Last Updated on November 12, 2024 by Mathew Diekhake

The following tutorial demonstrates how to remove the malware from your computer.

Method One: How to Remove WinLock2 Ransomware by Manually Scanning Files, Folders, and Drives with Windows Defender

Windows 10’s default antivirus program, Microsoft Defender, (known as Windows Defender before the  Windows 10 November 2019 Update) doubles as very good antivirus and antimalware protection. The term “antimalware” is a more modern version of the term “antivirus” because a multitude of malicious programs exist today rather than computer viruses alone. Microsoft Defender finds all sorts of malware and is antimalware that keeps the traditional antivirus name to avoid confusion. That said, Microsoft Defender still might not remove a Potentially Unwanted Program (PUP) on your computer until you enable the PUP protection first. If you tried an antivirus/antimalware scan with Microsoft Defender and the malware was not found, you can try enabling the PUP protection and try again before installing third-party software on your computer.

See also: How to Use Malicious Software Removal Tool in Windows 10

Note: The terms “Potentially Unwanted Programs” (PUPs) and “Potentially Unwanted Applications” (PUAs) are interchangeable. When referring to misleading software installed as a bundle or without users’ consent, common antimalware programs use the term “PUP;” however, Microsoft prefers “PUA” in Windows 10.

Part One: How to Enable or Disable Microsoft Defender PUA Protection in Windows 10

When removing Potentially Unwanted Programs from your computer with the default Microsoft Defender antivirus, you should enable PUP protection first. Here is how to do that:

Option One: How to Enable or Disable Microsoft Defender PUP Protection in Windows PowerShell

1. Open an elevated Windows PowerShell. See this tutorial to read all the different ways in which you can open the elevated version of the Windows PowerShell: How to Open Elevated Windows PowerShell in Windows 10

2. If you are prompted by User Account Control, click on the Yes button.

3. Type one of the following commands into the Windows PowerShell window, depending on what you want to achieve, and then press the Enter key on your keyboard to execute it:

To Enable Microsoft Defender PUA Protection:
Set-MpPreference -PUAProtection 1
or
Set-MpPreference -PUAProtection Enabled

To Disable Microsoft Defender PUA Protection (Default):
Set-MpPreference -PUAProtection 0
or
Set-MpPreference -PUAProtection Disabled

Audit Mode – detects PUPs, but does not block them:
Set-MpPreference -PUAProtection 2
or
Set-MpPreference -PUAProtection AuditMode

4. Restart the computer before attempting to run a new Microsoft Defender antivirus scan that searched for extra PUPs.

You can now close the Windows PowerShell window and continue using your computer if you like.

Option Two: How to Enable or Disable Microsoft Defender PUA Protection in Local Group Policy Editor

Notes:

  • You can only use this option from the Local Group Policy Editor starting from Windows 10 version 1809.
  • The Local Group Policy Editor is only available in Pro, Enterprise, and Education editions of Windows 10.
  • Though Microsoft changed the name Windows Defender to Microsoft Defender in Windows 10 version 1909, as of yet, the Local Group Policy Editor has not been updated to reflect this change. Should there come a time when the following path no longer works, try exchanging Windows Defender for Microsoft Defender in the Local Group Policy Editor where applicable.

1. Open the Local Group Policy Editor (gpedit.msc). See this tutorial to read all the different ways in which you can open the Local Group Policy Editor: How to Open Local Group Policy Editor in Windows 10

2. Using the Local Group Policy Editor’s left pane, navigate through to the following location:

Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus

3. With Windows Defender Antivirus selected, click on Configure detection for potentially unwanted applications from the right pane. (click to enlarge screenshot below)

Windows Defender Antivirus -- Configure detection for potentially unwanted applications

4. From the Configure detection for potentially unwanted applications policy, select either Not Configured (to turn off Windows Defender PUP protection), Enabled (to turn on Windows Defender PUP protection), or Disabled (to turn off Windows Defender PUP protection). (click to enlarge screenshot below)

Note: If selecting Enabled, a drop-down menu appears in the Options window that offers additional options to configure the group policy if you like. For example, from the drop-down menu, you can select Blocked which means the Configure detection for potentially unwanted applications policy will be enabled, and the potentially unwanted programs will be blocked from being downloaded onto your computer. It is suitable for most people to select Blocked from the drop-down menu in the Options window to stop PUPs getting onto your computer in future.

Configure detection for potentially unwanted applications policy settings

You can now close the Local Group Policy Editor and continue using your computer if you like.

Part Two: How to Manually Scan Files, Folders, and Drives with Microsoft Defender in Windows 10

Windows 10 provides the latest antivirus protection with Windows Security. Your device will be actively protected from the moment you start Windows 10. Windows Security continually scans for malware (all types of malicious software), viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep your device safe and protected from threats.

Some features differ if you are running Windows 10 in S mode. Because this mode is streamlined for tighter security, the Virus & threat protection area has fewer options. However, that does not mean it is less secure—the built-in security of this mode automatically prevents viruses and other threats from running on your device, and you will receive security updates automatically.

Microsoft Defender automatically scans your system periodically, so it should pick up and remove any malware on your computer by itself over time. If you need a quick solution, Microsoft Defender also allows for manual scans so that you can scan any location on the operating system immediately.

Note: The Microsoft Defender antivirus application shown below comes out of the box on all versions of Windows 10, the latest version of Windows operating system. If you are running an older version of Windows, such as Windows 7, then you can skip to one of the next parts that shows you how to install a third-party antimalware application instead.

Option One: How to Scan with Microsoft Defender Using Context Menu

Here is how you can run an antivirus scan with the built-in Microsoft Defender antivirus program from the context menu of a file or folder:

Notes:

  • The Windows Security is available in all versions of Windows 10 after version 1703.
  • While Microsoft has changed the name from Windows Defender to Microsoft Defender as of Windows 10 version 1909, most locations around Windows, including the context menu via File Explorer, still list the older Windows Defender name. Should there come a time when the following path no longer works, try clicking on Scan with Microsoft Defender… instead of Scan with Windows Defender… from the context menu instead.

1. From File Explorer, select the drivefolder, or file that you suspect may contain the potential malicious program.

2. Right-click on Scan with Windows Defender from the context menu. (click to enlarge screenshot below)

The Downloads folder found within File Explorer; Scan with Windows Defender from its context menu
Select your file, folder, or drive from any area within File Explorer — you can find the main folders by selecting This PC from navigation pane — and then right-click on it, and select Scan with Windows Defender… from its context menu.

3. When the scan completes, Windows Security will open and show you the results. The total time for the scan to complete will vary. Scanning drives will take the longest, while scanning individual files the quickest. (click to enlarge screenshot below)

Notes:

    • The Windows Security application used to be called the Windows Defender Security Center in previous versions of Windows 10. All the settings within the app remained the same after the name change.
    • Starting with Windows 10 version 1803, the app has two new areas: Account protection and Device security.
Scan options: Custom scan running...
No matter what type of scan you choose, you can always observe the progress bar at the top of the page beneath the Scan options to see how the scan is progressing.

a. If there are no threats found, Windows Security will let you know as much in the same region where it previously show you the scan was underway. (click to enlarge screenshot below)

Scan options: No current threats found.

b. If there are threats found, however, it will let you know there are threats found, as well as the threat names and location in the same area. (click to enlarge screenshot below)

Scan options: Threats found. Start the recommended actions.

4. To remove any threats found, click on the Start actions button. (click to enlarge screenshots below)

Note: Clicking on Start actions will result in Windows Security removing the threat immediately.

Windows Security: Start actions

Protection history: Threat found -- action needed
The malware we have used in these screenshots is test malware, designed to imitate how real malware works so that it will show up in Microsoft Defender scan results. We do not ever recommend downloading actual malware onto your computers.

You can now close the Windows Security app and continue using your computer if you like.

Option Two: Scan with Microsoft Defender in Windows Security

Here is how you can run an antivirus scan with the built-in Microsoft Defender antivirus program from the Windows Security app:

1. Open Windows Security. See this tutorial to read all the different ways in which you can open Windows Security in Windows 10: How to Open Windows Security in Windows 10

Microsoft Defender icon in Notification Area

2. Click on the Virus & threat protection icon in Windows Security’s Security at a glance page. (click to enlarge screenshot below)

Windows Security: Security at a glance

3. Do step 4, step 5, step 6, or step 7 depending on what it is that you would like to do.

4. To Run a Quick Scan with Microsoft Defender

a. Click on the Scan now button. (click to enlarge screenshot below)

Windows Security: Quick scan

5. To Run a Full Scan with Microsoft Defender

a. Select Full scan and then click on the Scan now button. (click to enlarge screenshot below)

Windows Security: Full scan

6. To Run a Custom Scan with Microsoft Defender

a. Select Custom scan and then click on the Scan now button. (click to enlarge screenshot below)

Windows Security: Custom scan

7. To Run an Offline Scan with Microsoft Defender

a. Select Windows Defender Offline scan and then click on the Scan now button. (click to enlarge screenshot below)

Windows Security: Windows Defender Offline scan

8. Select the filefolder, or drive that you want to scan and then click Select Folder. (click to enlarge screenshot below)

Custom Scan: Select folder, Razer Blade HDD

9. Microsoft Defender starts scanning the option that you chose. (click to enlarge screenshot below)

Windows Security: Full scan running

10. When the scan completes, you get the results in numbers. (click to enlarge screenshot below)

Scan options: No current threats.
If there are no threats found once the scan has completed, it will say so from the same region that previously showed you the progress bar. This region has changed a bit since the earlier versions of Windows 10; no longer is there a link that allows you to see threat details like previous versions offered. Simplifying this was perhaps a good idea because you should always remove the threat from the computer once it is found.

