Happychoose ransomware (Virus Removal Instructions) - Easy Removal Guide

Happychoose virus Removal Guide

What is Happychoose ransomware?

Happychoose ransomware – a new cryptovirus in the Globeimposter ransomware family

Happychoose ransom noteHappychoose ransomware locks files and creates a file with instructions on each system's folder

Happychoose is a dangerous cyber infection that attempts to lock files with .happychoose extension and demand a ransom in exchange for the decryption key. Victims started searching for help to encrypt data attached by this file-encrypting malware[1] at the end of February 2020, thus exposing a new evolving threat. Initially, Happychoose ransomware might seem like a unique piece of crypto-virus, but closer analysis reveals that it's a member of an infamous GlobeImposter family. Distributed through spam, it attacks random PCs by happening unreadable extensions to files and creating a ransom note named “Decryption INFO.html.”

Happychoose ransomware virus creates the Decryption INFO.html on every system's folder that contains files locked with .happychoose extension. The note contains a list of demands and instructions. Cybercriminals encourage victims to contact them asap via happychoose@cock.lt or happychoose2@cock.lt email. Crooks demand the victim to send an email that contains one locked file and a unique ID code that is provided on the note. The size of the ransom is not indicated. According to the information, it will be revealed only when ransomware developers receive the victim's ID and evaluate the amount of locked data.

Name Happychoose
Origin GlobeImposter 2.0 ransomware family
Distribution Unprotected Remote Desktop, spam email attachments, drive-by-download attacks
Symptoms Upon Happychoose infiltration, most of the files present on the target system receive .happychoose file extension. The ransom note “Decryption INFO.html” appears on the desktop. Multiple registries on the system are compromised. The overall system's performance may diminish significantly.
Contact e-mail adress happychoose@cock.lt or happychoose2@cock.lt
Ransom note Decryption INFO.html
File extension .happychoose
Removal The only way to eliminate Happychoose ransomware is to launch AV tool and run a full system scan. Any professional antivirus tool with a powerful detection mechanism is appropriate, though we recommend SpyHunter 5Combo Cleaner or Malwarebytes.
Data recovery There are two options – to pay the ransom or use third-party data recovery tools to decrypt corrupted files. Paying the ransom is not recommended in any way. For more information on how to unlock files after Happychoose attack, see the end of the post.
System's repair Ransomware can severely damage multiple Windows Registry entries and initiate other disruptive modifications. To fix any system's damage, use FortectIntego repair utility.

Happychoose virus renders a unique cipher to encrypt data on a target computer. The virus runs the cipher by taking advantage of the infected cmd.exe file, as well as other vulnerable Windows Registries. The powerful ransomware scanner is capable of tracking over 34 file types and inject the .happychoose suffix to each of them. The extension may also contain an email address of the developers or other ransom looking codes. Another thing proving the fact that the system has been infected is Html file Decryption INFO. The ransom note states:



To recover data you need decryptor.

To get the decryptor you should:

Send 1 test image or text file happychoose@cock.li or happychoose2@cock.li.

In the letter include YOUR ID (look at the beginning of this document).

We will give you the decrypted file and assign the price for decryption all files

After we send you instruction on how to pay for decrypt and after payment you will receive a decryptor and instructions. We can decrypt one file in quality the evidence that we have the decoder.


Only happychoose@cock.li or happychoose2@cock.li can decrypt your files

Do not trust anyone happychoose@cock.li or happychoose2@cock.li

Do not attempt to remove the program or run the antivirus tools

Attempts to self-decrypting files will result in the loss of your data

Decoders other users are not compatible with your data, because each user's unique encryption key

Although criminals do not reveal the size of the ransom, it may be assumed that the payment varies from 1 to 10 Bitcoins. Such assumptions are based on its ancestor, GlobeImposter 2.0 requirements. Happychoose encryptor may be a severe problem and money stealer for those who are not used to backup files. Since the decryption for this malicious infection hasn't been created yet, there's no other way to get data back except to pay the demanded ransom. Nevertheless, a deal with criminals is always a risk.

