The Anonpop Fake Ransomware is a malware program discovered by @JAMESWT_MHT that pretends to be a ransomware that encrypts your files and demands a ransom of $125 to decrypt them. In reality, though, this program does not encrypt any of your files and deletes them instead. Thankfully, these scumbags do not securely delete the files and you can use Shadow Volume Copies or programs like Recuva or PhotoRec to recover your files.
When installed, Anonpop will delete every file found in the following folders and drives
%USERPROFILE%\Documents\ %USERPROFILE%\Downloads\ %USERPROFILE%\Pictures\ %USERPROFILE%\Music\ %USERPROFILE%\Videos\ %USERPROFILE%\Contacts\ %USERPROFILE%\Favorites\ %USERPROFILE%\Searches\ C:\Program Files\Google\ C:\Program Files\Windows Defender\ C:\Program Files\Mozilla Firefox\ C:\Program Files\Internet Explorer\ C:\Program Files (x86)\Google\ C:\Program Files (x86)\Internet Explorer\ C:\Program Files (x86)\Mozilla Firefox\ %AppData%\Local\Temp\ %USERPROFILE%\Desktop\ D:\ E:\ F:\ H:\ G:\ I:
It will then download a JPG image and display it over the Windows desktop so that you are unable to access your normal programs, start menu, or files. This JPG image is a ransom note, shown below, that states that your computer and files are encrypted and that you must pay $125 within 24 hours or $199 after 24 hours to get your files back. They also state that after 72 hours the files will be deleted. They then tell you to contact email@example.com once you have made payment.
In reality, if you see this message, all of the files in the above folder have already been deleted.
Another malware executable will then be downloaded that is set to run every time you log into Windows. This executable, will display a similar message as the ransom note above and then automatically begin a shutdown of Windows. That means that every time someone logs in, they would just be logged off again in 60 seconds.
The shutdown alert can be seen below.
The good news is that the developer of this program did not securely delete your files and you can use a tool like Recuva or PhotoRec to recover your files. Before using a file recovery tool, I suggest you try to recovery your files from Shadow Volume Copies and then use recovery tools for any files that cannot be recovered.
For information on how to recover files from Shadow Volume Copies, you can use this tutorial: How to recover files and folders using Shadow Volume Copies.
How did the Anonpop Fake Ransomware get on my computer?
The AnonPop or Supportfile@yandex.com malware is distributed via SPAM emails that pretend to be complaints from the Office of The Attorney General. This email will state that a complaint has been filed against the business and will contain a link to the supposed complaint. An example of this email can be seen below.
From: The Office of The Attorney General <firstname.lastname@example.org>
Subj: The Office of The Attorney General Complaint
Dear Business Owner:
A complaint has been filed against your Business.
Enclosed is a copy of the complaint which requires your response. You have 10 days to file a rebuttal if you so desire.
You may view the complaint at the link below.
Rebuttals should not exceed 25 pages and may refer to any additional documents or exhibits that are available on request.
The Office of The Attorney General cannot render legal advice nor can The Office of The Attorney General represent individuals or intervene on their behalf in any civil or criminal matter.
Please review the enclosed complaint. If filing a rebuttal please do so during the specified time frame.
The Office of The Attorney General
This document and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this email.
When a user clicks on this link, a zip file called complaint376878.zip is downloaded, which contains a batch file that pretends to be a PDF file. If a user double-clicks on the PDF file, the batch will use PowerShell commands to download other files that install the rest of the malware.
As you can see, the person who created this malware is a real low life who is trying to steal your money even after they have deleted your files. This guide will walk you through removing the anonpop crapware from your computer. It will not, though, explain how to use Recuva or other file recovery tools to get your files back. For those who need help with that, you should ask in our Ransomware Tech Support and Help Forum.
Self Help Guide
If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
To remove Fake AnonPop Ransomware, follow these steps:
- STEP 1: Print out instructions before we begin.
- STEP 2: Reboot into Safe Mode with Networking
- STEP 3: Use Rkill to terminate suspicious programs.
- STEP 4: Use Malwarebytes AntiMalware to Scan for Malware and Unwanted Programs
- STEP 5: Use AdwCleaner to remove adware from a computer.
- STEP 6: Use HitmanPro to scan your computer for badware
- STEP 7: Run Secunia PSI to find outdated and vulnerable programs.
This removal guide may appear overwhelming due to the amount of the steps and numerous programs that will be used. It was only written this way to provide clear, detailed, and easy to understand instructions that anyone can use to remove this infection for free. Before using this guide, we suggest that you read it once and download all necessary tools to your desktop. After doing so, please print this page as you may need to close your browser window or reboot your computer.
Reboot your computer into Safe Mode with Networking using the instructions for your version of Windows found in the following tutorial:
When following the steps in the above tutorial, select Safe Mode with Networking rather than just Safe Mode. When the computer reboots into Safe Mode with Networking make sure you login with the username you normally use. When you are at your Windows desktop, please continue with the rest of the steps.
To terminate any programs that may interfere with the removal process we must first download the Rkill program. Rkill will search your computer for active malware infections and attempt to terminate them so that they wont interfere with the removal process. To do this, please download RKill to your desktop from the following link.
When at the download page, click on the Download Now button labeled iExplore.exe. When you are prompted where to save it, please save it on your desktop.
Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Fake AnonPop Ransomware and other malware. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and a log file will open. Please review the log file and then close so you can continue with the next step. If you have problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
Do not reboot your computer after running RKill as the malware programs will start again.
At this point you should download Malwarebytes Anti-Malware, or MBAM, to scan your computer for any infections, adware, or potentially unwanted programs that may be present. Please download Malwarebytes from the following location and save it to your desktop:
Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mb3-setup-1878.1878-188.8.131.528.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave Launch Malwarebytes Anti-Malware checked. Then click on the Finish button. If MalwareBytes prompts you to reboot, please do not do so.
MBAM will now start and you will be at the main screen as shown below.
We now need to enable rootkit scanning to detect the largest amount of malware and unwanted programs that is possible with MalwareBytes. To do this, click on the Settings button on the left side of the screen and you will be brought to the general settings section.
Now click on the Protection tab at the top of the screen. You will now be shown the settings MalwareBytes will use when scanning your computer.
At this screen, please enable the Scan for rootkits setting by clicking on the toggle switch so it turns green.
Now that you have enabled rootkit scanning, click on the Scan button to go to the scan screen.
Make sure Threat Scan is selected and then click on the Start Scan button. If there is an update available for Malwarebytes it will automatically download and install it before performing the scan.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
When MBAM is finished scanning it will display a screen that displays any malware, adware, or potentially unwanted programs that it has detected. Please note that the items found may be different than what is shown in the image below due to the guide being updated for newer versions of MBAM.
You should now click on the Remove Selected button to remove all the selected items. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
You can now exit the MBAM program.
Now please download AdwCleaner and save it to your desktop. AdwCleaner will scan your computer for adware programs that may have been installed on your computer without your knowledge. You can download AdwCleaner from the following URL:
When AdwCleaner has finished downloading, please double-click on the AdwCleaner.exe icon that now appears on your desktop. Once you double-click on the icon the AdwCleaner program will open and you will be presented with the program's license agreement. After you read it, click on the I agree button if you wish to continue. Otherwise, click on the I disagree button to close the program. If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
If you selected to continue, you will be presented with the start screen as shown below.
Now click on the Scan button in AdwCleaner. The program will now start to search for known adware programs that may be installed on your computer. When it has finished it will display all of the items it has found in Results section of the screen above. Please look through the results and try to determine if the programs that are listed contain ones that you do not want installed. If you find programs that you need to keep, then uncheck the entries associated with them.
For many people, the contents of the Results section may appear confusing. Unless you see a program name that you know should not be removed,please continue with the next step.
To remove the adware programs that were detected in the previous step, please click on the Clean button on the AdwCleaner screen. AdwCleaner will now prompt you to save any open files or data as the program will need to close any open programs before it starts to clean.
Please save your work and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
Please click on the OK button to let AdwCleaner reboot your computer.
When your computer reboots and you are logged in, AdwCleaner will automatically open a log file that contains the files, registry keys, and programs that were removed from your computer.
Please review this log file and then close the Notepad Window.
If your computer is still in Safe Mode with Networking, you can reboot your computer back to normal mode. Once your computer is rebooted and you are back at the desktop, you can proceed with the rest of the instructions.
Now you should download HitmanPro from the following location and save it to your desktop:
When you visit the above page, please download the version that corresponds to the bit-type of the Windows version you are using.
Once downloaded, double-click on the file named HitmanPro.exe (for 32-bit versions of Windows) or HitmanPro_x64.exe (for 64-bit versions of Windows). When the program starts you will be presented with the start screen as shown below.
Now click on the Next button to continue with the scan process.
You will now be at the HitmanPro setup screen. If you would like to install the 30 day trial for HitmanPro, select the Yes, create a copy of HitmanPro so I can regularly scan this computer (recommended) option. Otherwise, if you just want to scan the computer this one time, please select the No, I only want to perform a one-time scan to check this computer option.
Once you have selected one of the options, please click on the Next button.
HitmanPro will now begin to scan your computer for infections, adware, and potentially unwanted programs. When it has finished it will display a list of all the items that Hitman has found as shown in the image below. Please note that the items found may be different than what is shown in the image.
You should now click on the Next button to have HitmanPro remove the detected items. When it is done you will be shown a Removal Results screen that shows the status of the various programs that were removed. At this screen you should click on the Next button and then if prompted you should click on the Reboot button. If HitmanPro does not prompt you to reboot, please just click on the Close button.
Once your computer has has restarted or you pressed the Close button, you should now be at your Windows desktop.
As many malware and unwanted programs are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
Your computer should now be free of the Fake AnonPop Ransomware program. If your current security solution allowed this program on your computer, you may want to consider purchasing the full-featured version of Malwarebytes Anti-Malware to protect against these types of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Are Your Protected?
While Malwarebytes Anti-Malware & HitmanPro will scan and clean a computer for free, the free versions do not offer real-time protection. If you want to be fully protected at all times then it is recommended that you purchase a premium version.
Purchase the full-featured version of Malwarebytes Anti-Malware, which includes real-time protection, scheduled scanning, and website filtering, to protect yourself against these types of threats in the future!
Purchase the full-featured version of HitmanPro, which includes discover viruses, trojans, rootkits, spyware and other malware on up-to-date and fully protected computers using cloud protection and behavioral detections, to protect yourself against these types of threats in the future!
Disclaimer: While we do earn a commission from the sale of the above products, rest assured we only recommend them due to their effectiveness.