Atchbo Ransomware Removal Guide

Threat Level:
9/10
Category: Trojans

Atchbo Ransomware is a malicious program that can take control of your computer by locking the screen. The good news is that our specialists know how to unlock it, and the instructions below this report will guide you through the process. Unfortunately, once the screen is no longer blocked, the user should notice that most of his files have become unusable. Apparently, Atchbo Ransomware may also encipher various files with a secure cryptosystem. Worse, removing the malicious program does not undo this damage, so the affected data will still be enciphered. Still, our specialists recommend eliminating the malware if you do not plan on complying with the cyber criminals' requests. If the threat is left on the system, the screen should be blocked once again. No need to worry if you have no idea how to deal with this infection, as the instructions located below explain how to delete it too.

Of course, before scrolling down to the instructions, we invite you to read the rest of the article and learn all about Atchbo Ransomware. It looks like the malware can affect various types of data, e.g., pictures, photos, text or other documents, videos, and so on. To mark the enciphered files, the malicious program might append a second extension to the end of the damaged file’s full name. For example, a document named text.docx would turn into text.docx.exo. Atchbo Ransomware should work silently in the background; therefore, the user may not notice anything is happening unless he sees the mentioned changes to his files. If the process is not interrupted and the threat finishes enciphering your data, it should finally announce its presence. To do so, the infection is supposed to block the screen and show a text saying “YOUR FILES HAVE BEEN ENCRYPTED.” The next lines might suggest following the provided four steps to get the files back.

As one could expect from a ransomware application, the instructions it gives say how to pay a ransom and promise the enciphered files will be decrypted as soon as the payment is confirmed. Needless to say, we advise against paying because the malware’s creators may not have any intention of helping users. The instructions do not explain how the affected files will be fixed or how you could contact the cyber criminals if anything goes wrong. To put it simply, there are no reassurances, only the chance you might get scammed. We also find it suspicious that Atchbo Ransomware says you have to pay 0.007 BTC (around 40 US dollars) in the message you can see while the screen is blocked, yet asks for 0.01 BTC (approximately 60 US dollars) in a ransom note, which should be dropped in various locations on the infected computer. The sums do not look particularly large or beyond what one could pay, but even so, under such circumstances, we do not think it would be wise to risk it.

If you are not going to pay the ransom, there is no point in keeping the malware installed, especially when it might stop you from working on your computer. More experienced users could follow the instructions located below and try to both unlock the screen and remove Atchbo Ransomware manually. No doubt, our recommended steps might seem rather complicated to less experienced users. In that case, we would propose using an antimalware tool as soon as the infected PC is restarted in Safe Mode with Networking. This way, if you do not have a reliable tool that could help you erase this malicious program, you could simply download one.

Restart the PC in Safe Mode with Networking

Windows 8/Windows 10

  1. Tap Windows key+I for Windows 8 or open the Start menu for Windows 10.
  2. Click the Power button.
  3. Press and hold the Shift key and click Restart.
  4. Choose Troubleshoot and pick Advanced Options.
  5. Select Startup Settings and click Restart.
  6. Press the F5 key and restart the PC.

Windows XP/Windows Vista/Windows 7

  1. Go to Start, pick Shutdown options and click Restart.
  2. Press and hold the F8 key as the computer starts restarting.
  3. Select Safe Mode with Networking from the Advanced Boot Options window.
  4. Press Enter and log on to the computer.

Get rid of Atchbo Ransomware

  1. Press Windows key+E.
  2. Look for the following location: %APPDATA%
  3. Find a file named ExoGUI.exe or something similar.
  4. Right-click this file and select Delete.
  5. Find these specific locations one by one:
    %ALLUSERSPROFILE%\Start Menu\Programs
    %APPDATA%\Microsoft\Windows\Start Menu\Programs
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
  6. Check if there are files related to the infection, right-click them and choose Delete.
  7. Navigate to the given paths:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  8. Identify the malware’s launcher (suspicious file launched before the malware appeared).
  9. Right-click it and click Delete.
  10. Exit File Explorer.
  11. Press Windows key+R.
  12. Type regedit and press OK.
  13. Find this path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  14. Locate a value name related to the malicious program, e.g., its value data may point to a file similar to this one: C:\Users\User\AppData\Roaming\ExoGUI.exe
  15. Right-click the malicious value name and select Delete.
  16. Search for these particular registry keys:
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing
    HKLM\SOFTWARE\Microsoft\Tracing
  17. Find keys called ExoGUI_RASAPI32 and ExoGUI_RASMANCS in each of the two listed locations.
  18. Right-click the mentioned keys and choose Delete.
  19. Leave Registry Editor.
  20. Empty your Recycle bin.
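
A read-only check for the indicators named in the steps above, as an added example that is not part of the original guide. It assumes PowerShell 3.0 or later, deletes nothing, and the helper name Add-Finding is hypothetical.

```powershell
# Read-only audit for the Atchbo indicators listed in this guide.
# Nothing is deleted; review the output, then remove items as described above.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Item) {   # hypothetical helper, not from the guide
    $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item })
}

# Steps 2-3: ExoGUI.exe (or a similarly named file) directly under %APPDATA%.
Get-ChildItem -LiteralPath $env:APPDATA -Filter 'ExoGUI*.exe' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Executable' $_.FullName }

# Steps 13-14: Run values whose data points at an ExoGUI executable.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        # Names starting with PS (PSPath, PSDrive, ...) are provider metadata.
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'ExoGUI') {
            Add-Finding 'Run value' "$($p.Name) = $($p.Value)"
        }
    }
}

# Steps 16-17: Tracing subkeys named after the ExoGUI process.
$tracingRoots = 'HKLM:\SOFTWARE\Microsoft\Tracing', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Tracing'
foreach ($root in $tracingRoots) {
    foreach ($name in 'ExoGUI_RASAPI32', 'ExoGUI_RASMANCS') {
        $key = Join-Path $root $name
        if (Test-Path -LiteralPath $key) { Add-Finding 'Tracing key' $key }
    }
}

# Files carrying the .exo second extension described earlier (count only).
# The Extension check is needed because -Filter '*.exo' can match longer extensions.
$exo = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Filter '*.exo' -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.exo' })
if ($exo.Count) { Add-Finding 'Enciphered files' "$($exo.Count) file(s) ending in .exo" }

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Atchbo indicators from this guide were found.' }
```

Running it again after the manual removal confirms that the executable, the Run value and the Tracing keys are gone; the .exo count will remain, since removal does not decrypt files.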