ABANTES Ransomware Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 995
Category: Trojans

Did ABANTES Ransomware invade your Windows operating system? It should not take long for you to figure that out because the threat encrypts files and adds “.Abantes” as an additional extension. It also changes the Desktop wallpaper and makes your entire operating system run funny. For example, the cursor could start acting up. The screen could flip randomly and display strange windows too. At the end, the blue screen of death (BSOD) should appear, and you should not be able to access the computer. Why? That is because the threat is capable of overwriting the master boot record (MBR). Do you know how to fix that? You need to reinstall Windows, and if you do that, everything on your computer is reset. Hopefully, you can delete ABANTES Ransomware before the MBR is overwritten, and we have created a removal guide that shows how to do that manually. Unfortunately, it is unlikely that you can restore your personal files in the process, and if backups do not exist, your files are likely to be lost forever.

It is unclear how ABANTES Ransomware spreads, but since it is a Hidden Tear (RaaS) infection, it is likely to spread using misleading spam emails. Exposed system vulnerabilities could be used too. Once the threat is in, it does not stay quiet. Instead, it encrypts files right away. According to our research team, the threat can corrupt files with .jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, and 128 other extensions. It basically covers all personal files, from photos to documents. This is pretty much the only thing that ABANTES Ransomware shares with other Hidden Tear threats, such as BSS Ransomware, SnowPicnic Ransomware, Cry Ransomware, or SummyWare Ransomware. Other than that, this infection is extremely aggressive, which is unlike other threats from the same family. Once it is inside, besides encrypting personal files, it also can disable the Task Manager. That is done by creating the “DisableTaskMgr” entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System. It also can remove registries in HKLM, HKCU, and HKR. As we mentioned already, it can force BSOD and overwrite the MBR. It was also found that it can change the username to “Abantes was here” and delete shadow volume copies to make it impossible to use the system restore point.

What is the purpose of ABANTES Ransomware? Since it is a file-encrypting ransomware, one could assume that it was created to bring in money. After files are encrypted, a ransom note should be created to ask money in return for the files. However, ABANTES Ransomware does not act that way. Instead, it is all about destruction. Even the message that is created by this malware does not make any demands. The message is delivered via a window titled “Rules,” and it presents 5 different rules. According to these rules, “Your PC will die” if you kill processes, delete malware files, employ antivirus software, use Task Manager or CMD, and, finally, edit entries in MSCONFIG. As you can see, not much sense is made. So, what are you supposed to do? It might be best to turn the computer off and take it to an expert.

The removal of ABANTES Ransomware is complicated. Most likely, the MBR is overwritten already, in which case, you do not actually need to worry about deleting the infection. Instead, you need to figure out how to reinstall Windows. If you do not know how to do it, use the help of experts. If the MBR is not overwritten, you might have a chance to delete ABANTES Ransomware, but you need to move fast. If you cannot find the .exe file that launched the threat, you cannot eliminate the infection manually. Do not panic because an anti-malware program is always ready to assist. As long as you install one you can trust, you will not need to worry about removing malware or protecting your system against it in the future. Of course, we still recommend backing up files because you never know what kind of malware could emerge in the future and how it could affect your files. However, even if they are removed or encrypted, if backups exist, you will not lose anything.

How to delete ABANTES Ransomware

  1. Find the [random name].exe launcher file and Delete it.
  2. Move to the C:\Windows directory.
  3. Delete the folder named Defenderwith these files inside:
    • Action.bat
    • authui.dll.mui
    • cursor.cur
    • data.bin
    • explorer.exe.mui
    • icon.ico
    • IFEO.exe
    • logonOverwrite.bat
    • LogonUi.exe
    • LogonUIStart.exe
    • Payloads.dll
    • Rules.exe
  4. Launch RUN (tap Win+R).
  5. Enter regedit.exe into the dialog box and click OK.
  6. In Registry Editor go to HKLM\Software\.
  7. Delete the key named Abantes.
  8. Go to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
  9. Delete the value named DisableTaskMgr to restore Task Manager.
  10. Install and run a reliable malware scanner to check for malware leftovers.

Note: if MBR was overwritten, your only option is to reinstall Windows.

Download Remover for ABANTES Ransomware *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

ABANTES Ransomware Screenshots:

ABANTES Ransomware
ABANTES Ransomware


Your email address will not be published.


Enter the numbers in the box to the right *