Ioqa Virus

7-day Free Trial w/Credit card, no charge upfront or if you cancel up to 2 days before expiration; Subscription price varies per region w/ auto renewal unless you timely cancel; notification before you are billed; 30-day money-back guarantee; Read full terms and more information about free remover.

*Ioqa is a variant of Stop/DJVU. Source of claim SH can remove it.


Ioqa is a new malware variant of the Ransomware category that causes your files to become inaccessible by encrypting them. Ioqa then goes on to tell you about a ransom you must pay to free the files via a pop-up notification or a notepad file.

Ioqa 1024x627
The Ioqa ransomware will leave a _readme.txt file with instructions

The pop-up is typically displayed on the screen whenever the user tries to open an encrypted file. If a notepad file is used to inform you about the demanded ransom, then it is usually placed on the Desktop or inside any folder that contains locked data.

The applied data encryption is impenetrable and no regular program can access a file to which it has been applied. This gives the hackers behind threats like Ioqa, Hhoo and Hhmm the needed leverage to ask for a ransom payment. If the user refuses to send them money, they would not be granted access to their files and will not be able to ever use them again – at the very least that is what the cybercriminals behind Ioqa would have you believe.

In reality, however, things are a bit different. The first thing worth mentioning here is that the payment of the demanded sum doesn’t necessarily mean that the files will be restored. In order to decrypt the locked data, the user needs a special key that is in possession of the hackers. According to the latter, if the payment is made, the key will be sent to the victim immediately. However, there are countless examples when users have completed the payment, yet the hackers haven’t provided them with a working decryption key. This is one of the reasons why it is inadvisable to opt for the payment “solution” because it may backfire and worsen the situation instead of mitigating it.

The Ioqa virus

The Ioqa virus is a new and advanced computer infection that’s able to block all data on your computer. The Ioqa virus aims to force you to spend money on the release key for your files by paying a ransom to the hackers.

Ioqa Virus 1024x631
The Ioqa will encrypt your files

We already mentioned one of the reasons why paying that ransom is not a particularly wise idea. Another reason we can give you to not pay the money is the potential for recovering some of the data via alternative means. We will give you some potential recovery options in the guide you will see below, but you will first need to complete the removal section in order to get rid of the virus.

The Ioqa file extension

The Ioqa file extension is a special sequence of characters that are added at the end of the filenames of the encrypted files. The Ioqa file extension replaces the normal extensions of the files, effectively making those files unrecognizable to the programs on the computer.

Decrypting the files is the only way to remove the extension but without the key, you may not be able to achieve this. However, if you are lucky, some of the methods explained in our removal guide may allow you to bypass this problem and still recover some of your data without needing to contact the hackers whatsoever.


Data Recovery ToolNot Available
Detection Tool

*Ioqa is a variant of Stop/DJVU. Source of claim SH can remove it.

Ioqa Ransomware Removal


If the Ioqa Ransomware is presently on your computer, the first step towards deleting the virus and preventing it from further encrypting more of your files is to end its process/process tree. You can do this from the Task Manager’s Processes tab so open this by pressing the Ctrl + Shift + Esc keys together and then selecting Processes. The list shown on your screen contains all currently running processes on your PC and your task is to find the one that comes from the virus. It is unlikely that the name of that process would be the same as that of the virus (Ioqa) but if you see such a process, right-click on it and then select the End Process Tree option. If you don’t see a process with the Ioqa name, then look for other ones that have unfamiliar and/or suspicious-looking names and that are consuming a lot of virtual memory (RAM) and processing power (CPU).

One thing we should mention here is that it is possible that a normal system process seems suspicious to you so we suggest that you take a few moments to look up the names of all processes you deem questionable before you make the decision to end them. A quick online search should be enough to let you know whether a given process from your Task Manager is from your system or is from an unwanted and harmful program such as Ioqa.


Once you have pinpointed the process in the Task Manager that is most likely linked to the Ransomware, right-click on its name, select the Open File Location option, and then use the free online scanner tool provided below and/or your own security program to test the files from the file location for malware code.

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    If any of the scanned files get flagged as malicious, and the suspicious process from the Task Manager and then delete the whole file location folder. If you are not allowed to delete the folder because one or more files contained in it cannot be deleted, delete the rest of the files from that folder and proceed to Step 2. Once the whole guide has been completed, you must return to this folder and once more try to delete it with the files that are left in it – hopefully, you should be allowed to do that by then.



    *Ioqa is a variant of Stop/DJVU. Source of claim SH can remove it.

    For Step 2, you will have to restart your PC into Safe Mode – this will help you remove the virus by keeping it from launching its processes on startup, thus stopping Ioqa from interfering with your attempts to delete it. Detailed instructions on how to enter Safe Mode for different versions of Windows can be accessed on the provided link.


