Alexander Kryuchkov, 2012-07-20 15:13:48
Malware

Trojan in the office

Good afternoon, I will be brief. A Trojan was caught in the office: first it displayed a banner on the desktop demanding 100 euros to remove itself from the screen.
I simply rebooted the computer into safe mode and removed the muck with CureIt. However, instead of documents there are now hundreds and thousands of files with names like LikfoihpioufpiUGFIOP, and none of them open.
I tried a couple of utilities from DrWeb; they do not help.

Who fell for this crap?
What to do?

I am writing chaotically here; at the same time I am making a backup of everything onto flash drives.


5 answer(s)
ash_kgd, 2012-07-20
@ash_kgd

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\: most programs register themselves in these two keys.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NT CurrentVersion\Image File Execution Options\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SYSTEM\NamesServices\CurrentControlSet2 Catalog_Entries and its branches...
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices\ are loaded as device drivers.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\ is run when any user logs in.
Look closely at these registry keys!

Zharskiy, 2012-07-21
@Zharskiy

Either restrict users' rights and install patches,
or be prepared to meet it regularly.

sergof, 2012-07-20
@sergof

They brought me a laptop with a similar problem: ransomware plus "encrypted" files on the desktop. In fact they turned out not to be encrypted, but simply corrupted: the first 12 KB of each file was just random garbage, and that cannot be decrypted (in any case, there was no solution). A backup helps (if one was made, of course, although practice shows that nobody cares about backups until it is too late).
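A triage check for the corruption pattern sergof describes, as an added example that is not from the thread: it looks at the first 12 KB of every file and reports whether a known document header survives or the head has been replaced by near-random bytes (which is what makes "decryption" hopeless). The magic-byte table, the 7.5 bits/byte threshold and the constructed sample files are my assumptions.

```python
import math
import tempfile
from pathlib import Path

# Leading bytes the answer above reports as overwritten with random garbage
HEADER_BYTES = 12 * 1024

# Magic bytes of common document formats (lookup table constructed for this example)
MAGIC = (b"PK\x03\x04",                          # zip-based: docx/xlsx/pptx/odt
         b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",    # OLE2: doc/xls/ppt
         b"%PDF")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means random or encrypted, real documents sit far lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_file(path: Path) -> str:
    """'intact' if a known header survives, 'header-destroyed' if the head is random, else 'unknown'."""
    head = path.read_bytes()[:HEADER_BYTES]
    if head.startswith(MAGIC):
        return "intact"
    # No recognised magic and near-random leading bytes: the wiped-header pattern
    if len(head) >= 256 and shannon_entropy(head) > 7.5:
        return "header-destroyed"
    return "unknown"

def triage(directory: Path) -> dict:
    """Map every file under `directory` to its classification."""
    return {p: classify_file(p) for p in directory.rglob("*") if p.is_file()}

def make_samples(directory=None) -> tuple:
    """Constructed samples: one intact docx-like file and one whose first 12 KB were wiped."""
    directory = Path(directory or tempfile.mkdtemp())
    good = directory / "report.docx"
    bad = directory / "LikfoihpioufpiUGFIOP"
    good.write_bytes(MAGIC[0] + b"word/document.xml" * 800)
    # A uniform byte distribution stands in for the random garbage (entropy 8.0 bits/byte)
    bad.write_bytes(bytes(range(256)) * 48 + b"<tail of original document>" * 100)
    return good, bad
```

Run it over the document folder with `triage(Path("C:/Users/.../Documents"))`; files reported as "header-destroyed" are candidates for restore from backup rather than for any decryption attempt.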

Nikolai Turnaviotov, 2012-07-21
@foxmuldercp

1. regularly updating a legitimately purchased operating system, drivers, office suite, browsers, Flash, Java and other software,
2. regular automatic daily backups, duplication of critical systems and virtualization,
3. as well as separating roles by account,
4. taking rights away from everyone who doesn't need them (those who really do are the admin, the helpdesk, the 1C accountant with outdated bank-client software, and the service providers),
5. cutting off social networks, ICQ / Skype, file-sharing sites, torrents and free webmail for everyone who doesn't need them,
6. documenting absolutely everything and getting all procedures approved at company management level
will save the admin from 99% of problems.
In my company, after rolling out a plain WSUS to all workstations, the virus problems were solved in about a week. Support has already forgotten what CureIt is.

asterisk, 2012-07-24
@asterisk

Create a live CD from support.kaspersky.ru/viruses/rescuedisk?level=2; it will remove your infection. You only need to configure the network after booting from the disk and update the antivirus databases.
Good luck.
