How to protect your computer from ransomware banners. Removing the banner from the desktop. Safe Mode - Login

Winlocker Trojans are a type of malware that blocks access to the desktop and extorts money from the user: supposedly, once he transfers the required amount to the attacker's account, he will receive an unlock code.

If, when you turn on the PC, you see something like this instead of the desktop:

or something else in the same spirit, with threatening text and sometimes obscene pictures, do not rush to accuse your loved ones of every sin. They, or perhaps you yourself, have fallen victim to the Trojan.Winlock ransomware.

How do ransomware blockers get on a computer?

Most often, blockers get on the computer in the following ways:

  • through cracked programs and tools for cracking paid software (cracks, keygens, etc.);
  • via links in social-network messages that appear to come from acquaintances but are in fact sent by intruders from hijacked accounts;
  • from phishing web resources that imitate well-known sites but were created specifically to spread viruses;
  • by e-mail, as attachments to letters with intriguing subjects: "you are being sued ...", "you were photographed at a crime scene", "you won a million", and the like.

Attention! Pornographic banners are not always picked up from porn sites. They can come from the most ordinary sites too.

Another type of ransomware, browser blockers, is distributed in the same way. For example, like this:

They demand money to restore web browsing in the browser.

How to remove the banner "Windows is blocked" and the like?

When the desktop is locked and a virus banner prevents the launch of any program on the computer, you can do the following:

  • boot into safe mode with command-line support, start the registry editor and delete the banner's autorun keys;
  • boot from a Live CD ("live" disk), for example ERD Commander, and remove the banner from the computer both through the registry (autorun keys) and through the file manager (files);
  • scan the system from a boot disk with an antivirus, such as Dr.Web LiveDisk or Kaspersky Rescue Disk 10.

Method 1: Removing the winlocker from safe mode with command-line support.

So, how to remove a banner from a computer via the command line?

On machines with Windows XP and 7, quickly press the F8 key before the system starts and select the marked item from the menu (in Windows 8 / 8.1 there is no such menu, so you have to boot from the installation disk and run the command line from there).

Instead of a desktop, a console will open in front of you. To launch the registry editor, enter the command regedit in it and press Enter.

Next, in the registry editor, find the virus entries and fix them.

Most often, ransomware banners are registered in sections:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: here the blocker changes the values of the Shell, Userinit and Uihost parameters (the last one exists only in Windows XP). You need to restore them to normal:

  • Shell = explorer.exe
  • Userinit = C:\WINDOWS\system32\userinit.exe, (C: is the letter of the system partition; if Windows is on drive D, the path to Userinit will start with D:)
  • Uihost = LogonUI.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: check the AppInit_DLLs parameter. Normally it is either absent or has an empty value.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: here the ransomware creates a new parameter whose value is the path to the blocker file. The parameter name can be a meaningless string of letters, such as dkfjghk. It must be deleted completely.

The same goes for the following sections:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

To fix a registry value, right-click on the parameter, select Edit, enter the new value and click OK.

After that, restart the computer in normal mode and run an antivirus scan. It will remove the ransomware files from the hard drive.

Method 2. Removing a winlocker using ERD Commander.

ERD Commander contains a large set of tools for restoring Windows, including when it has been damaged by blocker Trojans. Using the ERDregedit registry editor built into it, you can perform the same operations described above.

ERD Commander is indispensable if Windows is blocked in all modes. Copies of it are distributed illegally, but they are easy to find online.

ERD Commander sets for all versions of Windows are distributed as MSDaRT (Microsoft Diagnostics and Recovery Toolset) boot disks; they come in ISO format, which is convenient for burning to DVD or transferring to a USB flash drive.

After booting from such a disk, select your version of the system, go to the menu and click the registry editor.

In Windows XP the procedure is slightly different: open the Start menu, select Administrative Tools and then Registry Editor.

After editing the registry, boot Windows again; most likely, you will no longer see the "Computer is locked" banner.

Method 3. Removing the blocker using an antivirus "rescue disk".

This is the easiest but also the slowest unlocking method. It is enough to burn the Dr.Web LiveDisk or Kaspersky Rescue Disk image to DVD, boot from it, start a scan and wait for it to finish. The virus will be removed.

Dr.Web and Kaspersky discs are equally effective at removing banners from a computer.

How to protect your computer from blockers?

  • Install a reliable antivirus and keep it active at all times.
  • Check all files downloaded from the Internet before launching them.
  • Don't click on unknown links.
  • Do not open e-mail attachments, especially those that arrive in letters with intriguing text, even from your friends.
  • Keep track of what websites your children visit. Use parental controls.
  • If possible, do not use pirated software; many paid programs can be replaced with safe free ones.

After restarting the computer, does the monitor display a demand to send a paid SMS or to put money on a mobile phone account?

Meet the typical ransomware virus! It takes thousands of different forms and hundreds of variations, but it is easy to recognize by one simple sign: it asks you to put money on (or call) an unknown number and in return promises to unlock your computer. What to do?

First, realize that this is a virus whose purpose is to squeeze as much money out of you as possible. That is why you should not give in to its provocations.

Remember one simple thing: do not send any SMS. They will withdraw all the money on your balance (the demand usually states 200-300 rubles). Sometimes they require you to send two, three or more SMS. Remember, the virus will not leave the computer whether you send money to the scammers or not. The Trojan WinLock will remain on your computer until you remove it yourself.

The action plan is as follows: 1. Remove the block from the computer. 2. Remove the virus and clean the computer.

Ways to unlock your computer:

1. Enter the unlock code and. This is the most common way to deal with the obscene banner. You can find the code here: Dr.Web, Kaspersky, Nod32. Don't worry if the code doesn't work; move on to the next step.

2. Try booting into safe mode. To do this, press F8 after turning on the computer. When the boot options window appears, select "safe mode with driver support" and wait for the system to boot.

2a. Now try System Restore (Start - Accessories - System Tools - System Restore) to an earlier checkpoint. 2b. Create a new account: go to Start - Control Panel - User Accounts, add a new account and restart the computer. When it starts, select the newly created account. Let's go to .

3. Try Ctrl+Alt+Del: the Task Manager should appear. Launch the cleaning utilities through the Task Manager (File - New Task, then our programs). Another way: hold down Ctrl+Shift+Esc and, while holding these keys, look for and end all strange processes until the desktop is unlocked.

4. The most reliable way is to reinstall the OS (operating system) from scratch. If you fundamentally need to keep the old OS, then consider the more time-consuming, but no less effective, way of dealing with this banner.

Another way (for advanced users):

5. Boot from a live CD that has a registry editor. Once the system has booted, open the registry editor. In it we will see the registry of the current (live) system and of the infected one (its branches on the left are displayed with a label in brackets).

Find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, locate Userinit there and delete everything after the comma. ATTENTION! The file "C:\Windows\system32\userinit.exe" must NOT be deleted.

Check the value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; it should be explorer.exe. Done with the registry.

If the error "Registry editing is prohibited by the system administrator" appears, download the AVZ program. Open "File" - "System Restore", check the item "Unlock the registry editor", then click "Perform marked operations". The editor is back.

Run the Kaspersky Virus Removal Tool and Dr.Web CureIt and scan the entire system with them. It remains to reboot and restore the BIOS settings. However, the virus has NOT yet been fully removed from the computer.

Cleaning a computer of Trojan WinLock

For this we need:
- the ReCleaner registry editor
- the popular Kaspersky Virus Removal Tool
- the well-known Dr.Web CureIt
- the RemoveIT Pro antivirus
- the Plstfix registry repair utility
- the ATF Cleaner temporary-file remover

1. First get rid of the virus in the system. To do this, launch the registry editor: Menu - Tasks - Launch the registry editor. You need to find:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: locate the Userinit value there and delete everything after the comma. ATTENTION! The file "C:\Windows\system32\userinit.exe" must NOT be deleted.

Check the value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; it should be explorer.exe. Done with the registry.

Now select the "Startup" tab. Look through the startup items, check the boxes and delete (button in the lower right corner) everything that you did not install, leaving only desktop and ctfmon.exe. The remaining svchost.exe and other .exe processes from the Windows directory must be removed.
Select Task - Registry Cleanup - Use all options. The program will scan the entire registry; delete everything permanently.

2. To find the virus code itself, we need the following utilities: Kaspersky, Dr.Web and RemoveIT. Note: RemoveIT will ask you to update its virus signature databases; an Internet connection is required during the update!
With these programs, scan the system disk and delete everything they find. Just in case, you can also check all the computer's disks. It takes much longer, but it is more reliable.

3. The next utility is Plstfix. It restores the registry after our changes. As a result, the task manager and safe mode will start working again.

4. Just in case, delete all temporary files. Copies of the virus are often hidden in these folders, which is how even well-known antiviruses fail to detect them. It is better to manually remove anything that does not significantly affect the operation of the system. Install ATF Cleaner, mark everything and delete it.

5. Reboot the system. Everything works, even better than before :).

Surely every fourth user of a personal computer has encountered some kind of fraud on the Internet. One type of deception is a banner that blocks Windows and requires you to send an SMS to a paid number or to pay in cryptocurrency. Basically, it's just a virus.

To fight a ransomware banner, you need to understand what it is and how it gets into your computer. The banner usually looks like this:

There may be all sorts of other variations, but the essence is the same: crooks want to make money off you.

How a virus enters a computer

The first route of "infection" is pirated applications, utilities and games. Of course, Internet users are used to getting most of what they want online "for free", but when downloading pirated software, games, various activators and so on from suspicious sites, we run the risk of infection. In this situation, it usually helps.

Windows may be blocked by a downloaded file with the ".exe" extension. This does not mean that you must refuse to download files with this extension. Just remember that ".exe" applies only to games and programs. If you download a video, song, document or picture and its name ends in ".exe", the chance of the ransomware banner appearing jumps to 99.999%!

There is also a trick involving a supposed need to update Flash Player or the browser. You may be browsing the Internet, moving from page to page, and one day see a message that "your Flash player is out of date, please update". If clicking this banner does not lead you to the official adobe.com website, it is 100% a virus. Therefore, check before clicking the "Update" button. The best option is to ignore such messages altogether.

Lastly, missing Windows updates weaken system protection. To keep your computer protected, try to install updates on time. In "Control Panel -> Windows Update" this can be set to automatic mode so that you are not distracted.

How to unlock Windows 7/8/10

One of the simple options for removing the ransomware banner is . It helps 100%, but it makes sense to reinstall Windows only when you have no important data on the C drive that you did not have time to save: when you reinstall the system, all files on the system disk are deleted. So if you do not want to reinstall programs and games, use the other methods.

After curing and successfully launching the system without the ransomware banner, additional steps must be taken, otherwise the virus may resurface or there will simply be problems in the system. All this is at the end of the article. All information is personally verified by me! So, let's begin!

Kaspersky Rescue Disk + WindowsUnlocker will help us!

We will use a specially designed operating system. The whole difficulty is that on a working computer you need to download the image and or (scroll through the articles, there are).

When it's ready, you need. At startup a short message will appear, such as "Press any key to boot from CD or DVD". Here you need to press any key on the keyboard, otherwise the infected Windows will start.

When loading, press any key, then select the language ("Russian"), accept the license agreement with the "1" key and choose the launch mode "Graphic". After the Kaspersky operating system starts, ignore the automatically launched scanner and instead go to the "Start" menu and launch the "Terminal".


A black window will open where we write the command:

windowsunlocker

A small menu will open:


Select "Unlock Windows" with the "1" key. The program will check and fix everything itself. Now you can close the window and check the entire computer with the already running scanner. In its window, tick the disk with the Windows OS and click "Perform object check".


Wait for the check to finish (it may take a long time) and, finally, reboot.

If you have a laptop without a mouse and the touchpad does not work, I suggest using the text mode of the Kaspersky disk. In this case, after the operating system starts, first close the menu that opens with the "F10" key, then enter the same command on the command line: windowsunlocker

Unlock in safe mode, no special images

Today, viruses like Winlocker have become smarter and block Windows from loading in safe mode, so most likely this will not succeed; but if you have no image, give it a try. Viruses differ and may behave differently, but the principle is the same.

Restart the computer. During boot, press the F8 key until the menu of additional Windows startup options appears. Use the arrow keys to select the item called "Safe mode with command line support".

This is where you need to get to; select the desired line:

If everything goes well, the computer will boot and we will see the desktop. Fine! But that doesn't mean everything works now. If you do not remove the virus and simply reboot in normal mode, the banner will pop up again!

Cleaning with Windows tools

You need to restore the system to a point when the blocker banner did not yet exist. Read the article carefully and do everything written there. There is a video below the article.

If that doesn't help, press "Win + R" and type the command to open the registry editor in the window:

regedit

If a black command-line window is launched instead of the desktop, simply enter the "regedit" command and press "Enter". We have to check some registry keys for the virus, or more precisely its malicious entries. To begin, go to this path:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Now, in order, we check the following values:

  • Shell: "explorer.exe" must be written here, with no other options
  • Userinit: the text should be "C:\Windows\system32\userinit.exe,"

If the OS is installed on a drive other than C:, the letter will differ accordingly. To change an incorrect value, right-click the line you want to edit and select "Modify":

Then we check:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

There should be no Shell or Userinit values here at all; if there are, delete them.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

And be sure to check:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If you are not sure whether a value should be deleted, you can first simply add a "1" to its data. The path will then be invalid and the program simply will not start; later you can restore it as it was.

Now run the built-in disk cleanup utility, launched the same way as the "regedit" registry editor, but typing:

cleanmgr

Select the disk with the operating system (C: by default) and, after the scan, check all the boxes except "Service Pack Backup Files",

and click "OK". With these actions we have probably disabled the virus's autorun; next we need to clean up the traces of its presence in the system, described at the end of the article.

AVZ Utility

This method consists in running the well-known antivirus utility AVZ in safe mode. Besides searching for viruses, the program has a great many functions for fixing system problems. It repeats the steps for closing the holes left in the system after the virus has run, so to get acquainted with it, go to the next section.

Fixing issues after ransomware removal

Congratulations! If you are reading this, the system started without a banner. Now you need to check the whole system with them. If you used the Kaspersky rescue disk and scanned there, you can skip this item.

There may also be one more trouble caused by the villain: the virus can encrypt your files, and even after its complete removal you simply will not be able to use them. To decrypt them, use the programs from the Kaspersky website: XoristDecryptor and RectorDecryptor. Instructions for use are there too.

But that's not all, because Winlocker has most likely messed up the system, and various glitches and problems will be observed. For example, the registry editor and task manager will not start. To repair the system, we will use the AVZ program.

When downloading with Google Chrome there may be a problem, because this browser considers the program malicious and does not allow it to be downloaded! This question has already been raised on the official Google forum, and at the time of writing everything is already OK.

To download the archive with the program anyway, go to "Downloads" and click "Download malicious file" there 🙂 Yes, I understand that it looks a little silly, but apparently Chrome thinks that the program can harm the average user. And this is true if you click wherever you like! Therefore, follow the instructions strictly!

Unpack the archive with the program, write it to external media and run it on the infected computer. Go to the menu "File -> System Restore", tick the checkboxes as in the picture and perform the following operations:

Now take the following path: "File -> Troubleshooting Wizard", then go to "System problems -> All problems" and click the "Start" button. The program will scan the system; then, in the window that appears, tick all the checkboxes except "Disabling operating system updates in automatic mode" and those that begin with "Allowed to autorun from ...".

Click the "Fix flagged issues" button. After successful completion, go to "Browser settings and tweaks -> All problems", tick all the checkboxes here and likewise click "Fix flagged problems".

Do the same with "Privacy", but here do not tick the boxes responsible for clearing browser bookmarks or anything else you think you need. Finish the check in the sections "Cleaning the system" and "Adware/Toolbar/Browser Hijacker Removal".

At the end, close the window without exiting AVZ. In the program, find "Tools -> Explorer Extensions Editor" and untick the items marked in black. Then go to "Tools -> Internet Explorer Extension Manager" and delete all the lines in the window that appears.

I already said above that this section of the article is also one of the ways to cure Windows of a ransomware banner. In this case, you need to download the program on a working computer and then write it to a USB flash drive or disk. All actions are carried out in safe mode. But there is another option to run AVZ even if safe mode is not working: start from the same boot menu in the "Computer Troubleshooting" mode.

If you have it installed, it will be displayed at the very top of the menu. If it is not there, try to start Windows until the banner appears and then unplug the computer from the outlet. When you turn it on again, the new launch mode will probably be offered.

Starting from a Windows installation disc

Another good way is to boot from any Windows 7-10 installation disk and select "System Restore" there rather than "Install". When the troubleshooter is running:

  • Select "Command Prompt"
  • In the black window that appears, type "notepad", i.e. launch the regular Notepad. We will use it as a mini file manager
  • Go to "File -> Open" and select the file type "All files"
  • Find the folder with the AVZ program, right-click the file "avz.exe" and launch the utility using the "Open" menu item (not "Select"!).

If nothing helps

This refers to cases when, for some reason, you cannot boot from a flash drive with the Kaspersky image or the AVZ program. You will have to take the hard drive out of the computer and connect it as a second disk to a working computer. Then boot from the UNINFECTED hard drive and scan YOUR disk with the Kaspersky scanner.

Never send the SMS messages requested by scammers. Whatever the text, do not send messages! Try to avoid suspicious sites and files, but in general read. Follow the instructions and your computer will be safe. And do not forget about the antivirus and regular updates of the operating system!

Here is a video showing everything in an example. The playlist consists of three lessons:

PS: what method helped you? Write about it in the comments below.

Often, users become victims of viruses that seriously interfere with working in Windows. A striking example is the blocking of the desktop with a banner. This happens if you have not taken care of protecting your computer. You cannot perform any actions, the OS is locked, and something like "You have broken the law. Top up such-and-such mobile number, otherwise you will lose all your data" is written on the screen. This article describes how to remove such a banner from the desktop of your computer.

You have to understand that this is a scam. You have not violated anything; there are no clauses in the legislation about blocking a user's desktop. Under no circumstances follow the scammers' instructions or send them your money.

Most likely, this will not even help: unlocking with a code is unlikely to get rid of the virus, and the banner will remain on the computer.

Often, to get rid of such problems, it is recommended to simply reinstall the operating system. Of course, deleting and reinstalling Windows will definitely help. But it is a long road: do not forget that you will still need to install all the necessary drivers and programs.

This article discusses simpler and quicker ways to get rid of ransomware banners.

Starting in safe mode

If you find that a banner blocking all computer functions pops up when Windows starts, you need to start the operating system in diagnostic mode. To do this, follow these instructions:


This will take you to Windows' diagnostic mode. If you succeeded and the banner is not there, move on to the next part of the guide. If the lock appears in this mode too, you will need to start the PC using a LiveCD (described below).

As a rule, a banner virus modifies some entries in the registry, which leads to Windows malfunctioning. Your task is to find all these changes and eliminate them.

Registry editing

Open the "Run" dialog with the keyboard shortcut "Win" + "R". In the window that opens, enter the command "regedit" and press Enter. This takes you to the Windows Registry Editor. Follow the instructions carefully so you don't miss anything.

Using the tree on the left side of the program window, open the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Here you need to find the entry responsible for starting your banner at system startup and remove it. Right-click on the entry and select "Delete" from the context menu. Feel free to delete everything suspicious; it will not affect the operation of your system. If you remove something superfluous, such as Skype autostart, you can restore it later.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

In this key, find the parameter called "Shell" and set its value to "explorer.exe". Next, find the "Userinit" entry and set its value to "C:\Windows\system32\userinit.exe". To edit entries, simply double-click them.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Also look for the "Userinit" and "Shell" parameters here. Write down their values somewhere: these are the paths to your banner. Then delete both entries; they should not be in this key.

Prevention

After you have managed to remove all unnecessary entries from the Windows registry, you can close the editor and restart your computer. The system should start without any problems.

Now you need to remove the "tails" left by the malicious script. Open Windows Explorer (My Computer), find the files referenced by the "wrong" "Shell" and "Userinit" values and delete them.

After that, it is very important to scan the system with an antivirus program, preferably the most in-depth scan your antivirus has. If you do not have any system protection, download and install it immediately. For example, you can use the free program from Microsoft, Security Essentials. You can download it from this link: https://www.microsoft.com/en-us/download/details.aspx?id=5201 .

The following guide describes how to remove the banner if it opens even during the start of Windows Safe Mode.

Creating a Live CD from Kaspersky

If you are unable to remove the banner through safe mode, use a LiveCD. This is a special mini-OS written to a disk or flash drive. With it, you can boot and edit the corrupted registry or run an automatic troubleshooting utility.

For example, you can use the free service from Kaspersky Lab. To do this, create a bootable USB flash drive or disk on another working computer:

Unlock via Live CD of Kaspersky

To remove the effects of a virus infection, you will need to do the following:

Installation disk

You can also use the installation disk of your operating system to get rid of the consequences of a virus infection. You have to resort to this when the banner appears immediately after the BIOS beep and you have no opportunity to use other means.

Insert the installation disk or bootable USB flash drive with your system image and reboot the PC. Open the Boot Menu and select booting from external media. If required, press any key on the keyboard. The removal of the consequences of the virus attack is described below using the example of Windows 7.

Select the interface language and click Next. Click the "System Restore" hyperlink at the bottom of the screen. A new window will open asking you to select "Command line".

In the console that opens, type the command "bootrec.exe /FixMbr" and press Enter. After that, enter another command, "bootrec.exe /FixBoot", and press Enter again. Also enter the line "bcdboot.exe c:\windows" (if the system is installed on a different drive, specify it). Restart the PC and the problem will be solved.

Every fifth owner of a personal computer has been attacked by scammers on the World Wide Web. A popular type of deception is winlocker Trojans: banners that block Windows and require you to send an SMS to a paid number. To get rid of such ransomware, you need to understand what threats it poses and how it gets into the system. In particularly difficult cases, you will need to contact a service center.

How do virus banners get on a computer?

First on the list of sources of infection are pirated programs for work and leisure. Do not forget that Internet users have become accustomed to getting software online for free. But downloading software from suspicious sites entails a high risk of banner infection.

Windows blocking often occurs when opening a downloaded file with the ".exe" extension. Of course, this is not an axiom; it makes no sense to refuse to download software with this extension. Just remember a simple rule: ".exe" is the extension of an installer for games or programs. Its presence in the name of a video, audio, image or document file maximizes the likelihood of infecting the computer with a "winlocker" Trojan.

The second most common method is based on a prompt to update the Flash player or browser. It looks like this: while surfing from page to page, a message of the following type pops up: "your browser is out of date, install an update". Such banners do not lead to the official website. Agreeing to the upgrade on a third-party resource leads to infection of the system in 100% of cases.

How to remove banner ransomware from computer

The one method that reliably works is a clean reinstall of Windows. Its drawback, and a serious one, is that unless you have a backup of the important data on drive "C", that data is lost during a standard reinstallation. Not keen on reinstalling all your programs and games because of a banner? Then the other methods are worth knowing. They all fall into two categories:

  • Safe mode is still accessible;
  • Safe mode cannot be used.

Blockers keep evolving and some disable every alternative boot mode of the OS, so the first, safe-mode route will not always be available.

For all the variety of removal methods, they come down to one principle: find and remove the entries that start the banner. Once the removal is done and the system reboots cleanly (no ransomware banner), additional measures are still required; otherwise the banner will reappear or the computer will start freezing. Let's look at the two most common methods.

Safe mode

Restart the computer and tap the F8 key until the menu of advanced boot options appears. Using the keyboard arrows, select "Safe Mode with Command Prompt" from the list. Note that F8 works out of the box on Windows 7 and earlier; Windows 8 and 10 show the legacy F8 menu only if it was enabled beforehand with "bcdedit /set {default} bootmenupolicy legacy", otherwise reach Safe Mode through Shift+Restart or the recovery environment.

If the malware has not dug deeply into the system, this mode will start. In "Safe Mode with Command Prompt" you get a console window instead of the desktop: type "regedit" there and press Enter. In ordinary Safe Mode the desktop appears; open "Start", choose "Search programs and files" and type "regedit". From here on you need some basic knowledge of Windows in order to clean the registry of the virus and undo its effects.

Start with the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Check two values in it in turn. Shell must contain only "explorer.exe"; any other content is a sign of the banner and is removed. Userinit must contain "C:\Windows\system32\userinit.exe," (the trailing comma is part of the stock value). The drive letter may differ from "C" if the operating system runs from another local drive.

  • HKEY_CURRENT_USER (the same subpath). On a clean system there are no Shell or Userinit values here; if they exist, they were planted by the banner and must be deleted.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Every suspicious entry with a meaningless name, for example "skjgghydka.exe", is a candidate for cleaning. Unsure whether an entry is harmful? You do not have to delete it: put "1" at the start of the path it points to (the value data). The path then no longer resolves, so the program will not start, and if it turns out to be needed you can restore the original value.
  • HKEY_CURRENT_USER (the same subpath). Proceed as in the previous item.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Repeat the same operations.
  • HKEY_CURRENT_USER (the same subpath as the item above). Take the same steps.

When this is done, run the system utility "cleanmgr". Select the local disk with Windows and let it scan, then in the window that appears tick every item except "Service Pack Backup Files". This removes the temporary files and other leftovers the banner dropped; after the utility finishes, reboot normally to confirm that the banner is gone.
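The registry walk above, as a script rather than a manual tour through regedit. This is an added example, not code from the original article: it checks the Winlogon Shell and Userinit values in HKLM and HKCU against their stock contents, lists every Run and RunOnce entry in both hives, marks entries that point outside the Windows and Program Files folders or have random-looking names for review, and offers the article's reversible "prefix with 1" trick instead of deletion. It assumes (hypothetically) that you run it from an elevated "Safe Mode with Command Prompt" session with `powershell -ExecutionPolicy Bypass -File .\Triage-Winlocker.ps1`, that the system drive is the one in `$env:SystemRoot`, and that the name `skjgghydka.exe` in the final comment is just the article's example.

```powershell
# Added example, not from the original article: triage the autorun locations a
# winlocker abuses. Nothing is deleted; entries are reported as ok / SUSPICIOUS / REVIEW
# and Disable-AutorunEntry applies the reversible "prefix with 1" trick on demand.
# Assumptions (hypothetical): elevated Safe Mode with Command Prompt session; the system
# drive is $env:SystemRoot; legitimate programs live under Windows or Program Files.

$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Stock values on a clean install; Userinit really does end with a comma.
$winlogonExpected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-WinlogonValues {
    foreach ($key in $winlogonKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $winlogonExpected.Keys) {
            $prop = $props.PSObject.Properties[$name]
            if (-not $prop) { continue }                   # absent is normal, especially under HKCU
            $actual = [string]$prop.Value
            # A per-user Shell/Userinit should not exist at all; the machine-wide one must match exactly.
            $bad = $key.StartsWith('HKCU:') -or ($actual.Trim() -ne $winlogonExpected[$name])
            $verdict = if ($bad) { 'SUSPICIOUS' } else { 'ok' }
            [pscustomobject]@{ Key = $key; Name = $name; Value = $actual; Verdict = $verdict }
        }
    }
}

function Get-ExePath([string]$Command) {
    # First token of the command line, honoring quotes and %VAR% expansion.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+)')     { return $Matches[1] }
    return $expanded
}

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $cmd = [string]$regKey.GetValue($name, $null,
                       [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $exe = Get-ExePath $cmd
            $inTrusted = [bool]($trustedRoots | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            # "Meaningless" names like skjgghydka.exe: long, with few vowels. A heuristic, not proof.
            $letters = ($name -replace '\.exe$', '') -replace '[^A-Za-z]', ''
            $vowels  = ($letters -replace '[^AEIOUYaeiouy]', '').Length
            $randomLooking = $letters.Length -ge 8 -and ($vowels / $letters.Length) -lt 0.25
            $reasons = @()
            if (-not $inTrusted)  { $reasons += 'outside Windows/Program Files' }
            if ($randomLooking)   { $reasons += 'random-looking name' }
            if ($exe -and -not (Test-Path -LiteralPath $exe)) { $reasons += 'file not found at that path' }
            $verdict = if ($reasons) { 'REVIEW: ' + ($reasons -join ', ') } else { 'ok' }
            [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Verdict = $verdict }
        }
    }
}

function Disable-AutorunEntry([string]$Key, [string]$Name) {
    # The article's reversible alternative to deleting: prefix the command with "1" so the
    # path no longer resolves and the entry fails to start; strip the "1" to restore it.
    $current = (Get-ItemProperty -Path $Key -Name $Name).$Name
    Set-ItemProperty -Path $Key -Name $Name -Value ('1' + $current)
}

Write-Host '== Winlogon Shell / Userinit =='
Test-WinlogonValues | Format-Table -AutoSize
Write-Host '== Run / RunOnce (HKLM and HKCU) =='
Get-AutorunEntries | Format-Table -AutoSize -Wrap
# Neutralize a flagged entry (the name is the article's example, not a real indicator):
# Disable-AutorunEntry -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'skjgghydka.exe'
```

"REVIEW" is a prompt to look, not a verdict: plenty of legitimate software autostarts from AppData, so confirm the file before disabling anything. When Safe Mode is unavailable and you are working from a Live CD instead, the same checks apply to the offline hives: mount them first with `reg load HKLM\OfflineSoftware D:\Windows\System32\config\SOFTWARE` (and the user's `NTUSER.DAT` for the HKCU side), point the key lists at the loaded names, and `reg unload` them before rebooting.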

Restoring the system to a checkpoint

To remove the banner we will use the standard System Restore, rolling back to an existing restore point created before the winlocker appeared. Start it from the command line by entering "rstrui". In the window that opens you can accept the recommended point or pick your own from the list; choose one dated before the day the banner first showed up.

The restore takes some time and ends with a reboot. In most cases the result is the complete removal of the malware, because the registry and program files are returned to their pre-infection state. Sometimes a message appears saying the system could not be restored (or there are no restore points at all); then the only option left is the service center, which is also the better choice if you lack the skills to work with the registry.
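The same rollback, scripted so that the restore point is chosen by date rather than by eye. This is an added example and not part of the original article: it lists the available restore points, keeps only those created before the day the banner appeared, and rolls back to the newest of them. It assumes Windows PowerShell 5.1 in an elevated console (the `Get-ComputerRestorePoint` and `Restore-Computer` cmdlets are not available in PowerShell 7) and that the date `2024-03-10` is a hypothetical placeholder for the day the lock screen first showed up.

```powershell
# Added example, not from the original article: roll back to the newest restore point
# that predates the infection. Windows PowerShell 5.1, elevated. The date is hypothetical.
$bannerFirstSeen = Get-Date '2024-03-10'   # set to the day the banner first appeared

# Get-ComputerRestorePoint returns WMI objects; CreationTime is a WMI datetime string.
$candidates = @(Get-ComputerRestorePoint |
    ForEach-Object {
        [pscustomobject]@{
            SequenceNumber = $_.SequenceNumber
            Created        = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description    = $_.Description
        }
    } |
    Where-Object { $_.Created -lt $bannerFirstSeen } |
    Sort-Object Created -Descending)

if ($candidates.Count -eq 0) {
    throw 'No restore point predates the infection; fall back to the registry clean-up.'
}

Write-Host 'Restore points created before the banner appeared (newest first):'
$candidates | Format-Table -AutoSize

$target = $candidates[0]
Write-Host "Rolling back to #$($target.SequenceNumber) ($($target.Created)): $($target.Description)"
# Prompts for confirmation, then restores and reboots the machine.
Restore-Computer -RestorePoint $target.SequenceNumber -Confirm

# After the reboot, check how the restore went:
# Get-ComputerRestorePoint -LastStatus
```

A restore point newer than the infection would only put the banner back, which is why the script filters by date instead of taking the "recommended" entry. If the list is empty, System Restore was either disabled or the blocker deleted the points, and the registry method is the fallback.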

Protect your computer from blocking

Anyone can run into a Winlocker Trojan. Avoiding this kind of trouble is much easier if you follow a few simple rules:

  • Install an anti-virus program and keep it updated;
  • Do not open suspicious e-mails or their attachments;
  • Do not click on pop-up messages on the Internet, especially "update" prompts;
  • Update your operating system regularly.

But if trouble has already arisen, the Recomp service center will help you. Our specialists will remove blocking programs and other viruses, eliminate traces of their presence and improve the operation of the operating system. With us, it is easy to avoid the loss of important data, and if necessary, we will restore lost files!
