Safe Way to Remove WannaCry and Restore Files

Help! I return to my office today and find my computer attacked by WannaCry. I am not much concerned with such thing before so I really don’t know what to do with it . After that, I google it and surprisingly know that this ransomware has swept the whole globe in last two days and is described by Europol as unprecedented in scale. It demands me to pay $300 worth of Bitcoin if I want to have my file back. I don’t want to pay  for this. Is there anyone can help me with this?


Ransomware is a type of highly dangerous malware that locks a computer or encrypts personal files stored in the hard drives for the purpose of extorting money from the victim. WannaCry belongs to the file-encrypting type which is designed to encrypt important files and demand a ransom for a private key to decrypt those files. If you are attacked by this malware, you can follow the guide provided in this article to try removing it out of your PC.

download removal tool button

1.What is WannaCry?

WannaCry (orWannaCrypt,WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting Microsoft Windows. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting over 230,000 computers in 150 countries, demanding ransom payments in bitcoin in 28 languages.


WannaCry is believed to use the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) to attack computers running Microsoft Windows operating systems.



2.What Happen to Your Files?

Once this ransomware enters your computer it launches immediately and starts encrypting files to make them inoperable. The encrypted files will be added with extra extension and their icons usually start displaying a padlock.

3.What Does This Mean?

This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

4.How Did This Happen?

The attack spreads by hacking unpatched systems as a computer worm.It scans the computer and breaks into TCP 445 Server Message Block by which we can check on shared folders and printers in local area network. It means that as long as you strart you computer, the ransomware sets in secretly and immidiately. You don’t even need to click any e-mail or websites.

5.What Should I Do?

We strongly discourage you from paying the ransom as there is no guarantee that the criminals will provide you with the decryption key or that they will not leave other backdoors to attack you in the future. Instead, we recommend completely removing the threat from your computer and then using our file recovery methods described below.

Manual Removal Instructions:

* Bookmark this page in order to access it after you restart your computer while working on the removal process! You can also print it out or open on another device.

Step 1: Restart your Windows in Safe Mode.

  • Restart your computer.
  • Then softly and repeatedly tap F8 when a black screen with white text appears.


  • Select safe mode.


Step 2: Remove suspicious programs from your startup.

  • Hold Windows key and click R


  • Enter msconfig in the filed



  • The infected or fake startup items usually have “Unknown” listed as Manufacturer.
  • Locate and remove it from startup.



  • Click OK when you finish unselecting all potentially dangerous processes.


Step 3: Clean up Windows temporary files

  • The infected or fake startup items usually have “Unknown” listed as Manufacturer.
  • Enter %temp% in the field; Click OK.


  • All temporary files will be listed in the directory


  • Select all temporary files by simultaneously pressing CTRL + A and delete them permanently by pressing SHIFT + DELETE.



Step 4: Delete virus associated files from system

  • Hold Windows key and click R key.


  • Enter %appdata% in the field; click OK



  • Delete files that associate with wannacry, they are usually recently placed.



 Repeat the deletion step in local file holder


Step 5: Clean up your registry entries.

  • Press Windows  key and click R key


  • Enter regedit in the blank



All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Use the folder tree on the left to navigate to the following directory:




If you find any registry entries that could be associated with Sage (usually randomly named), copy their random names and then delete them by right-clicking on it and choosing Delete.


Then search for the random name you have just copied by pressing keyboard buttons CTRL + F and entering the copied value in the search field. Click Find Next.



Repeat search and delete all registry entries associated with the virus.

Then navigate to the following location and repeat the process:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Fd3KZfCq


Note: Keep in mind that you should follow above instructions carefully. If you are not sure about this, continue to read, the following will show you how to get rid of wannacry ransomware without above complicated manual steps.


Automatic Removal Instructions:

Since it is risky to modify registry since a minor mistake could paralyze your system. We recommend you install a professional malware removal tool. That can save you a lot of time and trouble.

In this case, we recommend using Plumbytes Anti-Malware which is an advanced security tool design to detect and remove various malware threats including browser hijackers, adware, harmful toolbars, Trojans, worms, ransomware, etc. Besides, this tool is equipped with the 24X7 online tech support. If you fail to remove a malware threat using the tool, you can contact the tech support for further help. Here is how to get rid of wannacry ransomware using Plumbytes Anti-Malware.

download removal tool button

(Take 50% off by using this coupon code: PLUMNGZ250)

Run the setup file after it has been downloaded completely. Then, follow the instructions to install Plumbytes Anti-malware on your PC.

You can change the default installation language on the top right corner. Click on the INSTALL button and the setup wizard will start.

install program

When the installation is completed, this program will automatically update its database and perform a new scan for your computer system. It will scan through the whole computer for all kinds of potential malware threats.


You can browse the details of scanning results while the scan is in process.

The time for completing the scan depends on the particular condition on individual computer system. After the scanning gets finished, all detected threats will be marked and you can remove them all by simply clicking on the “REMOVE NOW” button.

If there are any safe programs being wrongfully flagged as malicious items and you want to keep them on your computer, you should deselect them before clicking the “REMOVE SELECTED” button.

scan completed

Once the program finishes the removal, please restart your PC to make the change take effect.

Important Note: The free version of Plumbytes Anti-Malware only supports the malware scan. If you want to want to clean all detected threats, you need to buy its registered version

6.How to Restore Your Files without Paying the Ransom?

Method 1: Use Restore System in Your Computer

The first and best method is to restore your data from a recent backup, in case that you have one.

  • Press Windows key and R key
  • Enter rstrui.exe in the field; click OK

windows code

  • Check Show more restore points.

system restore

  • Restore the system to a point when system has not been attacked.


Method 2: Use File Recovery Software
  • Download Shadow Explorer.
  • Run the program
  • Select the drive and the date that you want to restore from
  • Right-click on a folder name and select Export. The folder will be restored.

shadow explorer

7.How to Prevent?

If your computer hasn’t be attacked by now, we strongly suggest you launch your friewall and close SMB port 445 which is used by Wannacry ransomware to hack in your computer. This step is very effective and important, please don’t skip this part and follow the video below carefully.


By now, have you successfully remove wannacry ransomware? We hope that you have cleaned this malicious threat out of your PC and gain your files back. We would like to remind you that the safest and easiest way to spare you the trouble of data loss caused by ransomware is making a backup of your files and installing a professional malware removal tool.

Learn how to back up your files here and safeguard your PC using a powerful anti-malware program by clicking the button below. This program can keep your computer away from a variety of malware threats and save you much trouble and even money.

download removal tool button

(Take 50% off by using this coupon code: PLUMNGZ250)



Share Button