Remove Av666@weekendwarrior55(.)com Ransomware and Restore the Encrypted Files

A new ransomware associated with the domain weekendwarrior55(.)com redirecting to has been reported to encrypt user files with random extensions. A growing number of users have complained that the malicious program has corrupted their data. Unlike other ransomware, however, this one does not leave a ransom note. Instead, the victim is expected to contact the attacker at the email address that appears in the encrypted file's extension, or at this backup email – [email protected](.)com.

Name: Av666@weekendwarrior55(.)com
Type: Ransomware Trojan
Short Description: The malicious threat infects users to encrypt their files and extort them with Bitcoins for the decryption.
Symptoms: The user's files become corrupt with a Av666@weekendwarrior55(.)com extension.
Distribution Method: Via PUPs, installed by bundling (Browser Hijackers) or by visiting a suspicious third-party site that is advertising it.
Detection Tool: Download Malware Removal Tool, to See If Your System Has Been Affected by Av666@weekendwarrior55(.)com
User Experience: Join our forum to discuss the decryption of files encrypted by Av666@weekendwarrior55(.)com Ransomware.


Av666@weekendwarrior55(.)com Ransomware – How Does It Infect?

According to reports on security forums, this ransomware primarily infects Windows-based computers, as well as server machines, by email. The message may carry a malicious attachment in the form of a .zip, .rar or other archive containing files with the following extensions:

.doc, .docx, .pdf, .xls, .jpg, .bmp

What is more, these files may contain malicious code or be accompanied by another file with one of the following extensions:

.bat, .dll, .tmp, .exe

This is essentially the file that brings the payload onto the victim's computer.

Av666@weekendwarrior55(.)com Ransomware – More About It

Once activated, these are the most common locations where Av666@weekendwarrior55(.)com Ransomware may create its payload files that may be programmed to scan and encrypt data:


Users on the Bleeping Computer forums have reported a .tmp file, possibly an executable in disguise, in the following location:

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\99DB.tmp
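A defensive triage check for the pattern described above, added here as an example and not taken from the original article or any vendor tool: it flags files in a Startup folder that carry a PE header but a non-executable extension, as the reported 99DB.tmp does. The function names, the extension allow-list and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Extensions under which a PE file is expected; an MZ/PE file named anything else is hiding.
EXPECTED_PE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".cpl"}

def is_pe(path):
    """True if the file has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False  # unreadable or locked file: not classified as PE here

def disguised_executables(startup_dir):
    """Return sorted names of PE files in startup_dir whose extension hides what they are."""
    hits = []
    for entry in Path(startup_dir).iterdir():
        if entry.is_file() and entry.suffix.lower() not in EXPECTED_PE_EXTS and is_pe(entry):
            hits.append(entry.name)
    return sorted(hits)

def startup_dirs():
    """Per-user and all-users Startup folders on a live Windows host (empty list elsewhere)."""
    tail = Path("Microsoft/Windows/Start Menu/Programs/Startup")
    roots = [os.environ.get("APPDATA"), os.environ.get("PROGRAMDATA")]
    return [Path(r) / tail for r in roots if r and (Path(r) / tail).is_dir()]

def make_sample_dir():
    """Constructed sample: a minimal PE stub named like the page's 99DB.tmp, plus benign files."""
    d = Path(tempfile.mkdtemp())
    stub = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"
    (d / "99DB.tmp").write_bytes(stub)            # PE content behind a .tmp name
    (d / "notes.tmp").write_bytes(b"plain temporary data")
    (d / "updater.exe").write_bytes(stub)         # PE with an honest extension
    (d / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")
    return d

if __name__ == "__main__":
    # On a Windows host, check the real Startup folders; otherwise run on the constructed sample.
    for folder in startup_dirs() or [make_sample_dir()]:
        print(folder, disguised_executables(folder))
```

To check a mounted disk image instead of the live host, pass the image's Startup folder path directly to `disguised_executables`.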

Malware researchers believe that the malware may also create registry entries with values set to run the executable 99DB.tmp and other malicious files spread by this ransomware trojan on system startup. This may happen in the following Windows Registry entry:


After delivering its payload, the ransomware begins to scan for user files of different extensions. Users have reported the following types of files being encrypted by this devastating ransomware:

.pdf, .csv, .xls, .jpg, .rtf, .doc

However, according to researchers the malware may also look for other file extensions to encrypt:

.cer .crt .db .dbf .der .doc .docm .docx .groups .kwm .mdb .mdf .pem .pwm .rtf .safe .sql .txt .xlk .xlsb .xlsm .xlsx

After encryption, the encrypted file looks like the following:

[email protected]

What distinguishes ransomware of this type, which places an email address in the file extension, is that it usually leaves no ransom note after encrypting files and making them appear corrupt. The situation with Av666@weekendwarrior55(.)com is basically the same. One affected user on the forums even tried contacting the cyber criminals at the questionable e-mail address provided. The conversation went as follows:

The user:
My files have been crypted on Friday, 27.11.2015.
Please, send me a decryptor to unlock my files.
The hijacker:
If you wish to get all your files back, you need to pay 3 bitcoins.
Go to localbitcoins dot com, it’s probably the easiest way, open an account,
buy bitcoins and then ask me for the address to send the bitcoins to.
The user:
My friend, I am from Bulgaria. 3 bitcoins are my salary for two months.
If you agree I can pay 0.1.
The hijacker:
2 btc

It is highly recommended NOT to pay the ransom demanded by the cyber criminals, for two main reasons:

  • You fund the cybercriminals to spread their ransomware and improve it.
  • There are methods to restore the files.

Removing Av666@weekendwarrior55(.)com Ransomware Fully From Your PC

To remove this ransomware and decrypt your files, first copy the encrypted data to an external drive or upload it to the cloud. This is a precaution in case the ransomware is programmed to delete encrypted data or decryption keys when tampered with. Before following our instructions for restoring your files, follow the step-by-step instructions after the article to remove all malicious files of the Av666@weekendwarrior55(.)com Ransomware.

1. Boot Your PC In Safe Mode to isolate and remove Av666@weekendwarrior55(.)com
2. Remove Av666@weekendwarrior55(.)com with SpyHunter Anti-Malware Tool
3. Remove Av666@weekendwarrior55(.)com with Malwarebytes Anti-Malware
4. Remove Av666@weekendwarrior55(.)com with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by Av666@weekendwarrior55(.)com in the future

Restoring Files Encrypted by Av666@weekendwarrior55(.)com Ransomware

In order to restore your files encrypted by Av666@weekendwarrior55(.)com ransomware successfully via volume shadow copies in Windows, please use the instructions below:

Method 1: Instructions to restore your files encrypted with Av666@weekendwarrior55(.)com extension.

Method 2: Decrypt your files using Volume Shadow Copies in Windows

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