    *Ioqa is a variant of Stop/DJVU. Source of claim SH can remove it.

    Once your computer reboots and Safe Mode is now enabled, open the System Configuration window by typing system configuration under the Start Menu and selecting the first icon that gets shown in the search results. Then select Startup and see what items are shown in the list – those are apps and features that automatically start when Windows loads and if any of those apps/features seem like they could be from the virus, you must uncheck the checkbox in front of them and then click on Apply. In general, we suggest unchecking everything that seems unfamiliar, unneeded, or that has an Unknown manufacturer in addition to everything that looks like it could be from the Ransomware.


    After you are done with disabling potentially unwanted startup items, click on OK to finalize this step.


    Next you must access the Hosts file of your PC by placing this next line under the Start Menu and then hitting the Enter key: notepad %windir%/system32/Drivers/etc/hosts. When the Hosts file appears on your screen, you must see if there are any lines written below the “Localhost” word – if there are, you must copy all of them and send them to us by writing us a comment below this article. It is highly likely (though not guaranteed) that those lines have been placed there by the virus and must be removed. However, we must first have a look at them to confirm that this is indeed the case with your Hosts file which is why we need you to show us what is written below Localhost. Once we take a look at what you’ve sent us, we will tell you whether you need to do anything about those lines in your Hosts file.

    hosts_opt (1)

    If we determine that the lines that you have sent us are from the virus, we will let you know, and then you will have to delete them from the Hosts file, saving the changes afterwards.


    For this step, you must find items in your PC’s Registry placed there by the Ransomware. In some cases, it may be difficult to tell if an item in the Registry is from a virus which could lead to deleting the wrong thing and causing more problems to your system. Therefore, we strongly advise our readers to always contact us when in doubt about a certain Registry item that they are not sure if they should remove.

    One way you can access the Registry Editor for your PC is to type regedit under the Start Menu and then hit Enter. Before the Editor opens, you will be required to allow the app to make changes to the computer so click on Yes to provide confirmation. After you do this, the Registry Editor will start and you must then go to its Edit menu, select Find, and type the name of the virus inside the search box. Now click on the Find Next button and if there are any items in the Registry with Enfp in their name, you will be shown the first search result which you must delete by selecting it, pressing Del from your keyboard, and then selecting Yes. Do the search again and delete the next found item and keep doing this until there’s nothing left in the Registry that is named Enfp.

    Next, find the following Registry directories:

    • HKEY_CURRENT_USER > Software
    • HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
    • HKEY_CURRENT_USER > Software > Microsoft > Internet Explorer > Main

    Sometimes, malware programs add items to them that don’t carry the name of the virus but instead have long and odd-looking names consisted of numbers and letters arranged in a seemingly random order. If you think that a given item in those Registry directories fits this description, you should probably delete it. However, since, as we already pointed out, it might sometimes be difficult to determine when a given Registry item needs to be deleted because it has been added there by a malware program, remember that you can always ask for our assistance, and we will tell you whether you should delete a given item from the Registry.



    For this final step, you must copy each of the next lines, paste them under the Start Menu, and hit the Enter key for each line to open the respective folder that it redirects to. 

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    In those folders, sort the files stored in them by date and then delete all files from the newest one to the one created just before the Ransomware infected your computer. When you get to the Temp folder, delete all files that are stored inside of it.

    Once you have completed the current step and all the ones that came before it, return to the file location folder from Step 1 and try to delete that folder again – this time you shouldn’t have any problems doing that because all other Ransomware data should have already been removed from your PC.

    How to Decrypt Ioqa files

    Deleting the virus is only the first stage of file recovery. The removal itself will not release your files but it is important to ensure that the threat is gone so that no more files get encrypted and the files you may manage to restore don’t get locked up again. Once you complete this guide and are certain that the threat is no longer on your computer, it is time to try to bring back your data. Obviously, one possible way is to pay the ransom, but we advise against it because you may simply throw away your money without getting your data back. Therefore, we have created a How to Decrypt Ransomware Guide on our site where we have explained several alternative data-recovery methods that our readers can try in order to attempt to restore their locked data without paying the ransom. We suggest you go to that guide as soon as you finish the steps from the current one.

    Final Notes

    We sincerely hope that the instructions we have provided on this page have been enough to delete the Ioqa threat from your computer. If, however, the virus still seems to be inside the system, do not forget that you can also use the advanced and powerful security program recommended here, on this page, as it can quickly find and delete all sorts of malware threats and also keep you protected in the future. Additionally, if you think a certain file on your computer may contain malicious code from the Ransomware, you can always use our online scanner for free to test any such files.

    About the author


    Brandon Skies

    Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.

    Leave a Comment