarts, a black MS-DOS command prompt window will appear. At the prompt, type cd restore and press Enter.

Type rstrui.exe in the next line and press Enter.

Check if System Restore window opens and click Next button to continue.

Select a restore point with the date prior to malware infection and click Next button.

Click Finish button to confirm your restore point.

Click Yes button in the confirmation window.

Windows XP

Remove Ransomware from Windows XP


MNS Cryptolocker removal using Safe Mode with Networking

Why choose this reboot method instead of the common Safe Mode? The Safe Mode with Networking option gives you Internet access, so you can download the tools needed to remove MNS Cryptolocker ransomware from your PC.

You can start Windows XP in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.

STEP 1: Start your PC in Safe Mode with Networking

If you have a new computer with UEFI BIOS and SSD hard drive, pressing both F8 and Shift+F8 keys may not work for you to get into safe mode.

Restart your computer. While your PC restarts, immediately press and hold F8 key.

Use the arrow keys to highlight Safe Mode with Networking on the Advanced Boot Options screen.

Press the Enter key. If you have multiple operating systems installed, select Windows XP and press the Enter key.

Your computer will boot up in safe mode with a black blank screen and with the words “Safe Mode” in all four corners.

Click Yes button to proceed to work in safe mode.

STEP 2: Download Anti-Malware Software

Once you are in Safe Mode with Networking, launch your web browser and download a trusted anti-virus or anti-malware software to scan your PC for MNS Cryptolocker malicious files and processes. If you don’t want to purchase an anti-malware software license, you can simply scan your system for viruses, and then manually remove the detected malicious files.

Our short guide below will explain how to show hidden files, folders and file extensions on your hard drive file system.

STEP 3: Remove malicious files installed by ransomware

Once an exploit kit infiltrates your computer, it downloads and installs ransomware files on your system.

You should manually check the following system folders for the batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could be created by the ransomware virus:

  • \%TEMP%\
  • \%APPDATA%\
  • \%ProgramData%\
  • \%UserProfile%\

STEP 4: Clean your Windows Registry (for experienced users only)

It’s strongly recommended to clean your Windows Registry to remove all entries associated with the ransomware infection. The Windows Registry contains all the settings and information for the software applications and user accounts in your Windows operating system. You need to launch the Registry Editor utility to make changes to the registry.

Press Windows + R to open the Run dialog, then type regedit or regedit.exe into the Open: field. Click the OK button or press the Enter key.

When you open the Registry Editor for the first time, you’ll see a treeview on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.

Once Registry Editor is open, find and remove the registry keys and values created by the ransomware infection.

Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.

Look up the names of the files associated with the ransomware threat affecting your PC and type each one into the “Find what:” text box. Select all checkboxes and then click the Find Next button.

Right-click on the located registry entry and click Delete from the context menu. Repeat this process for each of the registry entries associated with the malware or adware.

Click Yes button in the confirmation window.

Check the following auto-start registry locations for suspicious entries:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Next, check the HKEY_CURRENT_USER hive for suspicious registry keys.

To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.
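The auto-start check in the Windows 7 and Windows XP registry walkthroughs above can also be triaged from saved `reg query` output rather than by eye. The script below is an added example, not part of the original guide: it assumes the output of `reg query` for each listed key was saved as text, and the sample output, value names and expanded-path markers are constructed for illustration.

```python
import re

# Locations from the guide's folder list (%TEMP%, %APPDATA%, %ProgramData%,
# %UserProfile%), as unexpanded variables and as typical expanded paths.
# The expanded forms are assumptions about a default Windows XP/7 layout.
USER_WRITABLE = (
    "%temp%", "%appdata%", "%programdata%", "%userprofile%",
    "\\users\\", "\\documents and settings\\", "\\programdata\\", "\\temp\\",
)

# "    <name>    REG_SZ    <data>"; spaces or tabs are accepted as separators.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s*(?P<data>.*)$")

# Constructed sample of saved `reg query` output (not taken from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Example Audio Tray    REG_SZ    "C:\Program Files\ExampleAudio\tray.exe" -s
    updsvc    REG_SZ    C:\ProgramData\updsvc\updsvc.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    helper    REG_EXPAND_SZ    %APPDATA%\helper.exe /s
"""


def parse_reg_query(text):
    """Yield (key, name, type, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if match and key:
            yield key, match["name"], match["type"], match["data"].strip()


def flag_autostarts(text):
    """Return entries whose command references a user-writable location."""
    flagged = []
    for key, name, _kind, data in parse_reg_query(text):
        hits = [m for m in USER_WRITABLE if m in data.lower()]
        if hits:
            flagged.append({"key": key, "name": name, "data": data, "why": hits})
    return flagged


if __name__ == "__main__":
    for entry in flag_autostarts(SAMPLE):
        print(entry["key"], "|", entry["name"], "|", entry["data"], "|", entry["why"])
```

A flagged entry is only a candidate for review: legitimate software also starts from these folders, so confirm the target file before deleting the value.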

(Optional) MNS Cryptolocker removal using Safe Mode with Command Prompt

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.

This method works only if the System Protection feature is enabled on your Windows XP computer. You can find more information about the System Protection feature in the following article on our website.

Restart your computer. During your PC boot process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then use arrow keys to select Safe Mode with Command Prompt from the list.

Press the Enter key. If you have multiple operating systems installed, select Windows XP and press the Enter key.

After your computer restarts, a black MS-DOS command prompt window will appear. At the prompt, type C:\Windows\system32\Restore\rstrui.exe and press Enter.

Check if System Restore window opens and click Next button to continue.

Select a restore point with the date prior to malware infection and click Next button.

Click Next button to confirm your restore point.

Restore previous versions of the files encrypted by MNS Cryptolocker ransomware

To restore files encrypted by ransomware, try using the Windows Previous Versions feature. This recovery method is only effective if the System Restore option was enabled on your Windows operating system. Notice: some types of ransomware are known to remove Shadow Volume Copies of the files, so this method may not work on your computer.

Please check out our “How to Restore Previous Versions of a File” step-by-step guide for more information.


Recover your files using ShadowExplorer program

You can also try using third-party software to recover files deleted, damaged or encrypted by a ransomware attack. We recommend installing ShadowExplorer version 0.9 – this tool is free and user-friendly. ShadowExplorer lets you browse through the Shadow Copies of your files created by the Windows Volume Shadow Copy Service. Notice: some types of ransomware are known to remove Shadow Volume Copies of the files, so this method may not work on your computer.

Please read our ShadowExplorer installation and user’s guide for additional information about this useful application.


How to Prevent Ransomware Attacks?

Security Tips to Protect Your Computer against Ransomware:

  • Back up your important data on a regular basis. Use an external hard drive and/or a cloud service for backups.
  • Turn on System Restore feature in your operating system.
  • Disable macros in Microsoft Office suite (Word, Excel, PowerPoint, etc.).
  • Install a Microsoft Office viewer to check a downloaded Word or Excel document without macros.
  • Configure your webmail to automatically block attachments with extensions like .exe, .vbs, and .scr.
  • Don’t open attachments in emails that look suspicious.
  • Don’t click any links in spam and suspicious emails.
  • Don’t click suspicious hyperlinks and don’t open adult photos or videos received in social networks or instant messengers.
  • Patch your Windows operating system regularly.
  • For daily use, don’t use Windows user account with administrative privileges.
  • Enable “Show File Extensions” option in order to see what types of files you open. Stay away from suspicious files with extensions like ‘.exe’, ‘.vbs’ and ‘.scr’.
    Ransomware files often can look like they have two extensions – e.g., “.pdf.exe”, “.avi.exe” or “.xlsx.scr” – so pay attention to the files of this sort.
  • Disable Windows PowerShell framework.
  • Disable Windows Script Host (WSH) technology.
  • Use the Windows Group or Local Policy Editor to create Software Restriction Policies that prevent executable files from running in the AppData, LocalAppData, Temp, ProgramData and Windows\SysWow folders.
  • Disable file sharing to make sure that the ransomware virus stays isolated to the infected PC only.
  • Disable Remote Desktop Protocol (RDP).
  • Switch off unused Bluetooth or infrared ports.
  • Keep the Windows Firewall turned on and properly configured.
  • Use a trusted ransomware-blocking anti-malware software and keep its database up-to-date.
  • Keep your web browsers up-to-date.
  • Remove outdated and unnecessary browser extensions, plugins and add-ons.
  • Keep Adobe Flash Player, Java, and other important software up-to-date.
  • Always scan compressed or archived files for viruses.
  • Use strong passwords that can’t be easily brute-forced.
  • Install an AdblockPlus browser extension to block pop-up ads and warnings, as they are also used to spread ransomware exploits.
  • Deactivate AutoPlay to stop malicious processes from starting automatically from external drives, such as external hard drives or USB memory sticks.
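The manual folder check in STEP 3 and the double-extension tip in the list above can be combined into one scan. This is an added example, not part of the original guide: it walks the STEP 3 folders and flags the file types listed there plus names such as “.pdf.exe”; the decoy-extension list and the sample file names are assumptions made for the demonstration.

```python
import os
import tempfile

# File types the guide says to look for in the STEP 3 folders.
WATCHED = {".cmd", ".btm", ".bat", ".bmp", ".dll", ".exe"}
# Final extensions the prevention tips warn about.
RISKY_FINAL = {".exe", ".vbs", ".scr"}
# Assumption: harmless-looking extensions used as the decoy first extension.
DECOYS = {".pdf", ".avi", ".xlsx", ".xls", ".docx", ".doc", ".jpg", ".png", ".txt"}


def classify(filename):
    """Return the reasons a file name deserves a closer look (empty if none)."""
    parts = filename.lower().rsplit(".", 2)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in WATCHED:
        reasons.append("watched-type")
    if len(parts) == 3 and ext in RISKY_FINAL and "." + parts[1] in DECOYS:
        reasons.append("double-extension")
    return reasons


def scan(roots):
    """Walk each root; return sorted (path, reasons) pairs for flagged files."""
    findings = {}
    for root in roots:
        for folder, _dirs, files in os.walk(root):
            for name in files:
                reasons = classify(name)
                if reasons:
                    findings[os.path.join(folder, name)] = reasons
    return sorted(findings.items())


def demo():
    """Scan a throwaway folder holding constructed (empty) sample files."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("invoice.pdf.exe", "report.xlsx.scr", "notes.txt", "wall.bmp"):
            open(os.path.join(root, name), "w").close()
        return [(os.path.basename(path), why) for path, why in scan([root])]


if __name__ == "__main__":
    # On the affected PC these expand to the four folders from STEP 3.
    names = ("%TEMP%", "%APPDATA%", "%ProgramData%", "%UserProfile%")
    for path, why in scan([os.path.expandvars(n) for n in names]):
        print(path, ", ".join(why))
```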
