How to get rid of the ransomware banner. How to get rid of a banner. If all else fails

After restarting the computer, does the monitor show a demand to send a paid SMS or to top up a mobile phone account?

This is what a typical ransomware banner (a "winlocker") looks like. It comes in thousands of forms and hundreds of variants, but it is easy to recognize by one simple sign: it asks you to send money (or call) to an unfamiliar number and promises to unlock your computer in return. What should you do?

First, understand that this is malware whose only goal is to extract as much money from you as possible. Do not give in to its provocations.

Remember one simple thing: do not send any SMS. The scammers will drain whatever is on your balance (the demand is usually for 200-300 rubles), and sometimes they demand two, three or more messages. Whether or not you pay, the virus will not leave your computer: Trojan.Winlock stays until you remove it yourself.

The plan is as follows: 1. Remove the lock from the computer. 2. Remove the virus and clean the system.

Ways to unlock your computer:

1. Enter an unlock code. This is the most common way to deal with a banner. Unlock codes were published by the antivirus vendors: Dr.Web, Kaspersky, ESET NOD32. Don't worry if no code works; move on to the next step.

2. Try booting into Safe Mode. On Windows 7 and earlier, press F8 repeatedly after turning on the computer; when the Advanced Boot Options menu appears, select Safe Mode and wait for the system to boot. (Windows 8 and 10 boot too quickly for F8: use Shift + Restart from the logon screen, or the "Safe boot" option on the Boot tab of msconfig on a working system.)

2a. Now try System Restore (Start - All Programs - Accessories - System Tools - System Restore) and roll back to a restore point from before the banner appeared. 2b. Create a new account: Start - Control Panel - User Accounts, add a new account and restart the computer. At logon, select the newly created account. This helps when the locker's autorun lives in the infected user's profile (HKEY_CURRENT_USER) rather than in the machine-wide keys, because the new profile has none of those entries. Let's move on to .

3. Try Ctrl+Alt+Del; Task Manager should appear. Launch the cleaning utilities from Task Manager (File - New Task (Run...), then browse to the program). Another option is Ctrl+Shift+Esc, which opens Task Manager directly: end every unfamiliar process (End Process) until the desktop is unlocked. If Task Manager reports that it "has been disabled by your administrator", the locker has set that policy; AVZ (see below) can reset it.

4. The most reliable way is to install a fresh OS (operating system). If you absolutely need to keep the existing installation, a more labour-intensive, but no less effective, way of dealing with the banner follows.

Another way (for advanced users):

5. Boot from a LiveCD that includes a registry editor. Once the live system has booted, open the registry editor. It shows both the live system's registry and the infected system's hives; the offline hives are labelled in brackets in the tree on the left.

Find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and look at the Userinit value: delete everything after the comma, leaving only "C:\Windows\system32\userinit.exe," (the locker appends its own path there). ATTENTION! Do NOT delete the file C:\Windows\system32\userinit.exe itself; without it nobody can log on.

Check the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: it must be exactly explorer.exe. That's it for the registry.

If you get the error "Registry editing has been disabled by your administrator", download AVZ. Open "File" - "System Restore", tick "Unlock Registry Editor" and click "Perform selected operations". The editor is available again.

Run Kaspersky Virus Removal Tool and Dr.Web CureIt! and scan the whole system with them. All that remains is to reboot and restore the BIOS boot order. Note, however, that this only removes the lock; the virus itself may still be on the computer.

Treating the computer for Trojan.Winlock

For this we need:
- the ReCleaner registry editor
- Kaspersky Virus Removal Tool
- Dr.Web CureIt!
- RemoveIT Pro
- the Plstfix registry repair utility
- ATF Cleaner for removing temporary files

1. First, remove the virus from the system. Launch the registry editor: Menu - Tasks - Launch Registry Editor. Find:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - look at the Userinit value and delete everything after the comma, leaving "C:\Windows\system32\userinit.exe,". ATTENTION! Do NOT delete the file C:\Windows\system32\userinit.exe itself.

Check the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: it must be explorer.exe. That's it for the registry.

Now open the "Startup" tab. Go through the startup items, tick and delete (button in the lower right corner) everything you did not install yourself, leaving only the desktop entry and ctfmon.exe. Pay special attention to entries that launch svchost.exe or some other .exe sitting directly in the Windows folder: the genuine svchost.exe lives in C:\Windows\System32 and is started by the service manager, never from a startup entry, so such an entry is the locker and must be removed.
Select Task - Clean the registry - Use all options. The program scans the whole registry and deletes the invalid entries it finds.

2. To find the malicious files themselves we need the following utilities: Kaspersky, Dr.Web and RemoveIT. Note: RemoveIT will ask to update its signature databases, so an Internet connection is needed while it updates.
Scan the system drive with these programs and delete everything they find. If you wish, check all the computer's drives as well, just in case. It takes much longer but is more reliable.

3. The next utility is Plstfix. It repairs the registry after the locker's (and our) changes: Task Manager and Safe Mode will start working again.

4. Just in case, delete all temporary files. Copies of the virus often hide in these folders, and even well-known antiviruses may miss them there. Removing temporary files does not affect the operation of the system, so it is safe to clear them all. Install ATF Cleaner, tick everything and delete.

5. Reboot the system. Everything works, even better than before :).

Probably every fourth PC user has run into some kind of scam on the Internet. One type is a banner that blocks Windows and demands that you send an SMS to a premium number or pay in cryptocurrency. Essentially it is just a virus.

To fight banner ransomware you need to understand what it is and how it gets onto your computer. Typically a banner looks like this:

There are all sorts of other variations, but the essence is the same: the scammers want to make money from you.

Ways a virus gets into a computer

The first route of "infection" is pirated applications, utilities and games. Internet users are used to getting most of what they want "for free", but downloading pirated software, games, activators and the like from suspicious sites risks picking up viruses. In this situation it usually helps.

Windows may be locked by a downloaded file with the ".exe" extension. That does not mean you should refuse to download .exe files; just remember that ".exe" is only appropriate for programs and games. If you download a video, song, document or picture and its name ends in ".exe", the chance that it is a ransomware banner is close to 100%. Note that Windows hides known extensions by default, so a file named "photo.jpg.exe" is shown as "photo.jpg"; turn on "File name extensions" (or turn off "Hide extensions for known file types" in Folder Options) so that you can see the real extension.

There is also the trick of a supposedly required Flash Player or browser update. You are browsing from page to page and suddenly see a message that "your Flash Player is out of date, please update". If clicking the banner does not take you to the official adobe.com site, it is a virus, 100%. So check before pressing "Update". Best of all, ignore such messages altogether; Adobe ended Flash Player support at the end of 2020, so any current "update" prompt is fake.

Finally, missing Windows updates weaken the system's security. Install updates on time; Windows Update can be set to automatic mode in Control Panel -> Windows Update so that it does not distract you.

How to unlock Windows 7/8/10

One of the simple options to remove the ransomware banner is. It helps 100%, but reinstalling Windows only makes sense when there is no important data on drive "C" that you have not saved elsewhere: reinstalling wipes every file on the system drive. If you do not want to reinstall your software and games, use the other methods.

After the cleanup, once the system starts without the banner, you need to take additional steps, otherwise the virus may resurface or the system may misbehave. All of this is at the end of the article. I have verified all the information personally! So, let's begin!

Kaspersky Rescue Disk + WindowsUnlocker will help us!

We will use a specially built bootable operating system. The only difficulty is that you need to download the image on a working computer and or (scroll through the articles, it's there).

When this is ready, you need. At startup a short message such as "Press any key to boot from CD or DVD" appears; press any key, otherwise the infected Windows will start instead.

After pressing a key, select the language ("Russian"), accept the licence agreement with the "1" key and choose the launch mode "Graphic". Once the Kaspersky environment starts, ignore the scanner that launches automatically; open the "Start" menu and launch "Terminal".


A black window will open, where we write the command:

windowsunlocker

A small menu will open:


Select "Unlock Windows" with the "1" key. The program checks and fixes everything itself. Now close the window and scan the whole computer with the scanner that is already running: tick the disk with the Windows OS and click "Run object scan"


Wait for the scan to finish (it can take a long time) and finally reboot.

If you have a laptop without a mouse and the touchpad does not work, use the text mode of the Kaspersky disk instead. In that case, after the system starts, first close the menu with the "F10" key and then enter the same command at the command line: windowsunlocker

Unlocking in safe mode, without special images

Today's Winlocker variants have become smarter and also block Windows from starting in Safe Mode, so this may well fail; but if you have no rescue image, try it. Viruses differ and different methods work in different cases, but the principle is the same.

Reboot the computer. During boot, press F8 repeatedly until the Windows Advanced Boot Options menu appears. Use the arrow keys to select "Safe Mode with Command Prompt".

This is where you need to go and select the desired line:

If everything goes well, the computer boots and you see the desktop (or a command prompt). Great! But this does not mean everything is fixed: if you do not remove the virus and simply reboot in normal mode, the banner will pop up again.

Cleaning with Windows's own tools

Roll the system back to a restore point from before the banner appeared. Read the article carefully and do everything written there. There is a video below the article.

If that does not help, press "Win + R" and type the command that opens the registry editor:

regedit

If a black command prompt window appears instead of the desktop, type "regedit" there and press "Enter". We need to check a few registry locations for the malicious code. Start by going to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Now check the following values in order:

  • Shell – must be "explorer.exe" and nothing else
  • Userinit – must be "C:\Windows\system32\userinit.exe," (the trailing comma is part of the stock value; a locker appends its own path after it)

If the OS is installed on a drive other than C:, the letter will differ accordingly. To change an incorrect value, right-click the line and select "Modify":

Then we check:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

There should be no Shell or Userinit values here at all; if there are, delete them. Windows honours per-user values in this key, so lockers like to hide in it.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

And also be sure to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If you are not sure whether an entry should be deleted, you can first just append a "1" to its data: the path becomes invalid, the program simply will not start, and you can restore it later. Safer still: before deleting anything, select the key and use File - Export to save a .reg backup that can be double-clicked to put the entries back.

Now you need to run the built-in system cleaning utility, we do it in the same way as we launched the “regedit” registry editor, but we write:

cleanmgr

Select the drive with the operating system (C: by default) and, after the scan, tick every box except "Windows Update package backup files".

Click "OK". This may have disabled the virus's autorun; the traces of its presence still need to be cleaned up, which is described at the end of the article.

AVZ utility

The idea is to launch the well-known AVZ anti-virus utility in Safe Mode. Besides scanning for viruses, it has a great many functions for fixing system problems. This method repeats the steps for closing the holes the virus left in the system, so see the next section.

Fixing problems after removing ransomware

Congratulations! If you are reading this, the system started without the banner. Now the whole system needs to be scanned. If you used the Kaspersky rescue disk and scanned there, skip this point.

There may be one more problem caused by the villain: the virus may have encrypted your files, and even after it is completely removed you cannot open them. To decrypt them, use the programs from the Kaspersky website, XoristDecryptor and RectorDecryptor; instructions are there as well.

But that is not all, because Winlocker has most likely tampered with the system and various glitches will be observed; for example, Registry Editor and Task Manager will not start. To repair the system we will use AVZ.

Google Chrome may refuse to download it, because the browser considers the program malicious. This has already been raised on the official Google forum, and at the time of writing everything is fine again.

To download the archive anyway, go to "Downloads" and click "Download malicious file" :) Yes, this looks a bit silly, but apparently Chrome believes the program can harm an average user. And that is true if you click it anywhere at random! So follow the instructions strictly.

Unpack the archive, copy it to removable media and run it on the infected computer. Go to "File -> System Restore", tick the boxes as in the picture and perform the operations:

Now go to "File -> Troubleshooting Wizard", then "System problems -> All problems" and click "Start". The program scans the system; in the window that appears, tick every box except "Disable automatic operating system updates" and those beginning with "Allow autorun from...".

Click "Fix noted problems". After it completes, go to "Browser settings and tweaks -> All problems", tick every box and click "Fix noted problems" in the same way.

Do the same with "Privacy", but here leave unticked the boxes responsible for clearing browser bookmarks and anything else you want to keep. Finish with the "System Cleaning" and "Adware/Toolbar/Browser Hijacker Removal" sections.

Finally, close the window without exiting AVZ. In the program open "Tools -> Explorer Extension Editor" and untick the items shown in black. Then open "Tools -> Internet Explorer Extension Manager" and delete every line in the window that appears.

As I said above, this section is also one of the ways to cure Windows of a ransomware banner. In that case download the program on a working computer, copy it to a flash drive or disc, and do everything in Safe Mode. There is another way to launch AVZ even if Safe Mode does not work: from the same boot menu, choose "Repair Your Computer".

This item appears at the very top of the menu if the recovery environment is installed. If it is not there, try starting Windows until the banner appears and then cut the power. On the next boot a new startup mode may be offered.

Running from the Windows installation disc

Another sure way is to boot from any Windows 7-10 installation disc and choose "Repair your computer" rather than "Install". When the recovery tools are running:

  • Select "Command Prompt"
  • In the black window type "notepad" to launch ordinary Notepad. We will use it as a mini file manager
  • Go to "File -> Open" and set the file type to "All Files"
  • Find the folder with AVZ, right-click on "avz.exe" and launch it with the "Open" menu item (not "Select")

If all else fails

This covers cases where, for some reason, you cannot boot from a flash drive with the Kaspersky image or run AVZ. All you can do is remove the hard drive from the computer, connect it as a second drive to a working computer, boot from that computer's UNINFECTED drive and scan YOUR drive with a Kaspersky scanner. Do not open or run anything from the infected drive while it is attached; scan it, fix the Winlogon values in its registry if needed (its hives can be opened in the working computer's Registry Editor with File - Load Hive), and put it back.

Never send SMS messages that scammers ask for. Whatever the text, do not send messages! Try to avoid suspicious sites and files, and generally read. Follow the instructions, and then your computer will be safe. And don’t forget about antivirus and regular operating system updates!

Here is a video where you can see everything with an example. The playlist consists of three lessons:

PS: which method helped you? Write about it in the comments below.

Computer viruses become more sophisticated every year. Some exist to extort money, others to destroy systems and steal data, and there is a class of infection that simply pushes advertising and interferes with normal use of the PC. The bulk of the least dangerous ones are banners. They are the most common kind of spam, but they can cause plenty of trouble. How do you remove a banner in one case or another? We will look for the answer below, and also at ways to protect the OS and at the places where you can "pick up" a banner virus.

Danger is near

First, let's find out which sources spread the computer "infection." After all, it is always easier to prevent a PC infection than to cure the OS.

Today, spam, Trojans and other viruses can penetrate:

  • by distributing letters by email;
  • when visiting certain websites;
  • when using cracks, keygens and other "hacker" tools;
  • while downloading files;
  • by installing software from untrusted sources.

This is the most common list of potentially dangerous places for users. In addition, viruses are now actively distributed through torrents and therefore it is recommended to use such software with caution.

Types of viruses

How to remove a banner? Before taking decisive action, the user must find out what specific infection he is dealing with. The further algorithm of actions will depend on this.

Users complain about the following types of banners:

  • with a request to send money to the phone;
  • offering to send paid SMS;
  • requiring account replenishment through payment terminals;
  • insisting on transferring money through social networks;
  • filling the desktop with advertisements;
  • opening pages and new banners in browsers.

The last 2 options are the least dangerous viruses. They are often called spam. Getting rid of them is easier than it seems. But first let's look at more difficult situations.

Safe Mode - Login

How do you remove advertising banners that block access to the operating system? Such programs demand money to let you log into Windows, but even after payment no unlocking follows: after a restart the user sees the same banner.

You can get rid of such an infection in several ways, for example via Windows Safe Mode. The user needs to:

  1. Restart the computer, or simply turn it on.
  2. During boot, press F8.
  3. In the list that appears, select "Safe Mode with Command Prompt".
  4. In the command prompt that opens, type regedit.
  5. Press "Enter" and navigate to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

How to remove a banner? After these steps, the user will have to conduct a thorough check of the information.

Checking the data

What is it about? After following the previously specified path, you need to see that the corresponding windows contain the following values:

Shell - contains "explorer.exe" and nothing else;

Userinit - contains "C:\Windows\system32\userinit.exe," (with the trailing comma).

This is the path:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

Any Shell or Userinit value found here is deleted. Once that is done, delete every entry you do not recognize at the following locations:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run;

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce;

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run;

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.

But this won't be enough. To remove the ransomware banner, you need to clean the system. How to do it?

About cleaning the OS in safe mode

There is nothing special or hard to understand about the procedure. Follow the basic instructions:

  1. Open the command prompt (or Win + R) as before.
  2. Run the cleanmgr command.
  3. Select the partition the OS is installed on.
  4. Let it scan.
  5. Tick every box except "Backup files...".
  6. Click "OK".

All that remains is to wait. Within a few minutes the user will have access to the operating system. But this is no reason to rejoice: the steps above have most likely only disabled the virus. Now it has to be removed.

Removing disabled ransomware

How to remove a banner from your computer? To clean the operating system of disabled viruses, today you can use additional free utilities. There are a lot of them. They work on the principle of an antivirus. It is enough to launch the program, scan and remove dangerous objects. If possible, you can treat the software or “fix” it automatically.

To remove ransomware viruses presented as banners, it is better to use the following programs:

  • "AntiWinLockerCD";
  • AVZ utility.

This software is extremely easy to learn. Even a child can handle it. Now it’s clear how to remove the ransomware banner.

Kaspersky to help

But this is only one option for the development of events. Modern users can use various methods of treating their computer.

You can disable the ransomware virus and get rid of it using the Kaspersky utility “Deblocker”. This is a free service that quickly and easily gets rid of various banners. The main thing is that the user has access to an Internet browser. By the way, operations can be carried out from a computer that is not infected.

The algorithm of actions is reduced to the following stages:

  1. Open the site in any browser sms.kaspersky.ru.
  2. Enter in the appropriate field the phone number or account given by the extortionist.
  3. Enter the code you are asked to send.
  4. Click on the "Get code..." button.
  5. Try all possible issued codes.

That's all. By searching through the available codes, the user will be able to get rid of the ransomware virus.

Browser attack

How do you remove a pop-up banner in the browser? The procedures above clean the PC of ransomware, but most people run into ordinary adware. It opens advertisements and banners in browsers, steals personal data and loads the computer's CPU.

So the infection has to be removed, and that can be done in several ways. Below are the most common scenarios; the tips will help even a novice user fix things quickly.

Extra software away!

The user will have to:

  1. Open "Start" - "Control Panel".
  2. Open "Programs and Features" ("Uninstall a program").
  3. Go through the list shown.
  4. Pick out everything suspicious or unnecessary, for example "Baidu" or "Vulcan Casino".
  5. Right-click and choose "Uninstall".
  6. Follow the on-screen instructions to complete the uninstall wizard.

The first stage of fighting spam on PCs has been completed. What's next?

Processes and viruses

Now it’s worth thinking about what processes are running in the operating system. Some of them may be malicious. If you don’t disable them, then there’s no point in thinking about how to remove advertising banners in your browser. The operations will not lead to the final result - after the first reboot of the PC, the spam will be restored.

How to remove a banner from your computer? Are the programs removed? Then you need:

  1. Press Ctrl + Alt + Del.
  2. Choose "Task Manager".
  3. Go to the "Processes" tab.
  4. Select every suspicious or unfamiliar process. Right-click - "Open file location" shows where it runs from; anything running from Temp, AppData or directly from the Windows folder deserves a close look.
  5. Click "End Process".

A warning appears saying that ending a process may destabilise the system. Accept it and end the suspicious processes.

Clear cache and history

How to remove banners in the browser? This is not the simplest, but quite accessible operation. Sometimes it is enough to simply clear the history in the Internet browser, as well as clear the cache.

In all browsers, a list of visited pages can be found in the settings. For example, the following actions are possible:

  1. Open settings in Chrome or Yandex.
  2. Go to the "History" block.
  3. Click on the "Clear history" button.
  4. Check the boxes next to “All history” and “Clear cache”.

In some versions of Internet browsers, after entering the settings, you have to look for the “Advanced settings” section. You can find both history and cache data in it.

For Opera, cleaning comes down to deleting the profile folder. On Windows XP it is the folder below; on Vista and later it is %APPDATA%\Opera. Deleting it removes the whole profile, including bookmarks and saved passwords, so copy it somewhere first:

C:\Documents and Settings\username\Application Data\Opera.

Mozilla Firefox is another popular browser. Its settings are reset as follows:

  1. Open the browser menu.
  2. Open the Help menu.
  3. Click "Troubleshooting Information".
  4. Click "Refresh Firefox" (called "Reset Firefox" in older versions).

Now all that remains is to restart the browser. Everything is working? Then you don't need to do anything else. But what if advertisements and banners still appear?

Shortcut Properties

For example, some users find it helpful to check the properties of the browser shortcuts. To remove an advertising banner that way:

  1. Find the shortcut of the browser you use (desktop, Start menu, taskbar).
  2. Right-click it.
  3. Open "Properties".
  4. On the "Shortcut" tab, look at the "Target" line.
  5. Erase everything after the browser's executable (the part ending in .exe; keep the closing quote if the path is quoted). Adware appends a URL here so that the browser opens its page at every start.
  6. Save the changes.

These steps work for any browser. Restart the computer afterwards.
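The check above, done for every shortcut at once. This is an added example written for this page, not code from the original article: it lists browser shortcuts whose Target line carries arguments and, with -Fix, strips the ones containing a URL. The list of browser executables and the folders searched are my assumptions; extend them as needed.

```powershell
# Added example (not from the article): list browser shortcuts whose Target line has
# extra arguments appended (adware appends a URL so the browser opens its page at every
# start) and, with -Fix, strip those arguments. Uses the WScript.Shell COM object that
# ships with every Windows. Run as the affected user; writing shortcuts in the
# all-users folders additionally needs an elevated prompt.
param([switch]$Fix)

# Executables treated as browsers (my list; extend as needed; browser.exe is Yandex Browser).
$browsers = 'chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe', 'opera.exe', 'browser.exe'
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"    # taskbar pins live under here
) | Where-Object { $_ -and (Test-Path -Path $_) }
$shell = New-Object -ComObject WScript.Shell

function Get-BrowserShortcutFindings {
    foreach ($lnk in Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        if (-not $sc.TargetPath) { continue }
        $exe       = Split-Path -Path $sc.TargetPath -Leaf
        $arguments = [string]$sc.Arguments
        $isBrowser = $browsers -contains $exe
        # Two shapes of hijack: a browser launched with arguments, or a non-browser target
        # (cmd.exe, wscript.exe, a .bat) whose arguments name a browser or a URL.
        if ($isBrowser -and [string]::IsNullOrWhiteSpace($arguments)) { continue }
        if (-not $isBrowser -and $arguments -notmatch '(?i)(https?://|chrome|firefox|msedge|iexplore|opera)') { continue }
        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $sc.TargetPath
            Arguments = $arguments
            # Legitimate arguments exist (Chrome's --profile-directory=...); a URL is the telltale.
            HasUrl    = [bool]($arguments -match '(?i)https?://')
        }
    }
}

$findings = @(Get-BrowserShortcutFindings)
if ($findings.Count -eq 0) { Write-Host 'No browser shortcuts with arguments found.' }
$findings | Format-List

if ($Fix) {
    foreach ($f in $findings | Where-Object { $_.HasUrl }) {
        $sc = $shell.CreateShortcut($f.Shortcut)
        $sc.Arguments = ''
        $sc.Save()
        Write-Host "Stripped arguments from $($f.Shortcut)"
    }
}
```

Run it once without -Fix and read the list: only entries with HasUrl = True are touched by -Fix, so a Chrome profile shortcut with --profile-directory survives. A finding whose Target is not a browser at all (cmd.exe or a .bat that then starts the browser) is a replaced shortcut; delete it and recreate it from the browser's installation folder rather than cleaning its arguments.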

Host and crystal clear

How to remove a banner from your computer? Some viruses register themselves in the hosts file, so you will have to work with it a little.

The file lives in:

C:\Windows\System32\drivers\etc.

  1. Open the "hosts" file (it has no extension) with Notepad run as administrator.
  2. Delete every line that does not start with "#". A clean hosts file contains only such comment lines, so nothing legitimate is lost.
  3. Save the file.
  4. Delete any duplicate or look-alike files (hosts.txt, a second "hosts" with a trailing space, and so on). Turn on "Show hidden files" first: malware often hides the real file and leaves a clean decoy in view.

In some cases it is simpler to select the file and delete it with Shift held down; Windows works without a hosts file.
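The same inspection as a script, added here as an example and not taken from the article. It reports the active hosts entries instead of blanking the file, and checks the two things the manual steps can miss: a hidden or look-alike file next to the real one, and the registry value DataBasePath, which tells the resolver where the hosts file is and which some malware points elsewhere. The list of "help sites" it flags is my heuristic, not a signature.

```powershell
# Added example (not from the article): inspect the hosts file and its surroundings
# instead of blanking it. A stock Windows hosts file contains nothing but "#" comments
# (since Vista the resolver handles localhost itself), so every active line was added
# by somebody. The script also checks two tricks that make the file you edit the wrong
# one: a hidden or look-alike file in drivers\etc, and a redirected DataBasePath in the
# registry. With -Fix it backs the file up and keeps only comments and localhost lines.
# Run from an elevated PowerShell.
param([switch]$Fix)

$etc   = Join-Path $env:SystemRoot 'System32\drivers\etc'
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# DataBasePath is REG_EXPAND_SZ; Get-ItemProperty returns it already expanded.
$dbPath    = ((Get-ItemProperty -Path $tcpip -Name DataBasePath).DataBasePath).TrimEnd('\')
$hostsFile = Join-Path $dbPath 'hosts'

function Get-HostsEntries {
    param([string[]]$Lines)
    $n = 0
    foreach ($line in $Lines) {
        $n++
        $text = ($line -split '#', 2)[0].Trim()            # strip comments
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        $ip    = $parts[0]
        $names = if ($parts.Count -gt 1) { $parts[1..($parts.Count - 1)] } else { @() }
        $isLocal = ($ip -eq '127.0.0.1' -or $ip -eq '::1') -and
                   (@($names | Where-Object { $_ -notmatch '^localhost' }).Count -eq 0)
        # Heuristic (my assumption, not a signature): lockers of this era pointed social
        # networks and antivirus/update sites at a dead address so the victim could not get help.
        $blocksHelp = ($names -join ' ') -match '(?i)(kaspersky|drweb|eset|avast|microsoft|windowsupdate|google|yandex|vk\.com|odnoklassniki|mail\.ru)'
        [pscustomobject]@{
            Line    = $n
            IP      = $ip
            Names   = ($names -join ' ')
            Verdict = if ($isLocal) { 'ok (localhost)' } elseif ($blocksHelp) { 'REMOVE: hijacks a help/update site' } else { 'review' }
        }
    }
}

# 1. Does the resolver even read the file everybody edits?
if ($dbPath -ne $etc) {
    Write-Warning "DataBasePath is '$dbPath', not '$etc': the file in drivers\etc is a decoy. Reset the value to %SystemRoot%\System32\drivers\etc."
}

# 2. Hidden or look-alike copies next to the real file (note the -Force).
Get-ChildItem -Path $dbPath -Force | Where-Object { $_.Name -like 'hosts*' } |
    Select-Object Name, Length, Attributes, LastWriteTime | Format-Table -AutoSize

# 3. Active entries in the file the resolver actually uses.
$lines   = @(Get-Content -Path $hostsFile)
$entries = @(Get-HostsEntries -Lines $lines)
$entries | Format-Table -AutoSize

if ($Fix) {
    $drop = @($entries | Where-Object { $_.Verdict -notlike 'ok*' } | ForEach-Object { $_.Line })
    Copy-Item -Path $hostsFile -Destination "$hostsFile.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    (Get-Item -Path $hostsFile -Force).Attributes = 'Normal'   # clear hidden/read-only so we can write
    $kept = @(for ($i = 0; $i -lt $lines.Count; $i++) { if ($drop -notcontains ($i + 1)) { $lines[$i] } })
    Set-Content -Path $hostsFile -Value $kept -Encoding ASCII
    Write-Host "Removed $($drop.Count) line(s); backup written next to the file."
}
```

-Fix removes every non-localhost entry, which is what the article's "erase everything" achieves, but it keeps the comments and a backup. If you run a development setup that legitimately maps names in hosts, read the "review" lines before using -Fix.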

Antiviruses come to the rescue

Need to figure out how to remove a banner from Yandex? If the above tips do not bring results, you will have to move on. For example, you can scan your computer for viruses.

To do this, you just need to launch the anti-virus system and click on the “Deep scan” button. Any software will do - Kaspersky, NOD32, and Avast. Once the procedure is completed, the person will need to treat all potentially dangerous objects. And what did not respond to treatment should be removed.

Such operations are activated through standard antivirus controls. Therefore, no skills or knowledge are required from the user.

The computer registry must be clean

We figured out how to remove the banner. What other tips will help you cope with this task?

To automatically clean your computer's registry, you will need to:

  1. Launch CCleaner.
  2. Open the "Registry" section.
  3. Click "Scan for Issues".
  4. Click "Fix selected Issues" once the scan finishes, and accept the offer to back up the changes.

After the procedure is completed, the registry will be clean. You can reboot the OS and see if there is any result. It is important that all browsers are closed when working with the utility.

Extreme measures

But that's not all. To answer how to remove a pop-up banner in a browser, some people are ready to go to extreme measures. Usually it doesn’t come to them, but there is no need to exclude such situations either. What is it about?

In order to get rid of any virus in the browser, you can simply delete the Internet browser with all user data. By reinstalling (not to be confused with updating) the software, you will be able to resume work with working software. Before uninstalling, it is better to make copies of your bookmarks, if any.

In some cases, the operation of the operating system is restored after an OS rollback. The operation is carried out using standard Windows tools. You can find the desired section in “Start”, in the folder “All Programs” - “Accessories” - “System Tools”. Following the instructions on the screen, the “victim” will restore the system in a few minutes.

The last way to get rid of banners and viruses in general is to completely reinstall Windows. It requires an installation disk. During the operation, it is recommended to completely format the hard drive of the “machine”. This is the only way to 100% get rid of all existing computer infections.

Users often become victims of viruses that seriously interfere with working in Windows. A striking example is a banner that blocks the desktop. This happens if you have not taken care to protect your computer. You cannot perform any action, the OS is locked, and the screen says something like “You have broken the law. Top up such-and-such a mobile number, otherwise you will lose all your data.” This article describes how to remove such a banner from your computer's desktop.

Please understand that this is a scam. You have not violated anything; no law provides for blocking users' desktops. Under no circumstances follow the scammers' lead or send them your money.

Most likely, paying will not even help: unlocking with a code is unlikely to get rid of the virus, and the banner will remain on the computer.

To get rid of such problems it is often recommended simply to reinstall the operating system. Of course, removing and reinstalling Windows will definitely help, but it is the long way round. Do not forget that you will then also need to install all the necessary drivers and programs.

This article discusses simpler and faster ways to get rid of ransomware banners.

Starting in Safe Mode

If you find that a banner blocking all functions of the computer pops up when Windows starts, you need to start the operating system in diagnostic (safe) mode. To do this, follow these instructions:


This takes you into the Windows diagnostic mode. If it worked and the banner does not appear here, move on to the next part of the guide. If the lock appears in this mode as well, you will need to start the PC from a LiveCD (described below).

Typically, a banner virus modifies certain registry entries, which causes Windows to malfunction. Your task is to find all of these changes and undo them.

Editing the Registry

Open the Run dialog with the Win + R key combination. In the window that opens, type the command “regedit” and press Enter. The Windows Registry Editor opens. Follow the instructions carefully so that you do not miss anything.

Using the tree on the left side of the program window, open the following keys:

· HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Here you need to find the entry that autostarts your banner when the system boots, and remove it. Right-click the entry and select “Delete” from the context menu. Feel free to delete anything suspicious; it will not affect the operation of the system. If you delete something you needed, such as the Skype autostart, you can always add it back.

· HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

In this key, find the value named “Shell” and set its data to “explorer.exe”. Then find the “Userinit” value and set its data to "C:\Windows\system32\userinit.exe". To edit a value, simply double-click it.

· HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Look for the “Userinit” and “Shell” values here as well. Write their data down somewhere: these are the paths to your banner. Delete both values; they should not exist in this key.

Prevention

Once you have removed all the unwanted entries from the Windows registry, close the editor and restart the computer. The system should start without problems.

Now remove the “tails” left behind by the malicious script. Open Windows Explorer (My Computer), find the files that the “incorrect” Shell and Userinit values pointed to, and delete them.
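As an added example (not the article's own method or code), here is a small Python script that performs the registry check from the steps above, and the search for the “tails”, against a .reg export instead of by hand. It parses the text that the Windows reg export command writes for the Run and Winlogon keys, flags a Shell that is not explorer.exe, a Userinit that is not the stock value, any per-user Shell or Userinit under HKEY_CURRENT_USER, and Run entries that point into user-writable folders (a heuristic chosen for this example, not a rule from the article), and lists the file paths those values reference so that you know which files to delete afterwards. One caveat worth knowing: the stock Userinit data is "C:\Windows\system32\userinit.exe," with a trailing comma, so the script accepts both spellings. The sample export and every path in it are constructed for the example.

```python
r"""Audit a Windows .reg export for the Winlogon and Run hijacks described above.

Added example, not part of the original article.  It reads the text that
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
produces (real exports are UTF-16 with a BOM, so open them with
encoding="utf-16"), so it runs on any OS, including from a LiveCD with the
infected disk mounted.  The sample export below is constructed for this
example; every path in it is invented.
"""
import re

# Keys the article tells the reader to inspect, lower-cased because the
# registry itself is case-insensitive.
HKLM_WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
HKCU_WINLOGON = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)

# Known-good values.  The stock Userinit data ends with a trailing comma,
# so both spellings are accepted.
GOOD_SHELL = {"explorer.exe"}
GOOD_USERINIT = {r"c:\windows\system32\userinit.exe", r"c:\windows\system32\userinit.exe,"}

# Directories a legitimate autostart rarely lives in: a heuristic, not a rule.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "Name"=data
_PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+')              # drive-letter path


def parse_reg(text):
    """Return {key_path_lower: {value_name: string_data}} for REG_SZ values.

    hex:/dword: data is skipped; the autostart entries of interest are strings.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg escapes backslashes and quotes with a backslash; undo that.
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def lookup(values, wanted):
    """Case-insensitive value lookup, returning (original_name, data) or None."""
    for name, data in values.items():
        if name.lower() == wanted.lower():
            return name, data
    return None


def referenced_paths(data):
    """Every drive-letter path mentioned in a value: the 'tails' to delete afterwards."""
    return [p.strip() for p in _PATH_RE.findall(data)]


def audit(text):
    """Return a list of (key, value_name, data, reason) findings."""
    keys = parse_reg(text)
    findings = []
    hklm = keys.get(HKLM_WINLOGON, {})
    hit = lookup(hklm, "Shell")
    if hit and hit[1].lower() not in GOOD_SHELL:
        findings.append((HKLM_WINLOGON, hit[0], hit[1], "Shell is not explorer.exe"))
    hit = lookup(hklm, "Userinit")
    if hit and hit[1].lower() not in GOOD_USERINIT:
        findings.append((HKLM_WINLOGON, hit[0], hit[1], "Userinit is not the stock value"))
    # A clean machine has no per-user Shell/Userinit; their presence is the finding.
    for wanted in ("Shell", "Userinit"):
        hit = lookup(keys.get(HKCU_WINLOGON, {}), wanted)
        if hit:
            findings.append((HKCU_WINLOGON, hit[0], hit[1], "per-user Winlogon override present"))
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if any(d in data.lower() for d in SUSPICIOUS_DIRS):
                findings.append((key, name, data, "autostart from a user-writable directory"))
    return findings


# Constructed sample export: a hijacked Shell, a per-user Shell override and a
# suspicious Run entry next to a legitimate one.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\ivan\\AppData\\Roaming\\svchost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\ivan\\AppData\\Local\\Temp\\winlock.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Update"="C:\\ProgramData\\update\\lock.exe"
"""

if __name__ == "__main__":
    for key, name, data, reason in audit(SAMPLE_EXPORT):
        print(f"[{reason}] {key}\\{name} = {data}")
        for path in referenced_paths(data):
            print(f"    file to remove after reboot: {path}")
```

Run it against your own exports by replacing SAMPLE_EXPORT with the contents of the files reg export produced; a finding with the reason “Shell is not explorer.exe” or “per-user Winlogon override present” is exactly the entry the steps above tell you to fix or delete, and the paths printed under it are the files to remove once the system boots normally.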

After this it is very important to scan the system with an antivirus program, preferably using the deepest scan your antivirus offers. If you have no protection at all, download and install some immediately. For example, you can use Microsoft's free Security Essentials, available from this link: https://www.microsoft.com/ru-ru/download/details.aspx?id=5201.

The following section describes how to remove the banner if it appears even when Windows is started in Safe Mode.

Creating a Kaspersky Live CD

If you cannot remove the banner through Safe Mode, use a LiveCD. This is a special mini-OS written to a disk or flash drive. With it you can boot the computer and either edit the damaged registry or run an automatic repair utility.

For example, you can use the free tool from Kaspersky Lab. To do so, create a bootable USB flash drive or disk on another, working computer:

Unlocking via the Kaspersky Live CD

To remove the consequences of the infection, do the following:

Installation disk

You can also use the installation disk of your operating system to get rid of the consequences of the infection. You have to resort to this when the banner appears immediately after the BIOS beep and you have no way of using the other methods.

Insert the installation disk or a bootable USB flash drive with an image of your system and restart the PC. Open the Boot Menu and select booting from the external media. If prompted, press any key on the keyboard. The rest of the clean-up is described using Windows 7 as an example.

Select the interface language and click “Next”. At the bottom of the screen, click the “System Restore” link. A new window opens; in it select “Command Prompt”.

In the console that opens, enter the command “bootrec.exe /FixMbr” and press Enter. Then enter another command, “bootrec.exe /FixBoot”, and press Enter again. Also enter the line “bcdboot.exe c:\windows” (if the system is installed on a different drive, specify that one). Reboot the PC and the problem will be solved.

We now live in the computer era. There is a computer in every home and office, and often more than one. Computers are used for education and entertainment, and if you have Internet access you can pay utility bills and make bank transfers. It is really very convenient and makes our lives much easier. And everything would be fine if it were not for the crimes called cybercrime, which spoil our mood and lighten our wallets :-).

Let's take a closer look at what it is and how to fight it.

Electronic payment systems such as Webmoney, Qiwi, Yandex.Money and others: we have all used them and appreciated their capabilities. Some of them are more secure: they are tied to a specific computer and use two-factor authentication via SMS and a mobile application installed on your smartphone or tablet. Others are less secure and keep saved passwords right in the browser, from where, with enough determination, they can be copied to gain access to your account. To prevent this from happening, you must protect your computer with antivirus software.

That is why you should always have an antivirus program with the latest updates installed on your computer!

For most beginners, installing the free Avast antivirus will be enough. At least that is something rather than nothing at all.

Let's look at the situation when there is no antivirus on the computer at all. What does this mean? Even two or three hours on the Internet with no antivirus installed, or with it disabled, gives you a high probability of “picking up” malware. Why are these programs written? The goal is simple: a criminal who faces criminal liability for this would not distribute viruses unless he earned a significant income from it. And so it is with viruses: lately they have been written with the aim of taking your money, in hidden or overt ways.

Trojans

In the hidden method, a malicious program, a so-called Trojan, is installed on your computer. It gets in through a vulnerability, for example when the firewall is disabled or when a certain group of sites is visited, most often sites with erotic content. In the overt method, you yourself transfer money to the criminals' account, one way or another, to unlock the computer. Moreover, there may be no unlocking at all, since once the money has been transferred the criminals simply lose interest in you.

I decided to conduct a risky experiment :). I updated my antivirus databases and went to an obviously suspicious site to show you what it looks like. We are immediately offered an unknown driver file to download, without even specifying the webcam model.

The site's name is visible in the screenshot and carries no meaning at all. Most likely this was done deliberately so that the site would be associated by name with as many search queries as possible and you would not notice the mismatch in topic. Moreover, on the screen we see a large number of people who supposedly downloaded the file and thanked them.

Scam sites

Very often, when searching, we see imitations of forum pages with an unclear name and an offer to download the file we need. Then comes a question from a “user”: he is asked to send an SMS in order to download this file. He is cheerfully told that this is protection against bots, everything has been checked, don't worry.

Of course, after you send the SMS, which turns out to be a premium one, a tidy sum is withdrawn from your account under the flimsy pretext of providing entertainment or information services.

Also, never install toolbars of any kind on your computer, whatever advantages of the installation are colourfully described to you by specially hired, experienced copywriters:

It is better to refrain from visiting a site if we see this warning:

Although visiting is possible: this is just extra caution on the part of the Yandex programmers. The same applies to various extensions from unverified sources; all kinds of viruses often hide under this guise.

Banners

Let's look at how a computer with an antivirus installed, but not with the latest databases and an enabled firewall, gets infected.

Most often, an inexperienced user downloads malicious software onto the computer without knowing it. It can be disguised as anything, for example as a utility or driver in a self-extracting archive with the *.exe extension, or even, as happened to my boss, as an important letter, supposedly from an arbitration court. This is what one of the possible ransomware banners that may appear on your desktop looks like:

Business people often have a lot of problems. Having lost their heads, they immediately download the attachment from the e-mail and open it. Moreover, in this case the file was called “Letter”, and even its icon was an envelope. For people with little computer literacy this is, unfortunately, enough. It is the non-standard file extension and its icon that alert us, the more experienced users.
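The same trick can be caught mechanically before the file is ever opened. As an added example, not from the article, here is a Python attachment check that looks at both the file name and the first bytes of the content: an executable extension, a double extension such as Letter.doc.exe (which Windows displays as “Letter.doc” because known extensions are hidden by default), or a file whose name says document but whose bytes start with the PE header “MZ” are all blocked. The attachment names and contents are constructed for the example; the magic bytes are the real signatures of the formats named.

```python
"""Triage e-mail attachments for the 'Letter' trick described above: an
executable whose name and icon imitate a document.

Added example, not from the original article.  The magic bytes are the real
signatures of the formats named; the attachment names and contents below are
constructed for the example.
"""

# Extensions Windows will execute directly.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Extensions a lure pretends to be (the formats the article's banner claimed to encrypt).
DOCUMENT_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".jpeg", ".txt"}

# Leading bytes that identify the real container, whatever the file is called.
MAGIC = (
    (b"MZ", "pe"),                  # Windows executable (.exe, .scr, .pif ...)
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole2"),  # legacy .doc/.xls
    (b"PK\x03\x04", "zip"),         # .docx/.xlsx, or any ZIP archive
    (b"\xff\xd8\xff", "jpeg"),
)


def detect_type(data):
    """Identify the real file type from its magic bytes; 'unknown' if none match."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def extensions(name):
    """All suffixes of a file name, lower-cased: 'Letter.doc.exe' -> ['.doc', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def triage(name, data):
    """Return a verdict dict for one attachment; any reason at all means 'block'."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = detect_type(data)
    reasons = []
    if last in EXECUTABLE_EXT:
        reasons.append(f"executable extension {last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
        reasons.append("double extension imitates a document")
    if kind == "pe" and last not in EXECUTABLE_EXT:
        reasons.append("content is a PE executable but the name says otherwise")
    return {"name": name, "type": kind,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed attachments: three lures and two genuine documents.
PE_STUB = b"MZ\x90\x00\x03\x00" + b"\x00" * 10   # just the DOS header magic, constructed
SAMPLE_ATTACHMENTS = [
    ("Letter.exe", PE_STUB),                      # the case from the article
    ("Letter.doc.exe", PE_STUB),                  # shown as "Letter.doc" on Windows
    ("Invoice.pdf", PE_STUB),                     # document extension, executable inside
    ("Contract.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("Report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
]


def triage_all(attachments=SAMPLE_ATTACHMENTS):
    """Triage every (name, content) pair and return the verdicts in order."""
    return [triage(name, data) for name, data in attachments]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['verdict']:5} {r['name']:15} ({r['type']}) {'; '.join(r['reasons'])}")
```

The check deliberately trusts the bytes over the name: a real PDF with a .pdf extension passes, while the same name on a file beginning with “MZ” is blocked, which is the case an envelope icon and a hidden extension are designed to slip past the user.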


After that, a banner named Watnik 91 appeared on the desktop.

It is unclear whom they hoped to mislead in this way; apparently this is all their imagination was capable of.

The banner carried printed text stating that all your files with the extensions DOC, PDF, XLS, JPEG, and possibly some others, had been encrypted. We managed to decrypt them, but only after two weeks of correspondence and sending samples of the encrypted files to a special site that provides help with this.

Removing a banner using AntiSMS

I have encountered ransomware banners before, so for such cases I keep a boot disk called AntiSMS, created specifically to combat ransomware banners. It is very easy to use. Press the BIOS key several times in the first 5 seconds after the computer starts; the key differs between motherboards, for example Delete, F2, F11 and others, so watch the prompts on the monitor immediately after the PC starts.

After the stripped-down OS (operating system) loads into the computer's RAM, we need to press just one button on the screen and wait for a message that the computer has been cleaned. The autostart entries in which the virus registers itself will be cleared. After restarting the computer, we will see that the ransomware banner has disappeared.


Boot disk or flash drive

What if your computer is infected, a banner like this on the screen blocks Internet access and the operation of the computer, and you do not have such a disk? Well, you turned out to be unprepared for this turn of events!

Then you can boot from a Linux Live CD, for example Ubuntu or Runtu, which supports Internet access via Ethernet out of the box. Those in the know will understand.

Then download the Dr.Web CureIt! utility to a flash drive.

Or do this from another computer. This utility lets you clean your computer of viruses after booting Windows in Safe Mode. To do so, write the utility to a flash drive and, after loading Windows in Safe Mode, run it from the flash drive.

The utility is completely free and comes with the latest database.

I hope that after reading this article your computer will be reliably protected, and that if a ransomware banner does appear on your desktop, you will be able to remove it quickly and on your own.

 