Removing the ransomware banner from Windows 7. How to get rid of the ransomware banner? Methods to unlock your computer

Winlocker Trojans are a type of malware that blocks access to the desktop and extorts money from the user: supposedly, if he transfers the required amount to the attacker's account, he will receive an unlock code.

If, once you turn on your PC, you see this instead of the desktop:

Or something else in the same spirit, with threatening inscriptions and sometimes obscene pictures, do not rush to accuse your loved ones of all sins. They, or perhaps you yourself, have become victims of a Trojan.Winlock ransomware.

How do ransomware blockers get onto your computer?

Most often, blockers get onto your computer in the following ways:

  • through cracked programs, as well as tools for cracking paid software (cracks, keygens, etc.);
  • via links in messages on social networks, sent supposedly by acquaintances but in fact by attackers from hacked pages;
  • from phishing web resources that imitate well-known sites but are in fact created specifically to spread viruses;
  • by e-mail, as attachments to letters with intriguing content: “you were sued...”, “you were photographed at the crime scene”, “you won a million” and the like.

Attention! Pornographic banners are not always picked up from porn sites. They can arrive from the most ordinary ones.

Another type of ransomware, browser blockers, is spread in the same way. For example, like this:

They demand money for access to browsing the web through a browser.

How to remove the “Windows blocked” banner and similar ones?

When your desktop is blocked and a virus banner prevents any programs from running on your computer, you can do the following:

  • go into safe mode with command line support, launch the registry editor and delete the banner's autorun keys;
  • boot from a Live CD ("live" disk), for example ERD Commander, and remove the banner from the computer both through the registry (autorun keys) and through Explorer (files);
  • scan the system from a boot disk with an antivirus, for example Dr.Web LiveDisk or Kaspersky Rescue Disk 10.

Method 1. Removing Winlocker from safe mode with console support.

So, how to remove a banner from your computer via the command line?

On machines with Windows XP and 7, before the system starts, you need to quickly press the F8 key and select the marked item from the menu (Windows 8 and 8.1 do not have this menu, so you will have to boot from the installation disk and launch the command line from there).

Instead of a desktop, a console will open in front of you. To launch the registry editor, type the command regedit into it and press Enter.

Next, in the registry editor, find the virus entries and fix them.

Most often, ransomware banners are registered in the following sections:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: here they change the values of the Shell, Userinit and Uihost parameters (the last parameter exists only in Windows XP). You need to restore them to normal:

  • Shell = Explorer.exe
  • Userinit = C:\WINDOWS\system32\userinit.exe, (C: is the letter of the system partition; if Windows is on drive D, the path to Userinit will start with D:)
  • Uihost = LogonUI.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: check the AppInit_DLLs parameter. Normally it is either absent or has an empty value.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: here the ransomware creates a new parameter whose value is the path to the blocker file. The parameter name can be a string of letters, for example dkfjghk. It needs to be removed completely.

The same goes for the following sections:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

To correct registry keys, right-click on the parameter, select “Change”, enter a new value and click OK.

After that, restart your computer in normal mode and run an antivirus scan. It will remove all ransomware files from your hard drive.
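As an added example that is not part of the original page: a Python script that parses a `reg export` text dump of the keys listed above (a dump you can make once you have a console, e.g. in safe mode with command line support) and flags every Shell, Userinit, AppInit_DLLs and Run value that deviates from the normal values the page gives; the same Winlogon check is repeated in the later sections of this page. The registry paths are the page's own; the sample dump, the blocker file paths in it and the random-letter-name heuristic are constructed assumptions.

```python
import re

# Constructed sample of a `reg export` dump from an infected Windows 7 machine (not a
# real capture): extra paths in Shell/Userinit, an AppInit_DLLs hook, a random-name Run value.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\Users\\Public\\svchost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\lock.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\hook.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dkfjghk"="C:\\Users\\Public\\dkfjghk.exe"
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
WINDOWS = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
RUN_KEYS = [r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'] + [
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion' + '\\' + k
    for k in ('Run', 'RunOnce', 'RunServices', 'RunOnceEx')]

KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"="data" lines only (REG_SZ); reg export escapes backslashes and quotes with '\'.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys

def looks_random(name):
    """Assumed heuristic for the page's 'string of letters' autorun names: letters only, almost no vowels."""
    letters = name.lower()
    if not letters.isalpha() or len(letters) < 5:
        return False
    return sum(ch in 'aeiouy' for ch in letters) * 4 < len(letters)

def audit(keys):
    """Return (key, value_name, current_data, expected) for each value the page says to fix."""
    findings = []
    wl = keys.get(WINLOGON, {})
    shell = wl.get('Shell', '')
    if shell.strip().lower() != 'explorer.exe':
        findings.append((WINLOGON, 'Shell', shell, 'Explorer.exe'))
    userinit = wl.get('Userinit', '')
    entries = [e.strip() for e in userinit.split(',') if e.strip()]
    # Exactly one entry, the system userinit.exe; the drive letter may differ from C:.
    if len(entries) != 1 or not entries[0].lower().endswith(r'\system32\userinit.exe'):
        findings.append((WINLOGON, 'Userinit', userinit, r'<drive>:\WINDOWS\system32\userinit.exe,'))
    appinit = keys.get(WINDOWS, {}).get('AppInit_DLLs', '')
    if appinit.strip():
        findings.append((WINDOWS, 'AppInit_DLLs', appinit, '(empty)'))
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if looks_random(name):
                findings.append((key, name, data, '(delete this value)'))
    return findings
```

Run it over a dump of your own machine's keys and compare each finding with the normal values listed above before changing anything.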

Method 2. Removing Winlocker using ERD Commander.

ERD Commander contains a large set of tools for restoring Windows, including systems damaged by blocking Trojans. Using its built-in registry editor, ERDregedit, you can perform the same operations as described above.

ERD Commander is indispensable if Windows is locked in all modes. Copies of it are distributed illegally, but they are easy to find on the Internet.

ERD Commander sets for all versions of Windows are called MSDaRT (Microsoft Diagnostics & Recovery Toolset) boot disks; they come in ISO format, which is convenient for burning to DVD or transferring to a flash drive.

After booting from such a disk, select your version of the system, open the menu and click Registry Editor.

In Windows XP, the procedure is slightly different - here you need to open the Start menu, select Administrative Tools and Registry Editor.

After editing the registry, boot Windows again - most likely, you will not see the “Computer is blocked” banner.

Method 3. Removing the blocker using an antivirus “rescue disk”.

This is the easiest, but also the longest unlocking method. It is enough to burn the Dr.Web LiveDisk or Kaspersky Rescue Disk image to DVD, boot from it, start scanning and wait for it to finish. The virus will be killed.

Removing banners from your computer using both Dr.Web and Kaspersky disks is equally effective.

How to protect your computer from blockers?

  • Install a reliable antivirus and keep it active at all times.
  • Check all files downloaded from the Internet before launching them.
  • Don't click on unknown links.
  • Do not open email attachments, especially those that come in letters with intriguing text. Even from your friends.
  • Keep track of what sites your children visit. Use parental controls.
  • If possible, do not use pirated software - many paid programs can be replaced with safe free ones.

How to get rid of a banner

With a huge sense of gratitude to our reader for the link to a virus site where my computer could possibly be infected with a ransomware banner, I turned off my antivirus and some protection, which will be discussed below, and followed the link. A site opened in which I only managed to see the outline of a guitar; literally a second later, the viral code embedded in the main page of this site, which is JavaScript, was triggered and my desktop was blocked by a ransomware banner. I didn’t even have time to click on anything. (Of course, I won’t give you a link to a site with a virus; I later wrote a letter to the administration of this site and the virus was removed from the site, but in general anything can happen in life, and no site is 100% immune from hacking.)

Well, now a detailed story about how to get rid of a banner if you have already caught one. The information provided is suitable for the operating systems Windows Vista, .

The first thing we will do is go to the websites of leading antivirus companies that provide services to unlock your computer from the ransomware banner.

  1. Dr.Web https://www.drweb.com/xperf/unlocker
  2. NOD32 http://www.esetnod32.ru/.support/winlock
  3. Kaspersky Lab http://sms.kaspersky.ru

Unfortunately, I was unable to find the unlock code; apparently the virus was written recently.
The second thing you can try is to restart the computer and press F8 while it is loading, then go to Troubleshooting (this is if you have Windows 7 installed); in the Windows XP operating system, go straight to safe mode with command line support (read what to do there below).

Hello, dear readers of the blog site. For a long time I wanted to write an article about how to remove the ransomware virus (Winlocker) that blocks login to your computer.
Most often, this problem is encountered by inexperienced users who, by pure chance or due to their negligence, have become victims of scammers. Due to their inexperience, many people send SMS to unblock a banner with the hope of receiving a code and spend a lot of money before it becomes clear that this is just a ransomware virus that has infected your computer, which can be fought without investing money.

I will say right away that under no circumstances should you pay money to scammers; everything written on such an SMS banner is a pure scam. Even if you decide to follow the path of least resistance and are going to pay, there is no guarantee that this will solve your problem.

Also, do not jump to the last resort and reinstall the system. Any malicious program can be removed in a simple way and without consequences. Reinstalling the system may entail the complete deletion of all your needed information. Use it only if there is nothing valuable on your computer.

The impact of ransomware on your system

Winlocker completely suspends the operating system and blocks access to launching programs and the desktop. The ransomware virus blocks access to the task manager and starts immediately after Windows starts loading. Sometimes it happens that a malicious program prevents the system from starting in safe mode; in this situation, solving the problem will be much more difficult.

When a virus program gets onto a device, it writes itself into several different places, making it difficult to identify, let alone remove.

I’ll say a few words about why this situation occurs. Most often, this type of virus appears on computers that have no anti-virus protection. To protect your device from malware, I advise you to read the article . You also need to understand that on websites you must be extremely careful and not click on unfamiliar links. There is also a very high probability of catching such an infection after downloading and installing a program from an unverified resource. When working on the Internet, do not forget to protect your PC; a little vigilance will help you avoid further problems.

Be sure to perform computer maintenance, update your antivirus, and periodically scan your device for malware (you can set up automatic scanning on a certain day and time). If you follow simple rules, you can avoid infection.

So, if you still decide to deal with this problem on your own, then let’s look at several options on how to unblock the ransomware virus. We will start with the simplest method and gradually move towards a more complex one. If any of the options helps you, then stick with it.

Running commands from the command line

I recently learned about the existence of the simplest method, but it is not able to fix the problem on all machines.

The first thing we need to do is . We reboot the computer and repeatedly press the F8 key while it is loading. If you did everything correctly, you should see the menu of additional Windows boot options. In this menu, select the option to start the system in Safe mode with command line support and press Enter. After loading, only the command line will appear, without the desktop and the shortcuts and icons on it. Enter the following commands one by one:

  • the command cleanmgr: the Cleanmgr.exe tool is designed to remove unnecessary and outdated files;
  • the command rstrui: starts System Restore (this command will only work if you have not disabled System Restore in the system settings).

After sequentially entering commands, we reboot the computer and check for the presence of the banner. If it is missing, then this method helped us; if not, then move on to the next one.

Removing the blocker from startup

As in the first method, we start the device and press the F8 key to load the menu of additional options. Then select the item Safe mode and press Enter. We launch the Run function through the Start menu or by simultaneously pressing the Ctrl+R keys, and in the Run field enter the command msconfig. This opens the Windows boot options window. Open the Startup tab and try to find suspicious programs.

Most often, the names of such programs consist of a random set of letters. If you have found such a program, uncheck the box next to it. You also need to see which folder it is stored in and delete it. Before performing these actions, I advise you to read the materials in the article.

After completing the operations, restart the computer and check if the problem is resolved. If the SMS virus still denies access, then move on to the next method.

Cleaning the registry from traces of the banner

If you have reached this point and previous attempts were in vain, then this method should help you unblock the ransomware virus by 98%.

I would like to note that all the actions listed below must be carried out extremely carefully and strictly according to the instructions. When editing registry keys, incorrect actions can cause irreparable harm to the system, and all that will remain is to reinstall Windows.

So, let’s start the system in safe mode; how to do this is described above. We wait for it to load, launch the “Run” option and enter the command regedit in the field of the window that opens. After entering the command, the Registry Editor window will open in front of you.

Then go to the following path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right column you will see two parameters, Shell and Userinit. Opposite these parameters there is a value column. There should be nothing superfluous in these values (opposite the Shell parameter there should be the value explorer.exe, opposite Userinit the value userinit.exe). If there are additional values there, this is the work of the virus and you can safely delete everything extra.

Also, to ease your conscience, I advise you to go to the following address in the registry: …\Microsoft\Windows\CurrentVersion\Run
and check whether there are any unnecessary or unfamiliar programs in the right pane of the window; if any are found, delete them.

Reboot the computer and rejoice that the virus has disappeared.

I am almost one hundred percent sure that if everything is done correctly, the banner blocking the launch of Windows will disappear. But just in case, I’ll give you another way to remove ransomware. Of course, it is not as serious as the others, but sometimes it is no less effective.

Changing the date in the BIOS

When the system boots, go into the BIOS and set the date and time a week ahead. It happens that the banner disappears, but this happens very rarely.

Be sure to scan your computer for malware after you have managed to get rid of the Windows blocker. A full scan must be performed, not a quick one. You also need to think about high-quality protection for your device. If you do not have money for a paid antivirus such as , then you can download a free antivirus called .

And the final step will be to check your PC for malware. There are several free programs for this, which I will discuss in the following articles of my blog.

I really hope that I helped you figure out how to remove the ransomware banner, but if you have any questions, feel free to ask them in the comments and I will be happy to try to help.

Hi all! Today I decided to write an article from my computer. There are more and more scammers on the Internet every day. Therefore, the threat of computer infection increases. Ransomware viruses are very common now, blocking your desktop and extorting money. It is clear that we will not pay money for this, but will clean the computer from this infection.

I believe that ransomware banners are a form of irresponsibility and impudence. Before we remove this virus, let's look at where it came from, so that we can be as armed as possible for the future. By the way, banners come across with different contents so that you panic more and send money to scammers. Many people get lost and send money, but this cannot be done! So, where do ransomware banners come from?

Pirated apps
Naturally, everyone loves a freebie, but have you ever thought about what a freebie actually is? It turns out that when downloading pirated programs, activators, cracks and patches, we risk catching a virus program on the computer. Each download of such files can be fatal and lead to bad consequences. To avoid catching viruses, use official programs.

Downloading from the World Wide Web
Every time you download any files, there is a chance that you can infect your PC. There are many cases when a person downloaded a certain file, and after a reboot a banner appeared. Therefore, I recommend downloading files of any kind from trusted or recommended sites, where thousands of visitors download every day.

Flash player update
While spending your time on the Internet, you have probably seen somewhere a banner saying “Your player needs to be updated” or “Your player is out of date.” Know this: it's a virus! That is, unless such a banner leads to the Adobe website.

I have described the most common ways a virus gets onto your computer. To reduce the likelihood of malicious code getting onto your computer, you need to have an up-to-date antivirus; don’t forget about it! Now let's take a look at how to remove a ransomware banner from a personal computer. However, I repeat once again: never send your money to these scammers. It is very important!!! Even if you send it, the banner will not go anywhere, and the scammers will get rich thanks to you.

The easiest way is to reinstall the operating system. I already wrote. However, all your installed programs, components, antivirus and settings will need to be reinstalled again.

There is another way to remove the ransomware banner without reinstalling the operating system. We will consider it. The first thing you need to do is restart your computer. While Windows is loading, press the button F8.

Use the arrows on the keyboard to move the cursor and select the Safe Mode with Command Line Support section.

After this, the computer should start and you will see the desktop. Next, click Start and type the word regedit into the Search programs and files box.

After entering and pressing Enter, the Windows registry will open.

Here you need to check all sections for the presence of malicious code or a virus.

You need to check the following values:
Userinit - there should be “C:\Windows\system32\userinit.exe”
Shell - "explorer.exe"
To change the values, right-click on the line and select Edit at the top.

This is how you can simply remove the ransomware banner from your computer. The last step is to restart the computer and enjoy the desktop. That's all and be careful on the Internet!

After restarting the computer, the monitor displays a request to send a paid SMS, or to deposit money into a mobile phone account?

Meet it: this is what a typical ransomware virus looks like! This virus comes in thousands of different forms and hundreds of variations. However, it is easy to recognize by one simple sign: it asks you to put money on (or call) an unfamiliar number, and in return promises to unlock your computer. What to do?

First, realize that this is a virus whose goal is to suck as much money out of you as possible. That is why you must not give in to its provocations.

Remember a simple thing: do not send any SMS. They will withdraw all the money on your balance (usually the request says 200-300 rubles). Sometimes they require you to send two, three or more SMS. Remember, the virus will not go away from your computer whether you send money to the scammers or not. Trojan.Winlock will remain on your computer until you remove it yourself.

The action plan is as follows: 1. Remove the block from the computer. 2. Remove the virus and treat the computer.

Ways to unlock your computer:

1. Enter the unlock code. The most common way to deal with an obscene banner. You can find the code here: Dr.Web, Kaspersky, Nod32. Don't worry if the code doesn't work; move on to the next step.

2. Try booting into Safe Mode. To do this, after turning on the computer, press F8. When the boot options window appears, select “safe mode with driver support” and wait for the system to boot.

2a. Now let's try to restore the system (Start - Standard - System Restore) to an earlier checkpoint. 2b. Create a new account. Go to Start - Control Panel - Accounts. Add a new account and restart the computer. When you turn it on, select the newly created account. Let's move on to .

3. Try Ctrl+Alt+Del: the task manager should appear. We launch the healing utilities through the task manager (File - New Task, then our programs). Another way is to hold down Ctrl+Shift+Esc and, while holding these keys, find and end all strange processes until the desktop is unlocked.

4. The most reliable way is to install a new OS (operating system). If you absolutely need to keep the old OS, then we will look at a more labor-intensive way to deal with this banner. But no less effective!

Another way (for advanced users):

5. Boot from a LiveCD that has a registry editing program. Once the system has booted, open the registry editor. In it we will see the registry of the current system and of the infected one (the branches of the latter are displayed on the left side with a label in brackets).

Find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, look for Userinit there and delete everything after the comma. ATTENTION! The file itself, “C:\Windows\system32\userinit.exe”, MUST NOT be deleted.

Look at the value of the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; it should be explorer.exe. We're done with the registry.

If the error “Editing the registry is prohibited by the system administrator” appears, download the AVZ program. Open "File" - "System Restore" - Check "Unlock Registry Editor", then click "Perform selected operations". The editor is available again.

We launch Kaspersky Removal Tool and Dr.Web CureIt and scan the entire system with them. All that remains is to reboot and restore the BIOS settings. However, the virus has NOT been removed from the computer yet.

Treating your computer from Trojan WinLock

For this we need:
- ReCleaner registry editor
- the popular antivirus Kaspersky Removal Tool
- the famous antivirus Dr.Web CureIt
- the effective antivirus RemoveIT Pro
- the Plstfix registry repair utility
- the ATF Cleaner program for removing temporary files

1. It is necessary to get rid of the virus in the system. To do this, launch the registry editor. Go to Menu - Tasks - Launch Registry Editor. Need to find:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: look for the Userinit value there and delete everything after the comma. ATTENTION! The file itself, “C:\Windows\system32\userinit.exe”, MUST NOT be deleted.

Look at the value of the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; it should be explorer.exe. We're done with the registry.

Now select the "Startup" tab. Look through the startup items, check the boxes and delete (lower right corner) everything that you did not install, leaving only desktop and ctfmon.exe. The remaining svchost.exe and other .exe processes from the Windows directory must be removed.
Select Task - Clean the registry - Use all options. The program will scan the entire registry and delete everything permanently.

2. To find the virus code itself, we need the following utilities: Kaspersky, Dr.Web and RemoveIT. Note: RemoveIT will ask you to update its virus signature databases; an Internet connection is required while it updates!
With these programs we scan the system disk and delete everything they find. If you wish, you can check all the computer's drives just in case. It will take much longer, but it is more reliable.

3. The next utility is Plstfix. It restores the registry after our actions on it. As a result, the task manager and safe mode will start working again.

4. Just in case, delete all temporary files. Often copies of the virus are hidden in these folders. This is how even well-known antiviruses may not detect them. It is better to manually remove anything that will not significantly affect the operation of the system. Install ATF Cleaner, mark everything and delete it.

5. Reboot the system. Everything is working, even better than before :).