11. If there are threats found, however, it will let you know there are threats found, as well as the threat names and location in the same area. (click to enlarge screenshot below)

Scan options: Threats found. Start the recommended actions.
When threats are found, it tells you so and let’s you know that you need to get started with the recommended actions by clicking on the Start actions button.

12. To remove any threats found, click on the Start actions button. (click to enlarge screenshots below)

Note: Clicking on Start actions will result in Windows Security removing the threat immediately.

Windows Security: Start actions

Protection history: Threat found -- action needed
The malware we have used in these screenshots is test malware, designed to imitate how real malware works so that it will show up in Microsoft Defender scan results. We do not ever recommend downloading actual malware onto your computer.

You can now close the Windows Security app and continue using your computer if you like.

Option Three: How to Scan with Microsoft Defender from Windows PowerShell

Here is how you can run an antivirus scan with Microsoft Defender from the Windows PowerShell:

1. Open the Windows PowerShell. See this tutorial to read all the different ways in which you can open the Windows PowerShell application in Windows 10: How to Open Windows PowerShell in Windows 10

2. Type the command below that best suits your needs and then press the Enter key on your keyboard to execute it.

Update and Quick scan:
Update-MpSignature; Start-MpScan -ScanType QuickScan

Quick scan:
Start-MpScan -ScanType QuickScan

Full scan:
Start-MpScan -ScanType FullScan

Windows PowerShell: MPScan QuickScan running
Windows PowerShell: MPScan QuickScan completed

You can now close the Windows PowerShell window and continue using your computer if you like.

Option Four: How to Scan with Microsoft Defender from Command Prompt

Here is how you can run an antivirus scan with Microsoft Defender from the command line:

Note: Though Windows Defender has been renamed to Microsoft Defender, Microsoft has not yet updated the commands to reflect this change. Should there come a time when the following commands no longer work, try exchanging Windows Defender for Microsoft Defender in the commands where applicable.

1. Open the Command Prompt. See this tutorial to read all the different ways in which you can open the Command Prompt application in Windows 10: How to Open Command Prompt in Windows 10

2. Type the command below that best suits your needs and then press the Enter key on your keyboard to execute it. (click to enlarge screenshot below)

Update and Quick scan:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

Quick scan:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

Full scan:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2

Command Prompt: Windows Defender ScanType 1

You can now close the Command Prompt window and continue using your computer if you like.

Method Two: How to Remove WinLock2 Ransomware Using Malwarebytes

If scanning with the Windows Security antimalware protection doesn’t remove the WinLock2 ransomware, you can try installing third-party antimalware tools instead, such as Malwarebytes, and see if that removes the ransomware instead. You can also use an antimalware program such as Malwarebytes to remove the extensions and all other related files remaining on your computer, so you don’t have to do any of it manually.

Note: Malwarebytes also has an application for smartphones that run on Android and iOS. Here is a tutorial for how to install Malwarebytes on Android:

The iOS version will be very similar, apart from needing to use the Apple App Store in place of the Google Play Store. You will not have any problems finding it because your iOS software only comes with the Apple App Store.

1. Download the Malwarebytes for Windows from the Malwarebytes website.

2. If prompted by your web browser with a message that says “This type of file can harm your computer. Do you want to keep the executable (.exe) file anyway?,” click on the Keep button.

3. If you are prompted by User Account Control asking “Do you want to allow this app to make changes to your device,” click on the Yes button.

4. Click on the Scan Now button to begin scanning the computer for malware and other potentially unwanted programs. (click to enlarge screenshot below)

5. Wait for the scan to complete. (click to enlarge screenshot below)

6. Select all of the malware and potentially unwanted programs that you want to be removed from the computer and then click on the Quarantine Selected button. (click to enlarge screenshot below)

7. You may get a message from Malwarebytes letting you know that all selected items have been removed successfully, but the computer must be restarted before the removal process can be completed. Select the Yes button to reboot your computer now. (click to enlarge screenshot below)

8. Upon signing back in to your computer, the Malwarebytes interface will open and let you know that the scan and quarantine are complete. (click to enlarge screenshot below)

Note: You can also export the scan results by clicking on Export summary from the main Malwarebytes results page and then clicking on the Export button from the scan report. (click to enlarge screenshot below)

You can now close the Malwarebytes interface and continue using your computer if you like.

That’s all.