Effective methods for removing banner ransomware (Winlocker). How to unblock Windows from ransomware virus


I ask for your possible participation in my problem. My question is this: how do I remove a banner that says “Send SMS”? The operating system is Windows 7. By the way, the second system on my computer, Windows XP, was also blocked by a banner a month ago; I’m such an unfortunate user. I can’t log in to safe mode, but I managed to enter Computer Troubleshooting and run System Restore from there, and this error came up: “The system disk of this computer does not have restore points.”

It was not possible to find the unlock code on the Dr.Web website, or on ESET's. Recently, I managed to remove such a banner from a friend's computer using the ESET NOD32 LiveCD system recovery disk, but in my case it does not help. I also tried Dr.Web LiveCD. I set the clock in the BIOS forward by a year; the banner did not disappear. On various forums on the Internet, it is advised to correct the UserInit and Shell parameters in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. But how do I get there? Using a LiveCD? Almost all LiveCDs do not connect to the operating system, and operations such as editing the registry, viewing startup objects and viewing event logs are not available from such a disk, or am I mistaken?

In general, there is information on the Internet on how to remove a banner, but mostly it is not complete, and it seems to me that many people copy this information from somewhere and publish it on their website just so that it is there, but ask them how it all works and they will shrug their shoulders. I think this is not your case, but in general I really want to find and remove the virus myself; I’m tired of reinstalling the system. And the last question: is there a fundamental difference in the methods of removing a ransomware banner in the Windows XP and Windows 7 operating systems? Can you help? Sergey.

How to remove a banner

There are quite a few ways to get rid of this virus, which is also called Trojan.Winlock. If you are a novice user, all of these methods will require patience, endurance and the understanding that you have encountered a serious enemy. If you are not afraid, let’s get started.

  • The article turned out to be long, but everything said here really works in both the Windows 7 operating system and Windows XP; if there is a difference somewhere, I will definitely note it. The most important thing to know: removing the banner and getting the operating system back quickly won’t always work, but it is useless to put money into the extortionist’s account, because you won’t receive any unlock code in return, so there is an incentive to fight for your system.
  • Friends, in this article we will work with the Windows 7 recovery environment, or more precisely with the recovery environment's command line. I will give you the required commands, but if it is difficult for you to remember them, you can. This will make your work much easier.

Let's start with the simplest and end with the complex. How to remove a banner using safe mode. If your Internet surfing ended badly and you inadvertently installed malicious code, start with the simplest thing: try to enter Safe Mode (unfortunately, in most cases you will not be able to, but it’s worth a try), but you will definitely be able to enter Safe Mode with Command Line Support (the chances are better). You need to do the same thing in both modes, so let's look at both options.

In the initial phase of booting the computer, press F8, then select Safe Mode. If you manage to log in, you are very lucky and the task is simplified for you. The first thing to try is to roll back some time using restore points. How to use System Restore is described in detail in a separate article. If System Restore doesn't work, try something else.

In the Run line, type msconfig ,

You shouldn't have anything in the Startup folder either. It is located at

C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

Important note: Friends, in this article you will mainly have to deal with folders that have the Hidden attribute (for example AppData), so as soon as you get into Safe Mode or Safe Mode with Command Line Support, immediately turn on the display of hidden files and folders in the system; otherwise you simply will not see the folders in which the virus is hiding. It's very easy to do.

Windows XP
Open any folder, click the “Tools” menu and select “Folder Options”, then go to the “View” tab. At the very bottom, check the “Show hidden files and folders” item and click OK.

Windows 7
Start -> Control Panel -> View: Category -> Small Icons -> Folder Options -> View. At the very bottom, check the box “Show hidden files and folders”.

So let's return to the article. Let's look at the Startup folder; you shouldn't have anything in it.

Make sure that in the root of the drive (C:) there are no unfamiliar or suspicious folders and files, for example with an incomprehensible name such as OYSQFGVXZ.exe; if there are any, you need to delete them.

Now attention: in Windows XP, we delete suspicious files with strange names and the extension .exe (an example is visible above in the screenshot) from the folders

C:\
C:\Documents and Settings\Username\Application Data
C:\Documents and Settings\Username\Local Settings
C:\Documents and Settings\Username\Local Settings\Temp - delete everything from here, this is the temporary files folder.

Windows 7 has a good level of security and in most cases will not allow malicious programs to make changes to the registry, and the vast majority of viruses also try to get into the temporary files directory,
C:\USERS\username\AppData\Local\Temp, from where an executable .exe file can be run. As an example, here is an infected computer: in the screenshot we see the virus file 24kkk290347.exe and another group of files created by the system at almost the same time as the virus; everything needs to be deleted.

There should be nothing suspicious in them; if there is, we delete them.

And also be sure to:

In most cases, the above steps will remove the banner and the system will boot normally. After a normal boot, scan your entire computer with a free antivirus scanner with the latest updates, Dr.Web CureIt; download it from the Dr.Web website.

  • Note: You can immediately infect a normally booted system with the virus again by going online, since the browser will reopen all the pages of the sites you visited recently, among which there will naturally be the virus site, and a virus file may also be present in the browser's temporary folders. Find and delete the folders of the browser you used recently, at C:\Users\Username\AppData\Roaming\Browser name (Opera or Mozilla, for example) and in one more place, C:\Users\Username\AppData\Local\Your browser name, where (C:) is the partition with the installed operating system. Of course, after this action all your bookmarks will be lost, but the risk of getting infected again is significantly reduced.

Safe Mode with Command Line Support.

If after all this your banner is still alive, don’t give up and read on. Or at least go to the middle of the article and read the complete information about correcting registry settings after infection with banner ransomware.

What should you do if you couldn’t enter Safe Mode? Try Safe Mode with Command Line Support; there we do the same thing, but the commands differ between Windows XP and Windows 7.

Apply System Restore.
In Windows 7, enter rstrui.exe and press Enter - we get to the System Restore window.

Or try typing the command explorer: something like a desktop will load, where you can open My Computer and do everything the same as in safe mode: check your computer for viruses, look at the Startup folder, the root of the drive (C:) and the temporary files directory, edit the registry as necessary, and so on.

To get into Windows XP System Restore, type in the command line %systemroot%\system32\restore\rstrui.exe

To get to Explorer and the My Computer window in Windows XP, as in Windows 7, type the command explorer.


Here you first need to type the command explorer, and you will be taken directly to the desktop. Many people cannot switch the default Russian keyboard layout to English in the command line using the Alt-Shift combination; in that case try it the other way around, Shift-Alt.

From here, go to the Start menu, then Run.


Then select Startup and delete everything from it, then do everything you did before: check the root of the drive (C:), delete the virus from the temporary files directory C:\USERS\username\AppData\Local\Temp, and edit the registry as necessary (everything is described above in detail).

System Restore. Things will be a little different if you are unable to get into either Safe Mode or Safe Mode with Command Line Support. Does this mean that we will not be able to use System Restore? No, it does not: you can roll back using restore points even if your operating system does not boot in any mode. In Windows 7 you need to use the recovery environment: in the initial phase of booting the computer, press F8 and select Troubleshooting your computer from the menu.

In the Recovery Options window, select System Restore again.

Now pay attention: if the Troubleshooting menu item is not available when you press F8, your files containing the Windows 7 recovery environment are damaged.

  • Is it possible to do without a Live CD? In principle, yes, read the article to the end.

Now let's think about what to do if we cannot start System Restore by any means, or it was completely disabled. First, let's see how to remove the banner using an unlock code, kindly provided by the companies that develop anti-virus software: Dr.Web, ESET NOD32 and Kaspersky Lab. In this case you will need the help of friends. One of them needs to go to an unlocking service, for example Dr.Web

https://www.drweb.com/xperf/unlocker/

or ESET NOD32

http://www.esetnod32.ru/.support/winlock/

or Kaspersky Lab

http://sms.kaspersky.ru/

enter in the search field the phone number to which you are asked to transfer money to unlock the computer, and click the Search for codes button. If an unlock code is found, enter it into the banner window and click Activation (or whatever it says); the banner should disappear.

Another simple way to remove the banner is to use a recovery disk, or rescue disk as they are also called. The entire process, from downloading the image and burning it to a blank CD to checking your computer for viruses, is described in more detail in our articles, so we won’t dwell on it here. By the way, the rescue disks from these antivirus companies are not bad at all: they can be used like LiveCDs to carry out various file operations, for example to copy personal data from an infected system or to run the Dr.Web CureIt healing utility from a flash drive. And the ESET NOD32 rescue disk has a wonderful thing that has helped me more than once, Userinit_fix, which corrects an important registry setting on a computer infected with the banner: Userinit, in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon branch.

How to fix all this manually, read on.
Well, my friends, if anyone is still reading, I am very glad for you, because now the fun begins: if you manage to learn this information and, even more so, apply it in practice, many ordinary people whom you free from the ransomware banner will consider you a real hacker.

Let's not deceive ourselves: personally, everything described above helped me in exactly half of the cases where my computer was blocked by the Trojan.Winlock blocking virus. The other half requires a more careful look at the issue, which is what we will do.
In fact, when it blocks your operating system, whether Windows 7 or Windows XP, the virus makes its changes to the registry, as well as to the Temp folders containing temporary files and to the C:\Windows->system32 folder. We must correct these changes. Don’t forget about the Start->All Programs->Startup folder. Now about all this in detail.

  • Take your time, friends, first I will describe where exactly what needs to be fixed is located, and then I will show you how and with what tools.

In Windows 7 and Windows XP, the ransomware banner affects the same UserInit and Shell parameters in the registry in the branch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
Ideally they should be like this:
Userinit - C:\Windows\system32\userinit.exe,
Shell - explorer.exe

Check everything letter by letter; sometimes instead of userinit you come across, for example, usernit or userlnlt.
You also need to check the AppInit_DLLs parameter in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs; if you find something there, for example C:\WINDOWS\SISTEM32\uvf.dll, all of it needs to be deleted.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce: there should be nothing suspicious in them.

And also be sure to check:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (must be empty); in general there should be nothing superfluous here either. ParseAutoexec must be equal to 1.

You also need to delete EVERYTHING from temporary folders (there is also an article on this topic), but in Windows 7 and Windows XP they are located slightly differently:

Windows 7:
C:\Users\Username\AppData\Local\Temp. Viruses especially like to settle here.
C:\Windows\Temp
C:\Windows\
Windows XP:
C:\Documents and Settings\User Profile\Local Settings\Temp
C:\Documents and Settings\User Profile\Local Settings\Temporary Internet Files
C:\Windows\Temp
C:\Windows\Prefetch
It is also worth looking in the C:\Windows->system32 folder in both systems for all files ending in .exe and .dll dated the day your computer was infected by the banner. These files need to be deleted.
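The file checks described so far (unfamiliar .exe files in the root of the drive, executables in the Temp folders, and .exe/.dll files in system32 dated the day of infection) can be listed in one pass from a LiveCD before anything is deleted. This is an added example, not part of the original article; the function names, the `Username` placeholder and the command-line arguments are assumptions, and the script only reports files.

```python
import os
from datetime import date, datetime

EXECUTABLE_EXT = {".exe", ".dll"}


def find_dir(root, *parts):
    """Resolve root/parts ignoring letter case. A Windows partition mounted
    from a Linux LiveCD is case-sensitive, and the folder on disk may be
    'System32', 'system32' or 'SYSTEM32'."""
    current = root
    for part in parts:
        try:
            names = os.listdir(current)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.isdir(current) else None


def ext(name):
    return os.path.splitext(name)[1].lower()


def modified_on(path, day):
    """True if the file's modification time falls on the given local date."""
    return datetime.fromtimestamp(os.stat(path).st_mtime).date() == day


def triage(drive_root, infection_day, temp_dirs):
    """Return a sorted list of (reason, path) for files the article says to review.
    temp_dirs is a list of path-part tuples relative to drive_root."""
    hits = []
    # Article: no unfamiliar .exe files in the root of drive (C:).
    for entry in os.scandir(drive_root):
        if entry.is_file() and ext(entry.name) == ".exe":
            hits.append(("exe in drive root", entry.path))
    # Article: the virus likes to settle in the temporary folders.
    for parts in temp_dirs:
        folder = find_dir(drive_root, *parts)
        if folder is None:
            continue
        for base, _dirs, files in os.walk(folder):
            for name in files:
                if ext(name) in EXECUTABLE_EXT:
                    hits.append(("executable in temp folder", os.path.join(base, name)))
    # Article: .exe and .dll files in system32 dated the day of infection.
    sys32 = find_dir(drive_root, "Windows", "System32")
    if sys32 is not None:
        for entry in os.scandir(sys32):
            if (entry.is_file() and ext(entry.name) in EXECUTABLE_EXT
                    and modified_on(entry.path, infection_day)):
                hits.append(("system32 file dated on infection day", entry.path))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: triage.py <mounted drive root> <infection date YYYY-MM-DD>")
    # 'Username' is the article's placeholder; replace it with the real profile name.
    temp = [
        ("Users", "Username", "AppData", "Local", "Temp"),                # Windows 7
        ("Documents and Settings", "Username", "Local Settings", "Temp"),  # Windows XP
        ("Windows", "Temp"),
    ]
    for reason, path in triage(sys.argv[1], date.fromisoformat(sys.argv[2]), temp):
        print(f"{reason}: {path}")
```
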

Now watch how a beginner and then an experienced user will do all this. Let's start with Windows 7 and then move on to XP.

How to remove a banner in Windows 7 if System Restore was disabled?

Let's imagine the worst case scenario. Login to Windows 7 is blocked by a ransomware banner. System Restore is disabled. The easiest way is to get into Windows 7 using a simple recovery disk (you can create one directly in the Windows 7 operating system, as described in detail in our article); you can also use a simple Windows 7 installation disk or any simple LiveCD. Boot into the recovery environment, select System Restore, then select the command line

and type notepad in it. Notepad opens; choose File, then Open.

This opens a real Explorer window; click My Computer.

We go to the folder C:\Windows\System32\Config, set File Type to All files, and see our registry files. We also see the RegBack folder,

in which the Task Scheduler makes a backup copy of the registry keys every 10 days, even if you have System Restore disabled. What you can do here is delete the SOFTWARE file from the C:\Windows\System32\Config folder, which is responsible for the HKEY_LOCAL_MACHINE\SOFTWARE registry hive; most often the virus makes its changes here.

And in its place, copy and paste the file with the same name, SOFTWARE, from the RegBack backup folder.

In most cases, this will be enough, but if you wish, you can replace all five registry hives from the RegBack folder in the Config folder: SAM, SECURITY, SOFTWARE, DEFAULT, SYSTEM.

Next, we do everything as written above: delete the files from the temporary Temp folders, look through the C:\Windows->system32 folder for files with the extensions .exe and .dll dated the day of infection, and of course look at the contents of the Startup folder.

In Windows 7 it is located:

C:\Users\ALEX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

Windows XP:

C:\Documents and Settings\All Users\Main Menu\Programs\Startup.

By the way, the Microsoft Diagnostic and Recovery Toolset (DaRT) can connect perfectly to your Windows 7 operating system. By booting the computer from the Microsoft recovery disk (DaRT), you can edit the registry, reassign passwords, delete and copy files, use System Restore and much more. Without a doubt, not every LiveCD has such functions.
We boot our computer from this Microsoft recovery disk (DaRT), as it is also called. When asked whether to initialize the network connection in the background, we refuse if we don’t need the Internet.

Assign drive letters in the same way as on the target system? We say Yes; it’s more convenient to work this way.

I will not describe all the tools, since that is a topic for a large article, which I am preparing.
Let's take the first tool, Registry Editor, which allows you to work with the registry of the connected Windows 7 operating system.

We go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon branch and simply edit the Userinit and Shell parameters manually. You already know what their values should be.

Userinit - C:\Windows\system32\userinit.exe,
Shell - explorer.exe

In our case, we need to clear all the temporary Temp folders; you already know from the middle of the article how many there are and where they are in Windows 7.
But attention! Since the Microsoft Diagnostic and Recovery Toolset is fully connected to your operating system, you will not be able to delete, for example, the registry files SAM, SECURITY, SOFTWARE, DEFAULT and SYSTEM, because they are in use; but you are free to make changes to them.

How to remove a banner in Windows XP

Again, it’s a matter of the tool. I suggest using ERD Commander 5.0 (link to the article above); as I said at the beginning of the article, it is specifically designed to solve such problems in Windows XP. ERD Commander 5.0 will allow you to connect directly to the operating system and do everything we did using the Microsoft Diagnostic and Recovery Toolset in Windows 7.
We boot our computer from the recovery disk and select the first option, connecting to the infected operating system.

Select the registry.

We look at the UserInit and Shell parameters in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon branch. As I said above, they should have these values:
Userinit - C:\Windows\system32\userinit.exe,
Shell - explorer.exe

Also look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs - it should be empty.

Next, go to Explorer and delete everything from the temporary Temp folders.
How else can you remove a banner in Windows XP using ERD Commander? (By the way, this method is applicable to any Live CD.) You can try to do this even without connecting to the operating system. Boot ERD Commander and work without connecting to Windows XP;

in this mode, you and I will be able to delete and replace registry files, since they will not be involved in the work. Select Explorer.

Registry files in the Windows XP operating system are located in the C:\Windows\System32\Config folder. And backup copies of the registry files created during the installation of Windows XP are located in the repair folder, located at C:\Windows\repair.

We do the same, copy the SOFTWARE file first,

and then you can do the rest of the registry files - SAM, SECURITY, DEFAULT, SYSTEM in turn from the repair folder and replace them with the same ones in the C:\Windows\System32\Config folder. Replace file? We agree - Yes.

I want to say that in most cases it is enough to replace one SOFTWARE. When you replace the registry files from the repair folder, there is a good chance to boot the system, but most of the changes you made after installing Windows XP will be lost. Consider whether this method is right for you. Don't forget to remove everything unfamiliar from startup. In principle, you shouldn't delete the MSN Messenger client if you need it.

And the last way for today to get rid of the ransomware banner using the ERD Commander disk or any Live CD

If you had System Restore enabled in Windows XP, but you can’t apply it, you can try this. Go to the C:\Windows\System32\Config folder containing the registry files.

Use the slider to see the full file names and delete SAM, SECURITY, SOFTWARE, DEFAULT and SYSTEM. By the way, before deleting them, you can copy them somewhere just in case; you never know, you might want to put them back.

Next we go to the folder System Volume Information\_restore(E9F1FFFA-7940-4ABA-BEC6-8E56211F48E2)\RP\snapshot; here we copy the files that are backup copies of our registry branch HKEY_LOCAL_MACHINE\
REGISTRY_MACHINE\SAM
REGISTRY_MACHINE\SECURITY
REGISTRY_MACHINE\SOFTWARE
REGISTRY_MACHINE\DEFAULT
REGISTRY_MACHINE\SYSTEM

Paste them into the folder C:\Windows\System32\Config

Then we go to the Config folder and rename them, deleting REGISTRY_MACHINE\, thereby leaving the new registry files SAM, SECURITY, SOFTWARE, DEFAULT, SYSTEM.

Then we delete the contents of the Temp and Prefetch folders, and delete everything from the Startup folder as shown above. I will be glad if it helps someone. In addition to the article, a short and interesting one was written, you can read it.

Description of the problem: When you open any website in the browser, advertising pops up. Pop-up viral banners obscure content and web pages load slowly. When you click on links in your browser, windows and tabs with advertising open. This article describes how to remove ads in the Google Chrome, Yandex, Opera, Mozilla and Internet Explorer browsers.

Example of a window with third-party banners:

Where do third-party browser ads come from?

Why doesn't my antivirus remove ads from my browser?

An advertising banner is not a virus as such. The user himself launches a program that makes changes to the system, thinking that he has downloaded a game or something safe. And the antivirus sees that the file was not launched itself, as is the case with a virus, but was launched by the user on his own behalf.

How to remove ads in the browser - detailed effective instructions

1 Go to Control Panel and select Programs and Features. Carefully review the list of installed programs. Remove the following unwanted programs if they are present in the list:

Also, the browser cleaning utility from Avast can help you:

3 Check your start page settings. Remove the start pages that the virus set. (Instructions for Google Chrome:)

Attention! Instead of points 2 and 3, you can reset your browser settings. But keep in mind that in this case you will delete all applications, extensions, search engine settings and start pages. After the reset, you will have to configure your browsers from scratch.

6 Check for changes in browser shortcuts. Malware often writes its start page there. If the Target field has a start page of the form http://sitename.ru appended to it, then to remove the advertising in the browser, erase the site address and save the shortcut with the OK button:

If you are unable to save the shortcut, check that the Read-only box on the General tab is not ticked. If it is, untick it and press Apply. After that, go to the Shortcut tab, delete the appended address and save the change to the shortcut with the OK button.

The appended addresses often lead to the following (often malicious) sites:

7 Install the CCleaner program. Perform cleaning of:

  • caches in all browsers;
  • cookies;
  • cleaning temporary system files;

8 Install the Malwarebytes Anti-Malware program. (Read our article on how to remove ads, malware and viruses with it:)
Update its databases.
Perform a full system scan and remove all the viruses found, which are often what causes third-party advertising to appear in Chrome, Firefox, Opera and other browsers on a computer running any version of Windows:

Removing malware that causes ads to appear in your browser

9 Important point! Download the AdwCleaner program.
Perform a system scan and remove any malware found, followed by a reboot. In many cases, only this one program allows you to completely eradicate advertisements that appear in the browser due to unwanted extensions:

This little program very often helps to remove ads in the browser in just a couple of clicks!

10 Perform a system check using the trial version of the HitmanPro program. (Read the detailed instructions about registering and using the program: ). This powerful utility often helps to get rid of advertisements, annoying banners and pop-ups that other antiviruses cannot cope with.

If the above steps do not help, it is likely that malware has modified browser settings in the registry or has seriously damaged the system. Continue to the next point.

What to do if nothing helps to remove ads in the browser

11 You need to remove all browsers and clean the registry manually. How to do it?

  • Uninstall the Opera browser.
  • Reboot.
  • Delete the folder C:\Program Files (x86)\Opera.
  • Run regedit, look in the registry for all keys containing the word opera, and delete them manually.
    However, be careful not to accidentally delete keys that contain similar words, for example operation or operating.
  • Uninstall the Chrome and Firefox browsers and all the others.
  • Reboot.
  • Remove their folders from Program Files and Program Files (x86).
  • Look for the names of browsers in the keys and names of registry sections and delete them.

After removing all browsers:

  • Execute ;
  • Install your favorite browser again and look at the results.
  • If there are no banners, install other browsers if you need them.

Computer viruses are becoming more sophisticated every year. Some of them serve as a means of extorting money from people, while others are aimed at destroying the system and stealing data. There is also a computer infection that advertises Internet resources and simply interferes with the normal operation of the PC. The bulk of the least dangerous viruses are banners. This is the most common spam, but it can cause a lot of trouble. How do you remove a banner in one case or another? We will look for the answer to this question below. In addition, it is worth studying the ways to protect the OS and the places where you can “catch” a banner virus.

Danger is near

First, let's find out which sources spread the computer "infection." After all, it is always easier to prevent a PC infection than to cure the OS.

Today, spam, Trojans and other viruses can penetrate:

  • through messages distributed by e-mail;
  • when visiting certain websites;
  • using hacker programs;
  • while downloading files;
  • by installing software from untrusted sources.

This is the most common list of potentially dangerous places for users. In addition, viruses are now actively distributed through torrents and therefore it is recommended to use such software with caution.

Types of viruses

How to remove a banner? Before taking decisive action, the user must find out what specific infection he is dealing with. The further algorithm of actions will depend on this.

Users complain about the following types of banners:

  • with a request to send money to the phone;
  • offering to send paid SMS;
  • requiring account replenishment through payment terminals;
  • insisting on transferring money through social networks;
  • filling the desktop with advertisements;
  • opening pages and new banners in browsers.

The last 2 options are the least dangerous viruses. They are often called spam. Getting rid of them is easier than it seems. But first let's look at more difficult situations.

Safe Mode - Login

How to remove advertising banners blocking access to the operating system? Typically, such programs require money to log into Windows. But even after the funds are credited, no unlocking will follow. After restarting the computer, the user will see the same banner.

You can get rid of such an infection in different ways, for example by using Windows safe mode. The user will need to:

  1. Restart the computer or just turn it on.
  2. During loading, press F8.
  3. Select the line "Safe Mode..." in the list that appears. The entry that mentions "command line" is required.
  4. Open Start and type regedit in the search bar.
  5. Select the appropriate service and press "Enter".

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

How to remove a banner? After these steps, the user will have to conduct a thorough check of the information.

Checking the data

What is it about? After following the previously specified path, you need to see that the corresponding windows contain the following values:

Shell - there is the inscription “explorer.exe” and only that;

Userinit - here the text should be “C:\Windows\system32\userinit.exe”.

This concerns the path:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

Anything found here is deleted. Once this is done, the user will need to delete all unfamiliar entries at the following addresses:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run;

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce;

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run;

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
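The registry checks listed here, and the same Winlogon, AppInit_DLLs and Run/RunOnce checks in the Windows 7 and Windows XP sections earlier on the page, can be applied to saved `reg query` output instead of by eye, which also catches lookalikes such as userlnlt. This is an added example, not code from the article: the sample dump is constructed from the file names the article mentions, and the function names and the Temp-path flag on autorun entries are assumptions.

```python
import re

HKLM_NT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
HKCU_NT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
# Values the article says these parameters must have (compared ignoring case;
# "" means the value must be empty or absent).
EXPECTED = {
    (HKLM_NT + r"\Winlogon", "userinit"): r"c:\windows\system32\userinit.exe",
    (HKLM_NT + r"\Winlogon", "shell"): "explorer.exe",
    (HKLM_NT + r"\Windows", "appinit_dlls"): "",
    (HKCU_NT + r"\Winlogon", "shell"): "",
}
# Autorun keys the article says to review by hand.
RUN_KEYS = [
    hive + r"\Software\Microsoft\Windows\CurrentVersion" + "\\" + leaf
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
    for leaf in ("Run", "RunOnce")
]
# A value line printed by `reg query`: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+)(?: {4}(.*))?$")


def parse_reg_query(text):
    """Parse text printed by `reg query <key>` into {key: {value_name: data}}.
    Key and value names are lower-cased because the registry ignores case."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line.rstrip())
            if m:
                current[m.group(1).lower()] = (m.group(3) or "").strip()
    return keys


def normalise(data):
    # Userinit normally ends with a comma; ignore only that and letter case.
    return data.strip().rstrip(",").strip().lower()


def audit(text):
    """Return (mismatches, autoruns) for a `reg query` dump.
    mismatches: (key, value_name, data_found) where data differs from EXPECTED.
    autoruns:   (key, value_name, data, in_temp) for every Run/RunOnce entry."""
    keys = parse_reg_query(text)
    mismatches = []
    for (key, name), want in EXPECTED.items():
        found = keys.get(key.lower(), {}).get(name)
        if found is None:
            # Value absent: a problem only if the key was dumped and a value is required.
            if want and key.lower() in keys:
                mismatches.append((key, name, "<missing>"))
            continue
        if normalise(found) != want:
            mismatches.append((key, name, found))
    autoruns = []
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            # Assumption of this example: an autorun pointing into a Temp folder
            # goes to the top of the review list.
            autoruns.append((key, name, data, "\\temp\\" in data.lower()))
    return mismatches, autoruns


# Constructed sample dump, using the file names the article mentions.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\Username\AppData\Local\Temp\24kkk290347.exe
    Userinit    REG_SZ    C:\Windows\system32\userlnlt.exe,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\SISTEM32\uvf.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OYSQFGVXZ    REG_SZ    C:\OYSQFGVXZ.exe
"""

if __name__ == "__main__":
    bad, runs = audit(SAMPLE)
    for key, name, data in bad:
        print(f"MISMATCH {key}\\{name} = {data!r}")
    for key, name, data, in_temp in runs:
        print(f"{'TEMP    ' if in_temp else 'REVIEW  '}{key}\\{name} = {data!r}")
```
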

But this won't be enough. To remove the ransomware banner, you need to clean the system. How to do it?

About cleaning the OS in safe mode

There is nothing special or incomprehensible about the procedure. It is enough to follow the basic instructions.

  1. Open the "regedit" service according to the principle described earlier.
  2. Write the cleanmgr command.
  3. Select the partition on which the OS is installed.
  4. Scan it.
  5. Check all the boxes except for "Backup files...".
  6. Click on "OK".

All that remains is to wait. Within a few minutes the user will have access to the operating system. But this is no reason to rejoice. After all, through the described actions, most likely, the virus was disabled. Now we need to get rid of it.

Removing disabled ransomware

How to remove a banner from your computer? To clean the operating system from disabled viruses, today you can use additional free utilities. There are a lot of them. They work on the principle of an antivirus. Just run the program, scan and delete dangerous objects. If possible, you can treat the software or “fix” it automatically.

To remove ransomware viruses presented as banners, it is better to use the following programs:

  • "AntiWinLockerCD";
  • AVZ utility.

This software is extremely easy to learn. Even a child can handle it. Now it’s clear how to remove the ransomware banner.

Kaspersky to help

But this is only one way events can develop. Modern users can use various methods of treating a computer.

You can disable the ransomware virus and get rid of it using the Kaspersky utility “Deblocker”. This is a free service that quickly and easily gets rid of various banners. The main thing is that the user has access to an Internet browser. By the way, operations can be carried out from a computer that is not infected.

The algorithm of actions is reduced to the following stages:

  1. Open the site sms.kaspersky.ru in any browser.
  2. Indicate in the appropriate field the telephone number or the specified account of the extortionist.
  3. Enter the code you are asked to send.
  4. Click on the "Get code..." button.
  5. Try all possible issued codes.

That's all. By searching through the available codes, the user will be able to get rid of the ransomware virus.

Browser attack

How to remove a pop-up banner in a browser? The previously proposed action algorithms help clean your PC from ransomware. But most often people encounter regular spam. It opens advertisements and banners in browsers, steals personal data of citizens, and also loads the computer's CPU.

Accordingly, you will have to get rid of the virus. But this can be done in different ways. Next, we will look at the most common scenarios. The suggested tips will help even a novice user quickly correct the situation.

Extra software away!

The user will have to:

  1. Open "Start" - "Control Panel".
  2. Select "Remove programs...".
  3. Examine the list displayed on the screen.
  4. Highlight all suspicious and unnecessary components. For example, "Baidu" or "Vulcan Casino".
  5. Right-click and click on the “Delete” button in the drop-down list.
  6. Follow the on-screen instructions to complete the uninstall wizard.

The first stage of fighting spam on PCs has been completed. What's next?

Processes and viruses

Now it is worth thinking about which processes are running in the operating system. Some of them may be malicious. If you don't disable them, there is no point in thinking about how to remove advertising banners in your browser. The operations will not have a lasting result: after the first reboot of the PC, the spam will be restored.

How to remove a banner from your computer? Are the programs removed? Then you need to:

  1. Press Ctrl + Alt + Del on your keyboard.
  2. Select the "Task Manager" service.
  3. Go to the "Processes" tab.
  4. Select all suspicious and unfamiliar processes with the cursor.
  5. Press the "Finish..." button.

A warning will appear on the display. It states that terminating processes can disrupt the operation of the OS. After accepting the warning, the user must end the suspicious processes.

Clear cache and history

How to remove banners in the browser? It is not the easiest operation, but it is quite manageable. Sometimes it is enough to simply clear the history and the cache in the Internet browser.

In all browsers, the list of visited pages can be found in the settings. For example, the following steps are possible:

  1. Open settings in Chrome or Yandex.
  2. Go to the "History" block.
  3. Click on the "Clear history" button.
  4. Check the boxes next to “All history” and “Clear cache”.

In some versions of Internet browsers, after entering the settings, you have to look for the "Extra options" section. Both the history and the cache data can be found there.

In Opera, cleaning these sections comes down to finding and deleting the folder located at:

C:\Documents and Settings\username\Application Data\Opera.

Mozilla is another popular Internet browser. In it, the parameters are reset as follows:

  1. Go to browser settings.
  2. Open the Help menu.
  3. Click on the line "Information for solution...".
  4. Click on the inscription "Reset...".

Now all that remains is to restart the browser. Everything is working? Then you don't need to do anything else. But what if advertisements and banners still appear?

Shortcut Properties

Some users find it helpful to check the properties of their browser shortcuts. To remove a banner advertisement, you will have to:

  1. Select the shortcut for the browser you are using.
  2. Right-click it.
  3. Go to "Properties".
  4. In the "General" block, look at the "Object" line.
  5. Erase everything written after the browser's executable file name (the .exe file).
  6. Save changes.

These steps are suitable for all Internet access programs. After them it is better to restart the computer.

Host and crystal clear

How to remove a banner from your computer? Some viruses write their own entries into the hosts file, so you will have to work with it a little.

The user needs to go to:

C:\Windows\System32\drivers\etc.

  1. Open the "hosts" file with Notepad.
  2. Erase everything written in the document.
  3. Save the modified file.
  4. Remove any duplicate "hosts" files.

In some cases, it is easier to select the file and delete it while holding down the Shift key.
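The steps above erase the file without looking at it. As an added example (not part of the original article), this Python sketch reads hosts-file text and reports every active entry other than the standard localhost lines, with its line number, so entries buried under blank lines are not missed. The sample file content, the domain names and the function names `parse_hosts` and `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Constructed sample: a hosts file with extra entries pushed far below
# the visible part of the file by a run of blank lines.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    + "\n" * 40 +
    "203.0.113.7  social.example www.social.example  # constructed\n"
    "127.0.0.1  update.antivirus.example\n"
    "not-an-ip  broken.example\n"
)


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every active line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], fields[1:]


def audit_hosts(text):
    """Return findings for every entry other than loopback -> localhost.

    kind is "remote" when the name is sent to another machine's address,
    "local" when it is pinned to loopback/0.0.0.0 (the name becomes
    unreachable), and "malformed" when the first field is not an IP.
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", addr, names))
            continue
        local = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name.lower() == "localhost" and ip.is_loopback:
                continue                      # the stock entries
            kind = "local" if local else "remote"
            findings.append((line_no, kind, addr, [name]))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Keep the printed findings with your notes before clearing the file: the listed names show which sites the infection interfered with.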

Antiviruses come to the rescue

Need to figure out how to remove a banner from Yandex? If the above tips do not bring results, you will have to move on. For example, you can scan your computer for viruses.

To do this you just need to run the antivirus and click on the "Deep Scan" button. Any software will do: Kaspersky, NOD32, or Avast. Once the procedure is completed, you will need to disinfect all potentially dangerous objects. Anything that cannot be disinfected should be removed.

These operations are started through the antivirus's standard controls, so no special skills or knowledge are required from the user.

The computer registry must be clean

We figured out how to remove the banner. What other tips will help you cope with this task?

To automatically clean your computer's registry, you will need to:

  1. Launch CCleaner.
  2. Click on the "Registry" section.
  3. Click on the "Analysis" button.
  4. Select the "Cleanup" option. It will appear after scanning the system.

After the procedure is completed, the registry will be clean. You can reboot the OS and see if there is any result. It is important that all browsers are closed when working with the utility.

Extreme measures

But that's not all. To remove a pop-up banner in a browser, some people are ready to go to extreme measures. Usually it doesn't come to that, but such situations cannot be ruled out either. What are they?

To get rid of any virus in the browser, you can simply delete the Internet browser together with all user data. By reinstalling the software (not to be confused with updating it), you will be able to resume work with a working browser. Before uninstalling, it is better to make copies of your bookmarks, if any.

In some cases, the operating system works normally again after an OS rollback. The operation is carried out using standard Windows tools. You can find the required section under "Start", in the folder "All Programs" - "Accessories" - "Service". Following the instructions on the screen, the "victim" will restore the system in a few minutes.

The last way to get rid of banners and viruses in general is to completely reinstall Windows. It requires an installation disk. During the operation, it is recommended to completely format the computer's hard drive (HDD). This is the only way to get rid of all existing computer infections 100%.

Hello, friends! In this article we will look at ways to remove a banner from the desktop. This can happen not only after visiting sites with erotic content, but also when using cracks or keygens downloaded from unknown sources. Therefore, try to download software only from manufacturers' websites. If you get a suspicious file, don't be lazy: check it for viruses online. Such banners are usually called extortionists, as they demand money from the user. This can take the form of sending an SMS to a short number or topping up an account in an electronic payment system. Fraudsters usually write on such banners that the user has violated the law and is required to pay a fine. In this article we will tell you how to unblock your computer from such banners.

These services are easy to use, but there are no guarantees. You can spend a lot of time but still not unlock the system. But you definitely need to try it.

To use, you need a device (another computer, tablet or phone) with Internet access. Go to any of the listed addresses. Let's take Kaspersky for example.

In a special field you must enter the phone number or account to which you are told to transfer money. If you are asked to send an SMS to a short number, then write down this number and, separated by a colon, the text that needs to be sent. Then press the button to get the code.

The search results will appear below. Choose your banner and try the codes against it.

If you haven't found your banner, try the Dr.Web or ESET website. If this method did not help remove the banner from your desktop, read on.

Using System Restore

This option is good if you have this function enabled. If System Restore was disabled, proceed to the next step.

To remove the banner from the desktop using System Restore, restart the computer and press F8 repeatedly during boot. If a list of devices from which booting is possible appears, select your drive (hard drive or SSD) and continue pressing F8. A menu of boot options should appear. Select the item System Troubleshooting, which is highlighted by default.

A window will load where you need to select a language, then a user. Next there will be a window with a choice of several recovery options. Choose System Restore. Then select a restore point and return the computer to its state at that point in time. First, take the nearest restore point; if that doesn't help, restore to an earlier one.

You can read more about how to use System Restore.

Removing the banner from safe mode

By checking Dr.Web Cureit or analogues

There are banners that are not active in safe mode. You need to take advantage of this. To prepare for treatment, you need to download the Dr.Web Cureit utility on a healthy computer by opening the following link in your browser.

To remove a banner from your desktop by cleaning the registry, you need to check several points in the registry.

On the left side of the window go to the address

HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Run

Go to the right side and delete all items except (Default), which has no value assigned. To delete an item, right-click it and select Delete. This removes the banner from Windows startup. (You can read separately about how to manage startup in Windows 7 and Windows 8 when the computer is in working order.)

All the above steps must also be performed in the section

HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run

There are two more places left to check

HKEY_CURRENT_USER -> Software -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon

In this key, check that the Shell and Userinit entries are absent. If they are there, delete them.

HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon

In this key, check the values of the same two entries:

Shell = explorer.exe

Userinit = C:\Windows\system32\userinit.exe, (comma required)

If the values are different, correct them.

Close the registry editor and, to be on the safe side, check the computer with the Dr.Web Cureit utility or an analogue if you did not check it before editing the registry.

After checking, reboot into normal mode and check whether the banner is removed.

Using Kaspersky WindowsUnlocker to remove a banner from the desktop

Using this utility, you can disinfect all operating systems installed on your computer. It does automatically what we did manually in the previous section. This utility is included in Kaspersky Rescue Disk.

You can download the Kaspersky Rescue Disk image from the official website here

To write it to a USB device, it is better to use the utility from the manufacturer.

In the program window, use the Review button to specify the path to the Kaspersky Rescue Disk image. Insert the USB drive into the computer, and it will immediately appear in the appropriate section. If this does not happen, select it manually.

Attention! Save all important data from your USB drive.

Once everything is set, press the START button.

The image will be written to the USB drive. If the process completes successfully, you will see a confirmation window. Click OK and close the rescue2usb program.

Now you need to boot the infected computer from the prepared USB drive. To do this, insert the USB flash drive into the computer and reboot. While the computer boots, press F8 several times to call up the list of devices from which it can boot. Select the connected USB drive. (There may be two entries in this list offering to boot from USB. Try one first, then the other.) If you can't boot from the flash drive, you need to set booting from a USB drive in the BIOS. You can read how to do this.

Once everything is set, the computer will boot from the USB drive and you will see a prompt window. You must press any key within 10 seconds.

Select the required language using the arrows on the keyboard

You must accept the license by pressing button 1 on the keyboard

Select the Kaspersky Rescue Disk boot mode. If you don't have a mouse, choose text mode. In all other cases, select graphics mode.

In the terminal we type windowsunlocker and press Enter

If you have selected text mode, press F10 to close the menu that appears, type windowsunlocker in the line below the file manager, and press Enter.

To remove the banner from the desktop, press 1.

After all the manipulations, you must press 0 - Exit.

After unlocking the operating system, you need to update the Kaspersky Rescue Disk databases and run a full scan of the computer. To do this, open the main menu and select Kaspersky Rescue Disk. Go to the update tab and click Perform update. The computer must be connected to the Internet for this.

Go to the tab Checking objects and select all objects in field 2 with checkboxes. Click Perform object check.

Wait until the scan is completed and delete or cure the malicious files found. Afterwards, reboot in normal mode and check whether the banner is removed from the desktop.

Fixing the boot record

If the virus loads immediately when you turn on the computer before the operating system logo appears, then this infection has changed the boot record of your drive.

You need to go to the Windows Recovery Console and try to restore the boot record.

To open the recovery console, press F8 at boot, as when selecting safe mode. A window with a choice of boot options will appear. The item selected by default, at the very top, is System Troubleshooting. Select this item by pressing Enter.

Afterwards, a window for selecting a user and entering a password will appear. Select a user, enter the password if you have one, and click Next.

A window will then appear with system recovery options. There you can choose to restore the computer from an image (which is made by backing up data in Windows), perform a system restore (if it is enabled; see point 3 of this article), and much more. Select the last item, Command line.

In it, type BOOTREC.EXE /FixBoot

Then reboot and check whether the banner has been removed from the desktop.

Checking the drive on a healthy computer

If you have the opportunity to check your drive on another computer, do so.

Turn off your computer. Disconnect the hard drive. With the other computer turned off, connect the drive to it. Boot up. Update the antivirus databases and check the connected disk for viruses. I like this option the most, when it is available. If it is not, use the options described above.

Reinstalling Windows

This is the last resort. If none of the above helps, then you need to reinstall the operating system. If you have important information on the desktop or in the My Documents folder, boot from any boot disk (for example, Kaspersky Rescue Disk) and copy the information from drive C to any other drive.

  • Windows XP with a USB system recovery drive can be a big help in critical situations. I highly recommend turning it on and allocating several gigabytes for it in the settings. If recovery fails, then proceed to treatment in safe mode. Unless, of course, the virus blocks everything there with its banner.

    If safe mode does not work, then Kaspersky Windows Unlocker, as part of Kaspersky Rescue Disk, is the perfect solution. If possible, you can and should check your drive on the healthy machine of a relative, friend or neighbor. Don't worry, the virus won't jump to the other computer. If the virus has written itself into the boot record, then try the recovery console. If all else fails (which is unlikely), then it is better to reinstall the operating system.


Often, users become victims of viruses that seriously interfere with working in Windows. A striking example is blocking the desktop using a banner. This happens if you haven't taken care of protecting your computer. You cannot perform any actions, the OS is locked, and the screen says something like “You have broken the law. Top up such and such a mobile number, otherwise you will lose all your data.” This article describes how to remove such a banner from the desktop of your computer.

Please understand that this is a scam. You didn’t violate anything; there are no provisions in the law regarding blocking users’ desktops. Under no circumstances follow the lead of scammers and do not send them your money.

Most likely, this will not even help - unlocking using a code is unlikely to help get rid of the virus, and the banner will remain on the computer.

Often, to get rid of such problems, it is recommended to simply reinstall the operating system. Of course, removing and reinstalling Windows will definitely help. But this is the long way. Don't forget that you will still need to install all the necessary drivers and programs.

This article discusses simpler and quicker ways to get rid of ransomware banners.

Starting in Safe Mode

If you find that a banner pops up at Windows startup and blocks all computer functions, you need to start the operating system in diagnostic mode. To do this, follow the instructions provided:


This will take you to the Windows diagnostic mode. If you succeeded and the banner is not here, move on to the next part of the guide. If the lock is also present in this mode, you will need to start the PC using a LiveCD (described below).

Typically, a banner virus modifies some entries in the registry, which causes Windows to malfunction. Your task is to find all these changes and eliminate them.

Editing the Registry

Open the Run dialog using the Win + R key combination. In the window that opens, enter the command “regedit” and press Enter. You will be taken to the Registry Editor. Follow the instructions carefully so you don't miss anything.

Using the tree on the left side of the program window, open the following keys:

· HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run

Here you need to find the entry responsible for autorunning your banner when the system starts and remove it. Right-click the entry and select the “Delete” option in the context menu that opens. Feel free to delete anything suspicious; it will not affect the operation of your system in any way. If you delete something you did not need to, such as Skype autostart, you can get everything back.

· HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon

In this key, find the parameter called “Shell” and assign it the value “explorer.exe”. Next, find the “Userinit” entry and give it the value "C:\Windows\system32\userinit.exe". To edit an entry, simply double-click it.

· HKEY_CURRENT_USER/Software/Microsoft/Windows NT/CurrentVersion/Winlogon

Also look for the "Userinit" and "Shell" entries. Write down their values somewhere: these are the paths to your banner. Delete both entries. They shouldn't be in this key.
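Both registry walkthroughs on this page (the Run and Winlogon checks in the safe-mode section and the ones above) come down to the same comparison, shown here as an added Python example that is not from the original article. It parses registry text exported with regedit or `reg export`, flags Shell and Userinit values that differ from the ones the article gives, and lists Run entries for review; the sample export, the file names in it and the function names are constructed, and Windows is assumed to be on C:.

```python
import re

# Constructed sample of .reg text; the .exe names under Users\Public are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\Public\\banner.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\lock.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\Public\\banner.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@=""
"Updater"="C:\\Users\\Public\\lock.exe /s"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="data" or @="data"; only string (REG_SZ) values are parsed.
VAL_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)="(?P<data>(?:[^"\\]|\\.)*)"$')
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
RUN = r"software\microsoft\windows\currentversion\run"
# Expected HKLM values as given in the article; assumes Windows is on C:.
EXPECTED = {"shell": "explorer.exe",
            "userinit": r"c:\windows\system32\userinit.exe"}


def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes \ and " with a backslash


def parse_reg(text):
    """Map lower-cased key path -> {lower-cased value name: string data}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key").lower(), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = unescape(m.group("name") or "")   # "" means (Default)
            current[name.lower()] = unescape(m.group("data"))
    return keys


def audit(text):
    """Return (key, value name, data, reason) for every entry to look at."""
    findings = []
    for key, values in parse_reg(text).items():
        hive, _, sub = key.partition("\\")
        if sub == WINLOGON:
            for name in ("shell", "userinit"):
                if name not in values:
                    continue
                data = values[name]
                # Accept the value with or without the trailing comma.
                normal = data.strip().lower().rstrip(",")
                if hive == "hkey_current_user":
                    findings.append((key, name, data, "should not exist in HKCU"))
                elif normal != EXPECTED[name]:
                    findings.append((key, name, data, "unexpected value"))
        elif sub == RUN:
            for name, data in values.items():
                if name or data:                     # skip the empty (Default)
                    findings.append((key, name, data, "autorun entry to review"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

`reg export` writes UTF-16 text, so open the exported file with `encoding="utf-16"` before passing its contents to `audit`.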

Prevention

After you have managed to remove all the extra entries from the Windows registry, you can close the editor and restart your computer. The system should start without any problems.

Now you need to remove the “tails” that are left from the malicious script. Open Windows Explorer (My Computer). Find the files that were referenced by the "incorrect" Shell and Userinit parameters and delete them.

After this, it is very important to scan the system with an antivirus program, preferably with the deepest scan available in your antivirus. If you do not have any system protection, download and install some immediately. For example, you can use the free program from Microsoft, Security Essentials. You can download it from this link - https://www.microsoft.com/ru-ru/download/details.aspx?id=5201.

The guide goes on to describe how to remove the banner if it opens even during startup.

Creating a Live CD from Kaspersky

If you are unable to remove the banner through safe mode, you should use a LiveCD. This is a special mini-OS that is recorded on a disk or flash drive. With its help, you can boot and edit a damaged registry or run a utility that fixes the problems automatically.

For example, you can use the free service from Kaspersky Lab. To do this you need to create a bootable USB flash drive or a disk on another, working computer:

Unlocking via Kaspersky Live CD

To remove the effects of virus infection, you will need to do the following:

Installation disk

You can also use the installation disk from your operating system to get rid of the consequences of virus infection. You have to resort to this when the banner appears immediately after the BIOS beep and you do not have the opportunity to use other means.

Insert the installation disk or a bootable USB flash drive with an image of your system and restart the PC. Call up the Boot Menu and select booting from external media. If necessary, press any key on the keyboard. The rest of the cleanup after the virus attack is described using Windows 7 as the example.

Select the interface language and click “Next”. At the bottom of the screen, click on the hyperlink "System Restore". A new window will open in which you will need to select "Command line".

In the console that opens, enter the command “bootrec.exe /FixMbr” and press Enter. After that, enter another command - “bootrec.exe /FixBoot” and press Enter again. Also enter the line “bcdboot.exe c:\windows” (If the system is installed on a different drive, you need to specify it). Reboot your PC and the problem will be solved.






