How to get rid of the ransomware banner. How to unblock Windows from ransomware virus

How to get rid of a banner

With a huge sense of gratitude to our reader for the link to a virus site where my computer could possibly be infected with a ransomware banner, I turned off my antivirus and some other protection (discussed below) and followed the link. A site opened in which I only managed to see the outline of a guitar; literally a second later the viral JavaScript code embedded in the site's main page was triggered and my desktop was blocked by a ransomware banner. I didn't even have time to click on anything. (Of course, I won't give you a link to the site with the virus; I later wrote a letter to the site's administration and the virus was removed, but in general anything can happen in life, and no site is 100% immune from hacking.)

Well, now a detailed story about how to get rid of a banner if you have already caught one. The information provided is suitable for the operating systems Windows Vista, .

The first thing we will do is go to the websites of leading antivirus companies that provide services to unlock your computer from the ransomware banner.

  1. Dr.Web https://www.drweb.com/xperf/unlocker
  2. NOD32 http://www.esetnod32.ru/.support/winlock
  3. Kaspersky Lab http://sms.kaspersky.ru

Unfortunately, I was unable to find the unlock code; apparently the virus was written recently.
The second thing you can try is to restart the computer and press F8 while it boots. On Windows 7 go to Troubleshooting; on Windows XP go straight to Safe Mode with Command Prompt (read below what to do there).

We currently live in the computer era. There is now a computer in every home and office, and often more than one. Computers are used for education and entertainment, and if you have the Internet you can pay utility bills and make bank transfers. It is really very convenient and makes our life a lot easier. And everything would be fine if it weren't for the crimes called cybercrime, which spoil our mood and lighten our wallet :-).

Let's take a closer look at what it is and how we can fight it.

Electronic payment systems such as Webmoney, Qiwi, Yandex Money and others: we have all used them and appreciated their capabilities. Some of them are more secure and are tied to a specific computer, with two-factor authentication via SMS and a mobile application installed on your smartphone or tablet. Some are less secure and store saved passwords directly in the browser, from where, with a little effort, they can be copied to gain access to your account. To prevent this from happening, you must protect your computer with an antivirus program.

That's why you should always have an antivirus program installed on your computer with the latest updates!


For most beginners it will be enough to install the free Avast antivirus. At least something rather than nothing at all.

Let's look at the situation when there is no antivirus on the computer at all. What does this mean? Even two or three hours on the Internet with no antivirus installed, or with it disabled, gives you a high probability of picking up malware. For what purpose are these programs written? The goal is simple: a criminal who faces criminal liability for this will not distribute viruses unless he gets significant income from it. So it is with viruses: lately they have been written with the aim of taking your money, by hidden or obvious means.

Trojans

With the hidden method, a malicious program, a so-called Trojan, is installed on your computer. It gets in through a vulnerability, for example when the firewall is disabled or when you visit a certain group of sites, most often sites with erotic content. With the explicit method of taking your money, you yourself transfer money in one way or another to the criminals' account to unlock the computer. Moreover, there may be no unlocking at all, since after the transfer the criminals will simply lose interest in you.

I decided to conduct a risky experiment :). I updated my antivirus databases and went to an obviously suspicious site to show you what it looks like. We are immediately offered to download an unknown driver file, even without specifying the webcam model.


The name of the site is visible in the screenshot and carries no meaning. Most likely this was done deliberately to associate the site by name with as many search queries as possible, so that you would not notice the mismatch in topics. Moreover, on the screen we see a large number of people who supposedly downloaded the file and thanked the authors.

Scam sites

Very often, when searching, we see imitations of forum pages with an unclear name and an offer to download the file we need. Next comes a question from a "user": why is he being asked to send an SMS to download this file? He is happily told that this is protection from bots, everything has been checked, don't worry.



Of course, after you send an SMS that turns out to be paid, a tidy sum will be withdrawn from your account under the flimsy pretext of providing entertainment or information services.

Also, never install various kinds of Toolbars on your computer, despite all the advantages of this installation, which specially hired experienced authors will colorfully describe to you:


It is better to refrain from visiting sites if we see this warning:


Although it is possible that this is just over-caution on the part of Yandex programmers. The same applies to various extensions from unverified sources: all kinds of viruses are often hidden under this guise.

Banners

Let's look at how a computer with an antivirus installed, but without the latest databases or an enabled firewall, gets infected.

Most often, an inexperienced user downloads malicious software onto his computer without knowing it. It can be disguised as anything, for example, as a utility or driver with a self-extracting archive with the *.exe extension, or even, as happened with my boss, as an important letter, supposedly from an arbitration court. This is what one of the possible ransomware banners that may appear on your desktop looks like:


Business people often have a lot of problems. Having lost their heads, they immediately download the attachment from the email and open it. Moreover, in this case the file was called "Letter", and even its icon was in the form of an envelope. For people with little computer education this, unfortunately, is enough. It is the non-standard file extension and its icon that would alert us, the more experienced users.


After that, a banner with the name Watnik 91 appeared on the desktop.


It is unclear who they were going to mislead in this way; apparently this was all their imagination was capable of.

So this banner carried printed text saying that all your files with the extensions DOC, PDF, XLS, JPEG, and possibly some others, had been encrypted. We managed to decrypt them, but only after two weeks of correspondence and sending samples of the encrypted files to a special assistance site.

Removing a banner using AntiSMS

I have encountered ransomware banners before. For such cases I have a boot disk called AntiSMS, specially created to combat ransomware banners. It is very easy to work with. It is enough to press the BIOS key several times in the first 5 seconds after the computer starts. Different motherboards use different keys, for example Delete, F2, F11 and others; see the prompts on the monitor screen immediately after starting the PC.



After the stripped-down version of the OS (operating system) is loaded into the computer's RAM, we need to press just one button (icon) on the screen and wait for a message that the computer has been cleaned. The autostart entries in which the virus registers itself will be cleared. After restarting the computer, we will see that the ransomware banner has disappeared.


Boot disk or flash

What to do if your computer is infected, a similar banner on the screen blocks access to the Internet and the operation of the computer, and you do not have such a disk? Well, you turned out to be unprepared for such a turn of events!

Then you can boot from a Linux Live CD, for example Ubuntu or Runtu, which supports Internet access via Ethernet by default. Those who are in the know will understand.


And then download the Dr.Web CureIt! utility to a flash drive.


Or perform these actions from another computer. This utility will allow you to clean your computer of viruses after you boot Windows into safe mode. To do this, write the utility onto a flash drive, and after loading Windows in safe mode, run the utility from the flash drive.


This utility is completely free and comes with the latest versions of the database.

I hope that after reading this article, your computer will be reliably protected. And if a ransomware banner does appear on your desktop, you can quickly and independently remove it.

After restarting the computer, the monitor displays a request to send a paid SMS, or to deposit money into a mobile phone account?

Meet the typical ransomware virus! This virus comes in thousands of different forms and hundreds of variations. However, it is easy to recognize by a simple sign: it asks you to put money on (or call) an unfamiliar number, and in return promises to unlock your computer. What to do?

First, realize that this is a virus whose goal is to suck as much money out of you as possible. That is why you should not give in to its provocations.

Remember a simple thing: do not send any SMS. They will withdraw all the money on your balance (usually the request mentions 200-300 rubles). Sometimes they require you to send two, three or more SMS. Remember, the virus will not go away from your computer whether you send money to the scammers or not. The WinLock Trojan will remain on your computer until you remove it yourself.

The action plan is as follows: 1. Unblock the computer. 2. Remove the virus and disinfect the computer.

Ways to unlock your computer:

1. Enter the unlock code. This is the most common way to deal with an obscene banner. You can find the code here: Dr.Web, Kaspersky, Nod32. Don't worry if the code doesn't work; move on to the next step.

2. Try booting into Safe Mode. To do this, press F8 after turning on the computer. When the boot options window appears, select "safe mode with driver support" and wait for the system to boot.

2a. Now let's try to restore the system (Start - Standard - System - System Restore) to an earlier restore point. 2b. Create a new account: go to Start - Control Panel - Accounts, add a new account and restart the computer. When it starts, select the newly created account. Let's move on to .

3. Try Ctrl+Alt+Del; the Task Manager should appear. We launch the disinfection utilities through the Task Manager (File - New Task, then our programs). Another way is to hold down Ctrl+Shift+Esc and, while holding these keys, find and end all strange processes until the desktop is unlocked.

4. The most reliable way is to install a new OS (operating system). If you absolutely need to keep the old OS, then we will look at a more labor-intensive, but no less effective, way to deal with this banner.

Another way (for advanced users):

5. Boot from a LiveCD that has a registry editing program. Once the system has booted, open the registry editor. In it we will see the registry of the current (LiveCD) system and of the infected one (the infected system's branches on the left side are labelled in brackets).

We find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, look for the Userinit value there, and delete everything after the comma. ATTENTION! The file itself, "C:\Windows\system32\userinit.exe", must NOT be deleted.

Look at the value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; it should be explorer.exe. We're done with the registry.

If the error "Editing the registry is prohibited by the system administrator" appears, download the AVZ program. Open "File" - "System Restore", check "Unlock Registry Editor", then click "Perform selected operations". The editor is available again.

We launch Kaspersky Virus Removal Tool and Dr.Web CureIt! and scan the entire system with them. All that remains is to reboot and restore the BIOS boot settings. However, the virus has NOT been fully removed from the computer yet.

Disinfecting your computer from the WinLock Trojan

For this we need:
- the ReCleaner registry editor
- the popular Kaspersky Virus Removal Tool
- the well-known Dr.Web CureIt! antivirus
- the effective RemoveIT Pro antivirus
- the Plstfix registry repair utility
- the ATF Cleaner program for removing temporary files

1. First we need to remove the virus from the system. Launch the registry editor: go to Menu - Tasks - Launch Registry Editor. We need to find:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; there we look for the Userinit value and delete everything after the comma. ATTENTION! The file itself, "C:\Windows\system32\userinit.exe", must NOT be deleted.

Look at the value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; it should be explorer.exe. We're done with the registry.

Now select the "Startup" tab. Look through the startup items, check the boxes and delete (lower right corner) everything that you did not install, leaving only Desktop and ctfmon.exe. Any remaining svchost.exe and other .exe entries pointing into the Windows directory must be removed.
Select Task - Clean the registry - Use all options. The program will scan the entire registry and permanently delete everything it finds.

2. To find the virus code itself we need the following utilities: Kaspersky, Dr.Web and RemoveIT. Note: RemoveIT will ask you to update its virus signature databases; an Internet connection is needed while it updates!
With these programs we scan the system disk and delete everything they find. If you wish, you can check all the computer's drives just in case. It takes much longer, but it is more reliable.

3. The next utility is Plstfix. It restores the registry after our changes to it. As a result, the Task Manager and safe mode will start working again.

4. Just in case, delete all temporary files. Copies of the virus are often hidden in these folders, which is why even well-known antiviruses may not detect them. It is better to manually remove anything that will not significantly affect the operation of the system. Install ATF Cleaner, mark everything and delete it.

5. Reboot the system. Everything works, even better than before :).

Today I want to talk about SMS extortion via the Internet and the computer. That is, cases when your computer, after visiting certain sites, becomes infected with banners that block the operation of the system completely or partially. To unblock it, you are told to send a message to a short number.

First, let's figure out what types of ransomware banners there are. The first type includes banners that appear only when web browsers are launched (Internet Explorer, Opera, Mozilla Firefox, Google Chrome, etc.). These banners are also called informers.

The second type of banner is placed on the desktop and occupies most of it, without blocking the launch of other programs; you can still open the Start menu, Task Manager, etc.

The third type of banner is the most disgusting. It completely blocks the computer's operation, requiring you to send an SMS message to a short number; in response, an unlock code is promised. It is impossible to log into the system normally, even in Safe Mode. Remember one thing: never send SMS to the specified numbers! This is pure fraud, falling under the relevant articles of the Criminal Code. Not a single user has ever received a reply SMS with a banner unlock code.

So, nobody knows how, but the banner got onto your computer. Whether this happened after you clicked a link in an email or simply downloaded something, there are many possibilities. What to do in this case? First, determine what type of ransomware banner is on your computer. If it closes along with the browser, it is the first type; if Task Manager, Notepad, Word or other applications can be launched, it is the second type; if nothing helps and the banner stays, it is the third.

To remove the first type of ransomware, carefully review all browser settings and remove all plugins, add-ons and extensions that you did not install. Do the same for JavaScript applets and DLLs.

The second type of SMS ransomware is not so easy to clean out of the system, but it is also possible. The first way is to visit the website of an antivirus company. All more or less large companies have long since posted information on their official websites about how to remove a ransomware banner using "legal" methods. You need to find the entry on the website that relates specifically to the short number to which you are asked to send an SMS message. There, an unlock code is also given, absolutely free. After unlocking, update the signature databases of the antivirus you have installed and run a full scan of the entire computer. Remove any infection you find mercilessly. If you do not have any antivirus installed, download the free CureIt utility from the Dr.Web website and check your computer with it. After the check, clean the registry with a special utility (a registry cleaner), or do it manually if, of course, you know what you are doing.

If you have the third type of ransomware banner, then you cannot do without a LiveCD or without removing your hard drive and connecting it to another computer. The procedure is as follows: boot from the disk, launch CureIt, check the computer for infection, and delete everything found. Then run the registry cleaner and delete the keys that were related to the malware. If you don't have a LiveCD, connect your hard drive to another computer and run the antivirus on it, having first, of course, updated the virus databases. After that, reboot and enjoy life.

Surely, every fourth user of a personal computer has encountered various scams on the Internet. One type of deception is a banner that blocks the operation of Windows and requires you to send an SMS to a paid number or demands cryptocurrency. Essentially it's just a virus.

To fight banner ransomware, you need to understand what it is and how it gets onto your computer. Typically a banner looks like this:

There may be all sorts of other variations, but the essence is the same: scammers want to make money from you.

Ways a virus gets into a computer

The first option for “infection” is pirated applications, utilities, and games. Of course, Internet users are accustomed to getting most of what they want online “for free,” but when downloading pirated software, games, various activators, and other things from suspicious sites, we risk becoming infected with viruses. In this situation it usually helps.

Windows may be blocked because of a downloaded file with the extension ".exe". This does not mean that you should refuse to download files with this extension. Just remember that ".exe" should only apply to games and programs. If you download a video, song, document or picture and its name ends in ".exe", then the chance of a ransomware banner appearing jumps to 99.999%!

There is also a tricky trick involving a supposed need to update the Flash player or browser. It may happen that, while browsing from page to page, one day you find a message saying "your Flash player is out of date, please update". If clicking this banner does not take you to the official adobe.com website, it is 100% a virus. Therefore, check before clicking the "Update" button. The best option is to ignore such messages altogether.

Lastly, missing Windows updates weaken your system's security. To keep your computer protected, try to install updates on time. This can be configured in "Control Panel -> Windows Update" to automatic mode so that you are not distracted.

How to unlock Windows 7/8/10

One of the simple options to remove the ransomware banner is . It helps 100%, but it only makes sense to reinstall Windows when you have no important unsaved data on drive C:. When you reinstall the system, all files on the system disk are deleted. Therefore, if you do not want to reinstall your software and games, use the other methods.

After disinfection and a successful start of the system without the ransomware banner, you need to take additional steps, otherwise the virus may resurface, or there will simply be problems in the operation of the system. All this is at the end of the article. All the information has been verified by me personally! So, let's begin!

Kaspersky Rescue Disk + WindowsUnlocker will help us!

We will use a specially developed operating system. The whole difficulty is that you need to download the image on your work computer and or (scroll through the articles, it’s there).

When this is ready, you need. At the moment of startup, a small message will appear, such as “Press any key to boot from CD or DVD.” Here you need to press any button on the keyboard, otherwise the infected Windows will start.

When loading, press any key, then select the language "Russian", accept the license agreement with the "1" key and choose the launch mode "Graphic". After the Kaspersky operating system starts, ignore the automatically launched scanner and instead go to the "Start" menu and launch "Terminal".


A black window will open, where we write the command:

windowsunlocker

A small menu will open:


Select "Unlock Windows" with the "1" key. The program itself will check and correct everything. Now you can close the window and check the entire computer with the scanner that is already running. In its window, tick the disk with the Windows OS and click "Run object scan".


We wait for the check to finish (it can take a long time) and finally reboot.

If you have a laptop without a mouse and the touchpad does not work, then I suggest using the text mode of the Kaspersky disk. In this case, after the operating system starts, first close the menu that opens with the "F10" key, then enter the same command in the command line: windowsunlocker

Unlocking in safe mode, without special images

Today, viruses like Winlocker have become smarter and block Windows from loading in safe mode, so most likely this won't succeed, but if you have no rescue image, try it. Viruses differ, and different methods work for different ones, but the principle is the same.

Reboot the computer. During boot, press the F8 key until the Windows Advanced Boot Options menu appears. Use the arrow keys to select the item called "Safe Mode with Command Prompt" from the list.

This is where we need to go and select the desired line:

Next, if everything goes well, the computer will boot and we will see the desktop. Great! But this does not mean that everything is working now. If you don’t remove the virus and just reboot in normal mode, the banner will pop up again!

Disinfecting using Windows itself

You need to restore the system to a point when the blocker banner did not yet exist. Read the article carefully and do everything that is written there. There is a video below the article.

If that doesn't help, press the "Win+R" keys and type the command to open the registry editor in the window:

regedit

If, instead of the desktop, a black command line window appears, simply enter the command "regedit" and press "Enter". We have to check some sections of the registry for the presence of the virus, or, to be more precise, of its startup entries. To start, go to this path:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Now we check the following values in order:

  • Shell: "explorer.exe" must be written here, and nothing else
  • Userinit: the text here should be "C:\Windows\system32\userinit.exe," (note the trailing comma)

If the OS is installed on a different drive other than C:, then the letter there will be different. To change incorrect values, right-click on the line you want to edit and select “edit”:

Then we check:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

There should be no Shell and Userinit keys here at all; if there are, delete them.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

And also be sure to check:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If you are not sure whether a value needs to be deleted, you can simply add a "1" to the end of it first. The path will then be incorrect and the program will simply not start. Later you can put it back the way it was.
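As an added example (not code from the original article), here is a PowerShell audit script that performs the registry checks described above and in the LiveCD section earlier: it compares the Winlogon Shell and Userinit values with the expected ones, flags Shell or Userinit in the user hive, and lists the Run/RunOnce entries of both hives, marking those whose executable lives outside the Windows and Program Files folders. It assumes an elevated PowerShell on Windows 7/8/10; the HklmSoftware and HkcuSoftware parameters are my own addition so that a hive loaded from an infected disk under another name (for example with "reg load") can be pointed at instead of the live system.

```powershell
# Added audit script (hypothetical, not from the original article).
# Read-only: it reports deviations, it does not change the registry.
param(
    # Root of the SOFTWARE hive to inspect. Default: the live system hive.
    [string]$HklmSoftware = 'HKLM:\SOFTWARE',
    # Root of the user's Software hive to inspect. Default: the current user.
    [string]$HkcuSoftware = 'HKCU:\SOFTWARE'
)

# If Windows is installed on a drive other than C:, SystemRoot reflects that.
$systemRoot = $env:SystemRoot
$expectedUserinit = ("{0}\system32\userinit.exe," -f $systemRoot).ToLowerInvariant()
$findings = @()

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Machine Winlogon: Shell must be explorer.exe, Userinit must be the stock path.
$winlogon = Join-Path $HklmSoftware 'Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell    = Get-RegValue $winlogon 'Shell'
$userinit = Get-RegValue $winlogon 'Userinit'

if ($null -eq $shell -or $shell.Trim().ToLowerInvariant() -ne 'explorer.exe') {
    $findings += "[HKLM] Winlogon\Shell is '$shell' (expected 'explorer.exe')"
}
if ($null -eq $userinit -or $userinit.Trim().ToLowerInvariant() -ne $expectedUserinit) {
    $findings += "[HKLM] Winlogon\Userinit is '$userinit' (expected '$expectedUserinit')"
}

# 2. Per-user Winlogon: the article says Shell and Userinit must not exist here at all.
$userWinlogon = Join-Path $HkcuSoftware 'Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Shell', 'Userinit') {
    $v = Get-RegValue $userWinlogon $name
    if ($null -ne $v) {
        $findings += "[HKCU] Winlogon\$name exists with value '$v' (should be absent)"
    }
}

# 3. Run / RunOnce in both hives: list every entry so the reader can decide,
#    and mark those whose executable is outside Windows / Program Files,
#    which is typical of a dropped "Letter.exe"-style loader.
$trustedRoots = @($systemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

foreach ($root in $HklmSoftware, $HkcuSoftware) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = Join-Path $root "Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $cmd = [string]$p.Value
            # Crude executable extraction: first quoted token, else first whitespace-delimited token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exeLower = $exe.ToLowerInvariant()
            $inTrusted = $trustedRoots | Where-Object { $exeLower.StartsWith($_) }
            $tag = if ($inTrusted) { 'info' } else { 'SUSPECT' }
            $findings += "[$tag] $key\$($p.Name) = $cmd"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No deviations found in the Winlogon and Run/RunOnce keys.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Entries tagged SUSPECT are candidates for the "add a 1 to the value" trick above, not automatic deletions; a legitimately installed program in a user profile folder will show up the same way.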

Now you need to run the built-in system cleaning utility, we do it in the same way as we launched the “regedit” registry editor, but we write:

cleanmgr

Select the drive with the operating system (C: by default) and, after the scan, tick all the boxes except "Update package backup files".

Then click "OK". With these actions we may have disabled the virus's autorun; next we need to clean up the traces of its presence in the system, which is described at the end of the article.

AVZ utility

The idea is that in safe mode we launch the well-known anti-virus utility AVZ. In addition to scanning for viruses, the program has a great many functions for fixing system problems. This method repeats the steps for closing the holes the virus left in the system. To get acquainted with it, move on to the next section.

Fixing problems after removing ransomware

Congratulations! If you are reading this, it means the system started without a banner. Now you need to check the entire system. If you used the Kaspersky rescue disk and scanned there, you can skip this step.

There may also be one more problem associated with the villain's activities: the virus can encrypt your files. Even after completely deleting it, you simply will not be able to use your files. To decrypt them, use the programs from the Kaspersky website: XoristDecryptor and RectorDecryptor. Instructions for use are there as well.

But that's not all, because Winlocker has most likely played a dirty trick on the system, and various glitches and problems will be observed. For example, the Registry Editor and Task Manager will not start. To repair the system we will use the AVZ program.

There may be a problem downloading it with Google Chrome, because this browser considers the program malicious and does not allow you to download it! This question has already been raised on the official Google forum, and at the time of writing everything was already back to normal.

To download the archive with the program anyway, go to "Downloads" and click "Download malicious file" :). Yes, I understand that this looks a little silly, but apparently Chrome believes that the program can harm the average user. And this is true if you click on everything at random! Therefore, follow the instructions strictly!

Unpack the archive with the program, write it to external media and run it on the infected computer. Go to the menu "File -> System Restore", tick the boxes as in the picture and perform the operations:

Now we follow the following path: "File -> Troubleshooting Wizard", then go to “System problems -> All problems” and click on the “Start” button. The program will scan the system, and then in the window that appears, check all the boxes except “Disable automatic operating system updates” and those that begin with the phrase “Allow autorun from...”.

Click on the “Fix noted problems” button. After successful completion, go to: “Browser settings and tweaks -> All problems”, here we check all the boxes and click on the “Fix marked problems” button in the same way.

We do the same with “Privacy”, but here do not check the boxes that are responsible for clearing bookmarks in browsers and whatever else you think is necessary. We complete the check in the “System Cleaning” and “Adware/Toolbar/Browser Hijacker Removal” sections.

Finally, close the window without leaving the AVZ. In the program we find “Tools -> Explorer Extension Editor” and uncheck those items that are marked in black. Now let's move on to: “Tools -> Internet Explorer Extension Manager” and completely erase all the lines in the window that appears.

I have already said above that this section of the article is also one of the ways to cure Windows of banner ransomware. In that case, download the program on a working computer and then write it to a flash drive or disk. All actions are carried out in safe mode. But there is another option for launching AVZ even if safe mode is not working: start from the same boot menu, in the "Troubleshoot your computer" mode.

If you have it installed, it will be displayed at the very top of the menu. If it’s not there, then try starting Windows until the banner appears and unplugging the computer. Then turn it on - a new launch mode may be offered.

Running from the Windows installation disc

Another surefire way is to boot from any Windows 7-10 installation disk and select "System Restore" there rather than "Install". When the troubleshooter is running:

  • Select "Command Line" there
  • In the black window that appears, type "notepad", i.e. launch the regular Notepad. We will use it as a mini file manager
  • Go to the menu "File -> Open" and select the file type "All files"
  • Next, find the folder with the AVZ program, right-click on the executable "avz.exe" and launch the utility using the "Open" menu item (not the "Select" item!).

If all else fails

This refers to cases when, for some reason, you cannot boot from a flash drive with the Kaspersky image or the AVZ program. All you have to do is remove the hard drive from your computer and connect it as a second drive to a working computer. Then boot from the UNINFECTED hard drive and scan YOUR drive with the Kaspersky scanner.

Never send SMS messages that scammers ask for. Whatever the text, do not send messages! Try to avoid suspicious sites and files, and generally read. Follow the instructions, and then your computer will be safe. And don’t forget about antivirus and regular operating system updates!

Here is a video where you can see everything with an example. The playlist consists of three lessons:

PS: which method helped you? Write about it in the comments below.
