Pay_creditcard ransomware / virus (updated Apr 2017) - Removal Instructions

Pay_creditcard virus Removal Guide

What is Pay_creditcard ransomware virus?

Things to know if your PC was infected with Pay_creditcard ransomware

Pay_creditcard virus is a recently discovered ransomware[1] virus that seems to be created by quite advanced programmers. Just like other ransomware viruses, it seeks to encrypt all files on the target PC, and for that it uses a complex encryption algorithm[2]. The encryption is based on usage of two keys – private and public one. The public one is used to encrypt files, while the private one is the one that can revert them to their original condition. Without the private key, the victim cannot restore his/hers files. To mark all encrypted files and help the victim understand the extent of the attack, virus marks each file with a .crypted file extension. Once that’s done, the ransomware creates an index.html file, which is a shortcut of Pay_creditcard.htm and index.html. These HTML documents open via victim’s default web browser and show detailed information on how to restore encrypted data (how to buy Bitcoins[3], how to transfer them, etc.) Pay_creditcard ransomwareResearcher shows the ransom note displayed by Pay_creditcard virus. The web page behind it is the Pay_creditcard.htm file, which explains how to acquire Bitcoins.

The ransom note that the virus opens immediately after the attack clearly reminds us of the infamous CTB-Locker’s GUI, which allows switching between several languages. It explains that all of victim’s files, including photos, documents, databases, and the rest of important data was encrypted with an individual key created for the victim. It is easy to guess what cyber frauds wants the victim to do, and the type of the virus prompts it – they want the victim to pay a ransom in exchange for a chance to decrypt corrupted data. They suggest buying the key for 1 BTC, which, according to the ransom-demanding message, equals to 957 USD. However, the price can go up and down at any time because the price of this virtual currency changes frequently. The ransom note urges the victim to gather required amount of money within 4 days, or the decryption key will be deleted and the files will remain useless forever. Now, we need to remind you why paying the ransom is not the best idea[4]. First of all, your data might stay locked, second, you might receive even more malware, and third, you can not know how scammers are going to use that money. You might be funding something illegal or really bad, so we suggest you think about it. If you decide to remove Pay_creditcard ransomware and not obey cybercriminals’ commands, we recommend using anti-malware software you can trust. For this case, we suggest using FortectIntego software. Before you launch or download this program, follow steps of Pay_creditcard removal guide that is given right below the article.

How to not get infected with ransomware?

Ransomware is a sneaky computer program, which is developed by advanced programmers who certainly know what they’re doing. We discovered that Pay_creditcard malware is being distributed via RIG Exploit Kit[5], which is known to be responsible for distribution of many other ransomware variants, such as CryptoMix, CryptoShield, and even Cerber ransomware. We recommend removing all unnecessary browser extensions and keeping software installed on the computer up-to-date if you do not want to become a victim of such exploit kit-based attack. Ransomware is also frequently distributed via email, so needless to say, you should be careful when opening emails (make sure you avoid that Spam folder at all costs). To protect your PC, use an up-to-date anti-malware software. Finally, if you do not want to consider the option of paying the ransom, create data backups in time. Data backup is the only thing that can save you time and provide you with copies of data that was encrypted due to ransomware attack.

Best practices to remove Pay_creditcard ransomware virus

Ransomware is probably the worst computer virus that can destroy years of work very quickly, however, we are happy to see an improvement in users’ cybercrime awareness these days. We invite you to say no to cybercriminals and not to pay the ransom to them. If you’re ready to remove Pay_creditcard virus, you should remove all of its remains, including the “How_To_Decrypt_Files” folder that it creates to store the ransom notes. However, we do not recommend doing this manually because you might miss some of the malignant files and leave the system vulnerable to further malware attacks. To deep-clean your PC system, we recommend using anti-malware programs. We strongly recommend you to read these Pay_creditcard removal instructions before you attempt to launch the security software.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Pay_creditcard virus. Follow these steps

Manual removal using Safe Mode

The first method helps to remove the ransomware using Safe Mode with Networking feature. It allows you to boot the computer and limits Windows operation. 

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Pay_creditcard using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Pay_creditcard. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Pay_creditcard removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Pay_creditcard from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If you have a data backup, you can restore your files using it – just remove the virus first. However, if you do not have it, then you will need to try other data recovery options. We described some of them below.

If your files are encrypted by Pay_creditcard, you can use several methods to restore them:

Restore files using Data Recovery Pro

Data Recovery Pro is a widely used tool that helps to restore all kinds of corrupted data – whether it was modified, deleted, or damaged in some type of way. Remember that it cannot guess the decryption key, so it might not succeed in restoring all of your files. However, we believe that this tool is definitely worth a try.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Pay_creditcard ransomware;
  • Restore them.

Shadow explore your PC

ShadowExplorer is a useful program that helps to find Volume Shadow Copies and use them to restore corrupted files. If the virus failed to remove them (sometimes it happens), you will successfully restore your files using ShadowExplorer software.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Pay_creditcard and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

Removal guides in other languages