How to remove Shadow ransomware and restore encrypted files

A guide on how to delete the Shadow virus and decrypt files corrupted by the ransomware. Effective antivirus and programs that can restore lost information. During encryption, Shadow changes the extension of files to .[e-mail address]-id-[numbers].shadow.




Shadow ransomware has already infected many laptops in different parts of the world via the easiest method: fake messages with dangerous attachments. Occasionally scammers use exploits to infect the computer, but well-known software developers quickly fix them. After the infection, the virus scans the hard disk and determines the number of folders to be encrypted and their rough value. Currently, any new virus is able to encrypt text, image, audio and video files in all popular formats. Business documents receive special attention, because medium and large companies are the main target for criminals. The virus targets only data files and doesn't damage programs, so that the victim can pay the ransom from the same computer. Encryption is carried out with the well-known RSA and AES algorithms, and its complexity is so high that decrypting the data without the key is impossible. That complexity is the basis for the stunning efficiency of this sort of virus in recent years: an ordinary PC user, even one with pretty good experience in such things, will never recover the data and will need to pay the ransom. The sole way to restore the data is to crack the fraudster's webpage and obtain the master key. Sometimes it is possible to get the keys through flaws in the virus's program code.


Computer knowledge is highly important in the modern world, as it helps the user defend the workstation from computer viruses. Statistically, 90% of users understand the significance of PC knowledge only after a ransomware infection. It's very easy to decrease the chances of getting an encrypting virus by following these rules:

    • Pay attention to dialog boxes. One of the simplest ways to recover information is restoration from Shadow Copies, and the makers of viruses have added the deletion of those copies to the default features of their viruses. However, deleting shadow copies requires administrator rights and the user's acceptance. A second of thought before confirming the pop-up can save your information and your money.
    • Do not ignore the signs that your PC displays. File encryption is a sophisticated operation that uses a considerable amount of computer resources. Within a few seconds of the infection the system slows down, and the encryption process can be seen in Process Manager. You can catch this moment and unplug the system before the data is totally spoiled. In case of an infection, this will protect a lot of your data.
    • Be cautious with e-mails that contain files. A very popular model of scam e-mail is the story about winning a prize or receiving a parcel. The other popular type of scam letter is forged business correspondence. Lawsuits, complaints, summaries, bills for services and goods and similar sensitive information cannot be sent accidentally, and the addressee should know the sender. Otherwise, it is a scam.


Virus removal isn't the happy end; it's only one turn on the long road to complete data restoration. To decrypt the data you'll have to follow the advice in the next section of our article. To delete any malware, the user needs to start the system in safe mode and run a scan with an antivirus tool. We don't advise removing the ransomware by hand, since it has numerous protection mechanisms that can counteract you. Modern encrypting viruses can easily delete encrypted data, or part of it, when you try to delete the program. To avoid this, follow the tips under this paragraph.

Removal instruction

If you are a Mac user, follow this guide: how to decrypt files on Mac.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter



  • Select Boot tab




  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel



  • Select Appearance and Personalization



  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives



  • Press Ok


Step 3. Remove virus files


Check the following folders for suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
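
The locations named in Steps 3 to 5 can be listed in one pass before anything is edited by hand. The PowerShell below is an added example, not part of the original guide; it only reads, and the function names, the 7-day window and the extension list are assumptions chosen for illustration.

```powershell
# Added example: read-only triage for Steps 3-5. Nothing is deleted or changed.

function Get-RecentDroppedFile {
    # Step 3: executables and scripts written under %TEMP% / %ProgramData%.
    # The 7-day window and the extension list are assumptions; adjust as needed.
    param([int]$Days = 7)
    $exts   = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1'
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $env:TEMP, $env:ProgramData -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLower() -and $_.LastWriteTime -gt $cutoff } |
        Sort-Object LastWriteTime -Descending |
        Select-Object LastWriteTime, Length, FullName
}

function Get-ActiveHostsEntry {
    # Step 4: lines that are neither blank nor comments. On current Windows
    # versions the stock hosts file is comments only, so review every line returned.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

function Get-StartupEntry {
    # Step 5: every value under the startup keys listed in the guide, both hives.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($sub in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
            $path = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -Path $path)) { continue }
            $key = Get-Item -Path $path
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Key = $path; Name = $name; Command = $key.GetValue($name) }
            }
        }
    }
    # Winlogon\Userinit normally holds only the path to userinit.exe and a trailing comma.
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        Key     = $winlogon
        Name    = 'Userinit'
        Command = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    }
}

Get-RecentDroppedFile | Format-Table -AutoSize -Wrap
Get-ActiveHostsEntry
Get-StartupEntry | Format-List
```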

Step 6. Scan computer with antivirus



We advise downloading SpyHunter to see if it can detect the malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

The SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase the full version of the program for 39.99$. More information about SpyHunter, EULA and Privacy policy.


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

If you have completed all the steps above, it's time to restore the data. We're not able to reverse the encryption, but we'll get the files back via OS functionality and additional programs: Shadow Explorer or Recuva.

  • Click Start
  • Click Control Panel



  • Click System and Security



  • Select Backup and Restore



  • Select Restore files from backup
  • Select checkpoint to restore
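
Before choosing a checkpoint, it helps to know which folders were hit and whether any shadow copy is older than the encryption. The PowerShell below is an added example, not part of the original guide; it assumes the id in the `-id-[numbers].shadow` extension is decimal digits, that the ransomware left file write times untouched, and that the user profile is the folder to check first.

```powershell
# Added example: read-only. Run from an elevated prompt so shadow copies are visible.
# Assumptions: the id in "-id-[numbers].shadow" is decimal digits, and the
# ransomware did not alter the timestamps of the files it rewrote.
$root    = $env:USERPROFILE            # assumption: start with the user profile
$pattern = '-id-\d+\.shadow$'

$hits = @(Get-ChildItem -Path $root -Recurse -File -Force -Filter '*.shadow' -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -match $pattern })

if ($hits.Count -eq 0) {
    "No files matching $pattern under $root"
} else {
    # Folders with the most encrypted files first: this is what has to be restored.
    $hits | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize

    # The earliest write time among encrypted files approximates when encryption began.
    $firstHit = ($hits | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    "Earliest encrypted file written: $firstHit"

    # Shadow copies that still exist. Only those created before $firstHit can
    # contain unencrypted versions; an empty result means none survived.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate |
        Select-Object InstallDate, VolumeName, DeviceObject,
            @{ Name = 'PredatesEncryption'; Expression = { $_.InstallDate -lt $firstHit } } |
        Format-Table -AutoSize
}
```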