.Booa is a new Windows virus that attacks the files of its victims by blocking the access to them using data encryption. The hackers behind .Booa want the infected users to pay a ransom in order to receive the means for unlocking their inaccessible data.
If a user who doesn’t keep any sensitive or important files on their computer gets attacked by such a virus, they wouldn’t be in too much trouble because the malicious program doesn’t do any other type of harm. It won’t damage the computer’s system or spy on the user, so if the files locked by it aren’t too valuable, the attack from this piece of malware shouldn’t be a huge deal. The same would be the case if the attacked user has previously made sure to copy their important files to a backup location. Such backup locations can be cloud storage, external drives, or even other devices (preferably ones that aren’t connected to the Internet).
The real problem with .Booa, .Igdm, .Weui and other similar infections comes when there is no backup and the files locked by the virus are important to the user. In those cases, the victim is forced to make the difficult choice between paying the requested ransom and trying some alternative options. Below, we will tell you what we believe is the best course of action if Ransomware has attacked you and we will explain what you can do to ameliorate the situation.
The .Booa virus
The .Booa virus is a Windows infection categorized as file-blocking Ransomware. The representatives of the Ransomware category such as the .Booa virus are known for their ability to silently encrypt all potentially important user data and later demand a ransom for the decryption key.
If this virus has attacked you and has managed to place its advanced encryption on some important files that you don’t want to lose, it is important not to panic and not to do the first thing that comes to mind. If you have enough money and can afford to pay the ransom, this option may seem like a reasonable trade-off if the files the virus has locked are really that valuable to you. However, you must understand that the ransom payment cannot guarantee anything. Yes, it improves your chances of restoring your files, but it doesn’t remove the possibility of the hackers simply deciding that they won’t provide you with the decryption key.
The .Booa file decryption
The .Booa file decryption is a file-recovery process that is only possible if you have the corresponding access key. The .Booa file decryption cannot be completed without that key but in order to get it, you are required to pay the ransom.
However, there may be ways you can bring back your data without necessarily acquiring the key or even without decrypting the locked files. Like the ransom payment, the alternative methods don’t guarantee that your data will be restored but, with them, you will at least not be required to risk your money. In the guide below, there are instructions on how to first remove .Booa and then attempt to bring some of your files back without paying the ransom.
Some threats reinstall themselves if you don't delete their core files. We recommend downloading SpyHunter to remove harmful programs for you. This may save you hours and ensure you don't harm your system by deleting the wrong files.
.Booa Ransomware Removal
Important! In this guide, there will be steps that will require you to quit your browser. That’s why, in order to get back to this page quickly, we recommend that you bookmark it by clicking on the star icon in the upper right corner of the URL bar.
The other important thing that you need to do before you start the actual removal process of .Booa is to boot your computer in Safe Mode. The active link will lead you to another guide that will show you how to do that.
Once you have bookmarked this page and have entered Safe Mode, your first job is to launch the Windows Task Manager app. A quick way to do that is to use the CTRL + SHIFT + ESC key combination.
Go to the Processes Tab when the app opens and carefully examine the processes that are running. Look for processes that are consuming way too much CPU or Memory and google them if you cannot determine if they are malicious. Keep in mind that ransomware threats like .Booa may operate under different names and may use the name of legitimate system processes as a cover.
When you are sure that you have detected a .Booa-related process, right-click on it. Then, choose Open File Location from the list of options that appears on the screen. Scan the files found in that location for malware with the free online virus scanner that is available here:
If the scanned files are flagged as malicious, end the processes related to them by going back to the Task Manager’s Processes tab, and delete the folders that contain the infected files.
After you have removed all the infected files and have ended their malicious processes from the Task Manager, press the Start and R keys on your keyboard together to open a Run box. Next, copy this command in the Run box’s text field:
Hit the Enter key from the keyboard and this will immediately open a text file on your screen that is named “Hosts”.
Scroll through the file and find the place where it is written “Localhost”. Normally, there shouldn’t be many IP addresses under Localhost, but in case you see some, this might indicate that your computer has been hacked.
The image below explains what you have to look for:
If the “Localhost” section of your Hosts file contains some suspicious IP addresses, please drop us a comment below this post and we will reply to you with instructions on what you need to do next.
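The Hosts file check described above can also be scripted. The following is an added example, not a tool from this guide: it lists every active Hosts entry that is not a plain loopback mapping for localhost. The sample content is constructed, and treating every other entry as worth a review is an assumption based on the description above.

```python
import ipaddress
import sys

# Constructed sample Hosts content for illustration (not from a real machine).
SAMPLE_HOSTS = """\
# constructed sample Hosts file
# 127.0.0.1   localhost
127.0.0.1     localhost
::1           localhost
203.0.113.10  login.example.com
0.0.0.0       updates.example.net   # trailing comment
not-an-ip     broken.example
"""


def audit_hosts(text):
    """Return (line_no, address, names, reason) for each active entry that is
    not a plain loopback mapping for "localhost"."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # comments never take effect
        if not entry:
            continue
        address, *names = entry.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "malformed address"))
            continue
        if names and ip.is_loopback and all(n.lower() == "localhost" for n in names):
            continue  # the expected default entry
        if not names:
            reason = "address without a hostname"
        elif ip.is_loopback or ip.is_unspecified:
            reason = "hostname pointed at the local machine"
        else:
            reason = "hostname redirected to another address"
        findings.append((line_no, address, names, reason))
    return findings


if __name__ == "__main__":
    # Pass the path of a Hosts file to audit it; with no argument the
    # constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, address, names, reason in audit_hosts(text):
        print(f"line {line_no}: {address} {' '.join(names)} -> {reason}")
```

An empty result means the file holds only comments and the default localhost entries; anything listed should be looked up before it is removed.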
After you have checked the Hosts file, and you haven’t detected anything suspicious in it, type the msconfig command in the Windows search field and hit enter. The System Configuration app will launch immediately:
Go to the fourth tab, which says Startup. There, carefully check the apps that are allowed to launch with the system’s startup and look for suspicious or .Booa-related entries. Remove the checkmark from the checkbox of these entries. If there are entries that have “Unknown” Manufacturer, remove the checkmark from their checkbox as well.
- Attention! Ransomware like .Booa may use a fake name for its processes and Manufacturer, so make sure that you google the entries you leave checked.
You won’t be able to fully remove the ransomware unless you delete its entries from the Registry Editor. That’s why in this step you will have to launch it (type Regedit in the Windows search field and press Enter) and perform a search.
When the Registry Editor opens, press CTRL and F keys from the keyboard together. A Find box will appear on your screen where you have to type the name of the virus, which in your case is .Booa.
Next, click on the Find Next button and delete any entries that are found with this name. We need to warn you, though, that you need to be very careful with your deletions because if you happen to delete something that is not related to .Booa, this may damage your entire Operating System in a serious way. If you want to avoid that, you are better off using a professional removal tool that can clean the registries from the ransomware for you.
Once you are done with finding and deleting the ransomware entries by their name, go to the Windows Search Field and type each of the following:
After each search, check if anything new has recently been added to these directories. When you reach the Temp folder, delete everything that is found there.
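One way to check a folder for recent additions without relying on Explorer's sort order, as an added example that is not part of the original guide. The function name and the 7-day window are assumptions; the folder to inspect is passed as an argument and defaults to the current user's Temp folder. The script only lists files and deletes nothing.

```python
import os
import sys
import tempfile
import time


def recent_files(root, days=7, now=None):
    """Return [(timestamp, path)] for files under root that were created or
    modified within the last `days` days, newest first. Read-only."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    # os.walk silently skips folders it is not allowed to list.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow links out of the folder
            except OSError:
                continue  # file vanished or is locked; skip it
            # Creation time where the platform exposes it (st_birthtime, or
            # st_ctime on older Windows Pythons); elsewhere st_ctime is the
            # metadata-change time. Taking the later of the two stamps still
            # catches a new file whose "modified" date was set in the past.
            created = getattr(st, "st_birthtime", st.st_ctime)
            stamp = max(st.st_mtime, created)
            if stamp >= cutoff:
                hits.append((stamp, path))
    hits.sort(reverse=True)
    return hits


if __name__ == "__main__":
    # Folder to inspect: first argument, else the current user's Temp folder.
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    for stamp, path in recent_files(root):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(stamp)), path)
```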
Remember! You can always ask us for help in the comments below any time you run into trouble!
How to Decrypt .Booa files
The hardest part about being infected with ransomware such as .Booa is the recovery of the encrypted files. Personal backups may be of great help when it comes to this but there are also a few other methods that may be worth your attention if you are not keen on paying a ransom to some anonymous cyber crooks.
That’s why at the end of this guide we have included a link to a detailed and daily updated file-recovery guide that you can find here.
If you cannot deal with .Booa on your own and the ransomware is still causing you trouble, please don’t leave it like that and use the professional removal program that we recommend, or another trusted anti-virus software of your choice.