How to get rid of virus banners in different browsers.
Winlocker Trojans are a type of malware that, by blocking access to the desktop, extorts money from the user - supposedly if he transfers the required amount to the attacker’s account, he will receive an unlock code.
If, once you turn on your PC, you see instead of the desktop:
Or something else in the same spirit - with threatening inscriptions, and sometimes with obscene pictures, do not rush to accuse your loved ones of all sins.
They, and maybe you yourself, have become victims of the trojan.winlock ransomware.
How do ransomware blockers get onto your computer?
Most often, blockers get onto your computer in the following ways:
- through hacked programs, as well as tools for hacking paid software (cracks, keygens, etc.);
- downloaded via links from messages on social networks, sent supposedly by acquaintances, but in fact by attackers from hacked pages;
- downloaded from phishing web resources that imitate well-known sites, but in fact are created specifically for spreading viruses;
- come by e-mail in the form of attachments accompanying letters with intriguing content: “you were sued...”, “you were photographed at the crime scene”, “you won a million” and the like.
Attention! Pornographic banners are not always downloaded from porn sites. They can do it from the most ordinary ones.
Another type of ransomware is spread in the same way - browser blockers. For example, like this:
They demand money for access to browsing the web through a browser.
How to remove the “Windows blocked” banner and similar ones?
When your desktop is blocked and a virus banner prevents any programs from running on your computer, you can do the following:
- go into safe mode with command line support, launch the registry editor and delete the banner autorun keys.
- boot from a Live CD ("live" disk), for example, ERD commander, and remove the banner from the computer both through the registry (autorun keys) and through Explorer (files).
- scan the system from a boot disk with an antivirus, for example Dr.Web LiveDisk or Kaspersky Rescue Disk 10.
Method 1. Removing Winlocker from safe mode with console support.
So, how to remove a banner from your computer via command line?
On machines with Windows XP and 7, before the system starts, you need to quickly press the F8 key and select the marked item from the menu (in Windows 8\8.1 there is no this menu, so you will have to boot from installation disk and run the command line from there).
Instead of a desktop, a console will open in front of you. To launch the registry editor, enter the command into it regedit and press Enter.
Next, open the registry editor, find virus entries in it and fix it.
Most often, ransomware banners are registered in the following sections:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon- here they change the values of the Shell, Userinit and Uihost parameters (the last parameter is only available in Windows XP). You need to fix them to normal:
- Shell = Explorer.exe
- Userinit = C:\WINDOWS\system32\userinit.exe, (C: is the letter system partition. If Windows is on drive D, the path to Userinit will start with D:)
- Uihost = LogonUI.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows- see the AppInit_DLLs parameter. Normally, it may be absent or have an empty value.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run- here the ransomware creates new parameter with the value as the path to the blocker file. The parameter name can be a string of letters, for example, dkfjghk. It needs to be removed completely.
The same goes for the following sections:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
To fix registry keys, click right click parameter, select Change, enter a new value, and click OK.
After this, restart your computer in normal mode and do an antivirus scan. It will remove all ransomware files from hard drive.
Method 2. Removing Winlocker using ERD Commander.
ERD commander contains a large set of tools for Windows recovery, including when damaged by Trojan blockers.
Using the built-in registry editor ERDregedit, you can perform the same operations as we described above.
ERD commander will be indispensable if Windows is locked in all modes. Copies of it are distributed illegally, but they are easy to find on the Internet.
ERD commander kits for everyone Windows versions called boot disks MSDaRT (Microsoft Diagnostic & Recovery Toolset), they go to ISO format, which is convenient for burning to DVD or transferring to a flash drive.
Removing banners from your computer using both Dr.Web and Kaspersky disks is equally effective.
How to protect your computer from blockers?
- Install reliable antivirus and keep it constantly active.
- Please check all files downloaded from the Internet for security before launching.
- Don't click on unknown links.
- Do not open mail attachments, especially those who came in letters with intriguing text. Even from your friends.
- Keep track of what sites your children visit. Use parental controls.
- If possible, do not use pirated software - many paid programs can be replaced with secure free ones.
Many owners of PCs and laptops have at least once in their lives encountered what appears on their computer screen after surfing on dubious sites or after downloading suspicious file Extortionist SMS messages started popping up. Their contents are shocking and in some situations even surprising. Fraudsters write on behalf of the police, intelligence services, hackers and introduce themselves as the government of the country. Involuntarily, the user believes in the text of the attackers, because removing a banner from a computer is not so easy, a person cannot perform any actions on the desktop or in the browser, everything is blocked.
