How to remove Wana Decrypt0r virus and restore .WNCRY encrypted files

Wana Decryptor exploits Windows vulnerability and infects users computer without any visible activity. After computer penetration, victim can see background that remind him that the files were encrypted. Additionally, there are pop-up window with information about virus. We try to answer next questions: how to delete Wana Decrypt0r and restore the encrypted data.


Wana Decrypt0r ransomware virus


The virus gets on your machine through malicious additions in electronic mail or through 445 internet port, and after that straight begins to encode folders. If you didn't manage to stop the virus before it got in, then your files will be encrypted. Wana Decrypt0r encodes all file types, including video, text, images and audio. The encoding takes from five minutes to several hours. Encoding speed might vary depending on the computer capacity and the number of information stored on it. The amount of payment is 300 USD and if you have not pay for three days sum will be doubled. And after 7 days criminals threaten to delete files.

Ransomware is the very dangerous kind of viruses that may be faced by the user. Most of viruses only call discomfort, and the fruits of their actions can be eliminated in few minutes, but ransomware brings major harm, and in most cases, you need to spend funds and time to fix it. The very malicious of all is the encrypting ransomware, like Wana Decrypt0r, which makes greatest gain to its developers, and major losses to its victims.


Encrypted files


The majority of ransomware apply extremely complex encryption algorithms like AES-128 and RSA-2048, which easily protect the files of countries, secret services and big corporations. Wana Decrypt0r isn't an exception. This means that you only have single absolutely reliable method to recover the files: to use the backup. The absence of backups mean that you can forget about your files, because you cannot be sure that hackers, which stolen your files, won’t trick you one more time when the payment will be received. Your data may be decrypted in few ways, but they aren't absolutely efficient.

File restore is the main objective, which you care about, if your files were infected by the encrypting virus. Nonetheless, the virus should be removed to protect new files. It does not matter which recovery technique you choose, you still have to eliminate Wana Decrypt0r. Using the manual decryption or the backups load, you must delete Wana Decrypt0r ASAP, and if you prefer to pay those criminals - Wana Decrypt0r must be deleted before the complete data recovery. The removal can be performed with use of special antivirus program, or in manual mode. Swiftness and reliability of both manners are identical, but the requirements for your experience and knowledge are extremely different. 

How to remove Wana Decrypt0r Virus




Step 1. Disable 445 internet port


Start command line as administrator.

  • Press Start
  • Type Cmd and Run it As administrator
  • Type Netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="Block_TCP-445"
  • press Enter

Step 2. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 3. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 4. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 5. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 6. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 7. Scan computer with antivirus


You can use Avast, Dr.Web, Emsisoft or other trusted antivirus. We can suggest Spyhunter as antivirus tool.


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program for 39.99$. More information about Spyhunter, EULA and Privacy policy.


Step 8. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

Step 9. Update Windows


This is very important step that can help you to prevent new infection!

How to restore files encrypted by Wana Decrypt0r

If you did not reset your system after encryption, you can run these decryptors:

For Windows XP:

For Windows XP, Windows 7, Vista, 2003 and 2008 server:


In this guide we have told few times that the customer whose system is captured with ransomware has only one 100% efficient technique to recover data: to load the backups. You should try other manners if you have no option, but be prepared that they might fail. The only advantage of backups is that they are kept on an external drive, and aren't sensitive for viral exposure.

All other ways depend on the Windows in-built services, and their efficiency may be lowered by the complexity of the ransomware and the lack of skill. Anyway, except the backup copies, and the paying of ransom, there are two complementary ways to recover your files. They are: Shadow Volume Copies service and the decryption with help of special decryption program. Decryption using the special decryptor is quite effective, but unfortunately, this tool does not yet exist. News on the progress in the developing of such program can be found on Kaspersky lab, MalwareHunterTeam and EmsiSoft official sites. By-hand restore via shadow copies can be done without any preparation. You may use the basic functionality of Windows OS, but, we offer you more comfortable programs that will significantly simplify your task. These programs are completely toll-free, and they were made by reliable developers. Their names are ShadowExplorer and Recuva, and you may find more information on the official websites.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore






Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 5.00 [1 Vote]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience