Ransomware Removal Guide

Category: Trojans

Recently our specialists came across a new variant of BTCWare Ransomware called Ransomware. Apparently, it encrypts all data it finds on the infected computer except the files associated with the operating system or other essential software. Afterward, the threat should leave a ransom note asking the victim to contact the malicious application’s creators via the provided email address. The reason we would not recommend giving in to such demands is that once you approach the hackers behind Ransomware, they will most likely ask you to pay a ransom. Needless to say, doing so could be extremely risky, as you could lose a lot of money in an instant and in vain. Therefore, we advise users to delete the malicious application with the instructions provided below or with a reliable security tool of their choice. It will not undo the damage done to your files, but at least you will be able to start anew.

In the remaining text, we will talk about how the malware works, its deletion, and other vital details. First of all, it is believed Ransomware could enter the system after the user launches a malicious email attachment, a harmful software installer, and so on. In other words, it could be the user himself who infects the system while acting carelessly. To make sure this never happens again, the user should stay away from doubtful spam emails, unreliable file-sharing web pages, etc. Additionally, it would be advisable to pick a reliable antimalware tool and install it on the computer so it can guard the system against various threats and alert the user about possible dangers.

The moment the user opens Ransomware’s launcher, the threat should start encrypting every file it locates on the infected computer. Naturally, data belonging to the system, such as the operating system’s own files, is left alone to ensure the user’s computer will still be able to boot and display the ransom note. Afterward, the user should instantly notice the malware’s window open. It appears after the threat launches a file called payday.hta. According to our specialists, it should be placed in the %APPDATA% directory. Also, to reopen it automatically after each restart, the malicious application should create a few values in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run registry keys.

Besides the ransom note, the user should notice that all of his data now has a second extension such as .[]-id-AD0.wallet or similar. Sadly, data marked this way cannot be opened. Plus, besides the encrypted files, the user may notice that some of the programs which were running before have suddenly stopped working, since Ransomware can lock not just personal files like photographs or documents, but also executable files belonging to programs you may have installed on the system. Of course, such software can be reinstalled, but as for the other data, the user can only recover it by replacing it with backup copies, if we do not consider paying the ransom as an option.

The reason we do not think paying the ransom is a good idea is that there is a chance the hackers could trick the user by taking his money and not providing the promised decryption tool. Consequently, for those who do not want to risk their savings, we advise removing Ransomware at once. To do so manually, you should follow the instructions provided below the article, but if the process seems a bit too complicated, we would recommend leaving this task to a reputable antimalware tool.
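Before working through the manual steps, it helps to confirm which of the indicators described above are actually present on the machine. The following PowerShell script is an added example written for this page, not code from the article's authors or from any vendor tool. It only reads: it checks the two Run keys for the value names the article lists, looks for payday.hta in %APPDATA% and compares its MD5 with the hash given in the technical info section, checks whether the BTCWare Slacker process is running, and enumerates files carrying the .[...]-id-...wallet second extension. It assumes the bracketed part of the extension holds the attackers' contact address and that the ID after -id- varies per victim, so both are matched loosely; the process name is taken from the article's process table. Nothing is deleted.

```powershell
# Added example, not part of the original article: a read-only triage script
# that checks a Windows host for the indicators described above. It reports
# findings and deletes nothing; removal is left to the manual steps or a tool.

# MD5 values copied from the article's "technical info" table.
$KnownHashes = @{
    '6ea9ac61dfb9c9df7e81a1e3babc0be1' = 'payday.hta'
    'fa2a2a41c5a016c9c60d47ca7839474c' = '! How Decrypt Files.txt'
    '2c1a9fff423a7afd1b25d1b4c7c5ae3c' = 'BTCWare Slacker.exe'
}

# Run-key locations and value names named in the article.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$RunValueNames = '1payday', '2baby', '3payday', '4baby'

# Second extension of the form .[<contact address>]-id-<ID>.wallet; the bracket
# content and the ID are assumed to vary, so anything is accepted there.
$WalletPattern = '\.\[[^\]]*\]-id-[A-Za-z0-9]+\.wallet$'

function New-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    [pscustomobject]@{ Indicator = $Kind; Location = $Location; Detail = $Detail }
}

# Persistence: any of the listed value names under either Run key.
function Test-RunKeyPersistence {
    foreach ($key in $RunKeys) {
        # The Wow6432Node key only exists on 64-bit Windows.
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $RunValueNames) {
            if ($null -ne $props.$name) {
                New-Finding 'RunKey' "$key\$name" ([string]$props.$name)
            }
        }
    }
}

# Dropped ransom-note launcher in %APPDATA%, with its MD5 compared to the article's value.
function Test-DroppedHta {
    $hta = Join-Path -Path $env:APPDATA -ChildPath 'payday.hta'
    if (Test-Path -Path $hta) {
        $md5 = (Get-FileHash -Path $hta -Algorithm MD5).Hash.ToLower()
        $verdict = if ($KnownHashes.ContainsKey($md5)) { 'matches article IoC' } else { 'differs from article IoC (possibly a newer build)' }
        New-Finding 'DroppedFile' $hta "MD5 $md5 $verdict"
    }
}

# Running payload: the name from the article's process table (Get-Process takes it without .exe).
function Test-RunningProcess {
    foreach ($p in (Get-Process -Name 'BTCWare Slacker' -ErrorAction SilentlyContinue)) {
        New-Finding 'Process' "PID $($p.Id)" ([string]$p.Path)
    }
}

# Encrypted files: anything under the given roots whose name ends with the .wallet pattern.
function Find-EncryptedFiles {
    param([string[]]$Roots = @($env:USERPROFILE))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $WalletPattern } |
            ForEach-Object {
                # Stripping the appended extension recovers the original name for the restore-from-backup list.
                New-Finding 'EncryptedFile' $_.FullName ('original name: ' + ($_.Name -replace $WalletPattern, ''))
            }
    }
}

$findings = @(Test-RunKeyPersistence) + @(Test-DroppedHta) + @(Test-RunningProcess) + @(Find-EncryptedFiles)
if ($findings.Count -eq 0) {
    Write-Output 'None of the indicators from the article were found.'
} else {
    $findings | Format-Table -AutoSize
    $encrypted = @($findings | Where-Object Indicator -eq 'EncryptedFile')
    Write-Output "$($encrypted.Count) encrypted file(s) found; restore these from backup after removal."
}
```

Run it in a PowerShell session as the affected user (the HKCU key is per user), and pass additional roots to Find-EncryptedFiles if data lives outside the profile, for example mapped drives. A payday.hta whose MD5 differs from the listed value is still worth treating as the launcher: the article's hash identifies one build, and a rebuilt sample changes it.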

Remove Ransomware

  1. Tap Win+E.
  2. Locate the following directories:
  3. Find a malicious file downloaded before the malware appeared.
  4. Right-click the doubtful file and select Delete.
  5. Locate this path: %APPDATA%
  6. Find a file called payday.hta, right-click it and select Delete.
  7. Leave File Explorer.
  8. Press Win+R, type Regedit and click OK.
  9. Navigate to the following paths: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  10. Look for value names called 1payday, 2baby, 3payday, 4baby.
  11. Right-click them and press Delete.
  12. Leave Registry Editor.
  13. Empty the Recycle Bin.
  14. Reboot the device.
Ransomware technical info for manual removal:

Files Modified/Created on the system:

#  File Name                File Size (Bytes)  File Hash
1  payday.hta               13674              MD5: 6ea9ac61dfb9c9df7e81a1e3babc0be1
2  ! How Decrypt Files.txt  104                MD5: fa2a2a41c5a016c9c60d47ca7839474c
3  BTCWare Slacker.exe      272896             MD5: 2c1a9fff423a7afd1b25d1b4c7c5ae3c

Memory Processes Created:

#  Process Name         Process Filename     Main module size
1  BTCWare Slacker.exe  BTCWare Slacker.exe  272896 bytes