If a banner appears on your desktop, don’t worry, removing it won’t be difficult
The scammers’ method of unblocking is simple, after sending the specified amount to their mobile phone or online wallet, they will send special code to remove the banner. At the same time, the amount mentioned in the message is significant, and several hundred rubles cannot be done. Experts advise not to send money in such a situation; it is better to pay computer specialists who can easily screen it. Or you can do it yourself; now they offer several options for getting rid of a computer lock. The banner is a significant problem for the PC, so it’s worth familiarizing yourself with the popular sources of its appearance. Knowing how to get rid of viruses is great, but it’s better not to deal with them.
WATCH THE VIDEO
Where does the banner blocker come from?
On unknown resources, when viewing information, a menu may suddenly appear in which the user will be prompted to update or. Without such a program, the quality of the PC is in question, so the person agrees to the terms of the menu. As a result, the player program is not downloaded, and a ransomware banner appears instead. You can avoid falling victim to such a trap by downloading software only from official developer portals.
Using pirated programs
Banner infection occurs different methodsSelf-installation of viral advertising
The procedure for searching for something on the Internet can be difficult, when writing course work the student downloads dozens of essays, electronic versions books and magazines. Most of these files are contained in an archive, and the user receives a virus along with the abstract or even instead of it.
Arises new task How to remove the ransomware banner? To open access to downloaded data, scammers offer to install special software. In the installation procedure it will appear license agreement(which no one will read and accept all the terms) with permission for advertising. It turns out that the user independently allowed the virus to live in his computer. The antivirus should always work and detect pests.
OS security weaknesses
Vulnerabilities in operating systems and browsers are actively exploited by pests. Therefore, all programs that are often used must be updated regularly, because the appearance of a banner, which is very difficult to get rid of, is due to the fault of the computer owner himself. Sometimes users themselves disable the security system in order to carry out some configurations, and then forget to turn it on. Viruses are instantly found weak spots, and removing the banner from your computer will no longer be easy.
How to remove a banner from your computer
You can remove the banner from your computer, the main thing is not to panic. First you need to remember 4 important rules and adhere to them when a similar situation arises:
- You should never send it to criminals cash. Firstly, this will hit your pocket hard, and secondly, it is unlikely to solve the problem and unlock Windows.
- To remove the banner, it is not necessary to reinstall or update the operating system. If the “Master”, who decided to fix the problem, does not agree with this rule, then either he is not really a master, or he wants to “sell” a more expensive service.
The process of getting rid of a banner is not complicated
- The operating principle of such viruses is no different, and even if the text is written on behalf of the FSB, SBU or other reputable structures, standard methods will help to unblock Windows 7 from the ransomware virus.
- An antivirus program may be the newest and most effective, but it will not protect against brazen ransomware. Moreover, the culprit for the appearance of the blocker is the person himself.
How to remove a banner from a computer through the registry
Important! This option may not work in situations where the virus text is opened before the OS boots (immediately after entering the BIOS menu).
In other situations, this option will work without problems. Even inexperienced users will cope with this task and will be able to remove information from the registry. You must carefully go through all the points.
First you need to enter the Registry Editor menu. The easiest way to do this is to restart the PC and then press the F8 key to select the power-on type. You need to boot the equipment in safe mode with the ability to work on the command line. It happens that F8 opens a special disk selection menu, where you need to select the main one and confirm the action by pressing “Enter”, then F8 again. A window for selecting boot modes will appear on the screen.
Login in safe modeNext, wait until the console window opens. Enter the value regedit.exe in it and press “Enter”. A special menu will open and you can find the virus in Windows registry 7. It contains all the OS data, including information about startup applications when you turn on the computer. This menu is where you should look for a harmful banner that demands money.
On the left side of the menu there is special folders, they are also called sections. Folders in which the hated virus could appear should be checked and, if present, extra files, they should be removed. There are several possible locations, and everything needs to be analyzed.
First, find the “Run” folder (it’s in the “Current Version” of the OS data). In this folder, the entire list of applications that are turned on automatically when the equipment starts will be available. You can also see the path to their storage location. Anything that seemed suspicious to the user should leave autorun forever.
You need to correct the banner entry in the registryMost often, the file name consists of an incomprehensible set of alphabetic characters and numbers: aklh25171156. You can find the pest in the “documents and settings” folder (with different subfolder names). The source of the virus is the ms.exe file or other data from system folder. Unclear entries should be blocked and deleted. For this purpose, right-click on the line and select the “Delete” option.
Worries in this procedure are unnecessary - you should not be afraid of deleting important values, you need to get rid of all unknown data from the startup menu, only in such a situation will you be able to remove the virus through the command line. The startup menu contains utilities that are rarely used, so clearing the list will also help speed up your computer.
When cleaning, we remember the locations of harmful files, this will help in the future to send them to the trash without lengthy searches.
All manipulations must be repeated for other registry branches, and in the “WInLogon” folder local machine make sure correct value USerinit lines. Shell in the registry should work according to the explorer.exe value.
Shell in the registry should work according to the explorer.exe valueThis is how you can easily remove the SMS banner and unlock your laptop from the ransomware virus yourself through the registry manager. After this, the editor is closed, and the text explorer.exe is written into the command line (the desktop will open), you need to send unnecessary files, the location of which is already known, away from the computer’s memory. At the final stage, the equipment reboots in normal mode (safe mode was used when working with the registry). Removing banners from your computer with this option is almost always successful.
Advice! When it is not possible to select a safe power-on mode with command line support, you can use a Live disk with recorded PP (suitable Registry Editor PE), and perform all manipulations in the program.
How to remove a banner from your desktop using special software
Software developers have also not avoided this problem, and offer special utilities to remove the ransomware. In particular, you can remove the banner using Kaspersky Windows Unlocker. This utility also performs the task by correcting data in the registry, but does it in automatic mode, which greatly simplifies the task.
To begin with, the application is downloaded from the company’s official website. To complete the task you will need Kaspersky Rescue Disk, then the image of the storage medium is written to a blank CD (this is done on a “healthy” PC). The already recorded storage medium is inserted into the “infected” PC, and after loading, all necessary actions are performed through the program.
Kaspersky Anti-Virus will help you remove the virusIn this way, you can remove the banner using Dr.Web or other products (AVG Rescue, VBA23 Rescue, etc.).
Unlocking a computer from a banner sometimes works through special services selection of code words. For example, the site sms.kaspersky.ru will try to guess the password to remove the pest. For users who find it difficult to work with registry branches, programs that will help remove the banner from the desktop are perfect.
Unlocking a computer from a banner sometimes works through special servicesWhen the message appears before loading
It also rarely happens that a virus begins to appear immediately when you turn on the equipment, which means that the harmful software is located on the main boot entry hard MBR disk. Removing the ransomware banner will be more difficult. It is impossible to go online to search for an unlock code or open the registry editor to fight viruses in such a situation, especially since scam text opens from a different place. Special Live CDs help with this problem. You can remove a banner from your computer as follows:
- At using Windows XP work with boot partition You can use the OS installation disk. First, we load the disk, and when the operating system recovery menu is available, this is done by pressing the R button on the keyboard. After these manipulations, the screen will appear command menu, where the FIXBOOT value is entered (the entry is confirmed by pressing the Y button). When HDD consists of only one section, then the FIXMBR value will help.
- If there is no installation entry or you are using another Microsoft product, the problem with the MBR is corrected by the BOOTICE application (or similar utilities from other companies that allow you to manage sections of hard disk). The software is easy to find on the Internet, download it from there, write it to a flash drive, and launch the PC from the Live CD. Next, the application is turned on from the USB drive.
Now you know how to remove a banner from your computer (desktop).
Banners are not only a way to promote a product or service, but also a serious irritant for the nervous system. Therefore, the desire to remove them from the browser is quite natural. You can do this yourself in several ways. We will tell you how to remove banners from your browser in the easiest way.
One of the easy ways to remove banners yourself is to restore the system to the restore point when there were no banners bothering you. Another option is to clear the cache, history and browser settings. To do this in Google Chrome and Yandex, go through the settings to the “Show additional settings", and from it - to the sub-item "Clear history". Click on it virtual button"Clear." IN Mozilla Firefox You can carry out such cleaning through the corresponding button (“Firefox”), from where you will be taken to the menu. In it, find the “Help” section, and there – the “Information for solving problems” item. At this point, select “Reset Firefox”. For operating room Opera systems the process of clearing history, browser settings and cache is carried out by deleting the folder C:\DocumentsandSettings\username\ApplicationData\Opera.
In addition to all of the listed methods for removing banners in the browser, you can also use tools specially developed for this purpose that remove malware from the computer (in most cases, they are the reason the browser is “clogged” with banners).
Winlocker Trojans are a type of malware that, by blocking access to the desktop, extorts money from the user - supposedly if he transfers the required amount to the attacker’s account, he will receive an unlock code.
If, once you turn on your PC, you see instead of the desktop:
Or something else in the same spirit - with threatening inscriptions, and sometimes with obscene pictures, do not rush to accuse your loved ones of all sins. They, and maybe you yourself, have become victims of the trojan.winlock ransomware.
How do ransomware blockers get onto your computer?
Most often, blockers get onto your computer in the following ways:
- through hacked programs, as well as tools for hacking paid software (cracks, keygens, etc.);
- downloaded via links from messages on social networks, sent supposedly by acquaintances, but in fact by attackers from hacked pages;
- downloaded from phishing web resources that imitate well-known sites, but in fact are created specifically for spreading viruses;
- come by e-mail in the form of attachments accompanying letters with intriguing content: “you were sued...”, “you were photographed at the crime scene”, “you won a million” and the like.
Attention! Pornographic banners are not always downloaded from porn sites. They can do it from the most ordinary ones.
Another type of ransomware is spread in the same way - browser blockers. For example, like this:
They demand money for access to browsing the web through a browser.
How to remove the “Windows blocked” banner and similar ones?
When your desktop is blocked and a virus banner prevents any programs from running on your computer, you can do the following:
- go into safe mode with command line support, launch the registry editor and delete the banner autorun keys.
- boot from a Live CD ("live" disk), for example, ERD commander, and remove the banner from the computer both through the registry (autorun keys) and through Explorer (files).
- scan the system from a boot disk with an antivirus, for example Dr.Web LiveDisk or Kaspersky Rescue Disk 10.
Method 1. Removing Winlocker from safe mode with console support.
So, how to remove a banner from your computer via the command line?
On machines with Windows XP and 7, before the system starts, you need to quickly press the F8 key and select the marked item from the menu (in Windows 8\8.1 there is no this menu, so you will have to boot from the installation disk and launch the command line from there).
Instead of a desktop, a console will open in front of you. To launch the registry editor, enter the command into it regedit and press Enter.
Next, open the registry editor, find virus entries in it and fix it.
Most often, ransomware banners are registered in the following sections:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon- here they change the values of the Shell, Userinit and Uihost parameters (the last parameter is only available in Windows XP). You need to fix them to normal:
- Shell = Explorer.exe
- Userinit = C:\WINDOWS\system32\userinit.exe, (C: is the letter of the system partition. If Windows is on drive D, the path to Userinit will start with D:)
- Uihost = LogonUI.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows- see the AppInit_DLLs parameter. Normally, it may be absent or have an empty value.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run- here the ransomware creates a new parameter with a value in the form of the path to the blocker file. The parameter name can be a string of letters, for example, dkfjghk. It needs to be removed completely.
The same goes for the following sections:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
To correct registry keys, right-click on the parameter, select “Change”, enter a new value and click OK.
After that, restart your computer in normal mode and run an antivirus scan. It will remove all ransomware files from your hard drive.
Method 2. Removing Winlocker using ERD Commander.
ERD commander contains a large set of tools for restoring Windows, including those damaged by blocking Trojans. Using the built-in registry editor ERDregedit, you can perform the same operations as we described above.
ERD commander will be indispensable if Windows is locked in all modes. Copies of it are distributed illegally, but they are easy to find on the Internet.
ERD commander sets for all versions of Windows are called MSDaRT (Microsoft Diagnostic & Recovery Toolset) boot disks; they come in ISO format, which is convenient for burning to DVD or transferring to a flash drive.
After booting from such a disk, you need to select your version of the system and go to the menu and click Registry Editor.
In Windows XP, the procedure is slightly different - here you need to open the Start menu, select Administrative Tools and Registry Editor.
After editing the registry, boot Windows again - most likely, you will not see the “Computer is blocked” banner.
Method 3. Removing the blocker using an antivirus “rescue disk”.
This is the easiest, but also the most long method unlocking. It is enough to burn the Dr.Web LiveDisk or Kaspersky Rescue Disk image to DVD, boot from it, start scanning and wait for it to finish. The virus will be killed.
Removing banners from your computer using both Dr.Web and Kaspersky disks is equally effective.
How to protect your computer from blockers?
- Install a reliable antivirus and keep it active at all times.
- Please check all files downloaded from the Internet for security before launching.
- Don't click on unknown links.
- Do not open email attachments, especially those that come in letters with intriguing text. Even from your friends.
- Keep track of what sites your children visit. Use parental controls.
- If possible, do not use pirated software - many paid programs can be replaced with safe free ones.
