Home / Removal Guide / Ransomware / How to remove ransomware virus that locked your computer?

How to remove ransomware virus that locked your computer?

[Total: 0    Average: 0/5]

The interrogation you see above is a logical question that is often being asked by many users whose workstations have been blocked by a serious virus infection that asks for money to unlock it. Such malicious programs are categorized as ransomwares, and the growth rates of their spread are increasing with every year by leaps and bounds. Hence, the contemporary worldwide distribution of this type of infection brings us to the necessity of a thorough analysis of how such infection can be effectively removed in order to unblock the computer that became the target of the ransomware locker.

Ransomwares are entering targeted computers through certain leaks in your system security protection mechanisms. Sometimes the anti-virus programs you have aren’t properly updated, thus allowing various malwares to enter your system. It is a sad thing to admit that often users prefer not to have any security software at all. This pretty well explains the reasons why the computers are so vulnerable to threats like ransomware lockers. Whatever the case might be, the very infiltration of the locker takes place in a hidden manner when you don’t even realize the malware is at the door of your system. Then one day you decide to do something on your computer, you turn it on and you see a strange warning on your system that accuses you of performing various crimes online through your computer and tells that your system is locked for doing such things. No doubt, it is very scary to receive such a type of alert, moreover, it is often presented in the form of a fake police notification. It is a really sad fact to assert that many users after being scared to death with these deceitful police warnings decided to obey the fraudulent instructions and commands of ransomwares, thus fulfilling the commands of online crooks, the authors of such ransomware virus program.

It is also worth mentioning about the ways through which cyber hackers, the developers of screen lockers, receive their unfair earnings. They use the services of today’s well-known payment systems, such as Ukash, Paysafecard and GreenDot MoneyPak. The first two are extremely popular in European countries, whereas GreenDot MoneyPak is primarily represented in the USA and Canada. However, all these three companies have nothing to do with development of ransomwares. Unfortunately, scared users often consider them to be viruses, but this is surely a mistake to think like that. Neither GreenDot MoneyPak, nor Ukash, nor Paysafecard are connected to all known desktop lockers. Cyber hackers simply use the good names of these organizations to achieve their evil goals and implement their fraudulent plots.

How can one remove ransomware from the infected system and unlock the computer? This is surely a question that needs to be properly answered. Some non-professional security blogs that promote some particular security software simply recommend users to run it in order to unblock the system. These blogs only pursue the goal of increasing the number of clicks and software downloads. They don’t provide users with other important details, considering the fact that ransomware can’t be removed simply by running security software. Certain manual steps must be implemented by users in order to unlock their computers and restore them back to the fully functional condition. These steps are reviewed and summarized in the complete ransomware removal instructions you may find below.

Ransomware removal solutions

Solution 1 (automatic)

NB! This solution is applicable for all GreenDot MoneyPak, Ukash and Paysafecard ransomwares.

  1. Reboot your system and press F8 repeatedly while it is restarting.
  2. Select Safe Mode with Networking.
  3. Safe Mode with Networking

  4. Click Start and in the open space type Run, or press [Win]+R on keyboard.
  5. Start - Run

  6. Type msconfig and press “OK“.
  7. msconfig

  8. Disable startup items rundll32 turning on any application from Application Data.
  9. Reboot your computer once again.
  10. Scan your system with GridinSoft Trojan Killer to identify the infected file and delete it.

NB! Some versions of these viruses disable all safe modes, but give a short gap that you can use to run anti-malware tools. Then act as follows:

  1. Reboot normally.
  2. Click Start and in the open space type Run.
  3. Start - Run

  4. Enter the text https://trojan-killer.net/download.php in the open field.
  5. Download link for Trojan Killer

  6. If the malware is loaded, just press Alt+Tab once and keep entering the string blindly then press Enter. Press Alt+tab and then R (letter) a couple of times. The process of ransomware virus should be killed after you succeed to download, install our recommended software and scan your system with it.

Solution 2 (automatic)

  1. Go to your friend, relative or anybody else who has computer with Internet connection.
  2. Take your USB flash drive / Memory Stick with you.
  3. Download GridinSoft Trojan Killer installation file from this site https://trojan-killer.net/download.php and save it to your USB flash drive / Memory Stick.
  4. Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
  5. Perform hard reset (press reset button on your computer) if your infected PC has been on with ransomware’s background. If not, then simply turn your PC on.
  6. Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
  7. In the window that appeared select “Safe Mode with Command Prompt” option and press Enter.
  8. Safe Mode with Command Prompt

  9. Choose your operating system and user account which was infected with ransomware virus.
  10. In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
  11. Select “My Computer” and choose your USB flash drive / Memory Stick.
  12. Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
  13. When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
  14. In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
  15. shutdown /r /t 0

  16. Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
  17. However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing ransomware virus to infect your PC.

Similar automatic removal video

Solution 3 (manual)

  1. Restart your system into “Safe Mode with Command Prompt“. While the PC is booting press the “F8 key” continuously, which should present the “Windows Advanced Options Menu” (for Windows XP) or “Advanced Boot Options” (for Windows 7 and Vista) as presented in the image below. Apply the arrow keys in order to move to “Safe Mode with Command Prompt” and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.
  2. Safe Mode with Command Prompt

  3. Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word “explorer.exe“, and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.
  4. explorer.exe

  5. Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word “regedit.exe” and hit Enter button of your keyboard. The Registry Editor should open.
  6. regedit.exe

  7. Find the following registry entry:
  8. HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon

  9. In the right-side panel select the registry entry named Shell. Right click on this registry key and select “Modify” option. Its default value should be “Explorer.exe“. However, ransomware virus did its job, and so after you click “Modify” you would see totally different value of this registry entry.
  10. Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of ransomware virus is located.
  11. Modify the value of the registry entry back to “explorer.exe” and save the settings of the Registry Editor.
  12. Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step.
  13. Get back to “Normal Mode“. In order to reboot your system, when at the command prompt, type-in the following phrase “shutdown /r /t 0” (without the quotation marks) and hit Enter button.
  14. shutdown /r /t 0

  15. The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer.

Similar manual removal video

Check Also

How to detect Anatova Ransomware?

[Total: 0    Average: 0/5] Anatova malware is not a typical bot or keylogger, this …

.Tfudeq (_openme.txt) scary alerts (removal instructions)

[Total: 0    Average: 0/5] .Tfudeq (_openme.txt) malware is not a typical bot or keylogger, …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.