Mzlq Ransomware - How to remove

Mzlq is ransomware from the Djvu family. Mzlq comes with pirated software, installs a trojan, and then corrupts the files on the infected computer. To fix the files, Mzlq’s makers demand a ransom of up to $980.

Removing Mzlq is just the beginning. The trojan that Mzlq installs might steal your passwords and other data. And though there are ways to repair some of the broken files, the process tends to be complicated. Meanwhile, scammers share false promises to prey on desperate victims of Mzlq ransomware.

About Mzlq ransomware:

Classification	Ransomware, trojan, spyware.
How Mzlq breaks computers	Blocks some websites, breaks antivirus programs and disables Task Manager, installs a spyware trojan, uses cryptography to corrupt files and renames them with a second extension “.mzlq”.
How to get back the corrupted files	Restore from a backup, use data recovery programs, shadow volume copies, etc., repair the files with specific programs, use the free decrypter.
How to remove Mzlq ransomware	Repair system settings, download and use anti-malware tools (Spyhunter, Malwarebytes, others) to remove malware, change your passwords.

What is Mzlq ransomware

Mzlq is ransomware – it breaks files and then leaves a ransom note called _readme.txt where its creators demand money.

Mzlq comes in pirated files, “free” programs, cracking tools. Possibly in fake software, too. Once this infected file is downloaded and you open it to start the installation, Mzlq enters your computer:

• Mzlq breaks the Task Manager, deletes file backups, and removes files that are important to your antivirus program.
• It edits your hosts file to block some websites. This makes it difficult to find information on Mzlq.
• Installs Azorult, which is a password-stealing trojan.
• Finally, Mzlq encrypts your data, which essentially corrupts your files.

The reason that Mzlq encrypts your files instead of corrupting them is that encryption is reversible – with the correct decryption key and algorithm. To make sure that every victim is forced to pay the ransom, each computer has a unique encryption ID used on its files (with the exception of when Mzlq is forced to run offline and use the offline ID).

To encrypt hundreds of Gigabytes of data in a short amount of time, Mzlq only encrypts portions of the bigger files. This means that a lot of your data is still unencrypted, but your programs still can’t open them.

Although Mzlq likely doesn’t steal your files, it installs a trojan (Azorult) that can steal small files. It can also take snapshots of your screen, extract the passwords saved in your browser and other online programs, and install more malware (such as adware).

Mzlq is part of the Djvu ransomware family. It was preceded by Sqpc, Qewe, Lalo, and many others.

How to restore the files

If you have backups of your files, then you just need to remove Mzlq before you bring them to your computer.

But though data backups are very important to have, not everyone sets them up. The good news is that there are a few other possibilities.

First of all, you should not contact the authors of Mzlq. Mzlq’s ransom note provides the email addresses of the criminals responsible for Mzlq ([email protected], [email protected]) in order to tempt victims. You must remember that contacting cybercriminals is very risky:

• The criminals will take any personal information that you reveal and use it or reveal it to other scammers.
• You must pay the money first and then there is nothing forcing Mzlq’s authors to keep their end of the deal. There’s also no way to get your money back.
• It’s possible that you will be noted and targeted in the future.

Look into other ways of getting your files back, first. Mzlq ransomware sometimes breaks or can’t connect to the internet during the attack, and then it uses a non-unique encryption key to encrypt your files. Download the Emsisoft decrypter (it was developed by a ransomware expert and is maintained by Emsisoft) and run it on your files to find out if that’s true for you. If so, you may be able to repair your files without paying the ransom.

You can also repair some files, though not recover them 100%. For example, audio tracks can be repaired, but they’ll be missing a few seconds. JPEG files can be repaired, but a section of the image will be corrupted and will need to be cut off. Stay away from anyone who promises to fix your files completely. But do look into programs for repairing corrupted files, they might be able to help you.

How to remove Mzlq

Unblock security sites like described in the instructions below. Also, restore Task Manager.

Then, use anti-malware programs, such as Spyhunter, Malwarebytes, and others, to find and remove Mzlq ransomware, the Azorult trojan, and any other malicious files and programs that may be lurking. And if you have the option to scan the infected drive without booting it (such as by using another computer), that might be the best.

The encrypted files (the ones labeled with the “.mzlq” extension) do not need to be deleted.

Finally, after you’ve removed the malware (or by using a clean device), change your passwords. If Azorult stole any of your passwords, they could be used in the future to try and hack your accounts. If any of them have your payment information saved, it could be bad. Make sure that criminals can’t use your login credentials by settings new passwords and turning on 2-step verification.

Important -- edit the hosts file to unblock security websites

TL DR : The hosts file is edited to block security sites Before the virus can be removed, it's necessary to fix the hosts file (the file which controls which addresses connect to which IPs). That is the reason the majority of security websites is inaccessible when infected with this particular parasite. This infection edits this file to stop certain websites, including anti-malware download sites, from being accessed from the infected computer, making browsers return the "This site can't be reached" error. Luckily, it's trivial to fix the file and remove the edits that were made to it.

Find and edit the hosts file

The hosts file can be found on C:/Windows/System32/Drivers/etc/hosts. If you don't see it, change the settings to see hidden files.

1. In the Start Menu, search for Control Panel.
2. In the Control Panel, find Appearance and Personalization.
3. Select Folder Options.
4. Open the View tab.
5. Open Advanced settings.
6. Select "Show hidden files...".
7. Select OK.

Open this file with administrator privileges.

1. Open the Start Menu and enter "notepad".
2. When Notepad shows up in the result, right-click on it.
3. In the menu, choose "Run as administrator"
4. File->Open and browse for the hosts file.

The hosts file should look like this: Delete additional lines that they connect various domain names to the wrong IP address. Save the file.

Download and run the antivirus program

After that, download antivirus programs and use them to remove the ransomware, the trojan, and other malware. Spyhunter (https://www.2-viruses.com/reviews/spyhunter/dwnld/).

Automatic Malware removal tools

How to recover Mzlq Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Mzlq Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Mzlq Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Mzlq Ransomware. You can check other tools here.  

Step 3. Restore Mzlq Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Mzlq Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Mzlq Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.