ecosmak.ru

How to remove a banner virus. Removing the banner from the computer yourself

Users often fall victim to malware that seriously interferes with working in Windows. A striking example is a banner that blocks the desktop. It usually gets in when the computer has no up-to-date protection. You cannot do anything: the system is locked, and the screen says something like "You have broken the law. Top up such-and-such a mobile number, otherwise you will lose all your data." This article describes how to remove such a banner from your computer's desktop.

Understand that this is a scam. You have not violated anything; no law provides for blocking a user's desktop. Under no circumstances do what the scammers ask, and do not send them money.

Most likely, paying would not even help: the "unlock code" you are promised rarely removes the infection, and the banner stays on the computer.

A common recommendation is simply to reinstall the operating system. A clean Windows installation will certainly remove the banner, but it is the long way round: you then have to reinstall all the drivers and programs.

This article describes simpler and quicker ways to get rid of ransomware banners.

Starting in Safe Mode

If a banner that blocks everything appears as soon as Windows starts, boot the operating system in its diagnostic (safe) mode. On Windows XP, Vista and 7, restart the computer and press F8 repeatedly after the BIOS screen, before the Windows logo appears, then choose Safe Mode (or Safe Mode with Command Prompt) from the boot menu and log in as an administrator.

This takes you into Windows diagnostic mode. If it boots and the banner is not there, move on to the next part of the guide. If the lock is present in this mode too, you will need to start the PC from a LiveCD (described below).

Typically, a banner virus modifies several registry entries so that Windows starts the blocker instead of (or in addition to) the normal shell. Your task is to find all these changes and undo them.

Editing the Registry

Open the Run dialog with Win + R, type "regedit" and press Enter. The Windows Registry Editor opens. Follow the instructions carefully so that you do not miss anything.

Using the tree on the left side of the window, open the following keys:

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Here you need to find the entry that starts the banner when the system boots and delete it: right-click the entry and choose "Delete" from the context menu. Feel free to delete anything suspicious; this key only lists programs that start automatically, and removing an entry does not damage the system. If you delete something harmless, such as the Skype autostart entry, that program simply stops starting on its own, and you can turn it back on in its settings.

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In this key find the parameter called "Shell" and set it to "explorer.exe". Then find the "Userinit" entry and set it to "C:\Windows\system32\userinit.exe," (Windows itself writes this value with a trailing comma; a blocker usually appends its own file after that comma, so anything after "userinit.exe," is the malware). If Windows is installed on a different drive, use that drive letter instead of C:. To edit an entry, double-click it.

· HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Look here for "Userinit" and "Shell" as well. Write their values down somewhere: these are the paths to your banner. Delete both entries; on a normal home PC, Windows does not create them in this key.

Cleaning up

Once you have removed all the unnecessary entries from the Windows registry, close the editor and restart the computer. The system should start normally.

Now remove the "tails" left behind by the malicious program. Open Windows Explorer (My Computer), find the files that the "incorrect" Shell and Userinit values pointed to, and delete them.

After that, it is very important to scan the system with an antivirus program, preferably using the deepest scan it offers. If you have no protection at all, download and install some immediately. For example, there is a free program from Microsoft, Security Essentials, at https://www.microsoft.com/ru-ru/download/details.aspx?id=5201 (it is intended for Windows XP, Vista and 7 and is no longer supported; Windows 8 and later include Windows Defender instead).

The next section describes how to remove the banner when it appears even in Windows Safe Mode.

Creating a Live CD from Kaspersky

If you cannot remove the banner through Safe Mode, use a LiveCD. This is a small, self-contained operating system written to a disc or a flash drive. Booting from it, you can edit the damaged registry of the installed Windows or run an automatic disinfection tool.

For example, Kaspersky Lab offers a free rescue disk. Download its image on another, working computer and write it to a bootable USB flash drive or disc, then boot the locked machine from that media.

Unlocking via Kaspersky Live CD

To remove the effects of the infection, boot from the rescue media, start the scanner and let it check the whole system; delete what it finds and then restart into Windows normally.

Installation disk

You can also use the installation disc of your operating system to undo the consequences of the infection. This is the route to take when the banner appears immediately after the BIOS beep, before Windows even starts loading, and no other means are available.

Insert the installation disc or bootable USB flash drive with the image of your system and restart the PC. Open the Boot Menu and select booting from the external media; if prompted, press any key. The removal steps below use Windows 7 as the example.

Select the interface language and click "Next". At the bottom of the screen click the "Repair your computer" link. In the window that opens, choose "Command Prompt".

In the console, enter "bootrec.exe /FixMbr" and press Enter, then "bootrec.exe /FixBoot" and press Enter again. Also run "bcdboot.exe c:\windows" (if the system is installed on a different drive, specify that drive). These commands rewrite the master boot record, the partition boot sector and the boot configuration, which is what a pre-boot blocker overwrites. The two bootrec commands apply only to a BIOS/MBR installation, not to a UEFI system, and none of this removes the trojan's files, so scan the system with an antivirus afterwards. Reboot the PC and the blocking screen should be gone.

Winlocker Trojans are a type of malware that blocks access to the desktop and extorts money from the user: supposedly, once the required amount is transferred to the attacker's account, the user will receive an unlock code.

If, when you turn on the PC, a full-screen message with threatening text, and sometimes obscene pictures, appears instead of the desktop, do not rush to accuse your family of all sins. They, or perhaps you yourself, have become a victim of the Trojan.Winlock ransomware.

How do ransomware blockers get onto your computer?

Most often, blockers arrive in the following ways:

  • through pirated programs and tools for cracking paid software (cracks, keygens and the like);
  • through links in social-network messages that appear to come from acquaintances but are actually sent by attackers from hacked accounts;
  • through phishing sites that imitate well-known resources but exist only to spread malware;
  • as e-mail attachments to messages with intriguing content: "you are being sued...", "you were photographed at the crime scene", "you have won a million" and so on.

Attention! Pornographic banners are not always picked up on porn sites. Perfectly ordinary sites can serve them too.

Another kind of ransomware is spread the same way: browser blockers, which open a page demanding money before they will let you browse the web.

How to remove the "Windows blocked" banner and similar ones?

When the desktop is blocked and the banner prevents any program from running, you can do the following:

  • boot into Safe Mode with Command Prompt, launch the registry editor and delete the banner's autorun entries;
  • boot from a LiveCD, for example ERD Commander, and remove the banner both from the registry (autorun entries) and from disk (its files);
  • scan the system from an antivirus boot disk, for example Dr.Web LiveDisk or Kaspersky Rescue Disk 10.

Method 1. Removing Winlocker from Safe Mode with Command Prompt.

So, how do you remove the banner from the computer via the command line?

On machines with Windows XP and 7, press the F8 key repeatedly before the system starts loading and select "Safe Mode with Command Prompt" from the menu. (Windows 8 and 8.1 hide this menu by default; either boot from the installation disk and open the command prompt from there, or, if you can still reach a working command prompt, run "bcdedit /set {default} bootmenupolicy legacy" to bring the F8 menu back.)

Instead of the desktop, a console opens. To launch the registry editor, type regedit and press Enter.

In the registry editor, find the entries created or changed by the virus and fix them.

Ransomware banners most often register themselves in the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: here they change the values of the Shell, Userinit and UIHost parameters (the last one exists only in Windows XP). Restore them to normal:

  • Shell = Explorer.exe
  • Userinit = C:\WINDOWS\system32\userinit.exe, (the trailing comma is normal; C: is the letter of the system partition, so if Windows is on drive D the path starts with D:)
  • UIHost = LogonUI.exe (Windows XP only)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: check the AppInit_DLLs parameter. Normally it is absent or empty; any DLL listed here is loaded into every program that uses the Windows GUI, which is another way a blocker can start.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: here the ransomware creates a new parameter whose value is the path to the blocker file. The parameter name may be a random string of letters, for example dkfjghk. Delete it completely.

The same applies to the following keys (on 64-bit Windows also check the copies under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

To change a value, right-click the parameter, choose "Modify", enter the new value and click OK. To remove a parameter, choose "Delete".

After that, restart the computer in normal mode and run an antivirus scan to remove the ransomware files from the hard drive.
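The checks in Method 1, and the same registry edits in the "Editing the Registry" section earlier on this page, are easy to get wrong by hand when the only interface is a console. The PowerShell script below is an added example and is not part of the original article: it reads the Winlogon, AppInit_DLLs and Run/RunOnce locations listed above, reports anything that differs from the Windows defaults, and with -Fix restores the two Winlogon values. It assumes Windows 7 or later (PowerShell is not present on a stock Windows XP), an administrator account, and that the Windows currently running is the infected one; the file name Audit-Winlock.ps1 and the SUSPECT labels are its own, not anything the page defines. From Safe Mode with Command Prompt, type powershell to start it.

```powershell
# Added example, not from the original article: audit the registry locations a
# Winlocker uses for persistence and optionally restore the Winlogon defaults.
# Assumptions: Windows 7 or later, run from an administrator account, and the
# Windows that is running is the infected one ($env:SystemRoot is its directory).
# Usage:  powershell -ExecutionPolicy Bypass -File .\Audit-Winlock.ps1 [-Fix]
param([switch]$Fix)

$hklmLogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hkcuLogon  = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windowsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 64-bit Windows only
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Defaults. Windows writes Userinit with a trailing comma; a blocker appends its
# own file after that comma, or replaces Shell with its own program.
$defaults = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }

function Get-RegValue([string]$Path, [string]$Name) {
  # Returns $null instead of throwing when the key or the value does not exist.
  if (-not (Test-Path $Path)) { return $null }
  (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. HKLM Winlogon: Shell and Userinit must equal the defaults (comma and case ignored).
foreach ($name in 'Shell', 'Userinit') {
  $expected = $defaults[$name]
  $actual   = [string](Get-RegValue $hklmLogon $name)
  if ($actual.TrimEnd(',').ToLower() -eq $expected.TrimEnd(',').ToLower()) { continue }
  Write-Warning "HKLM Winlogon\$name = '$actual'  (expected '$expected')"
  if ($Fix) { Set-ItemProperty -Path $hklmLogon -Name $name -Value $expected; Write-Host "  restored $name" }
}

# 2. HKCU Winlogon: a home PC has no Shell/Userinit here. A value in the per-user
#    key overrides the HKLM one for that account, which is what lockers abuse.
foreach ($name in 'Shell', 'Userinit') {
  $v = Get-RegValue $hkcuLogon $name
  if ($v) {
    Write-Warning "HKCU Winlogon\$name = '$v'  (should not exist; this is the blocker's path)"
    if ($Fix) { Remove-ItemProperty -Path $hkcuLogon -Name $name; Write-Host "  removed $name" }
  }
}

# 3. AppInit_DLLs: normally empty. Every DLL listed here is loaded into every
#    process that uses user32.dll, including explorer.exe.
$appInit = Get-RegValue $windowsKey 'AppInit_DLLs'
if ($appInit) { Write-Warning "AppInit_DLLs = '$appInit'  (normally empty)" }

# 4. Run/RunOnce: list every entry and flag executables that live in a
#    user-writable directory or that no longer exist on disk.
$suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC) | Where-Object { $_ }
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $item = Get-Item -Path $key
  foreach ($name in $item.GetValueNames()) {
    $cmd = [string]$item.GetValue($name)
    if (-not $cmd) { continue }
    # Take the executable: the quoted part if present, otherwise the first token.
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $why = ''
    if (-not (Test-Path -LiteralPath $exe)) { $why = 'file not found' }
    elseif ($suspectDirs | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }) { $why = 'user-writable location' }
    $tag = if ($why) { "SUSPECT ($why)" } else { 'ok' }
    Write-Host ("{0} {1}\{2} = {3}" -f $tag, $key, $name, $cmd)
  }
}
Write-Host 'Delete a confirmed entry with: Remove-ItemProperty -Path <key> -Name <name>'
```

Run entries are only reported, never deleted, because a legitimate program in AppData (a messenger's updater, for example) looks the same to the script as a blocker; delete an entry only after you have looked at the file it points to. A bare file name without a path (some legitimate entries are written that way) shows up as "file not found" and should be looked up in System32 before you decide.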

Method 2. Removing Winlocker using ERD Commander.

ERD Commander contains a large set of tools for repairing Windows, including a system damaged by a blocking trojan. With its built-in registry editor you can perform the same operations described above, but on the registry of the installed (not running) system.

ERD Commander is indispensable when Windows is locked in every mode. It is part of Microsoft's paid Software Assurance offering, so copies found on the Internet are usually unlicensed, but they are easy to find.

The ERD Commander kits for the various Windows versions are called MSDaRT (Microsoft Diagnostics and Recovery Toolset) boot disks. They come as ISO images, which are convenient to burn to DVD or write to a flash drive.

After booting from such a disk, select your installation of Windows, open the tools menu and click Registry Editor.

In the Windows XP version the procedure is slightly different: open the Start menu, then Administrative Tools, then Registry Editor.

After editing the registry, boot Windows again; most likely you will no longer see the "Computer is blocked" banner.

Method 3. Removing the blocker using an antivirus "rescue disk".

This is the easiest, though the slowest, unlocking method. Burn the Dr.Web LiveDisk or Kaspersky Rescue Disk image to a DVD (or write it to a flash drive), boot from it, start a scan and wait for it to finish. The virus will be removed.

Dr.Web and Kaspersky disks are equally effective at removing banners.

How to protect your computer from blockers?

  • Install a reliable antivirus and keep it running and updated at all times.
  • Scan every file downloaded from the Internet before launching it.
  • Do not click unknown links.
  • Do not open e-mail attachments, especially in messages with intriguing text, even if they come from friends.
  • Keep track of which sites your children visit. Use parental controls.
  • If possible, do not use pirated software; many paid programs can be replaced with safe free ones.

Imagine an ordinary computer user: someone with minimal knowledge of how to protect the device from viruses, who nevertheless "travels" to every site he likes and follows the links offered, without thinking about the possible danger. One day he sees this picture: the screen is locked, and the attackers are demanding money to unlock it. What to do, how to remove the banner?

Reasons for blocking. Who needs this and why?

A computer can be locked in several ways. Most often it happens after the user visits dubious sites or downloads and installs malware that is being spread across the world. If it has happened to you for the first time, you may even be frightened by what appears on the screen: the message may accuse you of collecting illegal information on the Internet and many other sins, and then offer to unlock the computer for a fee, explaining in detail where and how much to transfer. The going rate is 500 to 2000 rubles. The important thing is that after the SMS is sent, nobody will unlock anything. So you do not need to pay anyone anything; there are several ways to solve the problem yourself without throwing money away.

What are the dangers of locking Windows?

It is sometimes claimed that this only happens to unlicensed copies of Windows. That is not true: the blocker is an ordinary program and runs on any Windows; what matters is whether the system and the antivirus receive updates regularly. The virus itself is constantly being improved, that is, made more dangerous, in order to generate income for its authors. Why is it so dangerous? Because it is not only registered in startup but "buried" much deeper, so it can start when only services and drivers load, including in safe mode. After that it is quite difficult to get the machine working again, but the situation is not hopeless. Let us look at several ways to revive the computer, remove the banner and get back to normal work.

Unlock Windows with Malwarebytes Anti-Malware

Running a scan with Malwarebytes Anti-Malware (from Safe Mode, if the banner prevents it from starting normally) can remove the blocker, but it does not always succeed. In that case use the next method.

Removing a virus using Dr.Web LiveCD

It is one thing when a virus demands a paid SMS to unlock the computer; in that case an unlock code published by an antivirus vendor may sometimes resolve it (not guaranteed, as already written, but possible).

It is another matter when the device is infected with the Winlock malware. This virus can delete your data and accuse you of distributing pornography, but the worst part is that it can block the system even before the operating system starts, so the method above cannot be applied. Never mind, we will use another option for destroying the infection: a boot disk from the well-known company Dr.Web. Create such a disk and proceed.

  1. Insert it into the drive and reboot the device.
  2. If the banner appears again instead of the disk booting, the computer is still starting from the hard drive: go into the BIOS, set the flash drive or optical drive as the first boot device, and reboot again.
  3. Now everything should go well. Set the language to Russian (or English) and continue.
  4. Wait a while for it to load. The antivirus window appears. Click the "Go" button next to "Scanner".
  5. The scan for viruses starts. Wait for Dr.Web to find the ransomware and remove it. After that, select a full scan and run it.
  6. When the antivirus detects a threat, it notifies you.

Dr.Web LiveCD can also clean the registry. Sometimes the ransomware disappears after this alone, and a full scan is no longer needed. Try to start the computer normally: Windows should no longer be blocked, and we have mastered another way of fighting the virus.

Unlock codes and the AVZ utility

There is another option that can help in some cases. Unlock codes are published on the Dr.Web website: pick the screenshot matching your banner from the list and the required code is shown. You can also enter the phone number the SMS is supposed to go to, click search, and get the code. After unlocking, disinfect the computer with a regular antivirus. If that does not work, use the well-known AVZ utility.

  1. You need a disk or flash drive and a working computer.
  2. Download the utility and save it to the removable media.
  3. On the locked computer, press F8 at the start of booting and select "Safe Mode with Command Prompt".
  4. If all goes well, a command prompt appears.
  5. Insert the removable media.
  6. Type explorer and press Enter.
  7. "My Computer" opens.
  8. Find avz.exe on the removable drive and run it.
  9. Go to "File - Troubleshooting Wizard - System problems - All problems", tick every box except "Automatic system updates are disabled" and all the "Autostart is allowed from..." items, then click "Fix noted problems".
  10. Likewise tick all the problems under "Browser settings and tweaks" and click "Fix".
  11. Do the same in the "Privacy" section.
  12. Still in AVZ, close that window. Click "Service", then "Explorer Extensions Manager", and untick every item shown in black.
  13. Then open "Service" and "IE Extension Manager". A list appears; delete every line.
  14. Reboot the computer; most likely the problems are gone. Run a traditional antivirus to finish cleaning. The banner problem is solved.

Conclusion

These are far from the only ways to remove ransomware: there are also scripts, Kaspersky Virus Removal Tool, and reinstalling the operating system. Removing a banner is not always painless for the computer: the desktop may come up empty or the mouse cursor may not work. The first thing to try for such errors is safe mode and disinfection from there. If that does not help, start the computer from removable media; there are special rescue distributions for this. Boot from one and disinfect the machine. So we have finally worked out how to remove a banner from the desktop. One important piece of advice: the treatment described is not easy for an inexperienced user. Those who are not confident in their abilities should turn to specialists.

The most unpleasant banner is the one that blocks the desktop and any action on it, the so-called Winlock. Let us consider ways of solving this problem.

As I already said, under no circumstances send SMS messages to short numbers, deposit money through a terminal or wait for a password on the terminal receipt. The first thing to do is try to boot the computer in safe mode.

Option 1. This is done as follows: when you turn on the computer, press the F8 key after the BIOS splash screen.

A list of boot options appears. Choose Safe Mode and press Enter (the menu looks much the same in Windows XP, Vista and 7). If the computer starts, go to Start - All Programs - Accessories - System Tools - System Restore and try to return the computer to a restore point dated before the banner appeared. If it works and the banner disappears, hurray! If it stays, move on to the next option.

Option 2. Open the Run dialog (Start - Run) and enter "msconfig". A window with Windows boot options opens. On the Startup tab, look for suspicious or unfamiliar programs that run automatically and untick them. Click Apply and restart the computer. Note that these operations must be performed as an administrator, so when starting Safe Mode log in with an administrator account (shown under the user name). If the banner has disappeared, hurray! If it stays, move on to the next option.

Option 3. Boot into Safe Mode again. In the Run dialog enter "regedit". The Registry Editor starts. ATTENTION! Be extremely careful here and do not delete or change anything unnecessary, otherwise all attempts to bring the computer back to life may come to nothing and the only remaining option will be "X": reinstalling Windows. So let us start. Find the key

In it, look for subkeys named "explorer.exe" and "iexplore.exe". If they are present, delete them without hesitation (right-click the subkey, in this case "explorer.exe", choose Delete and confirm with Yes); if not, continue. Now check the launch parameters of "explorer.exe". For this, find the key

_____________________________________________________________

After restarting the computer, does the monitor show a demand to send a paid SMS or to deposit money into a mobile phone account?

Meet the typical ransomware virus. It comes in thousands of forms and hundreds of variations, but it is easy to recognize by one simple sign: it asks you to put money on (or call) an unfamiliar number and in return promises to unlock the computer. What to do?

First, realize that this is a virus whose purpose is to extract as much money from you as possible. That is why you should not give in to its provocations.

Remember one simple thing: do not send any SMS. They will take all the money on your balance (the demand usually mentions 200-300 rubles), and sometimes they demand two, three or more messages. The virus will not leave your computer whether you send the scammers money or not: Trojan.Winlock stays until you remove it yourself.

The action plan is: 1. Remove the lock from the computer. 2. Remove the virus and disinfect the computer.

Ways to unlock your computer:

1. Enter an unlock code. This is the most common way of dealing with an obscene banner. Codes can be found on the Dr.Web, Kaspersky and NOD32 (ESET) sites. Do not worry if the code does not work; move on to the next step.

2. Try booting into Safe Mode. After turning on the computer press F8, and when the boot options menu appears select "Safe Mode with Networking" and wait for the system to boot.

2a. Now try System Restore (Start - Accessories - System Tools - System Restore) to an earlier checkpoint. 2b. Create a new account: Start - Control Panel - User Accounts, add a new account and restart the computer. When it starts, log in with the newly created account (a blocker registered only in the old profile's HKEY_CURRENT_USER keys will not start there). Then continue with the next step.

3. Try Ctrl+Alt+Del: the Task Manager should appear. Launch the disinfection utilities from the Task Manager (File - New Task, then the path to the program). Another approach is to press Ctrl+Shift+Esc and, in the Task Manager, end every unfamiliar process until the desktop is unlocked.

4. The most reliable way is installing a new OS. If you absolutely need to keep the old system, the more laborious, but no less effective, way of dealing with the banner follows.
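When the Task Manager is still reachable (step 3), "end every unfamiliar process" can be made less of a guessing game. The script below is an added example, not from the original article: it lists running processes whose executable either borrows the name of a System32 program while living elsewhere (the svchost.exe-from-the-wrong-folder trick) or is unsigned and located outside Windows and Program Files, then offers to end them one at a time. It assumes Windows 7 or later, that the blocker runs as an ordinary process in the logged-in user's session, and that PowerShell can be started from the Task Manager (File - New Task, then powershell); the function name Get-SuspectProcess is its own.

```powershell
# Added example, not from the original article: find the process that paints the
# banner instead of ending processes at random. Assumptions: Windows 7 or later,
# the blocker runs as an ordinary process in the logged-in user's session, and
# this is pasted into a PowerShell started from Task Manager (File > New Task).
$safeRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-SuspectProcess {
  foreach ($p in Get-Process) {
    $path = $p.Path   # $null for protected system processes we may not query
    if (-not $path) { continue }
    $inSafeRoot = [bool]($safeRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
    $inWindows  = $path.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
    # Winlockers often call themselves svchost.exe, csrss.exe and so on but run
    # from the wrong directory; a file of the same name in System32 gives that away.
    $masquerade = (Test-Path (Join-Path $system32 "$($p.Name).exe")) -and (-not $inWindows)
    # Catalog-signed Windows binaries report NotSigned here, which is why the
    # directory check comes first: outside Windows and Program Files an unsigned
    # binary is the typical profile of a blocker dropped into %TEMP% or %APPDATA%.
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $unsignedOutside = (-not $inSafeRoot) -and ($sig -eq $null -or $sig.Status -ne 'Valid')
    if ($masquerade -or $unsignedOutside) {
      $reason = if ($masquerade) { 'system name, wrong directory' } else { 'unsigned, outside Windows/Program Files' }
      New-Object PSObject -Property @{
        Id = $p.Id; Name = $p.Name; Path = $path; Window = $p.MainWindowTitle; Reason = $reason
      }
    }
  }
}

$suspects = @(Get-SuspectProcess)
$suspects | Format-Table Id, Name, Window, Reason, Path -AutoSize
# Write the paths down (they are the files to delete later), then end the
# processes one by one; -Confirm asks before each kill.
$suspects | ForEach-Object { Stop-Process -Id $_.Id -Confirm }
```

Note the paths it prints before ending anything: they are the files to delete once the registry is fixed. Stop-Process -Confirm asks before each kill, so a false positive (an unsigned portable tool you started yourself) costs nothing; the registry entries that restart the blocker at the next logon still need removing, otherwise it is back after a reboot.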

Another way (for advanced users):

5. Boot from a LiveCD that includes a registry editor. Once it has loaded, open the registry editor: it shows both the registry of the running LiveCD system and that of the infected Windows (the latter's branches are labelled in brackets on the left).

Find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, look at the Userinit value and delete everything after the comma. ATTENTION! Do NOT delete the file "C:\Windows\system32\userinit.exe" itself.

Check the Shell value in the same key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: it should be explorer.exe. That is it for the registry.
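Doing the same edit from a LiveCD, as in step 5 here and in Method 2 (ERD Commander) above, means editing the hive of a Windows that is not running, and the key path changes when a hive is loaded this way. The script below is an added example, not from the original article or from any of the tools it names: it loads the offline SOFTWARE hive with reg.exe, checks Shell and Userinit, and with -Fix writes the defaults back, keeping the legitimate userinit.exe entry (and thus that system's own drive letter) and dropping everything after the comma. It assumes you run it as Administrator from a WinPE/WinRE environment that includes PowerShell, or from a clean Windows with the infected disk attached, and that the infected installation is visible as D:\Windows; the mount name OffSoft is arbitrary.

```powershell
# Added example, not from the original article: repair the Winlogon values of a
# Windows that is NOT running, the way ERD Commander / a LiveCD does, using the
# offline SOFTWARE hive. Assumptions: run as Administrator from WinPE/WinRE with
# PowerShell available, or from a clean Windows with the infected disk attached;
# the infected installation is visible as D:\Windows (adjust -OfflineWindows).
# reg.exe load/unload have no cmdlet equivalent, so reg.exe is called directly.
param(
  [string]$OfflineWindows = 'D:\Windows',
  [string]$Mount = 'OffSoft',   # temporary name under HKLM for the loaded hive
  [switch]$Fix
)

$hive = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
if (-not (Test-Path $hive)) { throw "SOFTWARE hive not found: $hive" }

& reg.exe load "HKLM\$Mount" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed: not elevated, or the hive is in use (is that Windows running?)' }
try {
  # In a loaded hive the SOFTWARE\ prefix disappears: what is
  # HKLM\SOFTWARE\Microsoft\Windows NT\... on the live system is
  # HKLM\<mount>\Microsoft\Windows NT\... here.
  $winlogon = "HKLM:\$Mount\Microsoft\Windows NT\CurrentVersion\Winlogon"
  $p = Get-ItemProperty -Path $winlogon
  Write-Host "Shell    = '$($p.Shell)'"
  Write-Host "Userinit = '$($p.Userinit)'"

  # Userinit is a comma-separated list; Windows needs only userinit.exe in it.
  # Keep the first entry if it is the real userinit.exe (this preserves whatever
  # drive letter that system uses when booted); everything else was injected.
  $parts = @(($p.Userinit -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
  $keep  = 'C:\Windows\system32\userinit.exe'   # assumption: that system's drive is C: when booted
  if ($parts.Count -gt 0 -and $parts[0] -match '\\userinit\.exe$') { $keep = $parts[0] }
  $injected = @($parts | Where-Object { $_ -ne $keep })
  if ($p.Shell -and $p.Shell.Trim().ToLower() -ne 'explorer.exe') { $injected += $p.Shell }

  if ($injected.Count -gt 0) {
    Write-Warning ('Injected: ' + ($injected -join ' | ') + '   (quarantine these files; D:\ here is C:\ on that system)')
  }
  if ($parts.Count -eq 0) { Write-Warning 'Userinit is empty: that Windows would log you straight back out' }

  if ($injected.Count -eq 0 -and $parts.Count -gt 0) {
    Write-Host 'Winlogon values look normal.'
  } elseif ($Fix) {
    Set-ItemProperty -Path $winlogon -Name Shell    -Value 'explorer.exe'
    Set-ItemProperty -Path $winlogon -Name Userinit -Value ($keep + ',')
    Write-Host 'Winlogon restored.'
  }
} finally {
  # Always unload, otherwise the hive stays locked and that Windows will not boot cleanly.
  [GC]::Collect()   # release PowerShell's handle on the key before unloading
  & reg.exe unload "HKLM\$Mount" | Out-Null
}
```

The same load/unload approach works for a user profile: load D:\Users\<name>\NTUSER.DAT and look under the mount name at Software\Microsoft\Windows\CurrentVersion\Run and Software\Microsoft\Windows NT\CurrentVersion\Winlogon, which correspond to the HKEY_CURRENT_USER keys discussed above. Do not skip the unload: a hive left loaded stays locked, and the repaired Windows will not boot from it cleanly.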

If the error "Registry editing has been disabled by your administrator" appears, download the AVZ program, open "File" - "System Restore", tick "Unlock Registry Editor" and click "Perform selected operations". The editor is available again.

Run Kaspersky Virus Removal Tool and Dr.Web CureIt! and scan the entire system with them. All that remains is to reboot and restore the boot order in the BIOS. Note, however, that the virus has NOT yet been fully removed from the computer.

Treating your computer for Trojan.Winlock

For this we need:
- the ReCleaner registry editor
- the popular Kaspersky Virus Removal Tool
- the well-known Dr.Web CureIt!
- the RemoveIT Pro antivirus
- the Plstfix registry repair utility
- ATF Cleaner, a program for removing temporary files

1. First get rid of the virus's hooks in the system. Launch the registry editor (Menu - Tasks - Launch Registry Editor) and find:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: look at the Userinit value and delete everything after the comma. ATTENTION! Do NOT delete the file "C:\Windows\system32\userinit.exe" itself.

Check the Shell value in the same key: it should be explorer.exe. That is it for the registry.

Now open the "Startup" tab. Go through the startup items, tick and delete (button in the lower right corner) everything you did not install yourself, leaving only the entries you know to be legitimate (such as ctfmon.exe). Entries that launch svchost.exe or another .exe file from outside %SystemRoot%\System32 (for example straight from the Windows folder or a temp folder) are almost certainly the blocker and must be removed; the genuine svchost.exe lives in System32 and is never a startup item.
Then select Task - Clean the registry - Use all options. The program scans the entire registry and deletes everything it finds.

2. To find the malicious code itself we use Kaspersky, Dr.Web and RemoveIT. Note: RemoveIT will ask to update its signature databases; an Internet connection is needed while it updates.
Scan the system disk with these programs and delete everything they find. If you wish, check all the drives just in case. It takes much longer but is more reliable.

3. The next utility is Plstfix. It repairs the registry after our changes; as a result the Task Manager and safe mode start working again.

4. Just in case, delete all temporary files. Copies of the virus are often hidden in these folders, which is how even well-known antiviruses miss them. Install ATF Cleaner, tick everything and delete.

5. Reboot. Everything works, even better than before :).
