Monday 3 December 2012

Kaspersky WindowsUnlocker to fight ransom malware


This section explains how to neutralize complex malware, that is, cases where user participation is required, for example to modify the system registry or run a special utility. If you have not found the information you need in this section, please submit a request to Kaspersky Lab Technical Support.

 
 

 
 


Article ID: 8005

  

  

  

If a banner (advertising module) appears on the screen while you are working with the computer and demands that you send an SMS to a specified phone number, your computer is infected with ransom malware. Such malware is created to block access to a computer or restrict access to some of its functions, and to demand a ransom for restoring computer functionality.

To fight ransom malware, Kaspersky Lab specialists designed a special utility, Kaspersky WindowsUnlocker. The utility can be launched when your computer is started from Kaspersky Rescue Disk 10 and works in both the graphic and text modes of Kaspersky Rescue Disk.

This article describes in detail how to work with the Kaspersky WindowsUnlocker utility:

  1. Functions of Kaspersky WindowsUnlocker
  2. How to start computer from disk with the utility
  3. How to launch Kaspersky WindowsUnlocker and disinfect computer
  4. How to scan computer using Kaspersky Rescue Disk
  5. Reports of Kaspersky Windows Unlocker
  6. If Kaspersky WindowsUnlocker won't help

1. Functions of Kaspersky WindowsUnlocker

The Kaspersky WindowsUnlocker utility is designed to disinfect registries of all operating systems installed on the computer (including operating systems installed on different partitions or in different folders on one partition) and disinfect user registry trees. Kaspersky WindowsUnlocker does not perform any actions with files (in order to disinfect files you can use Kaspersky Rescue Disk).


2. How to start computer from disk with Kaspersky WindowsUnlocker


Kaspersky Rescue Disk should be recorded to a CD/DVD or removable USB device on an uninfected computer connected to the Internet.

 
 

1. Download the disk with Kaspersky WindowsUnlocker

Download kav_rescue_10.iso (~236 MB) from the Kaspersky Lab server.

2. Record the image to a CD/DVD or removable device

2.1 How to record the image to a CD/DVD


You can record the iso image to a CD/DVD using any disc recording program (for example, Nero Burning ROM, ISO Recorder, DeepBurner, Roxio Creator, etc.).

 
 

2.2 How to record the image to a removable USB device

In order to record the image to a removable USB device, perform the following actions:

  1. Connect your removable USB device to the computer.

     To record the image successfully, the USB device must have a capacity of at least 256 MB and use the FAT16 or FAT32 file system. If the device is formatted with NTFS, you need to reformat it as FAT16 or FAT32. Do not use a USB device that has another operating system installed on it; this may cause your computer to boot incorrectly.

  2. Download the utility to record the image to USB devices from the Kaspersky Lab server (~378 KB).
  3. Run the downloaded file rescue2usb.exe.
  4. In the Kaspersky USB Rescue Disk Maker window, click Browse... and select the iso image of Kaspersky Rescue Disk.
  5. Select the required USB device from the drop-down menu.
  6. Click START.
  7. Wait until the process is complete.
  8. Click OK in the window informing you that Kaspersky USB Rescue Disk has been successfully created.


3. Configure the computer


To open the BIOS menu, use the Delete or F2 key. On some motherboards, the keys F1, F10, F11 and F12 or the following combinations may be used:

  • Ctrl+Esc
  • Ctrl+Ins
  • Ctrl+Alt
  • Ctrl+Alt+Esc
  • Ctrl+Alt+Enter
  • Ctrl+Alt+Del
  • Ctrl+Alt+Ins
  • Ctrl+Alt+S

Information on how to open the BIOS menu is displayed at the start of the OS boot.

  1. Enable booting from CD/DVD ROM or a removable device in the BIOS settings (for more details, refer to the documentation for the motherboard installed on your computer):
    • If you recorded the image to a CD/DVD, select CD-ROM Drive.
    • If you recorded the image to a removable USB device, select Removable Devices.
  2. Insert the disk into the CD/DVD ROM drive or connect the removable USB device.

4. Boot your computer from Kaspersky Rescue Disk 10

  1. Restart your computer. After the reboot, a message will appear on the screen: Press any key to enter the menu.
  2. Press any key. A loading wizard will start (you will see the menu to select the required language).

     If you do not press any key within 10 seconds, the computer boots from the hard drive automatically.

  3. In the start-up wizard window that opens, select the graphic interface language using the cursor keys. Press the ENTER key on the keyboard.
  4. Select one of the following start-up methods:
    • Kaspersky Rescue Disk. Graphic Mode loads the graphic subsystem.
    • Kaspersky Rescue Disk. Text Mode loads the text user interface represented by the Midnight Commander (MC) console file manager.
  5. Press the ENTER key on the keyboard.
  6. The End User License Agreement of Kaspersky Rescue Disk 10 will be displayed on the screen. Read the agreement carefully. If you agree with all of its statements, press 1 to accept the agreement; press 2 to reboot or 3 to shut down the computer.

Once you have performed the actions described above, the Linux operating system starts. It scans connected devices and detects the operating systems installed on the computer. Once the operating system is booted, you can start working with it.

If the host operating system is in sleep mode or was not shut down correctly, you will be informed about it.

In order to shut down the operating system correctly, select Restart computer.


If you select Continue, Kaspersky Rescue Disk will continue mounting the file system, but there is a fairly high risk of file system damage.

If you select Skip, Kaspersky Rescue Disk will skip file system mounting. Only boot sectors and autorun elements will be scanned. In this case the file system can also be damaged.


3. How to launch Kaspersky WindowsUnlocker and disinfect the registry

In order to disinfect the registry using Kaspersky WindowsUnlocker, perform the following actions:

  • If you booted Kaspersky Rescue Disk in the graphic mode, click the K button in the bottom right corner of the screen and select Terminal in the menu. At the command prompt, enter the command windowsunlocker and press Enter on the keyboard.

  • If you booted Kaspersky Rescue Disk in the text mode, press F10 to close the menu. At the command prompt at the bottom of Midnight Commander, enter windowsunlocker and press Enter on the keyboard.


 
 


After the utility starts, a menu of commands appears in the Terminal window (to select a command, press the corresponding key and then press Enter on the keyboard):

  • 1 – Unblock Windows (the utility will clean the registry and display the results in the window).

    Kaspersky Lab experts strongly recommend performing this action.

  • 2 – Save boot sector copies (the utility will copy boot sectors into the Quarantine folder; the path to the created files, /var/kl/WUnlocker.1.2.0.0_%dd.mm.yy_hh.mm.ss_quarantine/, will be displayed on the screen).

  • 0 – Exit.


4. How to scan computer using Kaspersky Rescue Disk

After cleaning the registry, you need to remove the remains of the ransom blocker from your computer. To do this, run a full computer scan using Kaspersky Rescue Disk.


5. Reports of Kaspersky WindowsUnlocker

Kaspersky Lab specialists may request the utility's report (log file) in order to analyze your request to Kaspersky Lab Technical Support. You can create a request via the My Kaspersky Account service. To view the utility report, perform the following actions:

  1. On the desktop, double-click File Manager to open it (if you work in the text mode, close User Menu by pressing F10).
  2. In the File Manager menu (in the text mode, Midnight Commander), find the folder /var/kl (or /var/tmp in case the first folder is not accessible) and open it.
  3. The folder containing the text file with the name WUnlocker.1.0.1.0_%dd.mm.yy_hh.mm.ss_log%.txt will open. The file contains reports on the work of Kaspersky WindowsUnlocker.
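
The same lookup can be done from the Rescue Disk terminal instead of the file manager. This is an added example, not part of the Kaspersky article or utility: the function names and the script name wu_find.sh are hypothetical, and the glob patterns assume that the %...% parts of the documented names are filled in with a date and time.

```shell
#!/bin/sh
# Added example (not Kaspersky code). Function names are hypothetical.
# Name patterns follow the article: WUnlocker.<version>_<date>_<time>_log.txt
# and ..._quarantine/; the glob accepts any version, since the article shows
# both 1.0.1.0 and 1.2.0.0.

# Print the first directory in the argument list that exists and is readable.
wu_pick_dir() {
    for d in "$@"; do
        if [ -d "$d" ] && [ -r "$d" ] && [ -x "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# List report files, newest first, from the first accessible directory.
wu_reports() {
    dir=$(wu_pick_dir "$@") || return 1
    ls -dt "$dir"/WUnlocker.*_log*.txt 2>/dev/null
}

# Print only the most recent report; fail if there is none.
wu_latest_report() {
    latest=$(wu_reports "$@" | head -n 1)
    [ -n "$latest" ] && printf '%s\n' "$latest"
}

# List boot-sector quarantine folders created by menu command 2.
wu_quarantine_dirs() {
    dir=$(wu_pick_dir "$@") || return 1
    ls -dt "$dir"/WUnlocker.*_quarantine 2>/dev/null
}

# Usage from the Rescue Disk terminal: sh wu_find.sh --run
if [ "${1:-}" = "--run" ]; then
    wu_latest_report /var/kl /var/tmp ||
        echo "No WindowsUnlocker report in /var/kl or /var/tmp" >&2
    wu_quarantine_dirs /var/kl
fi
```

As in the article, /var/tmp is consulted only when /var/kl is not accessible, not when /var/kl is merely empty.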


When you finish working with the Kaspersky WindowsUnlocker utility, restart your computer and select your hard drive in the Boot menu of the BIOS settings.


6. If Kaspersky WindowsUnlocker won't help

If you have any questions about using the utility or cannot perform some of the steps in these instructions, visit the Kaspersky Lab official forum.


Inserted from <http://support.kaspersky.com/faq?chapter=176492791&print=true&qid=208285998>
