Remove Ransomware and its associated files from Windows OS through safe mode with command prompt.
This article instructs users how to manually remove a ransomware threat using Safe Mode with Command Prompt. However, these steps involve reverting crucial changes made by the ransomware, so you should be very careful while performing them.
- Reboot your computer to “Safe Mode with Command Prompt”
- End malicious process from “Task Manager”
- Delete “Registry Entries” created by the Ransomware threat
- Deep Scan the infected computer to ensure complete removal (Recommended)
Step 1: Reboot your computer to “Safe Mode with Command Prompt”
- Click on the Start menu, then click the arrow next to “Shut Down.” Select Restart (just as you normally restart your PC).
- Once the computer screen is powered on, immediately start tapping the “F8” key until you see the “Advanced Boot Options” screen. If you don’t reach the boot screen, restart and press F8 again while the PC is restarting.
- Here, choose the Safe Mode with Command Prompt option and press the “Enter” key to start Windows in troubleshooting mode, as later on you will need to access the internet.
- Once you choose the Safe Mode with Command Prompt option wait for the system to load necessary system files.
- You will now see the login screen. Log in with your Administrator account.
NOTE: To get back to your normal Windows configuration, repeat steps 1-3 and select Start Windows Normally.
- For Windows 10: Click Start –> Power and then hold the Shift key on your keyboard and click Restart.
- For Windows 8/8.1: Press the “Windows key + C“, and then click “Settings“. Click “Power“, hold down the Shift key on your keyboard and then click “Restart“.
- From here the steps are the same for Windows 10 and 8.
- Click Troubleshoot.
- Click Advanced options.
- Click Startup Settings.
- Click Restart.
- After your computer restarts, select Safe Mode with Command Prompt.
- Enter your administrative username and password to start Windows in Safe Mode.
NOTE: To get back to your normal Windows configuration, click Start –> Power and then click Restart.
Step 2: Open task manager using command prompt and end malicious process:
- Type “taskmgr.exe” within the cmd (Command Prompt) window and press Enter.
- Once the Task Manager window opens, switch to the “Processes” tab to locate the malicious processes and end them all.
- To end a ransomware-associated process: click on the process name and hit the “End Process” button at the bottom-right corner.
- Once done, close the Task Manager window.
Note: If you are not sure whether a process is malware or not, leave it.
Step 3: Delete Registry Entries created by the Ransomware threat:
- Within the command prompt window: type “regedit” and press “enter”.
- This will open the Registry Editor window. You need to find the “Winlogon” folder within the left menu pane, or simply copy and paste the path “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” (without quotes) into the address bar.
- In the middle pane, the list of registry values will appear. Find the entry for “Shell”; its default value should be “explorer.exe”. If it appears to be something different, like “C:\Documents and Settings\username\desktop\ransomwarename.exe”, then you need to reset it to its default value. (But before that, copy the name “ransomwarename.exe” of the virus so you can find more such entries and delete them.)
- Right-click on “Shell”, choose “Modify”, replace the malicious value with “explorer.exe” and click “OK”.
- Now press “Ctrl+F” to open the “Find” window and paste the malicious entry name you found in the Shell value. Once a match is found, right-click on it and choose the “Delete” option. Continue to find and delete until all malicious entries are removed.
- Once finished, close the registry editor window.
- Now, back in the command prompt window, type “shutdown /r /t 0” (without quotes) and press Enter. This command will restart the computer in normal mode.
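Steps 2 and 3 above are done by hand in Task Manager and Registry Editor. As an added example (not part of the original article), the PowerShell script below performs the same checks in a repeatable way: it compares the Winlogon “Shell” and “Userinit” values against their standard Windows defaults, searches the common Run/RunOnce autorun keys for a name you supply (the article's placeholder “ransomwarename.exe” is used here), and lists running processes whose executable lives under a user profile, which is the pattern the article's example path follows. It assumes an elevated PowerShell prompt (it can be launched from the Safe Mode command prompt by typing `powershell`), that the defaults shown are correct for the machine, and that you review the report before calling `Restore-WinlogonDefault`.

```powershell
# Added example, not the article's own procedure. Assumes an elevated PowerShell
# session and the standard Windows defaults for the two Winlogon values below.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Default values ransomware commonly overwrites to relaunch itself at logon.
$Expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}

# Report any Winlogon value that differs from its default (nothing is changed here).
function Get-WinlogonDeviation {
    param([string]$KeyPath = $WinlogonKey)
    $props = Get-ItemProperty -Path $KeyPath
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{ Value = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
}

# Write the defaults back, mirroring the manual "Modify -> explorer.exe" step.
function Restore-WinlogonDefault {
    param([string]$KeyPath = $WinlogonKey)
    foreach ($dev in Get-WinlogonDeviation -KeyPath $KeyPath) {
        Write-Host "Restoring $($dev.Value): '$($dev.Actual)' -> '$($dev.Expected)'"
        Set-ItemProperty -Path $KeyPath -Name $dev.Value -Value $dev.Expected
    }
}

# Targeted replacement for the article's Ctrl+F search: look for the malicious
# file name in the autorun keys that persistence most often lands in.
function Find-AutorunReference {
    param([Parameter(Mandatory)][string]$Pattern)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these bookkeeping properties; they are not registry values.
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($skip -contains $p.Name) { continue }
            if ("$($p.Value)" -like "*$Pattern*") {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# Processes whose image lives under a user profile deserve a closer look before
# ending them; legitimate system processes rarely run from there.
function Get-UserProfileProcess {
    Get-Process |
        Where-Object { $_.Path -and $_.Path -match '^[A-Za-z]:\\(Users|Documents and Settings)\\' } |
        Select-Object Id, ProcessName, Path
}

# Usage: report first, then restore only after confirming the findings.
Get-WinlogonDeviation | Format-Table -AutoSize
Find-AutorunReference -Pattern 'ransomwarename.exe' | Format-Table -AutoSize   # placeholder name from the article
Get-UserProfileProcess | Format-Table -AutoSize
# Restore-WinlogonDefault
```

Run the three report functions first and keep a copy of their output; `Restore-WinlogonDefault` only touches values that differ from the defaults, and a Run-key value found by `Find-AutorunReference` can be removed with `Remove-ItemProperty -Path <Key> -Name <Name>` once you have confirmed it belongs to the threat, the same decision the article asks you to make in Registry Editor.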
Once your computer has started normally, run a deep scan of the computer system to remove any traces of the threat that remain.