Effective methods for removing banner ransomware (Winlocker). How to remove banners from a Windows 7 computer

Winlocker (Trojan.Winlock) is a computer virus that blocks access to Windows. After infection, it prompts the user to send an SMS to receive a code that restores the computer’s functionality. It exists in many variants, from the simplest, implemented as an add-on, to the most complex, which modify the boot sector of the hard drive.

Warning! If your computer is locked by a Winlocker, do not under any circumstances send SMS or transfer money to receive an OS unlock code. There is no guarantee that the code will be sent to you, and if it is not, you will have handed your hard-earned money to criminals for nothing. Don't fall for the tricks! The only correct solution in this situation is to remove the ransomware virus from your computer.

Removing a ransomware banner yourself

This method is applicable to winlockers that do not block loading the OS in safe mode, the registry editor and the command line. Its operating principle is based on the use of system utilities exclusively (without the use of anti-virus programs).

1. When you see a malicious banner on your monitor, first turn off your Internet connection.

2. Reboot the OS in safe mode:

  • when the system reboots, hold down the “F8” key until the “Additional boot options” menu appears on the monitor;
  • Using the cursor arrows, select “Safe Mode with Command Line Support” and press “Enter”.

Attention! If the PC refuses to boot into safe mode or the command line/system utilities do not start, try removing Winlocker using another method (see below).

3. At the command prompt, type the command - msconfig, and then press "ENTER".

4. The System Configuration panel will appear on the screen. Open the “Startup” tab in it and carefully review the list of elements for the presence of a Winlocker. As a rule, its name contains meaningless alphanumeric combinations (“mc.exe”, “3dec23ghfdsk34.exe”, etc.) Disable all suspicious files and remember/write down their names.

5. Close the panel and go to the command line.

6. Enter the command “regedit” (without quotes) and press “ENTER”. The Windows Registry Editor will open.

7. In the “Edit” section of the editor menu, click “Find...”. Type the name and extension of the Winlocker found in startup. Start the search using the “Find next...” button. All entries with the name of the virus must be deleted. Continue searching with the "F3" key until the whole registry has been searched.

8. Still in the editor, use the left column to navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

The “Shell” entry must have the value “explorer.exe”; the “Userinit” entry must be “C:\Windows\system32\userinit.exe,”.

If malicious modifications are detected, use the “Modify” function (right mouse button - context menu) to set the correct values.

9. Close the editor and go to the command line again.

10. Now you need to remove the banner from your desktop. To do this, enter the command “explorer” (without quotes) in the line. When the Windows shell appears, remove all files and shortcuts with unusual names (that you did not install on the system). Most likely, one of them is a banner.

11. Restart Windows normally and make sure that you were able to remove the malware:

  • if the banner has disappeared, connect to the Internet, update the installed antivirus database or use an alternative antivirus product and scan all partitions of the hard drive;
  • if the banner continues to block the OS, use another removal method. Perhaps your PC has been hit by a Winlocker that anchors itself in the system in a slightly different way.

Removal using antivirus utilities

To download utilities that remove Winlockers and burn them to disk, you will need another, uninfected computer or laptop. Ask a neighbor, comrade or friend to use his PC for an hour or two. Stock up on 3-4 blank discs (CD-R or DVD-R).

Advice! If you are reading this article for informational purposes and your computer, thank God, is alive and well, still download the healing utilities discussed in this article and save them on disks or a flash drive. A prepared “first aid kit” doubles your chances of defeating a viral banner! Quickly and without unnecessary worries.

1. Go to the official website of the utility developers - antiwinlocker.ru.

2. On the main page, click the AntiWinLockerLiveCd button.

3. A list of links for downloading program distributions will open in a new browser tab. In the “Disk images for treating infected systems” column, follow the link “Download the AntiWinLockerLiveCd image” with the highest (newest) version number (for example, 4.1.3).

4. Download the image in ISO format to your computer.

5. Burn it to DVD-R/CD-R in ImgBurn or Nero using the “Burn image to disc” function. The ISO must be written as a disc image, not copied to the disc as a single file, to create a bootable disk.

6. Insert the disc with AntiWinLocker into the PC on which the banner is running rampant. Restart the OS and go into the BIOS (check which hotkey your computer uses; possible options are “Del”, “F7”). Set the PC to boot from the DVD drive instead of the hard drive (system partition C).

7. Restart your PC again. If you did everything correctly - correctly burned the image to disk, changed the boot setting in the BIOS - the AntiWinLockerLiveCd utility menu will appear on the monitor.

8. To automatically remove the ransomware virus from your computer, click the “START” button. That's all! No other actions are needed - destruction in one click.

9. At the end of the removal procedure, the utility will provide a report on the work done (which services and files it unblocked and disinfected).

10. Close the utility. When rebooting the system, go into the BIOS again and specify booting from the hard drive. Start the OS in normal mode and check its functionality.

WindowsUnlocker (Kaspersky Lab)

1. Open the page sms.kaspersky.ru (official website of Kaspersky Lab) in your browser.

2. Click the “Download WindowsUnlocker” button (located under the inscription “How to remove the banner”).

3. Wait until the Kaspersky Rescue Disk boot disk image with the WindowsUnlocker utility is downloaded to your computer.

4. Burn the ISO image in the same way as the AntiWinLockerLiveCd utility - make a bootable disk.

5. Configure the BIOS of a locked PC to boot from a DVD drive. Insert the Kaspersky Rescue Disk LiveCD and reboot the system.

6. To launch the utility, press any key, then use the cursor arrows to select the interface language (“Russian”) and press “ENTER”.

7. Read the terms of the agreement and press the “1” key (agree).

8. When the Kaspersky Rescue Disk desktop appears on the screen, click on the leftmost icon in the taskbar (the letter “K” on a blue background) to open the disk menu.

9. Select “Terminal”.

10. In the terminal window (root:bash), near the “kavrescue ~ #” prompt, enter “windowsunlocker” (without quotes) and activate the directive with the “ENTER” key.

11. The utility menu appears. Press "1" (Unlock Windows).

12. Once unlocked, close the terminal.

13. There is already access to the OS, but the virus is still free. To destroy it, do the following:

  • connect to the Internet;
  • launch the “Kaspersky Rescue Disk” shortcut on your desktop;
  • update antivirus signature databases;
  • select the objects that need to be checked (it is advisable to check all elements of the list);
  • left-click to activate the “Scan objects” function;
  • If a ransomware virus is detected, select “Delete” from the proposed actions.

14. After treatment, in the main menu of the disk, click “Turn off”. When the OS restarts, go into the BIOS and set to boot from the HDD (hard drive). Save your settings and boot Windows as normal.

Computer unlocking service from Dr.Web

This method involves trying to force the winlocker to self-destruct, that is, giving it what it demands: an unlock code. Naturally, you don’t have to spend money to get it.

1. Write down the wallet or phone number that the attackers left on the banner to purchase the unlock code.

2. Log in from another, “healthy” computer to the Dr.Web unlocking service - drweb.com/xperf/unlocker/.

3. Enter the number you wrote down in the field and click the “Search codes” button. The service will automatically select an unlock code according to your request.

4. Write down or copy all codes displayed in the search results.

Attention! If you can’t find any in the database, use Dr.Web’s recommendation for removing Winlocker yourself (follow the link located under the message “Unfortunately, at your request...”).

5. On the infected computer, enter the unlock code provided by the Dr.Web service into the banner “interface”.

6. If the virus self-destructs, update your antivirus and scan all partitions of your hard drive.

Warning! Sometimes the banner does not respond to code input. In this case, you need to use another removal method.

Removing the MBR.Lock banner

MBR.Lock is one of the most dangerous winlockers. It modifies the data and code of the master boot record of the hard disk. Many users, not knowing how to remove this type of banner ransomware, begin to reinstall Windows in the hope that after this procedure their PC will “recover.” But, alas, this does not happen - the virus continues to block the OS.

To get rid of MBR.Lock ransomware, follow these steps (option for Windows 7):

1. Insert the Windows installation disc (any version or build will do).

2. Go to the computer’s BIOS (find out the hotkey for entering the BIOS in the technical description of your PC). In the First Boot Device setting, set “Cdrom” (boot from a DVD drive).

3. After the system restarts, the Windows 7 installation disk will load. Select your system type (32/64 bit), interface language and click “Next”.

4. At the bottom of the screen, under the “Install” option, click “System Restore”.

5. In the “System Recovery Options” panel, leave everything unchanged and click “Next” again.

6. Select the “Command Prompt” option from the Tools menu.

7. At the command prompt, enter the command - bootrec /fixmbr, and then press Enter. The system utility will overwrite the boot record and thereby destroy the malicious code.

8. Close the command prompt, and click "Restart".

9. Scan your PC for viruses using the Dr.Web CureIt! or Virus Removal Tool (Kaspersky).

It is worth noting that there are other ways to treat a computer from Winlocker. The more tools you have in your arsenal to combat this infection, the better. In general, as they say, God protects the careful - do not tempt fate: do not go to dubious sites and do not install software from unknown manufacturers.

Let your PC avoid ransomware banners. Good luck!

Winlocker Trojans are a type of malware that, by blocking access to the desktop, extorts money from the user - supposedly if he transfers the required amount to the attacker’s account, he will receive an unlock code.

If, once you turn on your PC, you see instead of the desktop:

Or something else in the same spirit - with threatening inscriptions, and sometimes with obscene pictures, do not rush to accuse your loved ones of all sins. They, and maybe you yourself, have become victims of the trojan.winlock ransomware.

How do ransomware blockers get onto your computer?

Most often, blockers get onto your computer in the following ways:

  • through hacked programs, as well as tools for hacking paid software (cracks, keygens, etc.);
  • downloaded via links from messages on social networks, sent supposedly by acquaintances, but in fact by attackers from hacked pages;
  • downloaded from phishing web resources that imitate well-known sites, but in fact are created specifically for spreading viruses;
  • come by e-mail in the form of attachments accompanying letters with intriguing content: “you were sued...”, “you were photographed at the crime scene”, “you won a million” and the like.

Attention! Pornographic banners are not always downloaded from porn sites. They can do it from the most ordinary ones.

Another type of ransomware is spread in the same way - browser blockers. For example, like this:

They demand money for access to browsing the web through a browser.

How to remove the “Windows blocked” banner and similar ones?

When your desktop is blocked and a virus banner prevents any programs from running on your computer, you can do the following:

  • go into safe mode with command line support, launch the registry editor and delete the banner autorun keys.
  • boot from a Live CD ("live" disk), for example, ERD commander, and remove the banner from the computer both through the registry (autorun keys) and through Explorer (files).
  • scan the system from a boot disk with an antivirus, for example Dr.Web LiveDisk or Kaspersky Rescue Disk 10.

Method 1. Removing Winlocker from safe mode with console support.

So, how to remove a banner from your computer via the command line?

On machines with Windows XP and 7, before the system starts, you need to quickly press the F8 key and select the marked item from the menu (Windows 8\8.1 does not have this menu, so you will have to boot from the installation disk and launch the command line from there).

Instead of a desktop, a console will open in front of you. To launch the registry editor, enter the command regedit and press Enter.

Next, in the registry editor, find the entries made by the virus and fix them.

Most often, ransomware banners are registered in the following sections:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - here they change the values of the Shell, Userinit and Uihost parameters (the last parameter is only available in Windows XP). You need to restore them to their normal values:

  • Shell = Explorer.exe
  • Userinit = C:\WINDOWS\system32\userinit.exe, (C: is the letter of the system partition. If Windows is on drive D, the path to Userinit will start with D:)
  • Uihost = LogonUI.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows - see the AppInit_DLLs parameter. Normally, it may be absent or have an empty value.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - here the ransomware creates a new parameter with a value in the form of the path to the blocker file. The parameter name can be a string of letters, for example, dkfjghk. It needs to be removed completely.

The same goes for the following sections:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

To correct registry values, right-click on the parameter, select “Modify”, enter a new value and click OK.

After that, restart your computer in normal mode and run an antivirus scan. It will remove all ransomware files from your hard drive.
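The registry checks listed above can be run over saved text instead of by eye. The following is an added example, not part of the original article: it assumes the output of `reg query` for the keys above was redirected to a text file from the safe-mode command prompt, and it compares that text with the known-good values the article gives. The names `Finding`, `parse_reg_query` and `audit` are hypothetical, and the sample input is constructed (its file names are the article's own examples, its paths are invented).

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    level: str  # "BAD": differs from the known-good value; "REVIEW": autorun entry to inspect
    key: str
    name: str
    data: str


# Keys named in the article, lowercased because registry paths are case-insensitive.
NT = r"\software\microsoft\windows nt\currentversion"
HKLM_WINLOGON = "hkey_local_machine" + NT + r"\winlogon"
HKCU_WINLOGON = "hkey_current_user" + NT + r"\winlogon"
HKLM_WINDOWS = "hkey_local_machine" + NT + r"\windows"
AUTORUN_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\"
    r"(run|runonce|runservices|runonceex)$"
)

# Known-good Winlogon values from the article; the drive letter may vary.
EXPECTED = {
    "shell": re.compile(r"explorer\.exe", re.I),
    "userinit": re.compile(r"[a-z]:\\windows\\system32\\userinit\.exe,", re.I),
    "uihost": re.compile(r"logonui\.exe", re.I),  # Windows XP only
}

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return {key path: [(value name, data), ...]} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), [])
        elif current is not None:
            match = VALUE_RE.match(line)
            if match:
                current.append((match.group(1), match.group(3).strip()))
    return keys


def audit(text):
    """Flag Winlogon/AppInit_DLLs deviations and list autorun entries for review."""
    findings = []
    for key, values in parse_reg_query(text).items():
        k = key.lower()
        for name, data in values:
            n = name.lower()
            if k == HKLM_WINLOGON and n in EXPECTED:
                if not EXPECTED[n].fullmatch(data):
                    findings.append(Finding("BAD", key, name, data))
            elif k == HKCU_WINLOGON and n in ("shell", "userinit"):
                # The article expects these to be absent under HKEY_CURRENT_USER.
                findings.append(Finding("BAD", key, name, data))
            elif k == HKLM_WINDOWS and n == "appinit_dlls" and data:
                findings.append(Finding("BAD", key, name, data))
            elif AUTORUN_RE.search(k) and n != "(default)":
                findings.append(Finding("REVIEW", key, name, data))
    return findings


# Constructed sample, shaped like `reg query` output from a locked machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\user\AppData\Roaming\3dec23ghfdsk34.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Users\user\AppData\Roaming\mc.exe
    PowerdownAfterShutdown    REG_SZ    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    dkfjghk    REG_SZ    C:\Users\user\AppData\Local\Temp\dkfjghk.exe
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f.level}] {f.key}\n    {f.name} = {f.data}")
```

A "BAD" line marks a value to restore as described above; a "REVIEW" line is an autorun entry that still has to be judged by a person before it is deleted.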

Method 2. Removing Winlocker using ERD Commander.

ERD commander contains a large set of tools for restoring Windows, including those damaged by blocking Trojans. Using the built-in registry editor ERDregedit, you can perform the same operations as we described above.

ERD commander will be indispensable if Windows is locked in all modes. Copies of it are distributed illegally, but they are easy to find on the Internet.

ERD commander sets for all versions of Windows are called MSDaRT (Microsoft Diagnostic & Recovery Toolset) boot disks; they come in ISO format, which is convenient for burning to DVD or transferring to a flash drive.

After booting from such a disk, you need to select your version of the system and go to the menu and click Registry Editor.

In Windows XP, the procedure is slightly different - here you need to open the Start menu, select Administrative Tools and Registry Editor.

After editing the registry, boot Windows again - most likely, you will not see the “Computer is blocked” banner.

Method 3. Removing the blocker using an antivirus “rescue disk”.

This is the easiest, but also the longest unlocking method. It is enough to burn the Dr.Web LiveDisk or Kaspersky Rescue Disk image to DVD, boot from it, start scanning and wait for it to finish. The virus will be killed.

Removing banners from your computer using both Dr.Web and Kaspersky disks is equally effective.

How to protect your computer from blockers?

  • Install a reliable antivirus and keep it active at all times.
  • Please check all files downloaded from the Internet for security before launching.
  • Don't click on unknown links.
  • Do not open email attachments, especially those that come in letters with intriguing text. Even from your friends.
  • Keep track of what sites your children visit. Use parental controls.
  • If possible, do not use pirated software - many paid programs can be replaced with safe free ones.

After restarting the computer, the monitor displays a request to send a paid SMS, or to deposit money into a mobile phone account?

This is what a typical ransomware virus looks like! It comes in thousands of different forms and hundreds of variations. However, it is easy to recognize by a simple sign: it asks you to put money on (or call) an unfamiliar number, and in return promises to unlock your computer. What to do?

First, realize that this is a virus whose goal is to suck as much money out of you as possible. So do not give in to its provocations.

Remember a simple thing: do not send any SMS. They will withdraw all the money that is on the balance (usually the request says 200-300 rubles). Sometimes they require you to send two, three or more SMS. Remember, the virus will not go away from your computer, whether you send money to scammers or not. Trojan.Winlock will remain on your computer until you remove it yourself.

The action plan is as follows:
1. Remove the block from the computer.
2. Remove the virus and treat the computer.

Ways to unlock your computer:

1. Enter the unlock code. This is the most common way to deal with an obscene banner. You can find the code here: Dr.Web, Kaspersky, Nod32. Don't worry if the code doesn't work, move on to the next step.

2. Try booting into Safe Mode. To do this, after turning on the computer, press F8. When the boot options window appears, select “safe mode with driver support” and wait for the system to boot.

2a. Now try to restore the system (Start - Standard - System Restore) to an earlier checkpoint.

2b. Create a new account. Go to Start - Control Panel - Accounts. Add a new account and restart the computer. When you turn it on, select the newly created account. Let's move on to .

3. Try Ctrl+Alt+Del - the task manager should appear. Launch the healing utilities through the task manager (File - New task, then select our programs). Another way is to hold down Ctrl + Shift + Esc and, while holding these keys, search for and end all strange processes until the desktop is unlocked.

4. The most reliable way is to install a new OS (operating system). If you absolutely need to keep the old OS, then we will look at a more labor-intensive way to deal with this banner. But no less effective!

Another way (for advanced users):

5. Boot from a LiveCD that has a registry editing program. Once the system has booted, open the registry editor. In it we will see the registry of the current system and that of the infected one (its branches on the left side are displayed with a signature in brackets).

We find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - there we look for Userinit - and delete everything after the comma. (ATTENTION! The file “C:\Windows\system32\userinit.exe” itself must NOT be deleted.)

Look at the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - it should be explorer.exe. We're done with the registry.

If the error “Editing the registry is prohibited by the system administrator” appears, download the AVZ program. Open "File" - "System Restore" - Check "Unlock Registry Editor", then click "Perform selected operations". The editor is available again.

We launch Kaspersky Virus Removal Tool and Dr.Web CureIt! and scan the entire system with them. All that remains is to reboot and restore the BIOS settings. However, the virus has NOT yet been removed from the computer.

Treating your computer from Trojan WinLock

For this we need:
- ReCleaner registry editor
- popular antivirus Tool removal Kaspersky
- famous antivirus Dr.web cureit
- effective antivirus Removeit pro
- Plstfix registry repair utility
- Program for removing temporary files ATF cleaner

1. It is necessary to get rid of the virus in the system. To do this, launch the registry editor. Go to Menu - Tasks - Launch Registry Editor. You need to find:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - there we look for the Userinit value - and delete everything after the comma. (ATTENTION! The file “C:\Windows\system32\userinit.exe” itself must NOT be deleted.)

Look at the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - it should be explorer.exe. We're done with the registry.

Now select the "Startup" tab. We look through the startup items, check the boxes and delete (lower right corner) everything that you did not install, leaving only desktop and ctfmon.exe. The remaining svchost.exe and other.exe processes from the windows directory must be removed.
Select Task - Clean the registry - Use all options. The program will scan the entire registry and delete everything permanently.

2. To find the code itself, we need the following utilities: Kaspersky, Dr.Web and RemoveIT. Note: RemoveIT will ask you to update the virus signature databases. It is necessary to establish an Internet connection while it is being updated!
With these programs we scan the system disk and delete everything they find. If you wish, you can check all the computer drives just in case. It will take much longer, but it is more reliable.

3. The next utility is Plstfix. It restores the registry after our actions on it. As a result, the task manager and safe mode will start working again.

4. Just in case, delete all temporary files. Often copies of the virus are hidden in these folders. This is how even well-known antiviruses may not detect them. It is better to manually remove anything that will not significantly affect the operation of the system. Install ATF Cleaner, mark everything and delete it.

5. Reboot the system. Everything works! even better than before :).

Hello Friends! In this article we will look at ways to remove a banner from the desktop. Infection can happen not only through visiting sites with erotic content, but also when using cracks or keygens downloaded from unknown sources. Therefore, try to download software only from manufacturers' websites. If you receive a suspicious file, do not be lazy and check it for viruses online. Typically, such banners are called extortionists, as they demand money from the user. The demand can be to send an SMS to a short number or to top up an account in an electronic payment system. Fraudsters usually write on such banners that the user has violated the law, for which they are required to pay a fine. In this article we will tell you how to unblock your computer from such banners.

These services are easy to use, but there are no guarantees. You can spend a lot of time but still not unlock the system. But you definitely need to try it.

To use, you need a device (another computer, tablet or phone) with Internet access. Go to any of the listed addresses. Let's take Kaspersky for example.

In a special field you must enter the phone number or account to which you are asked to transfer money. If you are asked to send an SMS to a short number, then write down this number and the text that needs to be sent, separated by a colon. Afterwards, press Get code.

The search results will appear below. Choose your banner and try the codes against it.

If you haven’t found your banner, try on the Dr.Web or Eset website. If this method did not help remove the banner from your desktop, read on.

Using System Restore

This option is good if you have this function enabled. If System Restore was disabled, proceed to the next step.

To remove the banner from the desktop using System Restore, restart the computer and press F8 several times during boot. If a list of devices from which booting is possible appears, select your drive (hard drive or SSD) and continue pressing F8. You need to select the item System Troubleshooting, which is highlighted by default.

A window will load where you need to select a language, then a user. Next there will be a window with a choice of several recovery options. Choose System Restore. Then select a restore point and return the computer to that point in time. First, take the nearest restore point; if that doesn’t help, restore to an earlier one.

You can read more about how to use System Restore.

Removing the banner from safe mode

By checking Dr.Web Cureit or analogues

There are banners that are not active in safe mode. You need to take advantage of this. To prepare for treatment, you need to download the Dr.Web Cureit utility on a healthy computer by opening the following link in your browser.

To remove a banner from your desktop by cleaning the registry, you need to check several points in the registry.

On the left side of the window go to the address

HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Run

Go to the right side and delete all items except one (Default) for which the value is not assigned. Right-click on the item and select Delete. With this action we will remove the banner from Windows startup. (You can read how to control startup of Windows 7 and Windows 8 when the computer is in working order.)

All the above steps must also be performed in the section

HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run

There are two more places left to check

HKEY_CURRENT_USER -> Software -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon

Here we check that the Shell and Userinit entries are absent. If they are there, delete them.

HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon

Here we check the values of the same entries:

Shell = explorer.exe

Userinit = C:\Windows\system32\userinit.exe, (comma required)

If the values are different, we correct them to the correct ones.

Close the registry editor and, to be on the safe side, check the computer with the Dr.Web Cureit utility or an analogue if you did not check it before editing the registry.

After checking, reboot in normal mode and check whether the banner is removed.

Using Kaspersky WindowsUnlocker to remove a banner from the desktop

Using this utility, you can disinfect all operating systems installed on your computer. It does automatically what we did manually in the previous paragraph. This utility is included in Kaspersky Rescue Disk.

You can download the Kaspersky Rescue Disk image from the official website here

To write the image to a USB device, it is better to use the utility from the manufacturer.

In the program window, use the Review button to specify the path to the Kaspersky Rescue Disk image. Insert the USB drive into the computer and it immediately appears in the appropriate section. If this does not happen, select it manually.

Attention! Save all important data from your USB drive.

After all the settings, press the START button.

The image will be written to the USB drive. If the process completes successfully, a confirmation window appears. Click OK and close the rescue2usb program.

Now you need to boot from the prepared USB drive on the infected computer. To do this, insert the USB flash drive into the computer and reboot. When you boot your computer, press F8 several times to call up a list of devices from which it can boot. Select the connected USB drive. (There may be two inscriptions in this list suggesting booting from USB. Try one first, then the other). If you can’t boot from a flash drive, you need to set boot from a USB drive in the BIOS. You can read how to do this.

After all the settings, it will boot from the USB drive and you will see the following window. Any key must be pressed within 10 seconds

Select the required language using the arrows on the keyboard

You must accept the license by pressing button 1 on the keyboard

Select the Kaspersky Rescue Disk download mode. If you don't have a mouse, choose text. In all other cases, select graphics mode

In the terminal, type windowsunlocker and press Enter.

If you have selected text mode, press F10 to close the menu that appears and type windowsunlocker in the line under the file manager. Press Enter.

To remove the banner from the desktop, press 1.

After all the manipulations, you must press 0 - Exit.

After unlocking the operating system, you need to update the Kaspersky Rescue Disk databases and perform a full scan of your computer. To do this, open the main menu and select Kaspersky Rescue Disk. Go to the update tab and click Perform update. The computer must be connected to the Internet for this.

Go to the Checking objects tab and select all objects in field 2 with checkboxes. Click Perform object check.

Wait until the scan is completed and delete or disinfect any malicious files found. Afterwards, reboot in normal mode and check whether the banner is removed from the desktop.

Fixing the boot record

If the virus loads immediately when you turn on the computer before the operating system logo appears, then this infection has changed the boot record of your drive.

You need to go to the Windows Recovery Console and try to restore the boot record.

To open the recovery console, press F8 at boot, as when selecting safe mode. A window appears with a choice of boot options. The item selected by default is at the very top - System Troubleshooting. Select this item by pressing Enter.

A window for selecting a user and entering a password will then appear. Select a user, enter a password if you have one, and click Next.

Then a window will appear with system recovery options. There you can choose to restore the computer from an image (which is done by backing up data in Windows) or perform a system restore (if it is enabled. See point 3 of this article) and much more. Select the last item, Command line.

In it, type BOOTREC.EXE /FixBoot

Then reboot and check whether the banner has been removed from the desktop.

Checking the drive on a healthy computer

If you have the opportunity to check your drive on another computer, do so.

Turn off your computer. Disconnect the hard drive. With it turned off, connect it to another computer. Boot up. Update your anti-virus databases and scan the connected disk for viruses. I like this option the most because it is possible. If it is not there, use the options described above.

I hope it doesn’t come to a reinstallation and some of the points described above will help you.

Conclusion

In this article on how to remove a banner from the desktop, we looked at a lot of ways to successfully unlock the operating system. The main thing we need to understand is that there is no need to send any SMS or top up any accounts.

Of course, it’s worth starting the unlocking process by using the services provided by large antivirus companies. Such services are described in the first part of this article. The next thing that is best to use is System Restore, rolling back one, two or three restore points. In general, the system recovery service can be of great help in critical situations. I highly recommend turning it on and allocating several gigabytes for it in the settings. If recovery fails, then proceed to treatment in safe mode. Unless, of course, the virus blocks everything there with its banner.

If safe mode does not work, then Kaspersky WindowsUnlocker as part of Kaspersky Rescue Disk is an excellent solution. If possible, you can and should check your drive on the healthy machine of your relative, friend or neighbor. Don't worry, the virus won't jump to another computer. If the virus is registered in the boot record, then try through the recovery console. If all else fails (which is unlikely), then it is better to reinstall the operating system.

Every fifth owner of a personal computer has been attacked by scammers on the World Wide Web. A popular type of deception is the Winlocker Trojan: a banner that blocks Windows work processes and requires you to send an SMS to a paid number. To get rid of such ransomware, you need to understand what threats it poses and how it gets into the system. In particularly difficult cases, you will have to contact the service center.

How do virus banners get onto a computer?

First on the list of sources of infection are pirated programs for work and leisure. Internet users have become accustomed to obtaining software online for free, but downloading software from suspicious sites carries a high risk of banner infection.

Windows often locks when a downloaded file with the “.exe” extension is opened. Of course, this is not an axiom; it makes no sense to refuse to download software with such an extension. Just remember a simple rule: “.exe” is the extension of a game or program installer. Its presence in the name of a video, audio, image or document file maximizes the likelihood of the computer being infected by a Winlocker Trojan.

The second most common method is based on a prompt to update your flash player or browser. It looks like this: when moving from page to page while surfing the Internet, a message pops up saying “your browser is out of date, install an update.” Such banners do not lead to the official website. Agreeing to an upgrade offer from a third-party resource will in 100% of cases lead to infection of the system.

How to remove banner ransomware from your computer

There is only one way with a 100% guarantee - reinstalling Windows. It has one downside, and it is a very big one: if you do not have an archive of important data from the C drive, the data will be lost during a standard reinstallation. If you are not eager to reinstall programs and games because of a banner, it is worth taking note of other methods. They all fall into two main categories:

  • Safe mode is accessible;
  • Safe mode cannot be used.

Viruses are constantly being improved and can disable any OS boot mode. Therefore, the first option for removing the banner from your computer is not always possible.

For all the variety of removal methods, every operation comes down to one principle. After the removal procedure is completed and the system has rebooted successfully (with no ransomware banner), additional measures are required. Otherwise, the virus will appear again, or the computer will freeze. Let's look at the two most common ways to avoid this.

Safe Mode

Reboot the computer and hold down the F8 key until a menu of other OS boot options appears. In it, using the arrows on the keyboard, select the line “Safe Mode with Command Line Support” from the list.

If the malware has not penetrated deeply into the system, the desktop will be displayed. From the “Start” button, select “Search files and programs” and, in the window that appears, enter the “regedit” command. From here on you will need basic knowledge of computer systems to clean the virus out of the registry and remove its consequences.

Let's start with the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. In it we check two values in turn. Shell should contain only “explorer.exe”; any other value is a sign of a banner and is deleted. Userinit should contain "C:\Windows\system32\userinit.exe". Instead of the letter “C” there may be another one if the operating system is running from a different local drive.
  • HKEY_CURRENT_USER (the same subkey path). If the Shell or Userinit values listed above are present here, they must be deleted.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. All suspicious lines with meaningless names must be cleared - for example, “skjgghydka.exe”. If you are unsure whether an entry is harmful, you do not have to delete it: add "1" to the beginning of its name. With the name broken, it will not start, and if necessary you can return the original value.
  • HKEY_CURRENT_USER (the same subkey path). The actions are the same as in the previous item.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Repeat all the operations.
  • HKEY_CURRENT_USER (the same path as in the item above). Carry out the same actions.
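
A read-only way to see what the registry locations listed above currently contain, as an added example that is not part of the original article. It assumes PowerShell is started from the command prompt (type powershell) and uses the standard Winlogon key name, Software\Microsoft\Windows NT\CurrentVersion\Winlogon; the Status labels are this example's own.

```powershell
# Added example: read-only audit of the registry locations listed above.
# It only reports; nothing is changed or deleted.
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKeys  = 'Software\Microsoft\Windows\CurrentVersion\Run',
            'Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Expected values as given in the article. $env:SystemRoot covers
# installations where Windows is not on drive C:.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
}

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

$report = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Shell', 'Userinit') {
        $value = Get-RegValue "$hive\$winlogon" $name
        if ($null -eq $value) { continue }
        # Windows writes Userinit with a trailing comma; ignore it.
        $clean = "$value".Trim().TrimEnd(',')
        # HKLM: the value must match. HKCU: it should not exist at all.
        $ok = ($hive -eq 'HKLM:') -and ($clean -eq $expected[$name])
        $status = if ($ok) { 'OK' } else { 'CHECK' }
        New-Object PSObject -Property @{
            Status = $status; Key = "$hive\$winlogon"; Name = $name; Value = $value
        }
    }
    foreach ($run in $runKeys) {
        $key = Get-Item -Path "$hive\$run" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            # No automatic verdict: the article asks for a manual review.
            New-Object PSObject -Property @{
                Status = 'REVIEW'; Key = "$hive\$run"
                Name = $name; Value = $key.GetValue($name)
            }
        }
    }
}
$report | Sort-Object Status | Select-Object Status, Key, Name, Value | Format-List
```

Entries marked CHECK differ from the values the article expects; entries marked REVIEW are autostart items to inspect by hand in regedit.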

After completing all the steps, run the system utility “cleanmgr”. Select the local drive with Windows and start the scan. Next, in the window that appears, check all the boxes except “Update package backup files.” After the utility has run, all that remains is to clean up and remove the consequences of the virus.

Restoring the system to a checkpoint

To remove the banner from the computer, we will use a standard system restore to an existing restore point that preceded the appearance of the Winlocker. The process is started from the command line by entering the command "rstrui". In the window that opens, you can select the recommended date or choose your own from the available list.

The recovery will take some time and will end with a system reboot. The result will be complete removal of the malicious program. In some cases, a message may appear stating that it is impossible to restore the system. In that case, all that remains is to contact the service center. This is also the better choice if you do not have the necessary skills to work with the registry.

Protect your computer from being blocked

Anyone can encounter a Winlocker Trojan. It is easy to avoid this stressful situation if you follow simple safety rules:

  • Install a working antivirus program;
  • Do not open suspicious emails;
  • Do not click on pop-up messages on the Internet;
  • Update your operating system regularly.

But if trouble has already arisen, the Recomp service center will help you. Our specialists will remove blocking programs and other viruses, eliminate traces of their presence and improve the operation of the operating system. With us it is easy to avoid the loss of important data, and if necessary, we will restore lost files!
