Follow these steps to unlock a windows session that may have been locked by ransomware variants especially ones using skype.dat as a malicious file name:
-
Start Windows in Safe Mode.
-
Log on to Windows using either a local admin account or a non-infected user with admin privileges.
Type "regedit.exe" in the command prompt, and then press ENTER to open the Registry Editor.
-
Select HKEY_USERS on the left then click File > Load Hive.
-
Go to the infected user's home folder and select the file called NTUSER.DAT then click Open.
NTUSER.DAT is a hidden file so depending on current system setting, you might not see it. In case hidden files are not shown, once you are in the correct folder, type the filename you want to open. -
Provide a Hive name to which the user registry will be loaded. Enter "Infected" on the text field and click OK.
-
Go to the following registry key:
HKEY_USERS\Infected\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
-
Select Winlogon on the left then check if you see "Shell" on the right. If you do, double-click "Shell" to fully see its data. By default, the data value should be Explorer.exe. Anything after that is the full path to the possible malicious file.
In this example, the suspected file is located in the c:\Documents and Settings\Tom\ folder and the file name is skype.dat
Leave the Shell value intact. -
Take note of the path and filename and close the registry editor. On the command prompt, type the following command and press enter:
ren Source_full_path New_filename
Where:
Source_full_path -> the full path to the file including the file name.
New_filename -> the new file name without any path.If the full path has spaces, enclose it with "". - Reboot the system and log on to the infected user account.
If the login is a success, collect the renamed file and send it to Trend Micro Technical Support within a password protected archive.