How to remove Facebook ransomware and restore encrypted files

If you fell a victim of a ransomware and you know that it is the Facebook virus – in our guide you will receive help. We suggest easy and safe tips on Facebook deletion and practicable methods to restore the wasted info.

What is Facebook

Ransomware can be considered a worricow of mankind, and everyone knows that if a pop-up says: “files are encrypted” – it’s time to worry. It’s a correct reaction, unfortunately. An encrypting virus is the worst threat that you might meet in the Web as a regular customer has no resources to uninstall it. The single case when you can defeat an encrypting virus is when you are not facing a real one, but a dummy, that blocks the display and attempts to lure your funds. In all other events, if a virus was developed and secured in a right method – you can only hope that specialists can beat it. If web-criminals committed a mistake, and a virus has any drawbacks, which allow you to recover data – you'll find a solution in the following article.



Regardless of ransomware’s kind, the RSA and AES methods are overly complicated to break them directly. It will take centuries to perform all needed calculations on a regular machine and, maybe, 3-4 decades in case of usage of an industrial computer. The only way to neutralize a powerful virus is to find flaws in its code, or hack its database, to find a master key. Some viruses also have a breaker, allowing to stop ransomware's operation completely or to drive it off a particular machine. If someone discovers such breaker for Facebook, or create a decryptor, we'll provide you with full information in this article.


So, what is Facebook ransomware? The main difference between this virus and other ransomware is thta Facebook virus doesn't ask a ransom. It encrypt the files and just mocks users. It consists of an absolutely legitimate coding algorithm that changes the files on user’s workstation, so you can't use them in any way. Of course, a key is encrypted too, but with another algorithm. Usually, web-criminals favour RSA and AES manners, which are known for their complexity and reliability. These methods and the software based on them can be easily found on the Internet, so scammers just have to create techniques of defense, to block an access to a program, and create the safe update and control system. Some viruses may act on their own, and swindlers get a report of another victim as late as he writes them and transmits his money. The best viruses are work in another manner, and send files to hundreds URL's, to confuse the researchers and throw them off virus’ track.


There are several alternatives to test, before giving up and waiting for a decryptor. As it is stated in previous paragraphs, scammers make failures, and certain characteristics of your system can serve you to restore files.


  • If your system record has no administrator capabilities – you can compliment yourself. The matter is that your operating system replicates any files until they’re deleted or encrypted. Those copies are called SVC, and Facebook knows how to destroy them. If you are operating from the usual profile – the OS requests for a confirmation at the exact second Facebook attempts to remove these copies. If you saw suchlike request and declined it – then the SVC are fine, and you should use a topical software to restore the data.
  • A protected copy is the only fully effective manner to recover your information, but you have to remove a virus first. Make sure that the ransomware is eliminated in full, since if it’s not – all info will be spoiled instantly, with the files that are on a flash drive.


If all of these advice didn't help and you have no way to restore encrypted information – you need to remove Facebook from your device and wait until a decryptor will be created.

How to remove Facebook

As for the elimination – there’s no chance to totally avoid an installation of software. This ransomware is too tricky and you will definitely pass some parts and then regret it (it could happen if you connect an outer data storage with the backups to a not-really-purged device). It also conceals pretty good, so you just won’t have a chance to uninstall it totally by hand. Here's your elimination specification that can help you to get rid of this issue. It consists of several manual stages and an extra AV software stage.

Removal instruction

If you are MAC user, follow this guide: how to decrypt files on MAC.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus

Here's Spyhunter AntiMalware that is not only effective, but also modern and continuously evolving antivirus that will clean the computer of all viruses. Click the link below to test it and eliminate the ransomware.


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program. More information about Spyhunter, EULA and Privacy policy.


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore files

Since you cleared your system of Facebook ransomware, or at though aware of how you can to do it, let’s think about the data restoration. As we said before, if you logged in from an admin account and you granted Facebook a pass to the computer – you have no trick to recover your data except for the previously saved copies. If you use a common entry – you might have a chance, but it needs peculiar recovery software. The most popular ones of them are Recuva or ShadowExplorer tools. They're easy to get on their official websites, with good guides.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore


Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 0.00 [0 Votes]

You have no rights to post comments



Acronis suggestion to CrashPlans users

Around month ago, there was an accident with CrashPlans backup software. You can read the discussion on Reddit about it with real users comments: reddit.


Looking on bad experience of using CrashPlans recovery software, Acronis decided to make their own suggestion to user's who decide to change one program to another.


Company is offering 50% discount to CrashPlan users that want to switch to Acronis Backup, but is subject to validation. 50% off their new Acronis Backup Licenses


Want to know more about Acronis to decide if it's suitable to you, read our review: Acronis True Image 2019.







What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience