If your PC has been infected with a ransomware virus…

admin | July 23, 2012

The Internet is full of malware of different kinds: rogues, Trojans, spyware, ransomware and so on. This entry is devoted to ransomware infections. They are a widespread phenomenon on the modern web and can hit anybody; nobody is 100% safe. So this post is for all PC owners. Here you will find the detailed sequence of actions to take if your workstation has been invaded by a parasite of this kind.

This is one of the many possible screens you may see if your PC is infected with ransomware.

1. Start your PC in safe mode with command prompt.
2. Run the following commands:

  • reg delete hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f
  • reg delete hklm\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

3. Run the registry editor regedit.exe
4. In the registry editor:

  • remove the parameter NoDesktop from HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

  • remove the parameter DisableTaskMgr from HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

  • set the parameter HideIcons to 0 in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

  • set the parameter Shell to explorer.exe in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  • remove the parameter Shell from HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  • find the parameter with the random name in HKCU\Software\Microsoft\Windows\CurrentVersion\Run, copy its name to the clipboard, then search for that name in HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

  • if the parameter is found there, remove the full entry

  • remove the file indicated in the parameter with the random name. To do this, enter del /f /q "parameter value" in the command line.

  • remove the parameter with the random name from the registry entries
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

5. Now restart your PC. Enter the command shutdown -r -t 0 in the command line.
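A read-only way to see which of the values from steps 2 to 4 are actually set before or after editing them, as an added PowerShell example that is not part of the original post. The Status labels, treating a missing HideIcons as acceptable, and approximating the Active Setup search with a same-named subkey test are assumptions of this example.

```powershell
# Added example: read-only audit of the registry values named in steps 2-4.
# Nothing is written or deleted; rows marked REVIEW differ from the state the steps restore.
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$nt = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$absent = { param($v) $null -eq $v }

$checks = @(
    @{ Key = "HKCU:\$cv\Policies\System";   Name = 'DisableRegistryTools'; Ok = $absent },
    @{ Key = "HKLM:\$cv\Policies\System";   Name = 'DisableRegistryTools'; Ok = $absent },
    @{ Key = "HKCU:\$cv\Policies\Explorer"; Name = 'NoDesktop';            Ok = $absent },
    @{ Key = "HKCU:\$cv\Policies\System";   Name = 'DisableTaskMgr';       Ok = $absent },
    # Assumption: a missing HideIcons is treated the same as HideIcons = 0
    @{ Key = "HKCU:\$cv\Explorer\Advanced"; Name = 'HideIcons'; Ok = { param($v) ($null -eq $v) -or ($v -eq 0) } },
    @{ Key = "HKLM:\$nt";                   Name = 'Shell';     Ok = { param($v) $v -eq 'explorer.exe' } },
    @{ Key = "HKCU:\$nt";                   Name = 'Shell';     Ok = $absent }
)

# Returns the value data, or nothing when the key or the value does not exist
function Get-RegValue($Key, $Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$checks | ForEach-Object {
    $v = Get-RegValue $_.Key $_.Name
    $status = 'REVIEW'
    if (& $_.Ok $v) { $status = 'ok' }
    if ($null -eq $v) { $v = '(absent)' }
    New-Object psobject -Property @{ Key = $_.Key; Name = $_.Name; Value = $v; Status = $status }
} | Format-Table Status, Name, Value, Key -AutoSize

# Every autostart entry under both Run keys, for the "random name" inspection in step 4.
# Assumption: the Active Setup search is approximated by testing for a same-named subkey.
$setup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$runEntries = foreach ($run in "HKCU:\$cv\Run", "HKLM:\$cv\Run") {
    $key = Get-Item -Path $run -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        if (-not $name) { continue }   # skip the unnamed default value
        New-Object psobject -Property @{
            RunKey = $run; Name = $name; Data = $key.GetValue($name)
            ActiveSetupMatch = Test-Path -LiteralPath "$setup\$name"
        }
    }
}
$runEntries | Format-Table Name, Data, ActiveSetupMatch, RunKey -AutoSize
```

HKCU resolves to the registry hive of the account running the script, so the HKCU rows describe only that user's profile.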

If all the steps above have been completed, the ransomware should be neutralized. Now it is high time to check your PC for other malicious objects, because they can be hidden deep in the system. Install GridinSoft Trojan Killer and run a full scan with it. Make sure to update the program before you run it. When the scan has completed, remove all infections it finds and reboot your system. If you have difficulty deleting the viruses, please contact us via the support channels available on this site.

11 Comments

  1. KuBa says:

    And how could I do this if I have 4 user accounts and only 1 is not working? I have to change the registries, help :[

  2. Chelsey says:

    This doesn’t work. When I bring up my Command Prompt, it doesn’t say, “C:\>” like it shows on the picture. Mine says, “C:\Windows\system32>” What is going on here?

  3. Mart says:

    @Chelsey
    You have to know how to navigate the command prompt. Your default is “C:\Windows\system32>”, so type “cd..” twice to get “C:\>”.

    @KuBa
    Google Translate from Polish to English may help with a response.

  4. bill ryley says:

    This is a good solution to an older version of this trojan but will not work now. With the new trojan you will only be allowed to start your PC in normal mode. If you try any of the safe modes, you will get an apology from Microsoft saying it was unable to launch. I am surprised that Microsoft has seen fit to ignore its customers by being unwilling or unable to resolve this problem.

    bill ryley

  5. Colin says:

    It would help if the website didn’t cut off the directories I need to go to.

  6. anthony says:

    Hey, I have a problem with my PC. This FBI Greendot stuff pops up when I turn on my wifi connection on my PC. How do I remove this virus from my PC?

  7. Ricky says:

    Agree with Bill R above, I think it’s more sophisticated now, I can’t open any safe mode. Anyone know how to delete the virus without safe mode? I can log in as another user and get into the regedit but I cannot find the offending (.exe?) file.

  8. JR says:

    Like the previous people said, this virus is now disabling safe mode. Any tips and tricks on how to bring it back?

  9. Julia says:

    Dear users,
    Some versions of these viruses disable all safe modes, but give a short gap that you can use to run anti-malware programs. Then do the following:
    1. Reboot normally.
    2. Start –> Run.
    3. Enter: http://trojan-killer.net/download.php?trojankiller If malware is loaded, just press Alt+Tab once and keep entering the string blindly, then press Enter.
    4. Press Alt+Tab and then R (letter) a couple of times. The malicious processes should be killed.
    Best regards,
    GridinSoft Trojan Killer

  10. Curtis T says:

    A problem on my end: forgive me if this is a stupid question, but I do not know much about what I’m doing… When I do either of the first ‘reg delete’ commands, I receive ‘ERROR: The system was unable to find the specified registry or value.’ I noticed this occurred above, so I am not sure if this really is my problem.

    In the registry editor, I am unable to find HKCU. Again, I don’t know if this has anything to do with the above error or if it is my own unfamiliarity with the command prompt.

  11. JB says:

    For the love of god, up 24 hours working on this, I’m no expert and I’ve tried 5 different methods, the only thing keeping it at bay is in any safe mode, run>msconfig>{startup}>disable all, then I can run my comp on a normal boot, but I’ve only found one file on my comp so far labeled something like wbwbwbgwbwbgwb, any info at all please email me, usajay1992@yahoo.com
