Thursday, October 10, 2024

How To Remove Ransomware From Your PC

You’ve just turned on your computer and a notepad file opens. It reads that you have been infected with a virus, and unless a ransom in bitcoin is received within 72 hours, you will never be able to access your files again. No one can help you; the only way this can all go away is with a big chunk of change. Or worse yet, there is a lock on your computer stating that the Department of Justice has shut off computer access for illegal use of files, and you have to pay a several-hundred-dollar fine to regain access. Is this really the only solution? Of course not. Here, we take a look at some common ransomware viruses and how to get rid of them for free.

What types of Ransomware are there?

Primarily, there are two types of ransomware. The first, and by far the most common, is the encryptor variety, going by names such as CryptoLocker, Locky, and Tescrypt. These are typically spread from computer to computer through attachments, hiding in such places as the header of PDF files or being composed of JavaScript that executes from other attachments, often alongside a variety of other malware. When infecting a computer, ransomware of this type leaves the operating system files mostly untouched, opting instead to encrypt personal files of all sorts on the drive, save for the .txt file claiming responsibility and offering help at a steep price.

Often, ransomware creators will incorporate real agency logos to try and scare victims; no government agency uses this method of extortion.

It should be noted that there is such a thing as “bluffware”, which often mimics the appearance of any of the aforementioned viruses but can be corrected in a matter of seconds. To test for bluffware, simply right click on any of the “encrypted” files and edit the name to remove the last file extension. For example, if you have myname.pdf.crypted as an encrypted file, right click it, select Rename, and make it myname.pdf. This should in turn reassign the file to open with your standard reader. If the file opens properly, then you needn’t use any of the tools listed below.

If there are many files with this problem, though, you may find renaming each file a chore. However, if you wish to try your hand at a little bit of tech wizardry, you can have this automated and done in a matter of seconds. To do so, open your command prompt (in Windows 10, type cmd into your app search bar). Then point the command prompt at the affected folder (for example, the whole C:\ drive, or just Documents). To do this, type the following and hit enter, replacing Me with your user name:
cd C:\Users\Me\Documents

Then type the following exactly as shown, including the quotation marks, and hit enter; it renames every .crypted file in that folder and its subfolders back to its previous name:
forfiles /S /M *.crypted /C "cmd /c rename @file @fname"

The second and far more insidious form of ransomware is the locking variety. The most common of these is Fakebsod, which, as the name implies, locks the user out of their own machine and allows no core functions to take place. There are other varieties that also infect the TCP/IP stack, locking the computer out from the internet and quite effectively hiding from all but the most astute security programs and professionals.

How to remove Encryptor Ransomware

In truth, removal of ransomware is remarkably simple. Downloading any of the antivirus programs mentioned here will allow the removal, with a simple scan, of the executable files responsible for the active encryption and the ransom popups. When we get to the decryption and recovery of your files, the solution is likewise simple, and satisfyingly ironic.

The first step is to download a decryption program. Personally I have used the free Trend Micro decryption program as a go-to solution for multiple clients, and have yet to lose a single file. First, go to the download site here and download the decryptor. Then a window should appear that asks you to select the specific virus that has infected your computer. Don’t worry if you don’t happen to know the exact malware that did so, as there is an option for the program to take an encrypted file and run a “best guess” to determine the ransomware. After this, you can select which folders need to be decrypted. It’s often best to have the program run through the entire computer (for most users, the entire C:\ drive). In most cases, a notice will pop up saying that Trend Micro needs a copy of an affected file, as well as a clean copy, to try and determine the encryption. To do this, it is recommended that you find an encrypted file that was previously an email attachment, download it again, and upload both into the program. Thus, you can solve a problem caused by opening attachments by opening more attachments.

After the program has finished scanning, there are two final steps. The first is opening a few test files (particularly at least one .pdf, one .docx and one .png if available) and making sure they open properly. If so, then delete all the copies of those files that remain encrypted. To do this quickly, open your command prompt by typing cmd into your program search bar. Then type the following command:
del /s /q /f c:\*.crypted
where crypted can be replaced by whatever file extension the ransomware placed on those files.

What this command does: del deletes files; /s applies this to the folder and every subfolder; /q runs quietly, without asking for confirmation on every single file; /f forces the deletion of read-only files; and c:\*.crypted selects only the files on the C drive that carry the extension the ransomware added. Note there must be no space between c:\ and *.crypted, otherwise del would be told to delete everything under c:\ as well.
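The bluffware test and the final clean-up above are both safety checks on file contents, so here is an added example (not from the article or from any vendor tool) that does both in Python: it peeks at the bytes under the bogus extension to decide whether a file was merely renamed or really encrypted, renames only the bluffed ones back, and deletes a leftover .crypted copy only when a decrypted sibling exists and passes the same check. It assumes the ransomware appended .crypted, and the magic-byte table is a small constructed one you would extend for your own file types.

```python
from pathlib import Path

# Leading bytes ("magic numbers") that a genuine file of each type starts with.
# Constructed table for the example; add the types you care about.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",   # DOCX/XLSX are ZIP containers
    ".jpg": b"\xff\xd8\xff",
}

def has_magic(path: Path, ext: str) -> bool:
    """True if the file's first bytes match what a real <ext> file starts with."""
    expected = MAGIC.get(ext.lower())
    if expected is None:
        return False
    with open(path, "rb") as fh:
        return fh.read(len(expected)) == expected

def triage(path: Path, ransom_ext: str = ".crypted") -> str:
    """'bluff' if the content under the bogus extension is still intact,
    'encrypted' if it really changed, 'skip' if it is not a known document type."""
    if path.suffix.lower() != ransom_ext:
        return "skip"
    original = path.with_suffix("")          # myname.pdf.crypted -> myname.pdf
    if original.suffix.lower() not in MAGIC:
        return "skip"
    return "bluff" if has_magic(path, original.suffix) else "encrypted"

def restore_bluffed(root: Path, ransom_ext: str = ".crypted") -> list:
    """Rename every bluffware-renamed file back to its original name."""
    restored = []
    for path in list(root.rglob(f"*{ransom_ext}")):
        if triage(path, ransom_ext) == "bluff":
            path.rename(path.with_suffix(""))
            restored.append(path.with_suffix("").name)
    return sorted(restored)

def purge_encrypted_copies(root: Path, ransom_ext: str = ".crypted") -> list:
    """Delete a leftover .crypted file only when a decrypted sibling exists and
    passes the magic check, so nothing is removed without a verified good copy."""
    deleted = []
    for path in list(root.rglob(f"*{ransom_ext}")):
        original = path.with_suffix("")
        if original.exists() and has_magic(original, original.suffix):
            path.unlink()
            deleted.append(path.name)
    return sorted(deleted)
```

Run restore_bluffed on the affected folder before reaching for a decryptor, and purge_encrypted_copies only after the decryptor has finished.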

How To Remove Fake BSOD

FakeBSOD programs often have a “toll-free” line, where they will try to get you to pay large sums to get your computer “fixed”.

Fake BSOD (Blue Screen of Death) is a particularly nasty JavaScript virus, typically found, as all of these are, within corrupted attachments or file downloads. It can infiltrate and lock down everything from your firewall programs to your Windows Registry, and can hide in multiple folders throughout your PC, making it a severe pain to handle; deleting it comes with a significant, though not monetary, cost. Resolving this issue can require restoring your PC to its last stable state, which, if you have never backed up your PC before this point, more or less means a factory reset. That being said, it’s better to have to essentially start over with your current PC than to use it as a several-hundred-dollar paperweight. Even so, try the non-restore method first on the off chance that a restore won’t be needed.

To remove Fake BSOD for good without a restore, take the following steps:
Step One: Boot your PC into Safe Mode with Networking enabled. For Windows 8 and 10, click the power button and, while holding the Shift key, select Restart, then Enable Safe Mode with Networking.
Step Two: In Safe Mode, open File Explorer and click on the menu tab labeled View.
Step Three: Click on “Show Hidden Items”, then select Options and enable the radio button. This should expose the infected folders, typically under the JS/FakeBsod.A nomenclature. Delete these folders.
Step Four: To check that your system is clean, open the command prompt and type the following command, which opens the Windows hosts file; the virus may have added entries here that point domain names at foreign IP addresses (where the virus came from):
notepad %windir%\System32\drivers\etc\hosts
If there are no unfamiliar entries, you can continue using your computer as normal.
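Reading the hosts file by eye is error-prone, so here is an added example (not from the article) that audits it: it parses the file, ignores comments and the default localhost lines, and flags anything else, with a harsher reason when a name belonging to a security or update vendor has been redirected, which is a common trick for keeping victims away from help. The watch-list of vendor domains and the sample hosts text are constructed for the example; point it at the real file with open(r"C:\Windows\System32\drivers\etc\hosts").read().

```python
import ipaddress

# Entries a stock Windows hosts file may legitimately contain.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed watch-list: sites a victim needs to reach for help or updates.
WATCHED_DOMAINS = ("microsoft.com", "windowsupdate.com",
                   "malwarebytes.com", "trendmicro.com")

def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                    # one IP may be followed by several names
            entries.append((parts[0], host.lower()))
    return entries

def audit_hosts(text: str) -> list:
    """Flag every non-default entry as (ip, hostname, reason)."""
    findings = []
    for ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, host, "malformed address"))
            continue
        if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
            findings.append((ip, host, "security/update site redirected"))
        elif not addr.is_loopback:
            findings.append((ip, host, "name pointed at outside address"))
        else:
            findings.append((ip, host, "non-default loopback entry"))
    return findings

# Constructed sample, modelled on what an infection might leave behind.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.malwarebytes.com malwarebytes.com
203.0.113.7 update.microsoft.com
203.0.113.7 intranet.example   # not a vendor, but not default either
"""
```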

If this solution fails, then a restore is in order. To do this, restart the computer in Safe Mode as described above. Then open the command prompt and type the following:
cd restore
Press enter, and then type in the following, followed by enter again:
rstrui.exe
This will open the restore menu, and allow you to pick a restore date. Then, confirm you wish to restore, and restart your PC one final time afterwards to be rid of Fake BSOD permanently.

How To Remove TCP/IP Ransomware

As mentioned earlier, TCP/IP ransomware can be particularly tricky to handle. This is primarily because the TCP/IP stack is used to communicate with the internet and local connections, making any outside help to the affected PC significantly more difficult. This is far from impossible to fix, though. First, if you have a program such as those listed in our top 10 free antivirus programs, be sure to run it to quarantine the malware. If you do not, it is recommended that you use a secondary PC to download one of these programs onto a USB stick, then run the executable once the stick is plugged into the affected PC. In this case, it is also recommended to do a redundant scan, preferably with a program such as Malwarebytes. After this procedure is finished (typically around 15-30 minutes in total), reboot your PC.

Another way to reset Winsock.

Next, open up your command prompt via the program search bar. Then, type in the following command:
netsh int ip reset resetlog.txt
This will reset your TCP/IP protocols and settings to what they were as originally configured when you bought the PC. Next, reset Winsock (the Windows component that handles input and output for internet connections). To do this, type in the following command:
netsh winsock reset
After this has reset, restart your computer one more time. You should now have complete network access once again.

A Final Word

As with any malware, ransomware can adapt quickly to security solutions. Therefore, it’s always recommended that you set a restore point after stabilizing your system, in case the worst should occur. Also, if you have recently been infected with ransomware, be sure to secure your identity. As always, thank you for relying on GazetteReview for your tech troubleshooting needs, and safe searching.

Cody Carmichael
University graduate in Psychology, and health worker. On my off time I'm usually tinkering with tech or traveling to the ends of the globe.