Get the 411 on Spyware
PedCont Ransomware Removal Guide
It hasn't been more crucial to protect your operating system and personal files because a new dangerous threat called PedCont Ransomware is on the loose. This devious malware was created to terrorize Windows users into paying a humongous ransom, but it is more malicious than your average file-encryptor. First of all, we must establish that this ransomware does NOT encrypt files. Well, that is good news, right? That depends on how you look at things. While some file encryptors can be decoded by legitimate file decryptors, it seems like there is nothing you can do to save your files from this infection. Although it does not corrupt documents, photos, and other personal files, you might end up losing it all if the infection invades your system and then paralyzes it. According to our research, this might happen regardless of whether you close the ransom note window (that definitely initiates the paralysis), or simply wait to see what happens. Therefore, if you encounter the malicious threat, you need to figure out quickly if you want to remove it. If you are sure you want to delete PedCont Ransomware, you need to continue reading this report to understand the risks.
How did PedCont Ransomware enter? That is a question we cannot answer because the entrance of this malware can be personalized for every victim that is targeted. Most likely, malicious downloaders, spam emails, and RDP connections are used to drop the threat onto the computer. When our malware research team was analyzing the threat, it came as “AliceRides.mp4_Unpack.WinRAR_SFX.scr,” and it had to be opened for malware to execute. This suggests that the victims of PedCont Ransomware might be playing an important part in the distribution of this malware. Once executed, the threat immediately shows the window entitled “PedCont :: COMPUTER HIJACKED! :: Read this carefully and follow the steps to pay with BTC/LTC.” Basically, the gist of the message is represented via this title, and that is your system is paralyzed, and you need to pay a ransom to get it unlocked. At least, that is what the creator of the malicious infection wants you to believe. If you pay attention to the ransom note before you attempt to remove the threat, you might think that paying a ransom either in Bitcoins or Litecoins is an actual option. Here’s the thing: No one knows if the system would be unlocked if you paid the ransom! That being said, it is only 50 USD – which is a small price compared to what other threats have been known to demand – and so some users are likely to pay the ransom before they delete the threat.
The ransom message represented by PedCont Ransomware is very odd. It informs that the victim has been found to participate in cyber criminal activity; such as “seeking out child pornography.” If you have nothing to do with that kind of activity, the message is clearly fake, but that does not really change anything. Now, if you have done something illegal recently, you might rush to pay the ransom right away because the ransom message warns that information about illegal activity would be sent to authorities, who could then prosecute you. If you decide to pay the ransom, you are required to set up a crypto- wallet, purchase the right amount of crypto-currency, and then transfer it to the right wallet address. It is suggested that once the ransom is paid, the system would be unlocked. Our research team is doubtful regarding this, and it is more likely that you would simply waste money for no good reason. Even if the ransom note disappears, your operating system could still be paralyzed. As discussed earlier, if you close the window launched by PedCont Ransomware or wait too long, the system is restarted. After this, your system blacks out, and the only thing you can do is reinstall Windows.
As you see, there are quite a few steps in the manual removal process. In fact, the instructions below are mostly showing you the registries that need to be modified. For every registry that you see, a value named “Debugger” must be deleted. Unfortunately, we are not sure that you would have the time to perform all steps at once. Therefore, we suggest focusing on four registries: explorer.exe, regedit.exe, svchost.exe, and taskmgr.exe. If you fix these in HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ paths, you might get the chance to remove PedCont Ransomware remnants. You would not need to worry too much about this if your personal files were backed up externally, and if you were able to reinstall Windows on your own. Without a doubt, once you get your system cleaned, you should immediately back up files – if you have not done so already – and reinforce the system’s protection by installing reliable anti-malware software.
How to delete PedCont Ransomware
- Tap Win+E to launch Explorer and then enter %WINDIR% into the bar at the top.
- Right-click and Delete the file named ScreenSaver.scr.
- Tap Win+R to launch RUN and then enter regdit.exe to launch Registry Editor.
- Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
- Right-click and Delete the value named SCRService.
- Move to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ (separately).
- Find the values listed below, open them, and delete the word Debugger:
- taskmgr.exe
- svchost.exe
- regedit.exe
- explorer.exe
- chrome.exe
- cmd.exe
- conhost.exe
- dwm.exe
- firefox.exe
- iexplore.exe
- mbam.exe
- Microsoft.Photos.exe
- MicrosoftEdge.exe
- mspaint.exe
- opera.exe
- plugin-container.exe
- rstrui.exe
- tor.exe
- avast.exe
- rundll32.exe
- safari.exe
- SearchIndexer.exe
- setup.exe
- skype.exe
- SystemSettings.exe
- updater.exe
- WinRAR.exe
- Empty Recycle Bin to clear the system from the removed elements.
- Install a trusted malware scanner and perform a full system scan to see if no leftovers remain.
PedCont Ransomware Screenshots:
