How to get rid of the ransomware banner. We remove banner viruses in different ways


I ask for your possible participation in my problem. My question is this: how to remove a banner, “Send SMS”, on the Windows 7 operating system. By the way, the second system on my computer, Windows XP, was also blocked by a banner a month ago; I’m such an unfortunate user. I can’t enter safe mode, but I managed to enter Computer Troubleshooting and from there run System Restore, and the error came up: “There are no restore points on the system disk of this computer.”

It was not possible to find the unlock code on the Dr.Web website, nor on ESET’s. Recently, I managed to remove such a banner for a friend using the ESET NOD32 LiveCD System Recovery Disk, but in my case it does not help. I also tried Dr.Web LiveCD. I set the clock in the BIOS forward by a year; the banner did not disappear. On various forums on the Internet, it is advised to correct the UserInit and Shell parameters in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. But how do I get there? Using a LiveCD? Almost all LiveCD disks do not connect to the operating system, and operations such as editing the registry, viewing startup objects, as well as event logs, are not available from such a disk, or am I mistaken?

In general, there is information on how to remove a banner on the Internet, but mostly it is not complete, and it seems to me that many people copy this information from somewhere and publish it on their website just so that it is there, but ask them how it all works and they will shrug their shoulders. I think this is not your case, but in general I really want to find and remove the virus myself; I’m tired of reinstalling the system. And the last question: is there a fundamental difference in the methods of removing ransomware banners in the Windows XP and Windows 7 operating systems? Can you help?

How to remove a banner

There are quite a few ways to get rid of this virus (it is also called Trojan.Winlock), but if you are a novice user, all these methods will require patience, endurance and an understanding that you have encountered a serious enemy. If you are not afraid, let’s get started.

  • The article turned out to be long, but everything said actually works in both the Windows 7 and Windows XP operating systems; if there is a difference somewhere, I will definitely note this point. The most important thing to know: removing the banner and getting the operating system back quickly won’t always work, but it’s useless to put money into the extortionist’s account, since you won’t receive any unlock code in return, so there is an incentive to fight for your system.
  • Friends, in this article we will work with the Windows 7 recovery environment, or more precisely with the recovery environment command line. I will give you the necessary commands, but if it is difficult for you to remember them, you can. This will make your work much easier.

Let's start with the simplest and end with the complex. How to remove a banner using safe mode. If your Internet surfing ended unsuccessfully and you unintentionally installed malicious code, then you need to start with the simplest thing: try to enter Safe Mode (unfortunately, in most cases you will not succeed, but it’s worth a try). You have a better chance of entering Safe Mode with Command Line Support. You need to do the same thing in both modes, so let's look at both options.

In the initial phase of loading the computer, press F8, then select Safe Mode. If you manage to log into it, then you can say you are very lucky and the task is simplified for you. The first thing you need to try is to roll back some time using restore points. For those who don’t know how to use System Restore, read our separate article on it. If System Restore doesn't work, try something else.

In the Run line, type msconfig and look through the Startup tab; there should be nothing suspicious there.

There shouldn't be anything in the Startup folder either. It is located at

C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

Important Note: Friends, in this article you will have to deal mainly with folders that have the Hidden attribute (for example AppData, etc.), so as soon as you get into Safe Mode or Safe Mode with Command Line Support, immediately turn on the display of hidden files and folders in the system; otherwise you simply won’t see the folders in which the virus is hidden. It's very easy to do.

Windows XP
Open any folder and click on the “Tools” menu, select “Folder Options”, then go to the “View” tab. Then, at the very bottom, check the “Show hidden files and folders” item and click OK.

Windows 7
Start -> Control Panel -> View: Category / Small Icons -> Folder Options -> View. At the very bottom, check the box “Show hidden files and folders”.

So let's return to the article. Let's look at the Startup folder; you shouldn't have anything in it.

Make sure that in the root of the drive (C:), there are no unfamiliar or suspicious folders and files, for example, with such an incomprehensible name OYSQFGVXZ.exe, if there are any, you need to delete them.

Now attention: in Windows XP, we delete suspicious files (an example is visible above in the screenshot) with strange names and the extension .exe from the following folders:

C:\
C:\Documents and Settings\Username\Application Data
C:\Documents and Settings\Username\Local Settings
C:\Documents and Settings\Username\Local Settings\Temp - delete everything from here; this is the temporary files folder.

Windows 7 has a good level of security and in most cases will not allow malicious programs to make changes to the registry, so the vast majority of viruses instead try to get into the temporary files directory:
C:\USERS\username\AppData\Local\Temp, from where an executable .exe file can be run. For example, here is an infected computer: in the screenshot we see the virus file 24kkk290347.exe and another group of files created by the system almost at the same time as the virus; everything needs to be deleted.

There should be nothing suspicious in them; if there is, we delete them.

And also be sure to:

In most cases, the above steps will remove the banner and allow the system to boot normally. After a normal boot, scan your entire computer with a free anti-virus scanner with the latest updates, Dr.Web CureIt; download it from the Dr.Web website.

  • Note: You can immediately infect a normally booted system with the virus again by going online, since the browser will open all pages of sites you have visited recently, and among them there will naturally be the virus site; a virus file may also be present in the temporary folders of the browser. Find and delete the profile folder of the browser you used recently at C:\Users\Username\AppData\Roaming\Browser name (Opera or Mozilla, for example) and in one more place, C:\Users\Username\AppData\Local\Your browser name, where (C:) is the partition with the installed operating system. Of course, after this action all your bookmarks will disappear, but the risk of becoming infected again is significantly reduced.

Safe Mode with Command Line Support.

If after all this your banner is still alive, don’t give up and read on. Or at least go to the middle of the article and read the full information about correcting registry settings in case of infection with banner ransomware.

What should I do if I couldn’t enter Safe Mode? Try Safe Mode with Command Line Support. There we do the same thing, but there is a difference between the Windows XP and Windows 7 commands.

Apply System Restore.
In Windows 7, enter rstrui.exe and press Enter - we get to the System Restore window.

Or try typing the command explorer: something like a desktop will load, where you can open My Computer and do everything the same as in Safe Mode: check your computer for viruses, look at the Startup folder and the root of the drive (C:), as well as the temporary files directory, edit the registry as necessary, and so on.

To get into Windows XP System Restore, type in the command line: %systemroot%\system32\restore\rstrui.exe

To get into Explorer and the My Computer window in Windows XP, as in Windows 7, type the command explorer.


Here you first need to type the command explorer and you will be taken directly to the desktop. Many people cannot switch the default Russian keyboard layout to English in the command line using the Alt+Shift combination; then try Shift+Alt the other way around.

From here go to the Start menu, then Run, and then select Startup and delete everything from it. Then do everything you did before in the root of the drive (C:), delete the virus from the temporary files directory C:\USERS\username\AppData\Local\Temp, and edit the registry as necessary (everything is described above in detail).

System Restore. Things will be a little different if you are unable to get into either Safe Mode or Safe Mode with Command Line Support. Does this mean that we will not be able to use System Restore? No: you can still roll back using restore points, even if your operating system does not boot in any mode. In Windows 7 you need to use the recovery environment: in the initial phase of booting the computer, press F8 and select Troubleshooting your computer from the menu,

In the Recovery Options window, select System Restore again.

Now pay attention, if when you press F-8 menu Troubleshooting is not available, it means your files containing the Windows 7 recovery environment are damaged.

  • Is it possible to do without a Live CD? In principle, yes, read the article to the end.

Now let's think about what we will do if we cannot start System Restore by any means or it was completely disabled. First, let's see how to remove the banner using an unlock code, which is kindly provided by the companies that develop anti-virus software: Dr.Web, ESET NOD32 and Kaspersky Lab. In this case you will need the help of friends. One of them needs to go to an unlocking service, for example Dr.Web

https://www.drweb.com/xperf/unlocker/

ESET NOD32

http://www.esetnod32.ru/.support/winlock/

or Kaspersky Lab

http://sms.kaspersky.ru/ and enter in the field there the phone number to which you are asked to transfer money to unlock the computer, then click the button “Search for codes”. If an unlock code is found, enter it into the banner window and click Activation or whatever it says; the banner should disappear.

Another simple way to remove the banner is to use a recovery disk, or, as they are also called, a rescue disk from Dr.Web or ESET NOD32. The whole process, from downloading and burning the image onto a blank CD to checking your computer for viruses, is described in detail in our articles; you can follow the links, so we won’t dwell on this. By the way, rescue disks from antivirus companies are not bad at all: they can be used like LiveCDs to carry out various file operations, for example to copy personal data from an infected system or to run the healing utility from Dr.Web, Dr.Web CureIt, from a flash drive. And the ESET NOD32 rescue disk has a wonderful thing that has helped me more than once, Userinit_fix, which corrects the important Userinit setting in the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon on a computer infected with the banner.

How to fix all this manually, read on.
Well, my friends, if anyone is still reading the article further, I am very glad for you: now the fun begins. If you manage to learn and, especially, apply this information in practice, many ordinary people whom you free from the ransomware banner will consider you a real hacker.

Let's not deceive ourselves: personally, everything described above helped me in exactly half of the cases where a computer was blocked by the blocking virus Trojan.Winlock. The other half requires a more careful consideration of the issue, which is what we will do now.
In fact, when blocking your operating system, whether Windows 7 or Windows XP, the virus makes changes to the registry, to the Temp folders containing temporary files, and to the C:\Windows\system32 folder. We must correct these changes. Don’t forget about the Start->All Programs->Startup folder either. Now about all this in detail.

  • Take your time, friends, first I will describe where exactly what needs to be fixed is located, and then I will show you how and with what tools.

In Windows 7 and Windows XP, the ransomware banner affects the same UserInit and Shell parameters in the registry, in the branch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Ideally they should look like this:
Userinit - C:\Windows\system32\userinit.exe,
Shell - explorer.exe

Check everything letter by letter: sometimes instead of userinit you come across, for example, usernit or userlnlt.
You also need to check the AppInit_DLLs parameter in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs; if you find something there, for example C:\WINDOWS\SISTEM32\uvf.dll, all of it needs to be deleted.

There should be nothing suspicious in these keys either:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

And also be sure to check:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (must be empty); in general there should be nothing superfluous here either. ParseAutoexec must be equal to 1.
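The registry check above can be automated against the SOFTWARE hive of a non-booting installation, from a WinPE/DaRT shell or a second machine with the infected disk attached. This is an added example, not code from the original article; it assumes the infected system drive is mounted as D:, the hive is loaded under a temporary key named HKLM\Infected, and PowerShell 3.0 or newer is available. It only reports; nothing is changed.

```powershell
# Added example: audit the Winlogon, AppInit_DLLs and Run/RunOnce values listed
# in the article in an OFFLINE SOFTWARE hive. The HKEY_CURRENT_USER keys live
# in each user's NTUSER.DAT and are not covered here.
$SystemDrive = 'D:'          # assumption: infected system drive letter
$MountName   = 'Infected'    # assumption: temporary key name for the loaded hive
$HivePath    = Join-Path $SystemDrive 'Windows\System32\config\SOFTWARE'

# Expected values from the article (the trailing comma after userinit.exe is normal).
$Expected = @{
    Userinit = 'C:\Windows\system32\userinit.exe,'
    Shell    = 'explorer.exe'
}

function Test-RegValue {
    param([string]$Key, [string]$Name, [string]$Good)
    $item   = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $actual = if ($item) { [string]$item.$Name } else { $null }
    if ($null -eq $actual)               { $status = 'MISSING' }
    elseif ($actual.Trim() -eq $Good)    { $status = 'OK' }        # -eq is case-insensitive
    else                                 { $status = 'SUSPICIOUS' }
    [pscustomobject]@{ Value = "$Key\$Name"; Actual = $actual; Expected = $Good; Status = $status }
}

# reg.exe exists even in a bare WinPE shell; the hive must not be in use by a running Windows.
& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath (is Windows still running from it?)" }

try {
    $Base     = "HKLM:\$MountName"
    $Winlogon = "$Base\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $Windows  = "$Base\Microsoft\Windows NT\CurrentVersion\Windows"

    $Findings  = @()
    $Findings += Test-RegValue $Winlogon 'Userinit' $Expected.Userinit
    $Findings += Test-RegValue $Winlogon 'Shell'    $Expected.Shell

    # AppInit_DLLs: any DLL listed here is loaded into every user-mode process, so it must be empty.
    $appinit = (Get-ItemProperty -Path $Windows -ErrorAction SilentlyContinue).AppInit_DLLs
    $appinitStatus = if ([string]::IsNullOrWhiteSpace($appinit)) { 'OK' } else { 'SUSPICIOUS' }
    $Findings += [pscustomobject]@{ Value = "$Windows\AppInit_DLLs"; Actual = $appinit
                                    Expected = '<empty>'; Status = $appinitStatus }

    # Run / RunOnce: list every entry for manual review; flag the article's tell-tale
    # pattern (an executable started from a Temp directory) explicitly.
    foreach ($sub in 'Run', 'RunOnce') {
        $key  = "$Base\Microsoft\Windows\CurrentVersion\$sub"
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }      # skip provider metadata
            $flag = if ("$($prop.Value)" -match '\\Temp\\') { 'SUSPICIOUS' } else { 'REVIEW' }
            $Findings += [pscustomobject]@{ Value = "$key\$($prop.Name)"; Actual = $prop.Value
                                            Expected = '(manual review)'; Status = $flag }
        }
    }

    $Findings | Format-Table -AutoSize -Wrap
}
finally {
    [GC]::Collect()                                   # drop handles so the hive can be unloaded
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

A value reported as SUSPICIOUS for Userinit or Shell is the symptom the article describes; compare it letter by letter before editing, because lookalike names such as usernit are the point.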

You also need to delete EVERYTHING from the temporary folders (there is also an article on this topic), but in Windows 7 and Windows XP they are located slightly differently:

Windows 7:
C:\Users\Username\AppData\Local\Temp (viruses especially like to settle here)
C:\Windows\Temp
C:\Windows\

Windows XP:
C:\Documents and Settings\User Profile\Local Settings\Temp
C:\Documents and Settings\User Profile\Local Settings\Temporary Internet Files
C:\Windows\Temp
C:\Windows\Prefetch

In both systems it will not be superfluous to look at the C:\Windows\system32 folder for all files ending in .exe and .dll with a date matching the day your computer was infected by the banner. These files need to be deleted.
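The file search just described (executables in System32 dated the day of infection, everything executable in the Temp folders, anything at all in the Startup folders) can be done from a WinPE/DaRT shell with the infected disk attached. This is an added example, not code from the original article; it assumes the infected drive is attached as D:, that you pass the infection date, and PowerShell 3.0 or newer. It lists candidates and does not delete anything, so you can review the list first.

```powershell
# Added example: list candidate files in the directories the article names.
# Usage from a WinPE/DaRT shell (assumed paths): .\Find-BannerFiles.ps1 -SystemDrive D: -InfectionDate '2012-03-15'
param(
    [string]$SystemDrive = 'D:',                  # assumption: infected system drive
    [datetime]$InfectionDate = (Get-Date).Date    # assumption: day the banner appeared
)

$DayStart = $InfectionDate.Date
$DayEnd   = $DayStart.AddDays(1)

# Directories from the article: Windows 7 first, then Windows XP. '*' expands to every profile.
$TempDirs = @(
    'Windows\Temp', 'Windows\Prefetch',
    'Users\*\AppData\Local\Temp',
    'Documents and Settings\*\Local Settings\Temp',
    'Documents and Settings\*\Local Settings\Temporary Internet Files'
)
$StartupDirs = @(
    'Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup',
    'Documents and Settings\All Users\Start Menu\Programs\Startup',
    'Documents and Settings\*\Start Menu\Programs\Startup'
)
$System32 = 'Windows\System32'

function Get-SuspectFiles {
    param([string]$Root, [string[]]$RelativeDirs, [string[]]$Include, [switch]$DateOnly)
    foreach ($rel in $RelativeDirs) {
        $pattern = Join-Path $Root $rel
        # Resolve-Path expands the profile wildcard and silently skips folders that do not exist.
        foreach ($dir in @(Resolve-Path $pattern -ErrorAction SilentlyContinue)) {
            Get-ChildItem -Path $dir.Path -Include $Include -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                Where-Object { -not $DateOnly -or ($_.LastWriteTime -ge $DayStart -and $_.LastWriteTime -lt $DayEnd) } |
                ForEach-Object {
                    [pscustomobject]@{
                        Area    = $rel
                        Path    = $_.FullName
                        Written = $_.LastWriteTime
                        SizeKB  = [math]::Round($_.Length / 1KB, 1)
                        Hidden  = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)  # -Force shows these
                    }
                }
        }
    }
}

$report = @()
# System32: only executables and DLLs written on the infection day (everything else there is normal).
$report += @(Get-SuspectFiles -Root $SystemDrive -RelativeDirs @($System32) -Include '*.exe', '*.dll' -DateOnly)
# Temp folders: the article says to clear them completely, so list every executable they hold.
$report += @(Get-SuspectFiles -Root $SystemDrive -RelativeDirs $TempDirs -Include '*.exe', '*.dll', '*.scr', '*.bat', '*.cmd')
# Startup folders: anything at all is worth a look.
$report += @(Get-SuspectFiles -Root $SystemDrive -RelativeDirs $StartupDirs -Include '*')

$report | Sort-Object Written -Descending | Format-Table -AutoSize -Wrap
```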

Now watch how a beginner and then an experienced user will do all this. Let's start with Windows 7 and then move on to XP.

How to remove a banner in Windows 7 if System Restore was disabled?

Let's imagine the worst case scenario. Login to Windows 7 is blocked by a ransomware banner. System Restore is disabled. The easiest way is to enter the Windows 7 system using a simple recovery disk (you can do it directly in the Windows 7 operating system - described in detail in our article), you can also use a simple Windows 7 installation disk or any simple LiveCD. Boot into the recovery environment, select System Restore, then select the command line

and type notepad in it; you get into Notepad, then File and Open.

We go into the real explorer, click My Computer.

We go to the folder C:\Windows\System32\Config, here we indicate the File Type - All files and see our registry files, we also see the RegBack folder,

in it, every 10 days the Task Scheduler makes a backup copy of the registry keys - even if you have System Restore disabled. What you can do here is to delete the SOFTWARE file from the C:\Windows\System32\Config folder, which is responsible for the HKEY_LOCAL_MACHINE\SOFTWARE registry hive; most often the virus makes its changes here.

And in its place, copy and paste a file with the same name SOFTWARE from the backup copy of the RegBack folder.

In most cases, this will be enough, but if you wish, you can replace all five registry hives from the RegBack folder in the Config folder: SAM, SECURITY, SOFTWARE, DEFAULT, SYSTEM.

Next, we do everything as written above - delete files from the Temp temporary folders, look through the C:\Windows->system32 folder for files with the extension .exe and dll with the date on the day of infection, and of course look at the contents of the Startup folder.

In Windows 7 it is located:

C:\Users\ALEX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

Windows XP:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup.

  • How do experienced users do the same thing? Do you think they use a simple LiveCD or a Windows 7 recovery disc? Far from it, friends: they use a very professional tool, Microsoft Diagnostic and Recovery Toolset (DaRT) Version 6.5 for Windows 7. This is a professional collection of utilities located on one disk and needed by system administrators to quickly restore important operating system parameters. If you are interested in this tool, read our article.

By the way, it can connect directly to your Windows 7 operating system. By booting your computer from the Microsoft recovery disk (DaRT), you can edit the registry, reset passwords, delete and copy files, use System Restore, and much more. Without a doubt, not every LiveCD has such functions.
We boot our computer from this, as it is also called, Microsoft recovery disk (DaRT). We refuse to initialize the network connection in the background if we do not need the Internet.

Assign drive letters in the same way as on the target system - we say Yes, it’s more convenient to work this way.

Choose the Russian layout and continue. At the very bottom we see what we need: Microsoft Diagnostic and Recovery Toolset. Open the registry editor and check the UserInit and Shell parameters described above, as well as the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs; it should be empty.

You and I can also access startup using the Computer Management tool.

Explorer tool - no comments, here we can carry out any operations with our files: copy, delete, run an anti-virus scanner from a flash drive, and so on.

In our case, we need to clear all temporary Temp folders; you already know how many there are and where they are in Windows 7 from the middle of the article.
But attention! Since the Microsoft Diagnostic and Recovery Toolset is fully connected to your operating system, you will not be able to delete, for example, the registry files SAM, SECURITY, SOFTWARE, DEFAULT and SYSTEM, because they are in use; instead, make changes to them directly.

How to remove a banner in Windows XP

Again, it’s a matter of the tool, I suggest using ERD Commander 5.0 (link to the article above), as I said at the beginning of the article, it is specially designed to solve similar problems in Windows XP. ERD Commander 5.0 will allow you to directly connect to the operating system and do everything we did with the Microsoft Diagnostic and Recovery Toolset in Windows 7.
We boot our computer from the recovery disk. We select the first option - connecting to an infected operating system.

Select the registry.

We look at the UserInit and Shell parameters in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon branch. As I said above, they should have these values:
Userinit - C:\Windows\system32\userinit.exe,
Shell - explorer.exe

Also look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs - it should be empty.

Next, go to Explorer and delete everything from the temporary Temp folders.
How else can you remove a banner in Windows XP using ERD Commander (by the way, this method is applicable to any Live CD)? You can try to do this even without connecting to the operating system. Boot ERD Commander and work without connecting to Windows XP;

in this mode, you and I will be able to delete and replace registry files, since they will not be involved in the work. Select Explorer.

Registry files in the Windows XP operating system are located in the C:\Windows\System32\Config folder. And backup copies of the registry files created during the installation of Windows XP are located in the repair folder, located at C:\Windows\repair.

We do the same, copy the SOFTWARE file first,

and then you can do the rest of the registry files - SAM, SECURITY, DEFAULT, SYSTEM in turn from the repair folder and replace them with the same ones in the C:\Windows\System32\Config folder. Replace file? We agree - Yes.

I want to say that in most cases it is enough to replace one SOFTWARE. When you replace the registry files from the repair folder, there is a good chance to boot the system, but most of the changes you made after installing Windows XP will be lost. Consider whether this method is right for you. Don't forget to remove everything unfamiliar from startup. In principle, you shouldn't delete the MSN Messenger client if you need it.

And the last way for today to get rid of the ransomware banner using the ERD Commander disk or any Live CD

If you had System Restore enabled in Windows XP, but you can’t apply it, you can try this. Go to the C:\Windows\System32\Config folder containing the registry files.

Use the slider to see the full file names and delete SAM, SECURITY, SOFTWARE, DEFAULT and SYSTEM. By the way, before deleting them, you can copy them somewhere just in case; you never know, you might want to put them back.

Next we go to the folder System Volume Information\_restore(E9F1FFFA-7940-4ABA-BEC6-8E56211F48E2)\RP\snapshot; from here we copy the files that are backup copies of our HKEY_LOCAL_MACHINE registry hives.

Today I want to talk about SMS extortion via the Internet and your computer. That is, cases when your computer, after visiting certain sites, becomes infected with banners that block the operation of the system completely or partially. To unblock it, you are told to send a message to a short number.

First, let's figure out what types of ransomware banners there are. The first type includes banners that appear only when Internet browsers are launched (Internet Explorer, Opera, Mozilla Firefox, Google Chrome, etc.). These banners are also called informers.

Banners of the second type are placed on the desktop and occupy most of it, without blocking the launch of other programs, so you can still open the Start Menu, Task Manager, etc.

Banners of the third type are the most disgusting. They completely block the computer's operation, requiring you to send an SMS message to a short number. In response, an unlock code is promised. It is impossible to log into the system normally, even in Safe Mode. Remember one thing: never send SMS to the specified numbers! This is pure fraud, falling under the relevant articles of the Criminal Code. Not a single user has ever received a response SMS message with a banner unlock code.

So, no one knows how, but the banner got onto your computer. Whether this happened after you clicked on a link in an email or simply downloaded something, there are many options. What to do in this case? First, you need to decide what type of ransomware banner is on your computer. If it closes along with the browser, this is the first type; if Task Manager, Notepad, Word or any other application can be launched, this is the second type; if nothing helps and the banner hangs, this is the third.

To remove the first type of ransomware, you need to carefully review all browser settings and remove all plugins, add-ons and extensions that you did not install. We do the same for JavaScript applets and DLLs.

The second type of SMS ransomware is not so easy to clean out of the system, but it is also possible. The first way is to visit the website of an antivirus company. All more or less large companies have long ago posted information on their official websites about how to remove a ransomware banner using “legal” methods. You need to find information on the website that relates specifically to the short number to which you are asked to send an SMS message. There, on the website, an unlock code is also given, and it’s absolutely free. After unlocking, update the antivirus signature databases for the antivirus you have installed and run a full scan of the entire computer. Remove any infection you find mercilessly. If you do not have any antivirus installed, then download the free CureIt utility from the Dr.Web website and check your computer with it. After checking, clean the registry with a special utility - a registry cleaner, or do it manually, if, of course, you understand this.

If you have the third type of ransomware banner, then you cannot do without a LiveCD disk or without removing your hard drive and connecting it to another computer. The procedure here is as follows: boot from the disk, launch CureIt, check the computer for infection, and delete everything found. Again, run the registry cleaner and delete the keys that were related to malware. If you don’t have a LiveCD, then connect your hard drive to another computer and run the antivirus on it, having previously, of course, updated the virus databases. After that, we reboot and enjoy life.

How to get rid of a banner

With a huge sense of gratitude to our reader for this link to a virus site where my computer could possibly be infected with a ransomware banner, I turned off my antivirus and some protection, which will be discussed below, and followed this link. A site opened in which I only managed to see the outline of a guitar; literally a second later, the viral code embedded in the main page of this site, which is JavaScript, was triggered and my desktop was blocked by a ransomware banner. I didn’t even have time to click on anything. (Of course, I won’t give you a link to a site with a virus; I later wrote a letter to the administration of this site and the virus was removed from the site, but in general, anything can happen in life, and no site is 100% immune from hacking.)

Well, now a detailed story about how to get rid of a banner if you have already caught it. The information provided is suitable for Windows Vista and other operating systems.

The first thing we will do is go to the websites of leading antivirus companies that provide services to unlock your computer from the ransomware banner.

  1. Dr.Web https://www.drweb.com/xperf/unlocker
  2. NOD32 http://www.esetnod32.ru/.support/winlock
  3. Kaspersky Lab http://sms.kaspersky.ru

Unfortunately, I was unable to find the unlock code; apparently the virus was written recently.
The second thing you can try is to restart the computer and press F8 while loading, then go to Troubleshooting; this is if you have Windows 7 installed. In the Windows XP operating system, go straight to Safe Mode with Command Line Support (read what to do there below).

On old Windows, for example on XP, this problem arose quite often: after downloading some content from Internet resources or simply visiting sites, a “Trojan” was introduced into the OS startup. There were many such Trojan programs, but most of them took the form of advertising, i.e. banners. After the advent of Win7 the problem seemed to disappear, but after a while the banners resumed. Most banners can be removed very simply, with a few keystrokes, but to do this you have to pay the scammers.

In this article you will learn how to get rid of the ransomware banner absolutely free. The article is written without using any obscure terms, so you should not have any problems.

Method 1.

Let's describe how to remove a banner that is loaded along with the operating system.

The easiest way to remove it is by unlocking the desktop. To do this, go to the website of the antivirus manufacturer - Kaspersky Lab or Doctor Web. On these sites we look for keys designed to unlock the desktop. You will need to use the recovery form. You should also check your HDD for viruses.

Method 2 .

In this case, it is better to use free programs - CureIt and Kaspersky Virus Removal Tool. These programs will help, with them you don’t need to think about how to get rid of the banner virus. They are downloaded absolutely free of charge, and after verification they are automatically deleted. They will not interfere with other antivirus utilities.

Method 3. Let's consider a more complicated case: the Windows OS does not load.

In some cases, Windows cannot load because of a pop-up banner: instead of the loading screen, a window pops up asking you to pay a certain amount of money to unlock your OS. In this case, it is better for you to log in in safe mode. Restart the computer if it was turned on (or turn it on if it was not), then, when the screen lights up, begin pressing the F8 button (on some motherboards, the F11 button). After that you will see a screen with a choice of how to boot the OS; from everything offered, select safe mode. Then we try to remove the banner using the methods suggested above.

Method 4. Safe mode doesn't work.

How to get rid of the porn banner in this case? In such situations, the solution may be to reinstall Windows. But if you don’t want to lose the information stored on your hard drives, you can disconnect your hard drive and take it to a friend or to a special service, where it will be checked for viruses.

Method 5. Convenient for older operating systems, such as XP.

  • As soon as the OS boots, press the “Windows + U” keys.
  • Click on the on-screen keyboard, then click “Run”.
  • Then click “Help” - “About the program”.
  • In the window, click on “Microsoft Web Site”.
  • When the address bar appears, you need to write the following: http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
  • Save the file that appears on your desktop.
  • "File" / "Open" / "Browse".
  • On the left side of the screen you need to select “Desktop”. At the bottom there will be “File Type” - “All Files”.
  • We find and launch the program we downloaded.
  • As soon as the program window appears, select a full computer scan.

In Windows 7 everything is much simpler: press Win + U, then click on the “Help with settings” / “Privacy Statement” link. Then continue straight from step 5.

2024 gtavrl.ru.