How to get rid of a ransomware virus on your computer

According to Kaspersky Labs and Dr.Web, ransomware viruses were the most common malware in the past year and are breaking all records this year. You are very lucky if your computer is reliably protected and has not yet received such a “guest”.

What is a ransomware virus?

This is a malicious program, usually a Trojan, that blocks your computer and offers to restore the status quo if you send a paid SMS to a short number.
The most interesting thing is that sending this message most often does not have any consequences, that is, you will spend money and get no results. Moreover, very often SMS costs much more than the amount indicated.
There are several types of ransomware viruses. Some restrict access to websites or use of the browser. Others encrypt user files. Still others block access to operating system resources or limit actions within it. Such viruses are usually hidden among files with the extensions zip, rar, exe, bat, com.

How to avoid becoming a victim of a ransomware virus?

1. Of course, you can’t do without an antivirus with the latest, constantly updated databases. Protection against viruses can be provided by both paid and free antivirus. In any case, you yourself assess how important stable operation and data protection on your computer are to you. Skimping on protection is not the best option.
2. One of the mandatory tasks that should be assigned to your anti-virus program is a full scan for viruses. Again, you determine the scan frequency for yourself, but it’s worth running such a scan at least once a week.
Manufacturers of virus protection systems also offer to check files directly on their websites, these are so-called online scanners. If you have doubts about some files on your computer, you can check them again, each individually:
Dr.Web online scanner
http://vms.drweb.com/online/
Kaspersky Online Scanner
http://www.kaspersky.ru/scanforvirus
Dr.Web also offers its own solution – Dr.Web LinkChecker. This is a set of plugins for three browsers (Mozilla Firefox, Opera and Internet Explorer), after installing which all pages you open and files downloaded from the Internet will be checked for malware in advance, i.e. before you open or download anything.
3. Is it worth repeating once again that some resources are best given a very wide berth? We are talking about sites that promise a lot of free porn, etc. Resources offering all kinds of cracks, hacking programs, keys and similar software are also potentially dangerous for your computer. I recommend that MirSovetov readers download any programs - be it a regular photo viewer, an IM client, or even a standard set of codecs - from official websites. At a minimum, the resource must be reliable and verified.
Large search sites (for example, Yandex, Google) have already learned to recognize sites that infect their visitors with a virus, and warn about this. But if you are not sure about the reliability of a site (even official sites can sometimes pose a threat of infection), you can check it yourself. This can easily be done on the page of the same Dr.Web online scanner: click the “Check link (URL)” link, enter the address of the site page, and you will find out whether the resource you are interested in contains viruses.
It would be a good idea to install additional protection to check the sites you visit before they open. For example, you can use the free Dr.Web LinkChecker (http://www.freedrweb.com/linkchecker/), which is built into all the most popular browsers: Mozilla Firefox, Opera, Internet Explorer.
4. Don't open emails or files from people you don't know or click on links received from strangers. More often than not, this is where ransomware viruses are contained, and not only them.
5. It is recommended to store passwords and logins that are important to you separately.
6. Immediately check all disks, flash drives, memory cards and other removable media that you connect to your computer for malware, and only then start working with them. In addition, it is better to disable autostart of removable media (automatic opening when connected) completely; viruses can hide there too. To disable autorun, use the help for your operating system.
When a program that used to run no longer starts, files that you recently worked with quietly no longer open, you cannot access the Internet or it is generally impossible to work with the computer... and instead of all this a window appears asking you to send an SMS, you have almost certainly encountered one of the types of ransomware viruses. Of course, we do not recommend sending messages anywhere; there will be no result. But it is possible and necessary to fight the virus.
To do this, it is advisable to have a set of utilities to treat your computer from such viruses. We will talk about them further. But if you are not sure that you can handle treating your computer on your own, it is better to seek help from a specialist.

How to get rid of ransomware virus

What to do if a ransomware virus does get into your computer? First of all, don't panic. Despite the fact that ransomware viruses are rapidly evolving, they can still be fought. You just need to pull yourself together and take a number of measures.
To succeed in the fight against ransomware, you must first determine what kind of guest visited you and your computer.
1. Viruses that block Internet access. If you cannot access the Internet or access most sites and see a banner in front of you requiring you to send a paid SMS, most likely you have been visited by one of these viruses: Trojan-Ransom.BAT.Agent.c or Trojan-Ransom.Win32.Digitala (Get Accelerator, Digital Access, Get Access, Download Manager v1.34, Ilite Net Accelerator).
The first, as the name suggests, has a bat extension. This virus modifies the Hosts file located in the root directory of the system disk (Windows 95/98/ME) or in the Windows\System32\drivers\etc folder (Windows NT/2000/XP/Vista). You need to open this file using any text editor and remove all lines except 127.0.0.1 localhost.
Then conduct a full scan of your computer with an antivirus. After checking, restart your computer. The problem should go away.
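The manual Hosts-file step above can be checked before anything is overwritten. The following is an added example, not code from the original article: it parses Hosts-file text, lists every mapping that is not a plain localhost entry, and rebuilds the file with only comments and localhost entries left. The sample Hosts content is constructed; the vendor hostnames in it are the ones mentioned on this page.

```python
# Added example (not from the original article): inspect a Windows Hosts file
# and separate the legitimate loopback entries from everything else, which is
# what the manual cleanup step described above amounts to.
from typing import List, Tuple

# Mappings a clean Hosts file may contain besides comments and blank lines.
ALLOWED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: a Hosts file after a modification of the kind the
# article describes, redirecting antivirus vendor sites to the local machine
# or to a dead address so that the user cannot reach help or updates.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
127.0.0.1 www.kaspersky.ru
127.0.0.1 vms.drweb.com    # added by malware
0.0.0.0 support.kaspersky.ru
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, ip, [hostnames]) for each mapping line.

    Comments (full-line and inline after '#') and blank lines are ignored.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname after the address
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def suspicious_entries(text: str) -> List[Tuple[int, str, str]]:
    """Every (line, ip, hostname) pair that is not a plain localhost mapping."""
    found = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if (ip, name) not in ALLOWED:
                found.append((lineno, ip, name))
    return found


def cleaned_hosts(text: str) -> str:
    """Rebuild the file keeping comments, blank lines and localhost entries only."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)  # comments and spacing are harmless; keep them
            continue
        parts = stripped.split("#", 1)[0].split()
        if len(parts) >= 2 and all((parts[0], n) in ALLOWED for n in parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
    print(cleaned_hosts(SAMPLE_HOSTS))
```

Review the list of flagged entries before replacing the real file: any custom entries you added yourself (for example for a local test server) are removed by the same rule, exactly as the article's manual instruction would remove them.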
As for the viruses of the Trojan-Ransom.Win32.Digitala group, everything is much more complicated. These malware can masquerade as legitimate software. They are much more complex and know how to hide themselves. So, in front of you hangs a hated window demanding a ransom to restore the functionality of your computer. Perhaps the first thing you can try, to get rid of viruses that require entering an activation code obtained by sending an SMS, is to find out this very code. To do this, using another computer (or at least a mobile phone), go to the website of one of the anti-virus software manufacturers (links are given below), to the page with its ransomware deactivation service:
Kaspersky Lab ransomware blocker deactivation service
http://support.kaspersky.ru/viruses/deblocker
ESET NOD32 Technical Support: Unlocking Windows
http://www.esetnod32.ru/.support/winlock/
Dr.Web: Unlock Windows from Trojan.Winlock
http://www.drweb.com/unlocker/
You just need to fill out a few fields, and the system will give you a code with which you can unlock your computer. If the numeric code provided to you helped and your computer started working again, don’t stop there! Most likely, traces of a harmful virus remain somewhere inside the operating system. They may make themselves known a little later with frequent malfunctions, and possibly repeated blocking. To prevent this from happening, I recommend that MirSovetov readers check their operating system using an antivirus, and do not forget to update its database before doing so.
If the unlock code does not help, you can try to cure your computer using the Digita_Cure utility (a product of Kaspersky Lab), specially designed to treat ransomware viruses of the Trojan-Ransom.Win32.Digitala group, or the CureIt program (a product of Dr.Web), which detects this and other types of viruses. They can be downloaded for free on the websites of these laboratories:
Digita_Cure utility
Program page: http://www.kaspersky.ru/support/viruses/solutions?print=true&qid=208637303
Download link: http://www.kaspersky.ru/support/downloads/utils/digita_cure.zip
CureIt utility
Program page: http://www.freedrweb.com/cureit/
Download link: http://www.freedrweb.com/download+cureit/gr/
Before you begin treatment for the virus, you need to disconnect the computer from the Internet and restart it in safe mode by pressing the F8 key immediately after turning it on and selecting “Boot in Safe Mode.” Then launch the Digita_Cure (or CureIt) utility from a flash drive or disk and conduct a full scan of the computer. Alternatively, you can use a removable hard drive with an alternative antivirus program. After treatment, the computer will need to be restarted in normal mode. The ransomware virus should be gone after this procedure.
2. Browser blocking viruses. If you are surfing the World Wide Web using Internet Explorer and, when entering any website, you see a very explicit banner on the screen with a short number and a ransom demand written on it, you should know that you are dealing with Trojan-Ransom.Win32.Hexzone or Trojan-Ransom.Win32.BHO. These viruses do not block the operation of the entire computer, but live only in the browser.
They use the BHO (browser helper object) add-on mechanism. You can solve the problem manually using the following algorithm. Open Internet Explorer, find the “Tools” menu item, then select “Add-ons” (manage add-ons) > “Turn settings on and off.” By clicking on the last item, you will see all the add-ons installed in the browser. Your task is to check all add-ons that have no entry in the “Publisher” column or that say “Not verified.”
Disable them one by one, starting Internet Explorer again each time. The add-on whose disabling makes the porn banner disappear is the malicious one, and it must stay disabled.
You can also remove this type of ransomware virus using the AVPTool utility from Kaspersky (http://support.kaspersky.ru/viruses/avptool2010?level=2) or CureIT from Dr.Web (http://www.freedrweb.com/cureit/).
3. Viruses that block access to the OS. If no program runs on your computer except Internet Explorer and Outlook Express, and in front of you is a window demanding a ransom, then you have received a virus that blocks the operating system; one of these is Trojan-Ransom.Win32.Krotten.
To rid your computer of this group of ransomware viruses, you can also contact a free unlocking service (links to the pages of unlocking services were given above). After unlocking, do not forget to conduct a deep scan of your computer with a licensed anti-virus program with fresh databases.
In case of failure, you will need to use the LiveCD from Dr.Web, designed for emergency system recovery.

Program page: http://www.freedrweb.com/livecd/
Link to download the image: ftp://ftp.drweb.com/pub/drweb/livecd/minDrWebLiveCD-5.0.1.iso
You will need to download and burn the image to disk, making it bootable (this can be done using the CDBurnerXP program, selecting the “Make disk bootable” option when burning). Then set the first boot device in the BIOS so that the computer boots from this disk. LiveCD from Dr.Web already contains tools for treating and removing viruses, but in this case the malicious program can interfere with the launch of the utilities built into the boot disk.
And, most likely, you will need the help of other antivirus utilities recorded on a flash drive. They will need to be renamed to “iexplore.exe”, after which they can be launched. Tools such as AVPTool from Kaspersky (the product description is here: http://support.kaspersky.ru/viruses/avptool2010?level=2) or the AVZ utility (http://z-oleg.com/secur/avz/download.php) can help; however, scripts are needed to work with the latter. To obtain them, you can turn to specialized forums, for example, VirusInfo. Before using the services of forum specialists, carefully read the rules, read the FAQ and register. You will be provided with a script designed specifically for your case. Next, copy the script, select “File – Run script” in the program menu, paste the script into the window that opens and click “Run”. Let us repeat once again: if you are not sure that you can do everything correctly yourself, it is better to contact a specialist.
It has been noticed that some viruses that block access to operating system resources are removed themselves exactly 2 hours after entering the computer. To get rid of the virus, it turns out that it is enough to set the clock in the BIOS forward by more than a couple of hours. After a reboot, the window with the requirement to send an SMS disappears, as do traces of the presence of the virus. Nevertheless, a full scan with an antivirus is recommended for prevention.
4. File-encrypting viruses (encryptors). A special place is occupied by viruses that encrypt data stored on your computer: Trojan-Ransom.Win32.GPCode, Trojan-Ransom.Win32.Encore, Trojan.Ramvicrype. As a rule, files with extensions txt, xls, doc are affected. You can tell that your computer is infected by the lack of access to your information and by a window on the desktop or a text document placed in a directory with encrypted files.
Encryptors are perhaps the most dangerous ransomware viruses. Until recently, there were no standard methods for their treatment. Today, the Dr.Web laboratory offers utilities designed specifically for treating viruses of this type (http://www.freedrweb.com/aid_admin/). Using the link provided, you can download a series of utilities to combat viruses such as Trojan-Ransom.Win32.Encore. They are provided free of charge.
You can also use the free utilities PhotoRec (created by Christophe Grenier, distributed under the GPL license) and StopGpcode2 (a product of Kaspersky Lab). Instructions for using them are described in great detail and clearly on the securelist.com website page:
http://www.securelist.com/ru/viruses/encyclopedia?virusid=313444#doc2
Symantec has developed a utility that fights the Ramvicrype ransomware virus. This virus encrypts files in the system folder, giving them the .vicrypt extension. As a rule, no program can run on a computer infected with this virus. You can download the free Trojan.Ramvicrype Removal Tool on the official Symantec website:
http://www.symantec.com/en/uk/business/security_response/writeup.jsp?docid=2009-102921-3210-99
Before running the Symantec antivirus utility, you must close all programs and disconnect your computer from the network. Attention: the instructions for using the utility also recommend disabling the system restore service. After checking your computer, you need to reboot and scan again. Only after these steps should you restore your network connection and enable the recovery service again.

If none of the above methods help you, you will have to contact technical support specialists on the website of the manufacturer of your antivirus software.
In conclusion, I would like to note that prevention is always better than cure. Therefore, always follow the rules of Internet security and do not skimp on protecting your computer - use licensed anti-virus programs. And yet, it is best to store very important files not only on the computer’s hard drive, but also on some other medium, for example, duplicating them on a CD, DVD or flash drive.

Banner ransomware can be a real headache for a computer owner. It not only hangs in the center of the screen but also blocks all work. You need to get rid of it in any case. Here, be extremely careful: under no circumstances should you send SMS to a paid number! The cost of one such message is usually 300-500 rubles. What's the point of giving your money to scammers when you can remove the SMS banner yourself? Unfortunately, removing the program without help is too difficult, so you will need additional, proven programs as well as practical advice. Some methods are listed below. The simplest one is to call a computer technician to your home, who will solve the problem in a few hours. However, if you lack funds, you can solve the problem yourself, but for this you will need a second, uninfected computer or laptop.

You need to download to your PC (or better yet, to another computer, and then transfer it to a flash card) the free Kaspersky Virus Removal Tool from the company’s official website. After that, press the key combination Ctrl+Alt+Delete (Task Manager). You will usually see the following picture: while you hold these keys, Task Manager appears, but as soon as you release them, it disappears. This is another proof of the presence of a virus on your PC. Without releasing a single key, you need to manage to end the single task listed in Task Manager, since this is the banner program. After you complete all the steps, launch the Kaspersky utility on your PC. After installing the utility, check your PC. As soon as the utility detects the fraudulent program, Kaspersky will respond as follows: “Found *** file. Disinfect and restart the computer.” That is, there will be no “Delete (recommended)” option. After all of the above, the computer automatically restarts. Don't be surprised if you don't find the utility afterwards - it disappeared along with the banner!

Another option, which will be simpler, is, again, removing the fraudulent program using Kaspersky. Still, it is advisable to have a new version of any anti-virus program, and it is not at all necessary that it be Kaspersky Anti-Virus. However, it must already be present on the PC at the time of infection, since after the banner has blocked the ability to install programs, it will no longer be possible to install it. As you can see, only an experienced computer technician can remove an SMS banner without a special program. So purchasing an antivirus program will be the best solution to virus-related problems!


Or other ransomware, you can use a bootable disk or flash drive to completely remove the threat. In this article we will look in detail at how to do this.

  1. You will not be able to access data on an infected computer. Therefore, you need to download the HitmanPro program and use it to create a bootable USB drive;
  2. Use the created flash drive to boot your computer and run the scan. HitmanPro is guaranteed to remove the Trojan if detected;
  3. After restarting the computer, the Windows system will be fully functional and you will be able to access your own data.

Creating a bootable USB drive: You don't need to install HitmanPro. After downloading the program, click on the small man icon to access the dialog for creating a bootable flash drive.

Figure: Once the product detects a threat, the background image turns red. Suspicious files are analyzed on cloud servers. Click Next to initiate the removal process.

Figure: Windows 7 and 8 have a built-in tool for burning ISO images to CDs.

Figure: When you launch the utility for the first time, you must select the interface language.

In both cases, you need to download the ISO image file.

Burning an ISO image to disk

An ISO file is a digital copy of the contents of a disc. You will simply need to burn this image to disk using the built-in tools in Windows 7 or 8. If you are still using Windows XP, you will have to use a third-party program to burn the image.

For users of Windows 7 and Windows 8, you will need to do the following:

  1. Select the ISO file and right-click the mouse to bring up the file’s context menu and select the “Burn disc image” option. If this action is not displayed, call the "Open With" menu and select the "Windows Disc Image Burner" option.
  2. The next step will ask you to insert a disc. Insert a blank disc and check the "Test disc after burning" option and click "Burn".
  3. Burning the image takes a couple of minutes. Once the recording is complete, you are ready to boot from the disc.

Using boot disks to remove threats

Insert the boot disk and restart your computer. After the start screen appears, you need to make sure that the boot will occur from the boot disk; to do this, press the key your computer uses to open the boot menu. When a list of devices that can be booted from appears, select the burned disc.

The remaining steps happen automatically. Boot disks scan the system and, if traces of malware are detected, remove threats. When using an Avira disk, use the "F2" key to select the desired interface language, and then launch the recovery system. After booting the system, a step-by-step wizard will guide you through the steps necessary for successful cleaning.

When using a Kaspersky disk, press any key to access the menu after loading the recovery environment. You will then need to select a language before enabling the graphical mode of the recovery system.

If you have questions when using boot disks, you can ask them on the website or on the forum.

Follow the tests of antivirus solutions on the website to select effective products with maximum protection. If your antivirus allows Trojans, try switching to another antivirus program that shows consistently high results in tests from AV-Test and other independent laboratories.

Some Trojans create a system restore point and use it as a hiding place. If Windows is restored to one of these points, the Trojan remains in the system. It is advisable to delete all restore points. To do this, press the keyboard shortcut “Windows + Pause” and select the “System Protection” tab. Having selected drive C, click the “Configure” button, then click the “Delete” button next to “Delete all restore points”, and then “Next”.

Based on materials from the AV-Test testing laboratory.


This article will discuss ways to unlock and remove ransomware on Windows 7, 8, XP or Vista systems. Basically, viruses of this kind are “Trojans” from the Winlock family. Finding out that it really is a ransomware virus is quite simple.


If your PC is infected, a different image will appear on the monitor. The computer will stop responding to commands. A banner resembling a window will appear before your eyes and offer you to send a paid SMS or transfer money to a specific account to unlock it, after which you will receive a special code that must be entered in the window that appears. After this, supposedly, the system should unlock. There are different types of ransomware viruses, and the difficulty of removing each of them depends on the type.


Method 1. Task Manager and process manager

If you come across a primitive Trojan, then you can use Task Manager. Call it with the combination CTRL+SHIFT+ESC or CTRL+ALT+DEL and terminate the process that should not be running.

In a situation where Task Manager cannot be called, you can use the process manager via the Win+R combination. In the window that opens, enter the word “notepad” and press ENTER. This will open the Notepad application. Then type any characters in Notepad and briefly press the PC power button. After this, the processes will be ended, but the computer will not turn off. Thus, while the virus is disabled, you can check your PC for malware using an antivirus. If there is no antivirus on your computer, you can try to remove the malicious files manually. As a rule, Winlock ransomware settles in the temporary file directories of the system or browser.

You need to check the paths:

C:\Documents and Settings\PC username\

C:\Users\PC username\AppData\Roaming\.

In these directories you need to find the file “ms.exe” and other files with strange names, for example “Hhcxcx.exe” or “0.287999.exe”, and delete them.

Method 2. System Restore

You need to boot the system in safe mode. In the Run window (Win+R), type “C:\WINDOWS\system32\Restore\rstrui.exe” and press ENTER.

The operating system recovery window will open, where you need to select a restore point from those proposed.

It is necessary to choose the point when you can say with 100% probability that the computer was fully functional and “clean” of viruses.

Method 3. Safe mode

If the previous methods did not bring results, then the user is dealing with a more advanced virus. In this case, you will have to remove the virus in