Happychoose ransomware virus informationHappychoose ransomware developers urge victims to contact asap and pay the ransom for the decryption tool

Developers of this cyber infection try to raise people's fair, claiming that any attempts to decrypt files encrypted by Happychoose ransomware manually may lead to a permanent data loss. Even more, a risk to cause perpetual data lock is the usage of automatic antivirus and recovery solutions. However, there's no clear evidence that third-party data recovery tools cannot repair damaged files. Therefore, we strongly recommend victims to remove Happychoose with tools like SpyHunter 5Combo Cleaner and then install a reliable data recovery software, which may turn out to deal with ransomware cipher successfully.

Checking malicious email attachments – a straight way to a ransomware attack

Dieviren.de[2] and other security experts keep trying to warn Internet users about spam emails, which is by far the most widely used technique to spread various malware and virus types. Cybercriminals keep developing botnets that are later used for massive spam attacks. Such messages are typically filled with infected with ransomware, spyware, trojans, and other viruses. Usually, attackers do research on people's preferences and make the infected emails look credible and professional. The more legitimate the email looks like, the more recipients are expected to open them.

Having this in mind, it's a must to carefully analyze all emails that contain attachments before double-clicking on the file. Look for grammar or type mistakes, check the sender online, and think twice does the email really has any information that is relevant for you. If you are not sure, you'd better not open the attachment.

In addition to spam, ransomware can be deployed by clicking on the malicious links on unprotected websites or social network messages. Unprotected Remote desktop, as well as drive-by-download attacks, are also among conventional ransomware distribution means.

Happychoose locks most of the file typesHappychoose is capable of locking most of the file types

We want to stress the fact that GlobeImposter 2.0 ransomware family has been noticed on the landscape in 2019 and is ranking third with 12.57%[3], among other ransomware-type infections. It shows that impostors that are responsible for disseminating Happychoose and GlobeImposter are going on the right way looking from cybercriminal's perspective. Therefore, to protect your files and PC from severe attacks, take care of a proper system's security and try to be more suspicious when browsing the Internet.

Delete Happychoose ransomware pack from the system

Happychoose ransomware virus is currently in an active transmission phase, security forums reveal. If its developers managed to successfully upgrade GlobeImposter 2.0 and release it with a new strength, the prognosis on the infection rate might be saddening.

The removal of Happychoose may be a tough nut to crack as most of the ransomware are incredibly resistant to detection. This threat may be programmed to block AV tools and other security programs, as well as take care of the complete removal of Windows Shadow Copies. Therefore, you may need the help of professional IT experts to clean the system and get at least some of the files back.

Anyway, we highly recommend trying an automatic Happychoose removal with a reliable security tool. To bypass AV blockade, boot the system into Safe Mode and run SpyHunter 5Combo Cleaner, Malwarebytes, or an alternative program. You can learn how to do that with the help of the instructions provided below. As for encrypted files, antivirus software will not be able to revert the changes that the ransomware initiate. If you manage to remove Happychoose ransomware successfully, fix Windows Registry damage with FortectIntego utility and then give a chance for third-party data recovery tools. You can find several useful decryption methods below.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Happychoose virus. Follow these steps

Manual removal using Safe Mode

If it is not possible to remove the Happychoose virus because it blocks AV tools, try rebooting the system into Safe Mode with networking and running security software.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Happychoose using System Restore

Upon successful malware removal try alternative means to restore the files. Open System Restore feature and recover at least a part of corrupted data.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Happychoose. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Happychoose removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Happychoose from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Happychoose, you can use several methods to restore them:

Data Recovery Pro – a powerful utility to crack ransomware encryption algorythm

Data Recovery Pro is a powerful data recovery tool, which is capable of restoring files lost after the system's crash, as well as a ransomware infection. to give the tool a try, follow these steps:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Happychoose ransomware;
  • Restore them.

Take advantage of Windows Previous Versions

Files encrypted by Happychoose ransomware can be recovered by enabling the Previous Windows version feature. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Happychoose and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions