Mr. Dec ransomware (Virus Removal Guide) - Jul 2019 update

Mr. Dec virus Removal Guide

What is Mr. Dec ransomware?

Mr. Dec ransomware is a deadly virus that renders all personal files useless and threatens to delete the decryptor within a specific time limit.

Mr. Dec ransomware is a dangerous virus that renders all personal files on the device useless and asks to contact hackers for the decoder.

Mr. Dec ransomware is a cryptovirus that was first spotted in mid-May 2018 and has been updated multiple times since then. The hackers behind it use a variety of distribution methods, such as spam email, exploits,[1] brute-force attacks, malicious ads, fake updates, and other tactics, so that more users are exposed to the infection.

Mr. Dec ransomware encrypts all personal data on the device with the help of the AES encryption algorithm[2] and appends the .[ID]random 16 characters[ID] file extension, which prevents the files from being used. Additionally, the malware drops a ransom note, Decoding help.hta, which explains that users need to contact the cybercrooks to have a chance of retrieving their data. Nevertheless, experts advise avoiding contact with them and urge users to remove Mr. Dec ransomware instead.

The hackers behind Mr. Dec ransomware have used various email addresses and ransom notes. The latest variant drops Decoder.hta on the infected machines and prompts victims to contact the bad actors via the asist.help@protonmail.com or asist5000@tutanota.com email addresses. It is also known that the threat mainly targets businesses and formats all the backups, although regular users are affected as well.

Name: Mr. Dec
Type: Ransomware
Danger level: Very high
Distribution: Spam emails, exploits, web infects, brute-force attacks, fake updates, cracked software, etc.
Contact addresses:
  • mr.dec@tutanota.com, mr.dec@protonmail.com
  • shine2@protonmail.com, shine1@tutanova.com
  • JonStokton@Protonmail.com, JonStokton@tutanota.com
  • filessnoop@aol.com, filessnoop@tutanota.com
  • mr.file@protonmail.com
  • localgroup@protonmail.com, localgroup@tutanota.com
  • asist.help@protonmail.com, asist5000@tutanota.com
File extension: .[ID]16 random characters[ID]
Name of the ransom note: Decoding help.hta, Help for decrypting (mr.file@protonmail.com).txt, Decoder.hta
Related files: DECODE KEY.KEY, searchfiles.exe
Removal: You can only delete Mr. Dec ransomware with a professional anti-malware software
Recovery: Use FortectIntego to restore Windows Registry and remediate your computer from the infection
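
The file names in the summary above are enough to scope an infection before any cleanup starts. The following read-only triage script is an added example, not part of the original guide; the function names are hypothetical, the sample tree is constructed, and treating the ID as any 16 non-bracket characters is an assumption, since the page only says "16 random characters".

```python
import os
import re
import tempfile
from collections import Counter

# Indicators taken from the summary above. The page only says the ID is
# "16 random characters"; matching any 16 non-bracket characters is an assumption.
EXT_RE = re.compile(r"\.\[ID\]([^\[\]]{16})\[ID\]$")
NOTE_NAMES = {"decoding help.hta", "decoder.hta"}
NOTE_PREFIX = "help for decrypting"  # "Help for decrypting (<email>).txt"
RELATED = {"decode key.key", "searchfiles.exe"}


def triage(root):
    """Walk root read-only and summarise Mr. Dec artefacts by file name."""
    report = {"encrypted": Counter(), "ids": Counter(), "notes": [], "related": []}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            m = EXT_RE.search(name)
            if m:
                report["encrypted"][dirpath] += 1   # encrypted files per folder
                report["ids"][m.group(1)] += 1      # ID embedded in the extension
            elif low in NOTE_NAMES or (low.startswith(NOTE_PREFIX) and low.endswith(".txt")):
                report["notes"].append(path)
            elif low in RELATED:
                report["related"].append(path)
    return report


def build_sample_tree(base):
    """Constructed sample data: empty files whose names imitate an infected profile."""
    docs = os.path.join(base, "Documents")
    temp = os.path.join(base, "AppData", "Local", "Temp")
    for folder in (docs, temp):
        os.makedirs(folder)
    names = {
        docs: ["report.docx.[ID]A1b2C3d4E5f6G7h8[ID]", "photo.jpg.[ID]A1b2C3d4E5f6G7h8[ID]",
               "notes.txt", "Decoder.hta", "short.pdf.[ID]tooShort[ID]"],
        temp: ["searchfiles.exe", "DECODE KEY.KEY"],
    }
    for folder, files in names.items():
        for f in files:
            open(os.path.join(folder, f), "w").close()
    return docs, temp


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        result = triage(base)
        for key in ("encrypted", "ids", "notes", "related"):
            print(key, "->", result[key])
```

Run it against a mounted copy of the affected disk or from a clean environment; it matches on names only and never opens or modifies the files it finds.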

Despite how threatening it might seem, we do not recommend contacting the criminals in any way. According to the instructions, they should send you Mr. Dec's decryptor after you make the payment. Unfortunately, these are merely empty promises by hackers since they are only interested in blackmailing you for more money.

Thus, there is a high risk that you will be asked for more money once you pay the Mr. Dec ransomware authors. Here is the latest variant of the ransom note, Decoder.hta, which is displayed right after the malware finishes data encryption:

You are unlucky! The terrible virus has captured your files! For decoding please contact by email asist.help@protonmail.com or asist5000@tutanota.com

1. In the subject line, write your ID.
2. Attach 1-2 infected files that do not contain important information (less than 2 mb) are required to generate the decoder and restore the test file.

Attention!
Hurry up! Time is limited!
Do not contact third parties for help, this may lead to the fact that you will be deceived and you will not receive your decoder.

REMEMBER – only we have a tool to get your files back!

The ransom note Decoder.hta serves as an information sheet for users. Nevertheless, they should never contact hackers via the provided email address.

Note that the criminals behind Mr. Dec ransomware are good at human psychology. They put their victims under time pressure to make sure that they will agree to pay the ransom for locked files. However, we want to warn you that you do not necessarily need to make the transaction for data decryption, as you can get scammed or even be sent a malicious file instead of the decoder.

While there is currently no decryption tool for Mr. Dec ransomware available that would be able to help you with file recovery, you might want to try alternative solutions that we provide instructions for below.

However, you must terminate Mr. Dec ransomware before starting data recovery. Even though many might think that they are experienced enough to deal with ransomware-type infections, only professionals or automatic tools can help you eliminate this cyber threat from your system.

Therefore, we strongly advise you to stay cautious and not to attempt manual Mr. Dec ransomware removal. It is highly dangerous and might put your computer's well-being at risk. Instead, you should install professional antivirus software and let it eliminate this ransomware automatically. After that, we suggest you scan your PC with FortectIntego – it will help you recover from the infection and make Windows run normally again.

Mr. Dec Ransomware is a dangerous cyber threat which demands a ransom to decrypt files with .[ID][Random characters][ID] extension.

Stay away from spam emails and adequately protect your computer from malware

In order to avoid ransomware attacks in the future, one must understand how ransomware reaches the system in the first place. We advise you to stay away from malicious spam emails, since they are the primary malware distribution source and can easily trick many novice computer users.

Usually, the sent emails look innocent and even legitimate, like coming from a well-known company as an invoice or another document. Unfortunately, this is merely a trick, and the attachment is holding the payload of the ransomware. Thus, if you open it, you automatically let the cyber threat inside your system.

For this reason, we recommend you only open emails from trusted sources and never allow macros to run if prompted via the attachment. Besides, you should also look into these protection methods that would reduce the infection chance to a minimum:

  • Equip your computer with anti-malware software and enable Firewall;
  • Install the ad-blocking application;
  • Update your Windows OS regularly, along with all the installed software on it;
  • Never download pirated software or cracks;[3]
  • Avoid peer-to-peer[4] networks and sites;
  • Use strong passwords for all your accounts;
  • Backup your files routinely.

Safe Mr. Dec virus removal guide

As we have already mentioned, there is no way to remove Mr. Dec ransomware other than getting help from a professional. For that, you can either see your local IT specialists or install a robust antivirus to help you complete the elimination procedure safely.

As soon as the Mr. Dec infection spreads on the PC, it encrypts all personal files, including pictures, videos, music, etc.

You can install SpyHunter 5, Combo Cleaner, Malwarebytes, or other security software, and it should complete Mr. Dec removal within several minutes. Nevertheless, be aware that new versions of the virus regularly emerge, so not all AV engines can catch it at all times. Also, anti-malware software is excellent for protecting computers from various other cyber threats that might try to enter the system.

Additionally, Virusi.bg[5] experts say that if you are unable to download the malware removal program, there is a high risk that the ransomware is still active. Check the guidelines below and learn how to deactivate the malicious software to start the elimination procedure right away.


Getting rid of Mr. Dec virus. Follow these steps

Manual removal using Safe Mode

You should start the elimination of the ransomware by booting your computer into Safe Mode as shown below:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal is best performed in the Safe Mode environment.

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Mr. Dec using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Mr. Dec. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Mr. Dec removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Mr. Dec from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Mr. Dec, you can use several methods to restore them:

Get Data Recovery Pro tool for decryption

Experts have developed professional software which is designed to help people recover files if they have accidentally lost them or in case of a ransomware attack.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Mr. Dec ransomware;
  • Restore them.

Windows Previous Versions feature might help you

Another great way to get back access to the compromised files is to use a built-in Windows feature. Unfortunately, it requires the System Restore function to have been enabled before the ransomware attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

You might retrieve files using Shadow Explorer

If the malware hasn't corrupted or deleted Shadow Volume Copies from your computer, we highly advise you to try this tool.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

There is no Mr. Dec ransomware decryptor available yet.

Finally, you should always think about protection from crypto-ransomware. In order to protect your computer from Mr. Dec and other ransomware, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.

How to prevent getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by the government or any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services and platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention
