Home / Spyware Help / WantMoney Ransomware Removal Guide

WantMoney Ransomware Removal Guide

by 0 Comments

Do you know what WantMoney Ransomware is?

WantMoney Ransomware is one of the newest malicious applications encrypting files stored on compromised machines. It seems that it targets English and Chinese-speaking computer users primarily because it opens a window and sets a new Desktop Wallpaper with a message both in English and Chinese. Of course, it does not mean that you cannot encounter this infection if you do not speak any of these languages. Even though ransomware infections are one of those threats that tend to slither onto users’ computers illegally, it usually does not take long for users to find out about the successful entrance of such an infection. If WantMoney Ransomware ever infiltrates your computer too, you will find it impossible to access a bunch of files, including those you consider the most valuable, e.g. music, videos, pictures, and other files. Also, you will find your Wallpaper changed and the ransomware window opened on your screen. Finally, you could no longer open two system utilities: Task Manager and Registry Editor. You will not disable WantMoney Ransomware by restarting your computer because this infection can automatically start together with the Windows OS due to the entry created in the Run registry key. The only solution to this problem is the complete removal of the ransomware infection. We cannot promise that its removal will be easy because you will need to boot into Safe Mode (or Safe Mode with Networking) first and then erase all components of the ransomware infection. Since it is quite a sophisticated threat, it has many of them. It will not be easy to get rid of it, but it is not impossible to erase it, so read this article from beginning to end and then go to take action immediately.

WantMoney Ransomware not only sets an image with a ransom note as a Wallpaper, but also opens a window and drops _Want Money_.txt with the same message. First of all, users are told that their “files are only encrypted by “Want Money Ransomware”.” Then, they find out how they can unlock their encrypted data. As expected, there is only one way to do that – users need to send 0.1 Bitcoin to the Bitcoin address left for them in the ransom note. Then, they need to send an email with a unique ID and payment details to B32588601@163.com. You should not follow decryption instructions indicated in the ransom note because crooks might never give you a working decryption tool. In such a case, your money will not be returned to you either. Unfortunately, another method that would allow you to get your files back for free does not exist, so the chances are high that your files will stay as they are, i.e. encrypted if you decide not to pay the ransom crooks demand. If this nasty infection has successfully entered your system and locked your files, it means that other malicious applications can infiltrate your computer too, so you cannot leave it unprotected.WantMoney Ransomware Removal GuideWantMoney Ransomware screenshot
Scroll down for full removal instructions

It is hard to talk about the distribution of WantMoney Ransomware because this threat is not popular malware. Of course, our malware researchers still have what to stay about this. According to them, it is very likely that this malicious application is mainly spread as an attachment in spam emails. If you remember opening an email attachment recently too, it explains why you have ended up with this crypto-threat. They say that it might also be possible to download this infection by simply clicking on some kind of malicious link. Even though malicious software is often spread via malicious emails, it is definitely not the only distribution method that might be used to promote bad software, so you should be very cautious starting today.

The WantMoney Ransomware removal will not be easy because it creates a bunch of entries in the system registry and creates several new files. You will need to delete them all yourself. Before you start the removal procedure, you need to boot into Safe Mode/Safe Mode with Networking. You should start your Windows OS in Safe Mode with Networking if you are going to download an automated malware remover and use it to clean your system.

How to delete WantMoney Ransomware

Boot into Safe Mode/Safe Mode with Networking

Windows XP/7/Vista

  1. Restart your computer and start tapping F8 on your keyboard.
  2. Select Safe Mode or Safe Mode with Networking using arrow keys in the Advanced Boot Options menu and press Enter.

Windows 8/8.1

  1. At the login screen, hold the Shift key, click Power, and click Restart.
  2. Under Choose an option, click Troubleshoot.
  3. Click Advanced options.
  4. Click Startup Settings.
  5. Click the Restart button.
  6. Press F4 (Safe Mode) or F5 (Safe Mode with Networking) on your keyboard.

Windows 10

  1. Launch Settings from the Start menu.
  2. Click Update & Security.
  3. Move to Recovery and click Restart now.
  4. Click Troubleshoot.
  5. Click Advanced Options.
  6. Click Startup Settings.
  7. Click Restart.
  8. Press 4 (Safe Mode) or 5 (Safe Mode with Networking).

Delete entries and files representing WantMoney Ransomware

  1. Press Win+R.
  2. Type regedit.exe in the command line and click OK.
  3. Open HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run and find the Want Money Value.
  4. Open the directory it points to and delete the main file of the ransomware infection.
  5. Delete the Want Money Value in the Run registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run).
  6. Delete all entries listed below one by one:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney17
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney18
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney19
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney20
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney21
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney22
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney23
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney24
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney25
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney26
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney27
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney28
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney29
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WantMoney30
  1. Close Registry Editor and open Explorer (Win+E).
  2. Delete Want Money.lnk from these directories:
  • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  1. Open %USERPROFILE%\Desktop.
  2. Remove _Want Money_.bmp and _Want Money_.txt.
  3. Go to %HOMEDRIVE%.
  4. Remove _Want Money_.bmp and _Want Money_.txt.
  5. Empty Trash.

In non-techie terms:

WantMoney Ransomware is a harmful malicious application whose entrance never goes unnoticed. If this threat ever infiltrates your computer, you will find a bunch of your files locked, a new image set as a Desktop Wallpaper, a window opened on your screen, and a new .txt file created. Just like similar threats, this malicious application also wants users’ money, but you should not send a cent to crooks behind it. What you should definitely do is to delete this ransomware infection fully as soon as possible. It is one of those sophisticated threats that make a bunch of notifications on users’ computers, so you will surely need to put some effort into its removal.