Severity scale: 99/100

Petya virus. How to Remove? (Uninstall Guide)

Also known as Petya ransomware | Type: Ransomware

The dangerous Petya virus and facts you should know about it

Petya virus is a ransomware-type program which takes over users' computers and uses strong encryption to lock the files they contain. This ransomware has been growing ever since it hit the Internet, releasing supplementary ransomware versions, such as Mischa ransomware, and even forming an affiliate campaign called the "Janus Cybercrime Solutions". The ransomware itself is extremely dangerous and may infect practically any PC, but its primary targets are the computers of German companies. This malicious program enters the victims' computers stealthily and carries out its malicious activities without the computer owner even suspecting that the computer might be under threat. Petya ransomware encrypts files with very complex RSA-4096 and AES-256 algorithms, which are even used for military purposes. Such encryption is impossible to reverse without a private key. Of course, as is typical of other ransomware programs like Locky virus, CryptoWall virus, and CryptoLocker, this private key is stored on some remote server, which can only be accessed by paying a ransom to the virus creators.

Unlike other ransomware programs, after this virus is launched, it immediately restarts your PC, and when it boots again, a message shows up on the screen saying: “DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!”. Even though it may look like a system error, at that moment Petya virus is in fact silently carrying out file encryption in the background. If the user tries to reboot the system, or once the file encryption has been executed, a flashing red skeleton appears on the screen along with the text “PRESS ANY KEY!”. Finally, after a key is pressed, a new window with a ransom note appears. In the ransom note, the victim is asked to pay 0.9 Bitcoin, which equals around $400. However, this is only the price for one computer; therefore, for companies which have numerous computers, the sum may run to thousands. What also sets this ransomware apart is that it gives the victims a whole week to pay the ransom, instead of the usual 12-72 hours allowed by other viruses of this category.

What is more, the problems with Petya do not end there. Once this virus is in the system, it will try to overwrite the Windows boot files, the so-called master boot record (MBR), which is required to load your operating system. You will not be able to remove Petya virus from your computer unless you restore your MBR settings. Even if you manage to fix these settings and to delete the virus from your system, unfortunately, your files will remain locked, because virus removal does not decrypt the encrypted documents but merely deletes the infectious files. Of course, virus removal is essential if you want to continue using your computer. We advise using sophisticated and reputable antivirus tools like Reimage to take care of the Petya removal.
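One way to notice the MBR overwrite described above is to compare the boot sector, read from a rescue environment, with a hash recorded while the machine was clean. The following Python code is an added example, not part of the original guide; the sample sectors and the baseline are constructed, and the function names are illustrative.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510..511


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code area only (partition table excluded)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def inspect_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Compare a 512-byte MBR sector with a hash recorded on a clean system."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_changed": boot_code_hash(sector) != baseline_hash,
        "partitions": partitions,
    }


def build_sample(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code plus one NTFS partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + bytes(48) + SIGNATURE


# Constructed data, not real boot code: a "clean" sector and an overwritten one.
CLEAN = build_sample(b"\xeb\x3c\x90CLEAN-LOADER")
OVERWRITTEN = build_sample(b"\xfa\x66\x31OVERWRITTEN")
BASELINE = boot_code_hash(CLEAN)   # assumed to be recorded while known-good

if __name__ == "__main__":
    print(inspect_mbr(CLEAN, BASELINE))
    print(inspect_mbr(OVERWRITTEN, BASELINE))
```

The overwritten sample still has a valid boot signature and partition table, so only the boot-code hash comparison reveals the change.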


How can this malware infect your PC and can you prevent the intrusion?

Petya virus is usually distributed through spam emails, which contain a Dropbox download link to a file called "application folder-gepackt.exe" attached to them. The virus activates when the mentioned file is downloaded and opened. Now that you know how this virus spreads, you might already have an idea of how to protect your computer from this attack. Of course, you need to be careful about opening emails which are received from suspicious and unknown sources and which feature supposedly relevant information that does not relate to your expected correspondence. You should also avoid emails in the “spam” folder, since the majority of email providers automatically filter emails and place suspicious content in this particular folder. Nevertheless, you should not trust this built-in filter entirely, because potentially hazardous emails may slip into your regular inbox as well. Also, make sure you equip your system with reputable antivirus software and keep it up to date. Finally, it is always recommended to keep a system backup stored on some external drive in case of emergency.

UPDATE: Security experts have just announced a Petya ransomware decryption key, which can help you decrypt your files with a special algorithm. To get a chance to use this algorithm, you need to visit this website. However, the decryption of your files shouldn't be your only concern. You should also make sure that you remove Petya ransomware from your computer before it starts a second encryption of your files. For that you can use Reimage or Malwarebytes Anti Malware. If you run into any trouble while performing Petya removal, check the detailed removal guide on the second page of this post.

UPDATE 2: Petya ransomware creators are not stepping back from improving and distributing their malicious software. In the latest version of the virus, which emerged earlier this month, the hackers finally managed to apply a Salsa20 encryption algorithm, eliminating the previous vulnerabilities of the virus. Otherwise, the virus functions similarly to its previous version, spreading in the form of a corrupted PDF file. Although it is still unclear what techniques the virus developers apply for the distribution of this new variant of the infection, it can be presumed that spam emails and fake software updates will be the main focus.

UPDATE 3: Developers of Petya and Mischa ransomware are trying out new techniques to increase the distribution rate of these fraudulent programs by setting up an affiliate campaign in which they invite regular Internet users to take part and earn some money. Depending on the volume of the ransom payment, the users can earn up to 85% of the revenue share for spreading the virus around the Internet. Of course, the criminals also require a registration fee to sift out the "timewasters and kiddies". If you even consider becoming an affiliate of such a nasty company, keep in mind that its creators hold nothing sacred and can easily take advantage of you as well, so be very careful.

Petya removal and system recovery after the attack:

As we already mentioned, uninstalling Petya ransomware from your computer is essential for the safety of your future files. Also, restoring data from external drives can only be carried out when the virus and all its related parts are fully eliminated from the PC. Otherwise, Petya may infiltrate and lock the files on these external drives as well.
You cannot remove Petya from your computer through the simple uninstall procedure, because that option is not available with this malicious program. This means that you will have to delete the virus automatically. Automatic Petya removal should be carried out using some trusted antivirus software, which will detect and delete this virus from your computer. However, if you encounter trouble removing this virus automatically, or it blocks your antivirus from running, you can always check our detailed virus removal instructions provided at the end of this article.

It might be that we are affiliated with any of our recommended products. Full disclosure can be found in our Agreement of Use. By downloading any of provided Anti-spyware software you agree with our Privacy Policy and Agreement of Use.
Reimage is recommended to uninstall Petya virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.

Method 1. Remove Petya using Safe Mode with Networking

Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
  • Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
  • Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
  • Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
  • Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
Step 2: Remove Petya

Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete the Petya removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Reimage is a tool to detect malware. You need to purchase full version to remove infections.

Method 2. Remove Petya using System Restore

Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
  • Select Safe Mode with Command Prompt from the list.
Windows 10 / Windows 8
  • Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
  • Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
  • Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
Step 2: Restore your system files and settings
  • Once the Command Prompt window shows up, type 'cd restore' without quotes and press Enter.
  • Now type 'rstrui.exe' without quotes and press Enter again.
  • When the System Restore window shows up, click Next and select a restore point that predates the infiltration of Petya. After doing that, click Next.
  • Now click Yes to start the system restore.
Once you have restored your system to a previous date, download Reimage, scan your computer with it, and make sure that the Petya removal has been performed successfully.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Petya and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Lucia Danes - Virus researcher


Comments on Petya virus

Ulysses
It does not only target companies' PCs!!! My friend got his files locked not that long ago. I'm afraid he might have sent this virus to me by mail or something...

MontyPytonFan4Ever
I cannot imagine losing my files! Programs like these are the worst...
