Remove CoinVault Ransomware

 


What is CoinVault?

CoinVault is a ransomware infection that denies you access to your files once it has reached your system. The program encrypts your files and asks you to pay a certain amount of money to decrypt them. It also threatens that if you do not pay and try to delete the software, you will never be able to see your original files again. The most important thing in this situation is not to panic, because CoinVault is not as serious an infection as it pretends to be.

How did I get infected with CoinVault ransomware?

We do not think anyone expects programs like CoinVault to announce themselves when they enter a computer. The infiltration is done silently, and users only realize the infection is present when they notice that their files are blocked and see the notifications. CoinVault usually arrives on the system when users click on random ads on malicious or infected websites, install fake program updates or false video codecs, open spam email attachments, etc. The bottom line is that you should avoid browsing unknown web pages and downloading software from suspicious sources if you do not want such infections on your PC.

Why is CoinVault dangerous?

The creators of CoinVault, who are obviously cyber criminals, use certain scare tactics to convince you to pay the money requested. For example, you will be given 24 hours to purchase an encryption key and if you do not manage to do that within the time given, the amount you have to pay will be doubled. This is done to put more pressure on you so that you fall for the trick more easily. Under no circumstance should you pay anything as your bank account details may be stolen by the program’s developers. Once you manage to decrypt your files, you should also delete CoinVault because it might encrypt them again in future.

CoinVault removal instructions

STEP 1: Start Your Computer into Safe Mode with Command Prompt

  • Make sure you do not have any floppy disks, CDs, and DVDs inserted in your computer
  • Restart the computer
  • When you see a table, start tapping the F8 key every second until you enter the Advanced Boot Options


  • In the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER.


  • Once the operating system loads, press the Windows Logo Button and the R key simultaneously.


  • A dialog box should open. Type iexplore www.virusresearch.org/download-en


  • Your default browser will open and a professional scanner will start downloading.
  • Follow the instructions and use the professional malware removal tool to detect the files of the virus.
  • After performing a full scan you will be asked to register the software. You can do that or perform a manual removal.

To perform a manual removal, you need to delete the following files. In our case these were:

[Image: delete coinvault]

We recommend that you do not delete the file, but rename it and change its extension instead. You never know, you might need it again!

Open your registry editor and delete the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:Vault


Please keep in mind that the names on your machine might be different, as they are generated randomly. That is why you run the professional scanner to identify the files.
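Because the value name and file name are random, it helps to list every entry under the Run key together with the file it launches before deleting anything. The PowerShell below is an added example, not part of the original guide; the backup location and the "user-writable folder" heuristic are assumptions, not CoinVault indicators.

```powershell
# Added example (not from the original guide): inventory HKCU Run autostart
# entries before removing one. Only the .reg backup is written; nothing is deleted.
$runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$backup  = Join-Path $env:USERPROFILE 'hkcu-run-backup.reg'   # assumed backup location

# Export the key first so a mistaken deletion can be undone by importing the file.
reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null

# Assumed heuristic: autostart programs launched from per-user writable folders
# deserve a closer look. It is not a CoinVault signature.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

$key = Get-Item -Path $runPath
$report = foreach ($name in $key.GetValueNames()) {
    $command = [string]$key.GetValue($name)

    # Pull the executable out of the command line: a quoted path first,
    # otherwise everything up to the first ".exe", otherwise the first token.
    if     ($command -match '^\s*"([^"]+)"')    { $exe = $Matches[1] }
    elseif ($command -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
    else                                        { $exe = ($command.Trim() -split '\s+')[0] }

    $exists = Test-Path -LiteralPath $exe -PathType Leaf
    $signature = 'n/a'
    if ($exists) { $signature = (Get-AuthenticodeSignature -FilePath $exe).Status }

    $inUserDir = $false
    foreach ($root in $userWritable) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
    }

    New-Object PSObject -Property @{
        ValueName = $name; Executable = $exe; Exists = $exists
        Signature = $signature; UserWritable = $inUserDir
    }
}

# Entries that start from user-writable folders sort to the top.
$report | Sort-Object -Property @{Expression = 'UserWritable'; Descending = $true}, Signature |
    Format-Table ValueName, UserWritable, Signature, Exists, Executable -AutoSize -Wrap
```

An entry that is unsigned and starts from a user-writable folder is the candidate to compare against the scanner's findings before you rename the file and delete the value.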

Recover CoinVault Encrypted Files Manually

There are several methods you can use, however nothing is guaranteed.

Method 1: restore the files encrypted by CoinVault by hand:

You can try the built-in Windows feature called System Restore. By default, the System Restore feature is turned on automatically. Windows creates shadow copy snapshots that contain older copies of your files, taken when the restore point was created. These snapshots let you recover a previous version of a file; it will not be the latest one, but you can still recover some important information. Please note that Shadow Volume Copies are only available with Windows XP SP2, Vista, Windows 7 and Windows 8.

Method 2: partially restore the files encrypted by CoinVault by using Microsoft Office junk files:

Basically you need to show your hidden files. The fastest way to do that is:

  1. Open Folder Options by clicking the Start button.
  2. In the search box, type “FOLDER OPTIONS”.
  3. Select the View tab.
  4. Under Advanced settings, find Show hidden files and folders, select it, and then click OK.

[Image: junk files]

In the picture above you see two hidden files. You are interested in every file that looks like ~WRL382.tmp. This is a Microsoft Office junk file that contains the previous version of the Word document itself. The CoinVault parasite will not encrypt these files. The name of the file will be unknown, but you can recover a lot of lost documents using this method. It can be used for Microsoft Word and Microsoft Excel. In addition, you can try to match the file sizes to figure out what is what, and eventually you can restore a slightly older version of the original document.

The picture on the left shows another method you can use to locate the files in question.

[Image: search for tmp files]

All you have to do is hit the Start button and type *.tmp. You will be presented with a list of all the temp files located on your computer. The next thing is to open them one by one with Microsoft Word/Excel and recover the lost information by saving it to another place. You can do that by opening a new instance of MS Word/Excel, selecting Open from the File menu and then navigating to the location of the TMP file.
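The same search can be scripted so that the hidden temp files are copied to one folder with their sizes and timestamps listed for matching. This PowerShell is an added example, not part of the original guide; the search root, the destination folder and the `~*.tmp` pattern (derived from the ~WRL382.tmp name above) are assumptions.

```powershell
# Added example (not from the original guide): collect hidden Office temp files
# such as ~WRL382.tmp. Files are copied, never moved or modified in place.
$searchRoot = $env:USERPROFILE                              # assumed search root
$recovery   = Join-Path $env:USERPROFILE 'recovered-tmp'    # assumed destination
New-Item -ItemType Directory -Path $recovery -Force | Out-Null

# -Force makes Get-ChildItem return hidden and system files;
# unreadable folders are skipped instead of aborting the scan.
$candidates = @(Get-ChildItem -Path $searchRoot -Recurse -Force -Filter '~*.tmp' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Length -gt 0 })

$index = 0
$inventory = foreach ($file in $candidates) {
    $index++
    # The numeric prefix keeps same-named files from different folders apart
    # and stops the copies from matching '~*.tmp' on a later run.
    $copyName = '{0:D4}_{1}' -f $index, $file.Name
    $copyPath = Join-Path $recovery $copyName
    $status = 'copied'
    try {
        [System.IO.File]::Copy($file.FullName, $copyPath, $true)
        # Clear the hidden attribute on the copy so it shows up in the Open dialog.
        [System.IO.File]::SetAttributes($copyPath, [System.IO.FileAttributes]::Normal)
    } catch {
        $status = 'skipped: ' + $_.Exception.Message   # e.g. file locked by a running Office app
    }
    New-Object PSObject -Property @{
        Copy = $copyName; SizeKB = [math]::Round($file.Length / 1KB, 1)
        LastWrite = $file.LastWriteTime; Original = $file.FullName; Status = $status
    }
}

# Size and timestamp are the only clues to which document a temp file belonged to.
$inventory | Sort-Object LastWrite -Descending |
    Select-Object Copy, SizeKB, LastWrite, Status, Original |
    Export-Csv -Path (Join-Path $recovery 'inventory.csv') -NoTypeInformation
$inventory | Sort-Object LastWrite -Descending |
    Format-Table Copy, SizeKB, LastWrite, Status -AutoSize
```

Open the copies from the recovery folder in Word or Excel, and use the Original column in inventory.csv to see which folder each one came from.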

It is always a good idea to use a reputable anti-malware program after manual removal to prevent this from happening again.
