Ahtw Virus

7-day Free Trial w/Credit card, no charge upfront or if you cancel up to 2 days before expiration; Subscription price varies per region w/ auto renewal unless you timely cancel; notification before you are billed; 30-day money-back guarantee; Read full terms and more information about free remover.

*Ahtw is a variant of Stop/DJVU. Source of claim SH can remove it.


Ahtw is a ransomware cryptovirus of the latest kind. Ahtw is quite sophisticated and uses a complex encryption algorithm for the purposes of extorting money from its victims. 

Ahtw ransomware text file (_readme.txt)
Screenshot of the Ahtw ransomware ransom note

Ransomware infections are pretty much everywhere nowadays and every day thousands of users get their machines invaded by this form of malware. In today’s article, we are going to share with you whatever information is available to us regarding the insidious Ahtw ransomware. This particular piece of ransomware is a cryptovirus meaning that its main target once it infects a given computer are the files stored on the machine’s hard drives.

The Ahtw virus

Once the Ahtw virus enters the PC, it searches the HDD for a list of predefined file types, normally ones that are commonly used such as text document files, different image formats, spreadsheets, audio and video files, etc. Once all this data on the computer is accounted for, the Ahtw, Ahui, Neon or Neqp virus goes on to encrypt those files in order to make the PC’s user incapable of opening them.

Once this stage of the ransomware cryptovirus agenda has been completed, the only thing remaining is for the malware to notify its victim about what has just happened to their files and what the user needs to do in order to recover the data. The thing that the hackers behind the malware ask from their victims is for them to pay a certain amount of money, usually by sending the money to a specified cryptocurrency wallet. The instructions on how to carry out the whole transaction process are typically provided within a ransom note that is automatically generated on the infected computer once the encryption process is over and all targeted files are inaccessible to the user.

If the money is indeed paid, the hackers behind Ahtw promise to unlock all encrypted data. However, since you have come to this page, you are probably not overly amazed by the idea of paying money to some criminal hackers, in which case the instructions on how to remove Ahtw provided below may come in handy to you.

The Ahtw file encryption

Few users are lucky enough to notice the Ahtw file encryption process in time before their files have been locked. This is because the Ahtw file encryption process is typically symptom-free and doesn’t interfere with the computer’s performance.

Files encrypted by Ahtw ransomware (.ahtw extension)
Screenshot of the Ahtw ransomware encrypted files

We assume that you are not one of these users and that currently all of your personal files are inaccessible due to the encryption placed on them by Ahtw. Now, to be perfectly honest with you, you must know that there is no guarantee about the future of your files. You may pay the ransom and get them back but you may also waste the money you send and still not receive the special decryption key that the hackers normally promise in exchange for the ransom.

You can also try using our guide to remove Ahtw but after you get rid of the malware, you will also need to take additional actions in order to unlock and restore your data. We have some suggestions on file recovery and instructions on how to use them but we can’t promise or guarantee success. Still, it’s advisable to try everything else before you actually resort to the payment option as this is really not a preferable course of action.


Danger LevelHigh (Ransomware is by far the worst threat you can encounter)
Detection Tool

*Ahtw is a variant of Stop/DJVU. Source of claim SH can remove it.

Before you begin

Before you start performing the steps from the guide, make sure you take into consideration the following points:

  • If there are currently any external devices connected to your PC, disconnect them immediately to prevent the files that may be stored in them from getting encrypted by Ahtw.
  • It’s recommenced that you keep your PC disconnected from the Internet while you perform the next steps – this would prevent Ahtw from trying to communicate with its servers and make its removal more difficult.
  • Paying the ransom is inadvisable and should be seen only as a last resort. However, if you decide to go for it, we recommend first paying the money and only after that completing the next guide.
  • Even if Ahtw doesn’t seem to be in your system before you begin the guide, it’s still advisable that you perform the next steps to ensure that there’s truly nothing left from it on your computer.

With those important notes out of the way, let us now show you how to remove Ahtw.

Remove Ahtw Ransomware

  1. To remove Ahtw, begin by deleting any questionable or potentially unwanted programs you may find in the Programs and Features section.
  2. Next, go to the Task Manager, find and quit any rogue processes and also delete their folders.
  3. Clean the AppData, LocalAppData, ProgramData, Temp, and WinDir folders from any rogue files.
  4. Revoke any unwanted changes made to the Task Scheduler, System Registry, Hosts file, or the Startup items list.

This was only a quick rundown of the steps you need to complete. For further details, please check the in-depth guide below.

  1. To remove Ahtw, start by uninstalling any suspicious entries from the Programs and Features list of your PC.
  2. Next, ensure that there are no rogue processes running in the Task Manager’s processes tab.
  3. Also make sure to clean the AppData, LocalAppData, WinDir, ProgramData, and Temp folders from rogue data.
  4. Lastly, to remove Ahtw, check the Hosts file, Startup items list, Tash Scheduler, and System Registry for questionable entries, and delete anything you find.

For further details about each of those four steps, please check the in-depth instructions shown below.

Detailed Ahtw removal steps

Step 1

Type Programs and Features in the Start Menu, open the first item, scroll down, and look for entries that seem questionable or unwanted. It would help if you sort the list of programs by their installation date and focus on the most recently installed ones. If you find anything, select it, select Uninstall, and follow the removal prompts to delete that item.

This image has an empty alt attribute; its file name is uninstall1.jpg

Step 2


*Ahtw is a variant of Stop/DJVU. Source of claim SH can remove it.

