Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Aug 2017

How to remove OhNo! ransomware virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Julie Splinters · Anti-malware specialist

OhNo! ransomware is after your files

The screenshot of OhNo! message

OhNo! virus operates as ransomware which is designed to encode files. Currently, it is still under development as not all samples of the malware encrypt data. Nonetheless, the virus appends .ohno file extension. It still manages to infiltrate systems and demands ransom. Here are the key features of the threat: 

  • functions via GoogleChrome.exe
  • opens Mount Point Manager
  • deletes certain files[1]
  • asks ransom in XMR currency (Monero)
  • detectable as Trojan.Ransom.OhNo, Trojan.Win32.Generic.pak!cobra, Ransom_CRYPTOLOCKER.USDL, etc

Though the virus does not function at its full power, remove OhNO! virus right away. FortectIntego or MalwarebytesMalwarebytes will be helpful in this situation.

Misleading veneer?

While the virtual infection does not operate as a full-fledged malware yet, it surely contains the potential to become such. After the infiltration, OhNo! virus generates multiple system and shell processses[2], such as:

  • kernel32.dll
  • gdi32.dll
  • ole32.dll
  • shell32.dll
  • msvcrt.dll
  • comctl32.dll

Later on, it reads system registry files and further technical information about the system. It also launches Mount Point Manager and looks for other malware present on the system.  Additionally, the malware connects to Local Procedure Call (LPC ) port. It may hide in [random number].rar older.  

Naturally, due to its activity, the overall PC performance highly deteriorates. Such behavior lets us assume that the malware currently performs the role of data collector rather than attempts to inflict damage.  Nonetheless, the crypto-malware also has a tendency to delete some files. After it completes its preparations, the error message called “OhNo!” pops up. Here is a short extract from it:

You have been infected with OhNo! ALL your Documents, Downloads, and Desktop have been Encrypted with a Unique Key to your System.(…) Please Pay 2.XMR to the specified address below and you will receive a Email with your Key.

Currently, the threat demands 2 XMR which approximately amounts to 276 USD. Since it is still under development, we discourage you from transmitting the money. Instead, focus on OhNo! removal.

Ways to get infected with a file-encrypting threat

Regarding the features of the malware, it tends to target systems with weak Remote Desktop Protocols (RDP). However, since it may also come into a system in .rar file, it suggests that spam emails are an additional distribution option. 

You should not also exclude the possibility that the malware may dwell in a corrupted application. Thus, in order to lower the possibility of OhNo! malware hijack, make sure to update your security application, regularly scan the device and beware of the visited websites as well as downloaded software. Alternative OhNo! trojan names

Terminate OhNo! virus and delete its components

As most of ransomware threats, this threat also targets Windows. You should be able to remove OhNo! virus with the assistance of anti-virus and malware elimination utilities. However, due to the activity of the threat, it is not surprising if you will not be able to launch the tools.

If you encounter OhNo! removal problems, launch the operating system in Safe Mode, Further instructions are displayed below. Try to terminate its processes via Task Manager as well. Note that OhNo! ransomware targets non-native English speakers, such as Danish[3] users as well.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.