Every fifth owner personal computer was attacked by scammers in world wide web. A popular type of deception are Winlocker Trojans - these are banners that block Windows work processes and require you to send an SMS to paid number. To get rid of such ransomware, you need to figure out what threats it poses and how it gets into the system. In particularly difficult cases, you will have to contact service center.
How do virus banners get onto a computer?
First on the list of sources of infection are pirated programs for work and leisure. We must not forget that Internet users have become accustomed to obtaining software online for free. But loading software from sites that cause suspicion entails a high risk of banner infection.
Windows often locks when opening a downloaded file with the “.exe” extension. Of course, this is not an axiom; it makes no sense to refuse to download software with such an extension. Just remember a simple rule - “.exe” is a game or program installation extension. And its presence in the name of video, audio, image or document files maximizes the likelihood of a computer being infected by a Winlocker Trojan.
The second most common method is based on a call to update your flash player or browser. It looks like this: when moving from page to page while surfing the Internet, the following message pops up - “your browser is out of date, install an update.” Such banners do not lead to the official website. Agreement with the upgrade offer to third party resource in 100% of cases it will lead to system infection.
How to remove banner ransomware from your computer
There is only one way with a 100% guarantee - reinstalling Windows. The only downside here is a very big one - if you do not have an archive of important data from the C drive, then during a standard reinstallation they will be lost. Are you eager to reinstall programs and games because of the banner? Then it’s worth taking note of other methods. They all fall into two main categories:
- There is access to safe mode;
- You cannot use Safe Startup mode.
Viruses are constantly being improved and can disable any OS boot mode. Therefore, the first option to remove the banner from your computer is not always possible.
With all the variety of methods of pest control, all operations come down to one principle. Upon completion of the removal procedure and a successful reboot of the system (when there are no ransomware banners), you will need additional measures. Otherwise, the virus will appear again, or the computer will freeze. Let's look at the two most common ways to avoid this.
Safe mode
Reboot the computer by pressing the F8 key until a menu of other OS boot options appears. In it, using the arrows on the keyboard, select the line “ Safe mode with command line support."
If the malware has not penetrated deeply into the system, the desktop will be displayed. Through the “Start” button, select “Search files and programs.” In the window that appears, fill in the “regedit” command. Here you will need basic knowledge computer systems to clean the registry of the virus and remove its consequences.
Let's start with the directory:
HKEY_LOCAL_MACHINE\Software\Microsoft\WinNT\CurrentVersion\Winlogon. In it we study 2 subparagraphs sequentially. Shell - only the “explorer.exe” item should be present. Other values - a sign of a banner - are deleted. Userinit should contain "C:\Windows\system32\userinit.exe". Instead of the letter “C” there may be another one if the operating system is running from a different local drive.
- HKEY_CURRENT_USER (similar subdirectories). If the sub-items listed above are present, they must be deleted.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. All suspicious lines with meaningless names must be cleared - for example, “skjgghydka.exe”. Do you have any doubts about the harm of the registry file? In fact, the removal process is not necessary. Add "1" to the beginning of its name. Having an error, it will not start, and if necessary, you can return the original value.
- HKEY_CURRENT_USER (subdirectories). Actions are the same as in the previous paragraph.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. We repeat all operations.
- HKEY_CURRENT_USER (further path, as in the paragraph above). We are carrying out similar actions.
After all actions are completed, we launch system utility"cleanmgr". By selecting local disk with Windows, start scanning. Next, in the window that appears, check all the boxes except “Files backup copy update package." After running the utility, all that remains is to clean and remove the consequences of the virus.
Restoring the system to a checkpoint
To remove a banner from your computer, use standard recovery system to the existing save point preceding the appearance of the winlocker. The process is started via the command line by entering the value "rstrui". In the window that opens, you can select a recommended date or set your own from the available list.
The recovery will take some time and will end with a system reboot. The result will be complete removal malware. In some cases, a message may appear indicating that it is impossible to restore the system. With this option, all you have to do is contact the service center. It’s better to do this if you don’t have the necessary skills to work with the registry.
Protect your computer from being blocked
Anyone can encounter a Winlocker Trojan. Avoiding a nervous situation is easy if you follow simple rules security:
- Install a working antivirus program;
- Do not open suspicious emails;
- Do not click on pop-up messages on the Internet;
- Update your operating system regularly.
But if trouble has already arisen, the Recomp service center will help you. Our specialists will remove blocking programs and other viruses, eliminate traces of their presence and improve the operation operating system. With us it is easy to avoid the loss of important data, and if necessary, we will restore lost files!
For free
For free