How to remove Writeme virus and restore encrypted files

Encryption virus can be considered a roadkill of our society, and everyone knows that if you cannot access your information and there's a ransom note – the things are going ugly. It’s a true, by the way. An encrypting virus is the ugliest threat that you might face in the Web since a regular man literally cannot uninstall it. The exclusive case when you're able to beat ransomware is if you aren't facing a real one, but an imitation, that blocks your screen and attempts to lure your money. In any other case, if ransomware was developed and tuned in a right method – you can only trust that malware fighters will beat it. If swindlers committed a mistake, and there are any vulnerabilities, that let you to restore data – you'll find a solution in this guide.



Virus sort doesn't actually matter, as the AES and RSA methods are very complex to bruteforce them. It might take hundreds of years to execute all needed operations on a standard home PC and, possibly, few decades if you have an access to an industrial gear. The only method to beat a well-made ransomware is to hack it, or break into its server, to receive a master key. Rare viruses also have a breaker that can stop ransomware's activity in full or to leave unscathed a particular device. If anyone discovers such switch for Writeme, or make a decryptor, we'll update this item.


Ransomware virus is built upon a completely legitimate encryption system that modifies the folders on operator’s machine, so customer can't utilize them in any approach. That key is also encrypted with another algorithm. In most cases, these manners are AES and RSA, which are known for their complexity and fail-safety. These methods and the programs built upon them are in free access in the Web, so web-criminals only need to create mechanisms of defense, to block an admittance to a program, and make the flawless update and control scheme. Some viruses may work in standalone mode, and web-criminals know of another "client" only when he turns to them and forwards the ransom. Other viruses are function in another manner, and transmit reports to thousands servers, to puzzle the malware-fighters and throw them off virus’ track.


Here we've gathered a few things to test, before yielding and waiting for a decryptor. As we said earlier, swindlers make errors, and certain peculiarities of the Windows might support you to get back your information.


  • If you employ an entry without administrator rights – you're very fortunate. The thing is that the Windows duplicates all information prior to they’re eliminated or altered. These backups are known as the Shadow Volume Copies, and Writeme knows how to destroy them. If you are employing the user's account – the operating system asks for a permission at the very moment Writeme attempts to delete SVC. If you've seen such thing and reversed it – it means that the copies are safe, and might be used to restore the files.
  • A protected copy is the sole entirely effective method to get the data back, but you should eliminate Writeme first. Ensure that the virus is removed totally, because if it’s not – all files will be corrupted again, with the files that are on an outer hard drive.


If you examined all these things and there is no possibility to restore your information – you need to remove the malware from the device and expect when a decryption program will be created.

How to remove Writeme

Unfortunately, you can't completely escape an automatic mode. The virus is too sly and you could miss some remains and then regret it (it may happen if you line up an external data storage with the backups to a not-totally-clean computer). It knows how to hide pretty good, and you just won’t have a chance to eliminate it entirely on your own. Knowing this, we’ve made an efficient uninstall instruction which can suit all your needs. It has several manual steps and an optional antivirus software step.

Removal instruction

If you are MAC user, follow this guide: how to decrypt files on MAC.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus

Here's Spyhunter anti-viral tool which is not only effective, but is fast and constantly developing program that will clean your device of all dangerous programs. Push the button below to use it and delete Writeme.


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program for 39.99$. More information about Spyhunter, EULA and Privacy policy.


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore files

When you eliminated Writeme, you should try to do some info recovery. As you know now, if you logged in from an admin profile and you let the virus an access into the device – there is no trick to recover the files save for the backups. If you haven’t done this – you have poor fortunes for data recovery, but it will require peculiar recovery software. We suggest you to try Recuva or ShadowExplorer programs. You can find these tools simply on the registered pages of their owners, with thorough instructions.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore


Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 0.00 [0 Votes]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience