Remove Aes256 Ransomware Virus (Removal Guide) – Update June 2017


Aes256 is ransomware that bears the same name as the encryption algorithm it uses. A unique decryption key is generated during the encryption process, and this key is then encrypted with the RSA-2048 algorithm. The ‘.aes256’ extension is appended to each affected file, and a ransom note called “!!! READ THIS – IMPORTANT !!!.txt” is placed on the Desktop.

Aes256 has a lot in common with other ransomware such as Maktub Locker, Locked-In, UltraLocker and a lot more. It’s distributed through attachments and links contained within spam emails and also through compromised websites that try to run an executable file and put ransomware on your computer. Don’t open suspicious emails and stay on your guard when using file-sharing services. Everything should be fine if you do that.

And even if your data is encrypted, there’s no need to worry – there is a solution that doesn’t require you to pay a ridiculous amount of money. Besides, cybercriminals don’t always keep their word – it’s very common for them to take the money and vanish. They can also take it one step further – as soon as they get the money, they launch a script that deletes all of the encrypted files. So we advise you against trying your luck – use a program like Plumbytes Anti-Malware instead and delete Aes256 from the PC. The detailed instructions on how to do this can be found within our manual. We do our best to keep it updated with latest information so if you have any questions, you’re probably going to get answers to them.

You need to do one last thing after Aes256 is removed – restore your data. This can be achieved by using a file backup and, even though this procedure may appear tedious, it’s certainly better than sending your money to nowhere and then sitting there and worrying about what happens next. Don’t play the game of cybercriminals and keep the control of the situation in your own hands.

Common symptoms of Aes256 ransomware

  • You are not able to access any of the files you try to open.
  • Affected files have odd extensions (like .crypted, .locky, .sage, etc.).
  • You may find .txt or .html ransomware instruction files in system folders.
  • Your desktop screen might be locked, so you can’t access your PC.
  • Pop-up messages that ask you to pay “a ransom” to get access to your PC or files again.
  • Ransomware may delete important system files.
  • Sluggish PC performance.
  • Your anti-virus software stops working.

Sources of Aes256 ransomware infection

  • Spam emails that contain malicious attachments or hyperlinks.
  • Compromised websites that have exploit code injected in their web pages.
  • Vulnerabilities in unpatched Windows operating system.
  • Vulnerabilities in outdated web browsers.
  • Drive-by downloads.
  • Fake Flash Player update websites.
  • Installing pirated software or operating systems.
  • Facebook spam messages that contain malicious attachments or links.
  • Malicious SMS messages (ransomware may target mobile devices).
  • Malvertising campaigns (pop-up and banner ads).
  • Self-propagation (spreading from one infected PC to another via LAN networks).
  • Infected game servers.
  • Botnets.
  • Peer-to-peer networks.

My PC is infected with Aes256! What should I do?

Step 1. Create an image of your system and back up encrypted files

Some ransomware viruses have hidden scripts that may remove or overwrite all encrypted files once a certain amount of time has passed since infiltration. We strongly recommend creating a backup of all of your encrypted files before trying to decrypt or restore them. Find all the encrypted files that end with the ransomware file extension and copy them to an external hard drive or USB flash drive.
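
One way to carry out this step from PowerShell, as an added example that is not part of the original guide: it copies every ‘.aes256’ file and the ransom note to a backup folder, keeps the folder layout, and records SHA-256 hashes in a manifest. The E:\aes256-backup target, the manifest.csv file name and the user profile as scan root are assumptions.

```powershell
# Added example, not from the original guide.
# Assumptions: user data is under $SourceRoot; E: is an external drive.
param(
    [string]$SourceRoot = $env:USERPROFILE,
    [string]$BackupRoot = 'E:\aes256-backup'
)

$ErrorActionPreference = 'Stop'

# Extension and ransom-note name as given on this page. The dash in the note
# name is matched with a wildcard because its exact character may differ.
$encryptedExt = '.aes256'
$notePattern  = '!!! READ THIS*IMPORTANT !!!.txt'

$srcFull = (Resolve-Path -LiteralPath $SourceRoot).ProviderPath
$src     = $srcFull.TrimEnd('\')
$dst     = [System.IO.Path]::GetFullPath($BackupRoot).TrimEnd('\')

# Refuse a backup target inside the scanned tree: the copies would be
# rescanned and would sit on the same, still-infected disk.
if (($dst + '\').StartsWith($src + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "BackupRoot '$dst' is inside SourceRoot '$src'; choose an external drive."
}
[System.IO.Directory]::CreateDirectory($dst) | Out-Null

$targets = Get-ChildItem -LiteralPath $srcFull -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq $encryptedExt -or $_.Name -like $notePattern }

$manifest = @(foreach ($file in $targets) {
    $relative = $file.FullName.Substring($src.Length).TrimStart('\')
    $copyPath = [System.IO.Path]::Combine($dst, $relative)
    $status   = 'copied'
    $hash     = $null
    try {
        $copyDir = [System.IO.Path]::GetDirectoryName($copyPath)
        [System.IO.Directory]::CreateDirectory($copyDir) | Out-Null
        if ([System.IO.File]::Exists($copyPath)) {
            $status = 'already present'
        } else {
            # Copy only; the originals are never moved, renamed or deleted.
            [System.IO.File]::Copy($file.FullName, $copyPath, $false)
        }
        # Verify the copy against the original before trusting it.
        $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $hash    = (Get-FileHash -LiteralPath $copyPath -Algorithm SHA256).Hash
        if ($srcHash -ne $hash) { $status = 'HASH MISMATCH' }
    }
    catch {
        # Locked files and over-long paths end up here; record and continue.
        $status = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        RelativePath = $relative
        Bytes        = $file.Length
        LastWriteUtc = $file.LastWriteTimeUtc.ToString('o')
        SHA256       = $hash
        Status       = $status
    }
})

$manifestPath = [System.IO.Path]::Combine($dst, 'manifest.csv')
$manifest | Export-Csv -LiteralPath $manifestPath -NoTypeInformation -Encoding UTF8

# Summary by outcome, so failed or mismatched copies are visible at a glance.
$manifest | Group-Object Status | Select-Object Count, Name
```

Keep the manifest with the backup: if a decrypter is tried later, the hashes show whether a backup copy is still the untouched encrypted original.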


Step 2. Scan your computer with anti-malware software and block the ransomware activity

Install one of the recommended anti-malware tools listed below and scan your computer for viruses. The anti-malware program will detect all malicious files and move them to quarantine in order to block ransomware activity on your computer. Do NOT delete any of the quarantined files! They can help identify which encryption method was used in your case and whether any features match known types of ransomware.

Remove Ransomware with SpyHunter 4 Anti-Malware

1. You should download the Plumbytes Anti-Malware installer to scan your computer for any ransomware and other malware that might have infected your computer. Plumbytes Anti-Malware is trusted software that can detect and remove most security threats, including adware, ransomware, PUPs, trojans, worms and rootkits.

2. Double-click the downloaded “antimalwaresetup.exe” installation file to launch it.

3. Click the “Install” button to start the installation process. The setup wizard will automatically start to download the necessary program files to your computer. Once the download is complete, Plumbytes Anti-Malware will be automatically installed on your computer. The entire installation process takes only 2-3 minutes.

4. Once installed, Plumbytes Anti-Malware will automatically update its antivirus signature database and then start a smart system scan to detect all malware, adware, spyware and other security threats.

5. You will see the detailed list of security threats and potentially unwanted applications detected on your PC. Click “Remove Selected” button to clear your PC from malicious files, adware and potentially unwanted applications.



Double-Check your PC with SpyHunter 4 Anti-Malware

6. You can double-check your computer with SpyHunter Anti-Malware in order to remove any leftover malware and ransomware traces. SpyHunter 4 is considered one of the best and most effective anti-ransomware tools today. Download the SpyHunter installation package.

7. Double-click the downloaded “SpyHunter-Installer.exe” file to start the installation process.


8. When the installation starts, the Setup Wizard will offer a few options and settings that you may want to configure. We recommend just clicking “Next” button to accept the default application settings. You can check out our detailed SpyHunter 4 Anti-Malware Setup & User Guide which can help you to go through the installation process and provide important information about malware scans and program settings.

9. Once the installation is complete, SpyHunter 4 will automatically update its antivirus database and latest virus definitions. Next, the SpyHunter 4 Quick Scan will automatically check your computer for any malware, adware, spyware and other security threats.

10. You will see the detailed list of viruses and potentially unwanted applications detected on your PC. Click “Next” button to clear your PC from malicious files, adware and PUPs.



Alternate Recommended Anti-Malware Tools

The following awesome full-scale anti-malware products also have proved their effectiveness against all types of malware and adware. However, some of these anti-malware programs don’t provide a free trial version, and you’ll have to purchase a license key in order to clean your computer from the detected malware and PUPs.

1. HitmanPro.Alert – 30-Day Free Trial

2. Malwarebytes Anti-Malware – 14-Day Free Trial

3. Emsisoft Anti-Malware – 30-Day Free Trial

4. WiperSoft Antispyware

5. OSHI Defender AntiMalware


Step 3. Identify the type of ransomware virus

If you don’t know what type of ransomware has infected your PC, you should try ID Ransomware free online service. Visit ID Ransomware website and upload a ransom note or a sample encrypted file to identify the ransomware strain.


You can also give a try to the VirusTotal.com free service the same way in order to determine which ransomware family you are dealing with.

Step 4. Find out if there is a decryption tool

Once you’ve identified the exact type of ransomware, you should check whether an effective decrypter is available for your encrypted files. If there is one, you may be able to recover your important data without spending money on the ransom.

You can find the most complete list of current ransomware decryption tools in our “10 Free Tools to Defeat Ransomware in 2017” review.

No More Ransom! Project


Nomoreransom.org website was launched in 2016 and is backed by reputable top security companies and security institutions in many countries. Visit the Crypto Sheriff https://www.nomoreransom.org/crypto-sheriff.php page at Nomoreransom.org, upload one of your encrypted files, and you will find out if there is a solution available to decrypt all of your files for free.

EmsiSoft Decrypter

EmsiSoft’s team continuously works on developing free decrypters for different types of ransomware. Check out the Decrypter.emsisoft.com web page for the ransomware decryptor you need. Currently there are more than 40 working decryptors for different crypto-ransomware families.

Kaspersky NoRansom


Russian cyber security firm Kaspersky Lab has launched https://noransom.kaspersky.com website where you can download free ransomware decryptors and removal tools.

Avast Free Ransomware Decryption Tools

On the Avast Free Ransomware Decryption Tools web page you can download decryption tools which can help to unlock files encrypted by various forms of ransomware.

Trend Micro Ransomware File Decryptor

The Trend Micro Ransomware File Decryptor tool is able to decrypt files encrypted by different types of ransomware. Visit the TrendMicro website to find detailed instructions and a video guide for this decryptor tool.

Step 5. No Decrypter available? We’re still here to help you

Unfortunately, most recent file-encrypting ransomware doesn’t have a working decryption solution. Loosely speaking, if you don’t pay attackers for a copy of the private decryption key, you can be stuck with locked important files for a long time. However, in many cases, even after paying a large ransom, victims still don’t receive the key to unlock their files. According to statistics, one in five victims who paid the ransom never got their files back. Remember: if you pay the ransom, you directly contribute to the financial success of cybercrime. Before you decide to pay the ransom demand, you should gather all available information about the particular type of crypto-ransomware that infected your system.

1. Check out our manual removal guide below. If the ransomware that infected your computer doesn’t delete shadow volume copies from local hard drive, you can try to use System Restore feature to roll Windows operating system back in time or to recover your files from system snapshots.

Malwareless.com website’s team strives to provide all actual and valuable information about ransomware viruses. We continuously monitor latest decryptor tools and add them to the removal instructions.

2. Bleepingcomputer.com website has a great Ransomware Help & Tech Support forum section with quite active ransomware discussions that may save you a lot of money and time. Check the particular forum topics about the type of ransomware that infected your computer and follow the provided instructions.

3. You can also ask for help using EmsiSoft’s Malware Research Center. Their ransomware first aid service is free for both customers and non-customers.

Remove Aes256 Ransomware Manually (Removal Guide)

Notice: The manual removal guide is recommended for experienced PC users only. Incorrect modifications to Windows operating system settings, Windows Registry or browser settings may result in system failures or software errors.

We’ve created this detailed removal guide to help you manually remove Aes256 and any other ransomware threats from your computer. Please carefully follow all the steps listed in the instruction. We’ve attached detailed screenshots, video guides and descriptions for your convenience. If you have any questions or issues, please contact us via email, public forum or online contact form. You can also add your comments to this guide below.

Windows 10

Removal Instructions for Windows 10 Users


Aes256 removal using Safe Mode with Networking

Why choose this reboot method instead of the common Safe Mode? The Safe Mode with Networking option allows you to access the Internet in order to download the tools that can help you remove Aes256 ransomware from your PC.

You can start Windows 10 in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.

Steps

Method 1: Using the Start Menu

If you have a new computer with UEFI BIOS and SSD hard drive, pressing both F8 and Shift+F8 keys may not work for you to get into safe mode.

The easiest method for booting into Safe Mode with Networking is to use the Advanced options settings.

System Restore in Safe Mode with Networking - Method #1 (Windows 10)

Click Windows button in the bottom-left corner and select Power option, then hold Shift key and click Restart.

Your computer will be rebooted once again. You will see the following window with a few options. Select the Troubleshoot option.

Next, select Advanced options.


Go to Startup Settings in the Advanced options window.


Click Restart button.

Your computer will be rebooted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Networking and press F5 to activate this mode. The Safe Mode with Networking option allows you to access the Internet in order to download the tools that can help you remove ransomware from your PC.

Desktop screenshot of the Safe Mode with Networking


Method 2: Using Windows 10 search engine

You can use Windows 10 search system for booting into Safe Mode with Networking.

System Restore in Safe Mode with Networking - Method #2 (Windows 10)

Click the Windows Start button to open the Start screen. Type Advanced and select View advanced startup options.

Choose Recovery option in the left navigation bar. Click Restart now button.


Once your computer restarts successfully, you will see a window with three options available. Select the Troubleshoot option.

Next, select Advanced options.


Next, go to Startup Settings.


Click Restart button in the Startup Settings window.

Your computer will be rebooted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Networking and press F5 to activate this mode. The Safe Mode with Networking option allows you to access the Internet in order to download the tools that can help you remove ransomware from your PC.

Desktop screenshot of the Safe Mode with Networking


Method 3: Using Lock Screen

If other start methods don’t work on your computer, you can try to reboot into Safe Mode with Networking using the following manual.

Note that you must have access to Windows lock screen with password field.

System Restore in Safe Mode with Networking - Method #3 (Windows 10)

Click the Power icon in the bottom-right corner, then hold the Shift key and click Restart.

Select Troubleshoot in the Choose an option window.

Next, choose Advanced options.


Choose Startup Settings in the Advanced options.


Click Restart button to reboot your PC.

Your computer will be restarted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Networking and press F5 to activate this mode.


Desktop screenshot of the Safe Mode with Networking


Method 4: Using Run (msconfig.exe) utility

This is the quickest method to start Windows in Safe Mode with Networking. However, in some cases this start method may not work properly on your computer due to ransomware activity.

System Restore in Safe Mode with Networking - Method #4 (Windows 10)

Press Windows + R keys. Type msconfig or msconfig.exe in the Open field. Click OK button or hit Enter key.


Go to the Boot tab. Tick the Safe boot checkbox and the Network checkbox. Click the OK button.

Click Restart button in the confirmation window.


Your computer will boot up in safe mode with a black blank screen and with the words “Safe Mode” in all four corners.

Desktop screenshot of the Safe Mode with Networking


Turn off Safe Mode with Networking

If you used Method 4 (through Windows + R –> Run –> msconfig) to start Windows in Safe Mode with Networking, you need to turn this safe mode off in order to return your PC to a Normal startup mode. Otherwise, your PC will continue to automatically boot into Safe Mode with Networking.

Turn off Safe Mode with Networking in Windows 10

Press Windows + R and type msconfig or msconfig.exe in the Open: field. Click OK button or hit Enter.


Go to General tab and check Normal startup checkbox.


Go to Boot tab and check whether all checkboxes are unchecked. Click OK button.


Click Restart button in the confirmation window.


Your computer will restart in a Normal startup mode with all drivers, applications and other components running.


Steps

Once you are in Safe Mode with Networking, launch your web browser and download a trusted anti-virus or anti-malware software to scan your PC for Aes256 malicious files and processes. If you don’t want to purchase an anti-malware software license, you can simply scan your system for viruses, and then manually remove the detected malicious files.

You may need to see hidden files and folders to delete all the malicious files. Follow the steps below to display hidden files, folders and file extensions.

Show Hidden Files and Folders in Windows 10

Right-click the Start button and go to Control Panel.

Select Appearance and Personalization settings in the Control Panel (view by: Category).


Next, go to File Explorer Options –> Show hidden files and folders.


Click View tab, and then select Show hidden files, folders, or drives in the list. Scroll down and un-check the Hide extensions for known file types box. Click OK button.


Don’t forget to restore previous system settings once you get rid of ransomware threat.


Steps

Remove malicious files installed by ransomware

Once an exploit kit infiltrates your computer, it downloads and installs ransomware files into your system.

You should manually check the following system folders for the batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could be created by the ransomware virus:

  • \%TEMP%\
  • \%APPDATA%\
  • \%ProgramData%\
  • \%UserProfile%\

Steps

Clean your Windows Registry (for experienced users only)

It’s strongly recommended to clean your Windows Registry to remove all entries associated with ransomware infection. Windows Registry contains all the settings and information for the software applications and user accounts in your Windows operating system. You need to launch Registry Editor utility to make changes to registry.

How to Clean & Fix Windows Registry in Windows 10

Press Windows + R and type regedit or regedit.exe into the Open: field. Click the OK button or press the Enter key.

When you open the Registry Editor for the first time, you’ll see a treeview on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.


Once Registry Editor is open, you need to find and remove the registry keys and values created by the ransomware infection.

Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.

Look up the names of the files associated with ransomware threat affecting your PC and type it into “Find what:” text box. Select all checkboxes and then click Find Next button.


Right-click on the located registry entry and click Delete from the context menu. Repeat this process for each of the registry entries associated with the malware or adware.


Click Yes button in the confirmation window.


Check the following auto-start registry keys for suspicious entries:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Next, check the HKEY_CURRENT_USER hive for suspicious registry keys.

To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.
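
The file and registry checks described above can be listed in one pass with PowerShell. This is an added example, not part of the original guide; it only reports and deletes nothing. The 30-day window, the top-level-only scan of %UserProfile%, the signature check and the use of the same Run key names under HKEY_CURRENT_USER are assumptions added for illustration.

```powershell
# Added example, not from the original guide. Read-only: it lists, never deletes.
param([int]$Days = 30)   # assumption: the infection is at most this many days old

$since       = (Get-Date).AddDays(-$Days)
$dropExts    = '.cmd', '.btm', '.bat', '.bmp', '.dll', '.exe'
$recurseDirs = @($env:TEMP, $env:APPDATA, $env:ProgramData | Where-Object { $_ })
# %UserProfile% is listed at top level only (assumption): %TEMP% and %APPDATA%
# normally sit beneath it and are already scanned recursively.
$allDirs     = @($recurseDirs + $env:USERPROFILE) | ForEach-Object { $_.TrimEnd('\') }

# --- 1. Recently created files of the listed types in the listed folders ---
$candidates = @(
    foreach ($dir in $recurseDirs) {
        Get-ChildItem -LiteralPath $dir -File -Force -Recurse -ErrorAction SilentlyContinue
    }
    Get-ChildItem -LiteralPath $env:USERPROFILE -File -Force -ErrorAction SilentlyContinue
) | Where-Object { $dropExts -contains $_.Extension -and $_.CreationTime -ge $since }

$fileReport = foreach ($f in $candidates) {
    # Signature status is only meaningful for executables and DLLs.
    $sig = if (('.exe', '.dll') -contains $f.Extension) {
        (Get-AuthenticodeSignature -LiteralPath $f.FullName -ErrorAction SilentlyContinue).Status
    } else { 'n/a' }
    [pscustomobject]@{
        Created   = $f.CreationTime
        Signature = $sig
        Bytes     = $f.Length
        Path      = $f.FullName
    }
}

# --- 2. Autostart values from the registry keys listed in the guide ---
function Test-InDropDir([string]$Command) {
    # Expand %VAR% references so "%APPDATA%\x.exe" and its full path both match.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($dir in $allDirs) {
        if ($expanded.IndexOf($dir + '\', [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

$autoReport = @(foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        $path = "$hive\Software\Microsoft\Windows\CurrentVersion\$name"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            [pscustomobject]@{
                Key    = $path
                Value  = $valueName
                Data   = $data
                Review = Test-InDropDir $data   # starts from a folder named in the guide
            }
        }
    }
})

# Userinit normally holds only userinit.exe followed by a comma; anything
# appended to it runs at every logon, so any other value is worth a look.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -LiteralPath $winlogon -Name Userinit).Userinit
$autoReport += [pscustomobject]@{
    Key    = $winlogon
    Value  = 'Userinit'
    Data   = $userinit
    Review = ($userinit -ne "$env:SystemRoot\system32\userinit.exe,")
}

'Files to review:'
$fileReport | Sort-Object Created | Format-Table -AutoSize -Wrap
'Autostart entries to review:'
$autoReport | Where-Object Review | Format-List Key, Value, Data
```

Entries flagged for review are not necessarily malicious: legitimate software also starts from %APPDATA%, so compare each one against the anti-malware scan results before deleting anything.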


Aes256 removal using Safe Mode with Command Prompt

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.

This method works only if System Protection feature is enabled on your Windows 10 computer. You can find more information about System Protection feature in the following article on our website.

Method 1: Using the Start Menu
System Restore in Safe Mode with Command Prompt - Method #1 (Windows 10)

Click the Windows Start button in the bottom-left corner and select the Power option, then hold the Shift key and click Restart.

Your computer will be rebooted once again. You will see the following window with a few options. Select the Troubleshoot option.

Next, select Advanced options.


Go to Startup Settings in the Advanced options window.


Click Restart button.

Your computer will be rebooted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.


After your computer restarts, a black command prompt window will appear. Type cd restore at the command prompt and press Enter.

Type rstrui.exe in the next line and press Enter.


Check if System Restore window opens and click Next button to continue.


Select a restore point with the date prior to malware infection and click Next button.


Click Finish button to confirm your restore point.


Click Yes button in the confirmation window.


Method 2: Using Windows 10 search engine

You can use Windows 10 search system for booting into Safe Mode with Command Prompt and then try to perform a System Restore.

System Restore in Safe Mode with Command Prompt - Method #2 (Windows 10)

Click the Windows Start button to open the Start screen. Type Advanced and select View advanced startup options.

Choose Recovery option in the left navigation bar. Click Restart now button.


Once your computer restarts successfully, you will see a window with three options available. Select the Troubleshoot option.

Next, select Advanced options.


Next, go to Startup Settings.


Click Restart button in the Startup Settings window.

Your computer will be restarted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.


After your computer restarts, a black command prompt window will appear. Type cd restore at the command prompt and press Enter.

Type rstrui.exe in the next line and press Enter.


Check if System Restore window opens and click Next button to continue.


Select a restore point with the date prior to malware infection and click Next button.


Click Finish button to confirm your restore point.


Click Yes button in the confirmation window.


Method 3: Using Lock Screen

If other start methods don’t work on your computer, you can try to reboot into Safe Mode with Command Prompt using the following manual.

Note that you must have access to Windows lock screen with password field.

System Restore in Safe Mode with Command Prompt - Method #3 (Windows 10)

Click the Power icon in the bottom-right corner, then hold the Shift key and click Restart.

Once your computer restarts successfully, you will see a window with three options available. Select the Troubleshoot option.

Next, select Advanced options.


Go to Startup Settings in the Advanced options window.


Click Restart button.

Your computer will be restarted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.


After your computer restarts, a black command prompt window will appear. Type cd restore at the command prompt and press Enter.

Type rstrui.exe in the next line and press Enter.


Check if System Restore window opens and click Next button to continue.


Select a restore point with the date prior to malware infection and click Next button.


Click Finish button to confirm your restore point.


Click Yes button in the confirmation window.


Windows 8

Removal Instructions for Windows 8.1 Users


Aes256 removal using Safe Mode with Networking

Why choose this reboot method instead of the common Safe Mode? The Safe Mode with Networking option allows you to access the Internet in order to download the tools that can help you remove Aes256 ransomware from your PC.

You can start Windows 8.1 in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.

Steps

Method 1: Using Windows 8 search engine

If you have a new computer with UEFI BIOS and SSD hard drive, pressing both F8 and Shift+F8 keys may not work for you to get into safe mode.

The easiest method for booting into Safe Mode with Networking is to use the Advanced options settings.

System Restore in Safe Mode with Networking - Method #1 (Windows 8)

Click the Windows Start button to open the Start screen. Type in Advanced and select Change advanced startup options from the Search results list.

Go to Update and recovery –> Recovery and click Restart now button.


Once your computer restarts successfully, you will see a window with three options available. Select the Troubleshoot option.

Next, select Advanced options.


Next, go to Startup Settings.


Click Restart button.

Your computer will be rebooted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Networking and press F5 to activate this mode. The Safe Mode with Networking option allows you to access the Internet in order to download the tools that can help you remove ransomware from your PC.

Desktop screenshot of the Safe Mode with Networking.


Method 2: Using Lock Screen

If other start methods don’t work on your computer, you can try to reboot into Safe Mode with networking using the following manual.

Note that you must have access to Windows lock screen with password field.

System Restore in Safe Mode with Networking - Method #2 (Windows 8)

Click the Power icon in the bottom-right corner, then hold the Shift key and click Restart.

Select Troubleshoot in the Choose an option window.

Next, choose Advanced options.


Choose Startup Settings in the Advanced options.


Click Restart button to reboot your PC.

Your computer will be restarted once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Networking and press F5 to activate this mode.


Desktop screenshot of the Safe Mode with Networking.


Method 3: Using Run (msconfig.exe) utility

This is the quickest method to start Windows in Safe Mode with Networking. However, in some cases this start method may not work properly due to malware activity.

System Restore in Safe Mode with Networking - Method #3 (Windows 8)

Press Windows + R keys. Type msconfig or msconfig.exe in the Open field. Click OK button or hit Enter key.


Go to the Boot tab. Tick the Safe boot checkbox and the Network checkbox. Click the OK button.

Click Restart button in the confirmation window.

System configuration restart Windows 8

Your computer will boot up in safe mode with a black blank screen and with the words “Safe Mode” in all four corners.

Desktop screenshot of the Safe Mode with Networking.

Safe mode with networking desktop Windows 8

To Tab Menu

Turn off Safe Mode with Networking

If you used Method 4 (through Windows + R –> Run –> msconfig) to start Windows in Safe Mode with Networking, you need to turn this safe mode off in order to return your PC to a Normal startup mode. Otherwise, your PC will continue to automatically boot into Safe Mode with Networking.

Turn off Safe Mode with Networking in Windows 8

Press Windows + R and type msconfig or msconfig.exe in the Open: field. Click the OK button or press Enter.

Go to the General tab and select the Normal startup checkbox.

Go to the Boot tab and make sure that all checkboxes are unchecked. Click the OK button.

Click the Restart button in the confirmation window.

Your computer will restart in Normal startup mode with all drivers, applications and other components running.

Once you are in Safe Mode with Networking, launch your web browser and download a trusted anti-virus or anti-malware software to scan your PC for Aes256 malicious files and processes. If you don’t want to purchase an anti-malware software license, you can simply scan your system for viruses, and then manually remove the detected malicious files.

You may need to see hidden files and folders to delete all the malicious files. Follow the steps below to display hidden files, folders and file extensions.

Show Hidden Files and Folders in Windows 8

Right-click the Start button and go to Control Panel.

Select Appearance and Personalization settings in the Control Panel (view by: Category).

Next, go to File Explorer Options –> Show hidden files and folders.

Click the View tab, and then select Show hidden files, folders, or drives in the list. Scroll down and un-check the Hide extensions for known file types box. Click the OK button.

Don’t forget to restore the previous system settings once you get rid of the ransomware threat.

Remove malicious files installed by ransomware

Once an exploit kit infiltrates your computer, it downloads and installs ransomware files on your system.

You should manually check the following system folders for the batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could be created by the ransomware virus:

  • \%TEMP%\
  • \%APPDATA%\
  • \%ProgramData%\
  • \%UserProfile%\

Clean your Windows Registry (for experienced users only)

It’s strongly recommended to clean your Windows Registry to remove all entries associated with ransomware infection. Windows Registry contains all the settings and information for the software applications and user accounts in your Windows operating system. You need to launch Registry Editor utility to make changes to registry.

How to Clean & Fix Windows Registry in Windows 8

Press Windows + R and type regedit or regedit.exe into the Open: field. Click the OK button or press the Enter key.

When you open the Registry Editor for the first time, you’ll see a tree view on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.

Once Registry Editor has opened, you need to find and remove the registry keys and values created by the ransomware infection.

Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.

Look up the names of the files associated with the ransomware threat affecting your PC and type them into the “Find what:” text box. Select all checkboxes and then click the Find Next button.

Right-click on the located registry entry and click Delete from the context menu. Repeat this process for each of the registry entries associated with the malware or adware.

Click the Yes button in the confirmation window.

Check the following auto-startup locations for suspicious registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Next, check the HKEY_CURRENT_USER folder for suspicious registry keys.

To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.

Aes256 removal using Safe Mode with Command Prompt

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.

This method works only if System Protection feature is enabled on your Windows 8 computer. You can find more information about System Protection feature in the following article on our website.

Method 1: Using Windows 8 search engine
System Restore in Safe Mode with Command Prompt - Method #1 (Windows 8)

Click the Windows Start button to open the Start screen. Type Advanced in the Search field and select Change advanced startup options.

Go to Update and recovery –> Recovery and click the Restart now button.

Once your computer restarts successfully, you will see a window with three options available. Select the Troubleshoot option.

Next, select Advanced options.

Choose Startup Settings in the advanced options.

Click the Restart button.

Your computer will restart once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.

After your computer restarts, an MS-DOS black command prompt window will appear. Type cd restore at the command prompt and press Enter.

Type rstrui.exe in the next line and press Enter.

Check that the System Restore window opens and click the Next button to continue.

Select a restore point with a date prior to the malware infection and click the Next button.

Click the Finish button to confirm your restore point.

Click the Yes button in the confirmation window.

Method 2: Using Lock Screen

If other start methods don’t work on your computer, you can try to reboot into Safe Mode with Command Prompt using the following steps.

Note that you must have access to the Windows lock screen with the password field.

System Restore in Safe Mode with Command Prompt - Method #2 (Windows 8)

Click the Power icon in the bottom-right corner, then hold the Shift key and click Restart.

Select Troubleshoot in the Choose an option window.

Next, choose Advanced options.

Choose Startup Settings in the Advanced options.

Click the Restart button to reboot your PC.

Your computer will restart once again. You will see the Startup Settings window with different advanced troubleshooting modes.

Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.

After your computer restarts, an MS-DOS black command prompt window will appear. Type cd restore at the command prompt and press Enter.

Type rstrui.exe in the next line and press Enter.

Check that the System Restore window opens and click the Next button to continue.

Select a restore point with a date prior to the malware infection and click the Next button.

Click the Finish button to confirm your restore point.

Click the Yes button in the confirmation window.

Windows 7

Removal Instructions for Windows 7 Users


Aes256 removal using Safe Mode with Networking

Why choose this reboot method instead of the common Safe Mode? The Safe Mode with Networking option lets you access the Internet to download the tools you need to remove the Aes256 ransomware from your PC.

You can start Windows 7 in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.

Method 1: Using Advanced Boot Options menu

If you have a new computer with UEFI BIOS and SSD hard drive, pressing both F8 and Shift+F8 keys may not work for you to get into safe mode.

System Restore in Safe Mode with Networking - Method #1 (Windows 7)

Restart your computer.

While your PC restarts, immediately press and hold the F8 key.

Use the arrow keys to highlight Safe Mode with Networking on the Advanced Boot Options screen. Press the Enter key.

Your computer will boot up in safe mode with a black blank screen and with the words “Safe Mode” in all four corners.

Method 2: Using Run (msconfig.exe) utility

This is the quickest method to start Windows in Safe Mode with Networking. However, in some cases this start method may not work properly due to malware activity.

System Restore in Safe Mode with Networking - Method #2 (Windows 7)

Press the Windows + R keys. Type msconfig or msconfig.exe in the Open field. Click the OK button or press the Enter key.

Go to the Boot tab. Select the Safe boot checkbox and the Network checkbox. Click the OK button.

Click the Restart button in the confirmation window.

Your computer will boot up in safe mode with a black blank screen and with the words “Safe Mode” in all four corners.

Turn off Safe Mode with Networking

If you used Method 2 (through Windows + R –> Run –> msconfig) to start Windows in safe mode with networking, you need to turn this safe mode off in order to return your PC to a Normal startup mode. Otherwise, your PC will continue to automatically boot into Safe Mode with Networking.

Turn off Safe Mode with Networking in Windows 7

Press Windows + R and type msconfig or msconfig.exe in the Open: field. Click the OK button or press Enter.

Go to the General tab and select the Normal startup checkbox.

Go to the Boot tab and make sure that all checkboxes are unchecked. Click the OK button.

Click the Restart button in the confirmation window.

Your computer will restart in Normal startup mode with all drivers, applications and other components running.

Once you are in Safe Mode with Networking, launch your web browser and download a trusted anti-virus or anti-malware software to scan your PC for Aes256 malicious files and processes. If you don’t want to purchase an anti-malware software license, you can simply scan your system for viruses, and then manually remove the detected malicious files.

You may need to see hidden files and folders to delete all the malicious files. Follow the steps below to display hidden files, folders and file extensions.

Show Hidden Files and Folders in Windows 7

Click the Start button and go to Control Panel.

Select Appearance and Personalization settings in the Control Panel (view by: Category).

Go to File Explorer Options –> Show hidden files and folders.

Click the View tab, and then select Show hidden files, folders, or drives in the list. Scroll down and un-check the Hide extensions for known file types box. Click the OK button.

Don’t forget to restore the previous system settings once you get rid of the ransomware threat.

Remove malicious files installed by ransomware

Once an exploit kit infiltrates your computer, it downloads and installs ransomware files on your system.

You should manually check the following system folders for the batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could be created by the ransomware virus:

  • \%TEMP%\
  • \%APPDATA%\
  • \%ProgramData%\
  • \%UserProfile%\

Clean your Windows Registry (for experienced users only)

It’s strongly recommended to clean your Windows Registry to remove all entries associated with ransomware infection. Windows Registry contains all the settings and information for the software applications and user accounts in your Windows operating system. You need to launch Registry Editor utility to make changes to registry.

How to Clean & Fix Windows Registry in Windows 7

Press Windows + R and type regedit or regedit.exe into the Open: field. Click the OK button or press the Enter key.

When you open the Registry Editor for the first time, you’ll see a tree view on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.

Once Registry Editor has opened, you need to find and remove the registry keys and values created by the ransomware infection.

Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.

Look up the names of the files associated with the ransomware threat affecting your PC and type them into the “Find what:” text box. Select all checkboxes and then click the Find Next button.

Right-click on the located registry entry and click Delete from the context menu. Repeat this process for each of the registry entries associated with the malware or adware.

Click the Yes button in the confirmation window.

Check the following auto-startup locations for suspicious registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Next, check the HKEY_CURRENT_USER folder for suspicious registry keys.

To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.

Aes256 removal using Safe Mode with Command Prompt

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.

This method works only if System Protection feature is enabled on your Windows 7 computer. You can find more information about System Protection feature in the following article on our website.

Method 1: Using Advanced Boot Options menu
System Restore in Safe Mode with Command Prompt (Windows 7)

Restart your computer.

During your PC boot process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then use the arrow keys to select Safe Mode with Command Prompt from the list.

Press the Enter key.

After your computer restarts, an MS-DOS black command prompt window will appear. Type cd restore at the command prompt and press Enter.

Type rstrui.exe in the next line and press Enter.

Check that the System Restore window opens and click the Next button to continue.

Select a restore point with a date prior to the malware infection and click the Next button.

Click the Finish button to confirm your restore point.

Click the Yes button in the confirmation window.

Windows XP

Removal Instructions for Windows XP Users


Aes256 removal using Safe Mode with Networking

Why choose this reboot method instead of the common Safe Mode? The Safe Mode with Networking option lets you access the Internet to download the tools you need to remove the Aes256 ransomware from your PC.

You can start Windows XP in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.

Method 1: Using Windows Advanced Options Menu

If you have a new computer with UEFI BIOS and SSD hard drive, pressing both F8 and Shift+F8 keys may not work for you to get into safe mode.

System Restore in Safe Mode with Networking - Method #1 (Windows XP)

Restart your computer.

While your PC restarts, immediately press and hold the F8 key.

Use the arrow keys to highlight Safe Mode with Networking on the Advanced Boot Options screen.

Press the Enter key. If you have multiple operating systems installed, select Windows XP and press the Enter key.

Your computer will boot up in safe mode with a black blank screen and with the words “Safe Mode” in all four corners.

Click the Yes button to proceed to work in safe mode.

Method 2: Using Run (msconfig.exe)

This is the quickest method to start Windows in Safe Mode with Networking. However, in some cases this start method may not work properly due to malware activity.

System Restore in Safe Mode with Networking - Method #2 (Windows XP)

Press the Windows + R keys. Type msconfig or msconfig.exe in the Open field. Click the OK button or press the Enter key.

Go to the BOOT.INI tab. Select the /SAFEBOOT checkbox and the NETWORK checkbox. Click the OK button.

Click the Restart button in the confirmation window.

Your computer will boot up in safe mode with a black blank screen and with the words “Safe Mode” in all four corners.

Turn off Safe Mode with Networking

If you used Method 2 (through Windows + R –> Run –> msconfig) to start Windows in safe mode with networking, you need to turn this safe mode off in order to return your PC to a Normal startup mode. Otherwise, your PC will continue to automatically boot into Safe Mode with Networking.

Turn off Safe Mode with Networking in Windows XP

Press Windows + R and type msconfig or msconfig.exe in the Open: field. Click the OK button or press Enter.

Go to the General tab and select the Normal startup – load all device drivers and services checkbox.

Go to the BOOT.INI tab and make sure that all checkboxes are unchecked. Click the OK button.

Click the Restart button in the confirmation window.

Click the Yes button to continue restarting.

Your computer will restart in Normal startup mode with all drivers, applications and other components running.

Once you are in Safe Mode with Networking, launch your web browser and download a trusted anti-virus or anti-malware software to scan your PC for Aes256 malicious files and processes. If you don’t want to purchase an anti-malware software license, you can simply scan your system for viruses, and then manually remove the detected malicious files.

You may need to see hidden files and folders to delete all the malicious files. Follow the steps below to display hidden files, folders and file extensions.

Show Hidden Files and Folders in Windows XP

Click the Start button and go to Control Panel.

Select Folder Options settings in the Control Panel.

Click the View tab, and then check the Show hidden files, folders, or drives checkbox in the list. Scroll down and un-check the Hide extensions for known file types checkbox. Click the OK button.

Don’t forget to restore the previous system settings once you get rid of the ransomware threat.

Remove malicious files installed by ransomware

Once an exploit kit infiltrates your computer, it downloads and installs ransomware files on your system.

You should manually check the following system folders for the batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could be created by the ransomware virus:

  • \%TEMP%\
  • \%APPDATA%\
  • \%ProgramData%\
  • \%UserProfile%\

Clean your Windows Registry (for experienced users only)

It’s strongly recommended to clean your Windows Registry to remove all entries associated with ransomware infection. Windows Registry contains all the settings and information for the software applications and user accounts in your Windows operating system. You need to launch Registry Editor utility to make changes to registry.

How to Clean & Fix Windows Registry in Windows XP

Press Windows + R and type regedit or regedit.exe into the Open: field. Click the OK button or press the Enter key.

When you open the Registry Editor for the first time, you’ll see a tree view on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.

Once Registry Editor has opened, you need to find and remove the registry keys and values created by the ransomware infection.

Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.

Look up the names of the files associated with the ransomware threat affecting your PC and type them into the “Find what:” text box. Select all checkboxes and then click the Find Next button.

Right-click on the located registry entry and click Delete from the context menu. Repeat this process for each of the registry entries associated with the malware or adware.

Click the Yes button in the confirmation window.

Check the following auto-startup locations for suspicious registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Next, check the HKEY_CURRENT_USER folder for suspicious registry keys.

To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.
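
The two manual checks in this guide (the folder list under "Remove malicious files installed by ransomware" and the auto-startup registry keys above) can be listed in one read-only pass with PowerShell, which ships with Windows 7 and Windows 8 but is not installed by default on Windows XP. This script is an added example, not part of the original guide; the 7-day window and all function names are assumptions.

```powershell
# Read-only triage of the locations the guide says to check by hand.
# Nothing is deleted or changed; review every hit before removing anything.
# Assumptions (not from the guide): the 7-day window and all function names.

$DaysBack   = 7
$Extensions = '.cmd', '.btm', '.bat', '.bmp', '.dll', '.exe'

# The four folders listed in the guide. %ProgramData% is not defined on
# Windows XP, so empty or missing entries are dropped.
$Folders = @($env:TEMP, $env:APPDATA, $env:ProgramData, $env:USERPROFILE |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) })

# Auto-start keys from the guide, plus the HKEY_CURRENT_USER counterparts of Run/RunOnce.
$AutoStartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Userinit is a value stored under the Winlogon key, not a key of its own.
$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RecentDroppedFile {
    # Files of the listed types created in the last $DaysBack days.
    $cutoff = (Get-Date).AddDays(-$DaysBack)
    foreach ($folder in $Folders) {
        # TEMP and APPDATA normally sit under the profile, so the profile root
        # itself is listed without recursion to avoid duplicate hits.
        $recurse = ($folder -ne $env:USERPROFILE)
        Get-ChildItem -LiteralPath $folder -Recurse:$recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                (-not $_.PSIsContainer) -and
                ($Extensions -contains $_.Extension) -and
                ($_.CreationTime -ge $cutoff)
            } |
            Select-Object CreationTime, Length, FullName
    }
}

function Test-UserWritableTarget([string]$Command) {
    # True when the expanded command line mentions one of the four folders.
    # This is a plain case-insensitive substring test, so 8.3 short paths are missed.
    $expanded = [System.Environment]::ExpandEnvironmentVariables($Command)
    foreach ($folder in $Folders) {
        if ($expanded.IndexOf($folder, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

function New-AutoStartRecord([string]$Key, [string]$Name, [string]$Data) {
    New-Object PSObject -Property @{
        Key          = $Key
        Name         = $Name
        Data         = $Data
        UserWritable = (Test-UserWritableTarget $Data)
    } | Select-Object UserWritable, Key, Name, Data
}

function Get-AutoStartEntry {
    foreach ($path in $AutoStartKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }   # legacy keys may not exist
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            New-AutoStartRecord $path $name ([string]$key.GetValue($name))
        }
    }
    $winlogon = Get-ItemProperty -LiteralPath $WinlogonKey -Name Userinit -ErrorAction SilentlyContinue
    if ($winlogon) {
        New-AutoStartRecord $WinlogonKey 'Userinit' ([string]$winlogon.Userinit)
    }
}

'--- Recently created files of the listed types ---'
Get-RecentDroppedFile | Sort-Object CreationTime -Descending | Format-Table -AutoSize -Wrap

'--- Auto-start entries (UserWritable = command points into one of the four folders) ---'
Get-AutoStartEntry | Sort-Object UserWritable -Descending | Format-List
```

A `UserWritable` hit only marks an entry for review: legitimate programs also start from the user profile, so compare each one against the file names your anti-malware scan reported before deleting anything.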

Aes256 removal using Safe Mode with Command Prompt

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.

This method works only if System Protection feature is enabled on your Windows XP computer. You can find more information about System Protection feature in the following article on our website.

Method 1: Using Windows Advanced Options Menu
System Restore in Safe Mode with Command Prompt (Windows XP)

Restart your computer.

During your PC boot process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then use the arrow keys to select Safe Mode with Command Prompt from the list.

Press the Enter key. If you have multiple operating systems installed, select Windows XP and press the Enter key.

After your computer restarts, an MS-DOS black command prompt window will appear. Type C:\Windows\system32\Restore\rstrui.exe at the command prompt and press Enter.

Check that the System Restore window opens and click the Next button to continue.

Select a restore point with a date prior to the malware infection and click the Next button.

Click the Next button to confirm your restore point.

Aes256 removal using Normal Startup mode

When your computer works in normal mode, all the drivers, software and network services will be started and run as usual. You can try to perform a System Restore in normal startup mode.

Method 1: Using the Start Menu
System Restore in Normal Startup Mode - Method #1 (Windows XP)

Click the Start button and then click the All Programs option. Go to: Accessories –> System Tools –> System Restore.

Check that the System Restore window opens and click the Next button to continue.

Select a restore point with a date prior to the malware infection and click the Next button.

Click the Next button to confirm your restore point.

Wait until the restoration process is complete and click the OK button.

Method 2: Using Run (rstrui.exe) utility

Below is another quick way to start and use System Restore without rebooting into Safe Mode. However, some versions of ransomware may block important operating system features, so this method may not work on all computers.

System Restore in Normal Startup Mode - Method #2 (Windows XP)

Press the Windows + R keys. Type C:\Windows\system32\Restore\rstrui.exe in the Open field to start the System Restore console as administrator.

Check that the System Restore window opens and click the Next button to continue.

Select a restore point with a date prior to the malware infection and click the Next button.

Click the Next button to confirm your restore point.

Wait until the restoration process is complete and click the OK button.

After restoring your PC to a previous date, download the recommended anti-malware software and scan your computer with it to remove any remaining Aes256 ransomware files.

Restore previous versions of the files encrypted by Aes256 ransomware

To restore files encrypted by ransomware, try using the Windows Previous Versions feature. This recovery method is only effective if the System Restore option was enabled on your Windows operating system. Notice: some types of ransomware are known to remove Shadow Volume Copies of the files, so this method may not work on your computer.

Please check out our “How to Restore Previous Versions of a File” step-by-step guide for more information.


Recover your files using ShadowExplorer program

You can also try using third-party software to recover files deleted, damaged or encrypted by a ransomware attack. We recommend that you install ShadowExplorer version 0.9 – this tool is free and user-friendly. ShadowExplorer lets you browse through the Shadow Copies of your files created by the Windows Volume Shadow Copy Service. Notice: some types of ransomware are known to remove Shadow Volume Copies of the files, so this method may not work on your computer.

Please read our ShadowExplorer installation and user’s guide for additional information about this useful application.


How to Prevent Ransomware Attacks?

Security Tips to Protect Your Computer against Ransomware:

  • Back up your important data on a regular basis. Use an external hard drive and/or a cloud service for backups.
  • Turn on System Restore feature in your operating system.
  • Disable macros in Microsoft Office suite (Word, Excel, PowerPoint, etc.).
  • Install a Microsoft Office viewer to check a downloaded Word or Excel document without macros.
  • Configure your webmail to automatically block attachments with extensions like .exe, .vbs, and .scr.
  • Don’t open attachments in emails that look suspicious.
  • Don’t click any links in spam and suspicious emails.
  • Don’t click suspicious hyperlinks and don’t open adult photos or videos received in social networks or instant messengers.
  • Patch your Windows operating system regularly.
  • For daily use, don’t use Windows user account with administrative privileges.
  • Enable “Show File Extensions” option in order to see what types of files you open. Stay away from suspicious files with extensions like ‘.exe’, ‘.vbs’ and ‘.scr’.
    Ransomware files often can look like they have two extensions – e.g., “.pdf.exe”, “.avi.exe” or “.xlsx.scr” – so pay attention to the files of this sort.
  • Disable Windows PowerShell framework.
  • Disable Windows Script Host (WSH) technology.
  • Use the Windows Group or Local Policy Editor to create Software Restriction Policies to disable executable files running from AppData, LocalAppData, Temp, ProgramData and Windows\SysWow folders.
  • Disable file sharing to make sure that the ransomware virus will stay isolated to infected PC only.
  • Disable Remote Desktop Protocol (RDP).
  • Switch off unused Bluetooth or infrared ports.
  • Keep the Windows Firewall turned on and properly configured.
  • Use a trusted ransomware-blocking anti-malware software and keep its database up-to-date.
  • Keep your web browsers up-to-date.
  • Remove outdated and unnecessary browser extensions, plugins and add-ons.
  • Keep Adobe Flash Player, Java, and other important software up-to-date.
  • Always scan compressed or archived files for viruses.
  • Use strong passwords that can’t be easily brute-forced.
  • Install the Adblock Plus browser extension to block pop-up ads and warnings, as they are also used to spread ransomware exploits.
  • Deactivate AutoPlay to stop malicious processes from starting automatically from external drives, such as external hard drives or USB memory sticks.