Type Task Manager in the Start Menu, open the Task Manager app, click More Details if such an option is available, and look at the list of processes. We recommend sorting the entries by Memory or CPU usage to see which ones are consuming the most of each resource. Then see if there are any items that look suspicious and check their names in Google to see if there are any online reports about them that say the processes in question may be rogue. Also right-click the suspicious process, click Open File Location, and scan the files in newly-opened folder with our online malware scanner you’ll find right below.

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.
    Task Manager1

    If the results in Google and the results from the scan suggest that the process is rogue, quit that process and then delete its location folder. Do this for every process that gets determined to be rogue.

    Task Manager2

    Step 3

    Next, it’s advisable to enter Safe Mode on your computer in order to prevent Ahtw from restarting any of its malicious processes.

    Step 4

    *Ahtw is a variant of Stop/DJVU. Source of claim SH can remove it.

    Now search for Folder Options in the Start Menu, click on the first result, go to the View section, enable the Show hidden files, folders, and drives setting, and then click OK to save the change.

    After that, in the Start Menu, search for and open each of the following folders. Be sure to type the name of the folders as they are shown below, including the “%” symbols.

    • %AppData%
    • %WinDir%
    • %LocalAppData%
    • %ProgramData%
    • %Temp%

    Delete the most recent files in each of those folders, and once you get to the “%Temp%” folder, delete everything in it. Since there would typically be a lot of items stored there (probably thousands), the easiest way to delete them all is to press Ctrl + A when in the folder, and then press Del.

    Step 5

    For this next step, you need to once again use the Start Menu to search for and access several sections of your system settings. Type the items shown below in the Start Menu, open then, and perform the instructions we’ve provided for each:

    Task Scheduler – Once the Task Scheduler opens, click the Task Scheduler Library from the top-right, then look for any suspicious items shown in the list to the right, and delete the ones you think may be linked to Ahtw.

    This image has an empty alt attribute; its file name is 1-6-1024x406.jpg

    notepad %windir%/system32/Drivers/etc/hosts – When you open this item, a notepad named Hosts should appear on your screen. You must look at the bottom of the text in the file and see if there’s anything written below the two Localhost lines. If there are any entries there, tell us in the comments about them and we will let you know if you need to delete them

    This image has an empty alt attribute; its file name is hosts2.jpg

    Msconfig – This will open the System Configuration window, in which you must click the Startup tab and then select Open Task Manager if you see such an option. Then look at the startup entries and make sure to disable anything you don’t recognize or think is unwanted.

    Regedit.exe – Click Yes when your Admin permission is required, and when the Task Manager opens, press Ctrl + F, type Ahtw, and click Find Next. If anything gets found, delete the item, search again, delete the next result, and do this until no more Ahtw items remain in the Registry.

    1 1

    After that, manually go to the following three Registry locations in the left panel and check each of them for items with questionable names, such as names that seem randomly generated. If anything catches your attention, let us know in the comments, and we will tell you if anything needs to be done about the suspicious item/s.

    • HKEY_CURRENT_USER > Software
    • HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
    • HKEY_CURRENT_USER > Software > Microsoft > Internet Explorer > Main

    Step 6

    In case you think that Ahtw may still be in the system even after you’ve performed everything from the guide, we recommend installing the advanced anti-malware tool available on this page and scanning your system with it. If it finds any malicious data or settings, the program will automatically delete them for you. Furthermore, it will keep your PC safe in the future by blocking any incoming malware before it manages to enter the system. If you are not sure if a given file or files on your computer may be rogue, you can also use this free online scanner that you can find on our site.

    How to decrypt Ahtw files

    To decrypt Ahtw files, you’ll need a special private decryption key that matches the encryption algorithm that has been used to lock them. It may be possible to reverse-engineer that key using a free decryption tool, and thus decrypt the Ahtw files.

    After you’ve completed the guide and/or used the professional anti-malware tool to eliminate Ahtw, you can safely move on to the decryption of your files. We cannot promise you that the next method will work for everyone, but it’s still worth the try, considering the ransom payment alternative.

    Also, note that, for this method to work, you will need several file pairs with identical files, of which one is encrypted, and the other one is accessible. Search your other devices, external drives, cloud storages, USB Flash drives, emails, and other locations to find a couple of accessible files that can form such pairs with encrypted files on your PC. If you’ve managed to form several such pairs, you can begin the next steps.

    1. Start by going to this link, clicking on the first Choose a file option, and loading an encrypted file from one of the aforementioned file pairs.
    2. Next, click the other Choose a file button and load the accessible version of the same file pair.
    3. Click the Submit button, and wait for the decryption key to get generated. If no key gets extracted, try again using a different pair of files.
    4. If a key is successfully extracted, go to this page and download the tool you’ll find on it.
    5. Once the program downloads, right-click it, click Open as Administrator, approve the action, and agree to the tool’s terms of use.
    6. Finally, once on the main page of the decryption tool, load a folder where there are encrypted file, click on Decrypt, and wait for the process to complete.

    If the decryption process doesn’t work for some or all of your files, you can go back and try with a different pair of files.


    About the author


    Violet George

    Violet is an active writer with a passion for all things cyber security. She enjoys helping victims of computer virus infections remove them and successfully deal with the aftermath of the attacks. But most importantly, Violet makes it her priority to spend time educating people on privacy issues and maintaining the safety of their computers. It is her firm belief that by spreading this information, she can empower web users to effectively protect their personal data and their devices from hackers and cybercriminals.

    Leave a Comment

    We are here to help! Use SpyHunter to remove malware in under 15 minutes.

    Not Your OS? Download for Windows® and Mac®.

    * See Free Trial offer details and alternative Free offer here.

    ** SpyHunter Pro receives additional removal definitions and manual fixes through its HelpDesk in cases where they are needed.

    Spyware Helpdesk 1