How to remove advertising banners from your desktop. Host and crystal clear

All tips

Hello, friends! In this article we will look at ways to remove banner from desktop. This can happen not only due to visiting sites with erotic content, but also when using cracks or keygens downloaded from unknown sources. Therefore, try to download software only from manufacturers' websites. If you receive a suspicious file, do not be lazy and check it for viruses online. Typically, such banners are called extortionists, as they demand money from the user. This can be like sending an SMS to a short number or topping up your account in the system electronic payments. Fraudsters usually write on such banners that the user has violated the law, for which they are required to pay a fine. In this article we will tell you how to unblock your computer from such banners.

These services are easy to use, but there are no guarantees. You can spend a lot of time but still not unlock the system. But you definitely need to try it.

To use, you need a device (another computer, tablet or phone) with Internet access. Go to any of the listed addresses. Let's take Kaspersky for example.

In a special field you must enter the phone number or account to which you want to transfer money. If you are asked to send an SMS to short number, then write down this number and, separated by a colon, the text that needs to be sent. Afterwards, press to get the code

The search results will appear below. Choose your banner and try the codes against it.

If you haven’t found your banner, try on the Dr.Web or Eset website. If this method did not help remove the banner from your desktop, read on.

Using System Restore

This option is good if you have this function enabled. If System Restore was disabled, proceed to the next step.

In order to remove the banner from the desktop using system recovery- restart the computer and click on boot F8 repeatedly. If a list of devices from which booting is possible appears, select your drive (hard drive or SSD) and continue pressing F8 again. You should see a similar picture below. You need to select the item System Troubleshooting highlighted by default

A window will load where you need to select a language, then a user. Next there will be a window with a choice of several recovery options. Choose System Restore. Then select a restore point and return the computer to that point in time. First, take the nearest restore point; if that doesn’t help, restore to an earlier one.

You can read more about how to use System Restore.

Removing the banner from safe mode

By checking Dr.Web Cureit or analogues

There are banners that are not active in safe mode. You need to take advantage of this. To prepare for treatment, you need to download the Dr.Web Cureit utility on a healthy computer by opening the following link in your browser.

To remove a banner from your desktop by cleaning the registry, you need to check several points in the registry.

On the left side of the window go to the address

HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Run

Go to the right side and delete all items except one (Default) for which the value is not assigned. Click right click at the point and choose Delete. With this action we will remove the banner from Windows startup. (How to manage Windows startup 7 and Windows 8 when the computer is in working order you can read.)

All the above steps must also be performed in the section

HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run

There are two more places left to check

HKEY_CURRENT_USER -> Software -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon

In this we check the absence of points Shell And Userinit. If they are there, delete them.

HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon

check the values of the above points

Shell = explorer.exe

Userinir = C:\Windows\system32\userinit.exe, (comma required)

If the values are different, we correct them to the correct ones.

Close the registry editor and, to be on the safe side, check the computer with the Dr.Web Cureit utility or an analogue if you did not check it before editing the registry.

After checking, reboot into normal mode and check whether the banner is removed.

Using Kaspersky WindowsUnlocker to remove a banner from the desktop

Using this utility, you can disinfect all operating systems installed on your computer. It does automatically what we did manually in the previous paragraph. This utility included in Kaspersky Rescue Disk.

Download Kaspersky image Rescue Disk can be found on the official website via the link

To register on USB device It’s better to use the utility from the manufacturer

In the program window using the button Review specify the path to the Kaspersky Rescue Disk image. Paste USB storage into the computer and it immediately appears in the appropriate section. If this does not happen, select it manually.

Attention! Save all important data from your USB drive.

After all the settings, press the button START

The image will be written to the USB drive. If the process completes successfully you will see the following window. Click OK and close the rescue2usb program

Now you need to boot from the prepared USB storage on an infected computer. To do this, insert the USB flash drive into the computer and reboot. When you boot your computer, press F8 several times to call up a list of devices from which it can boot. Select the connected USB drive. (There may be two inscriptions in this list suggesting booting from USB. Try one first, then the other). If you can’t boot from a flash drive, you need to set boot from a USB drive in the BIOS. You can read how to do this.

After all the settings, it will boot from the USB drive and you will see the following window. Any key must be pressed within 10 seconds

Select the required language using the arrows on the keyboard

You must accept the license by pressing button 1 on the keyboard

Select a mode Kaspersky downloads Rescue Disk. If you don't have a mouse, choose text. In all other cases, select graphics mode

In the terminal we type windowsunlocker and press Enter

If you have selected text mode, then press F10 close the menu that appears and type windowsunlocker in the line below file manager. Click Enter

For that to remove the banner from the desktop press 1

After all the manipulations, you must press 0 - Exit.

After unlocking the operating system, you need to update the Kaspersky Rescue Disk databases and run full check computer. To do this, open the main menu and select Kaspersky Rescue Disk. Go to the update tab and click Perform update. In this case, the Internet must be connected to the computer

Go to the tab Checking objects and select all objects in field 2 with checkboxes. Click Perform object check

Wait until the scan is completed and delete or cure the found ones. malicious files. Afterwards, reboot in normal mode and check whether the banner is removed from the desktop.

Fixing the boot record

If the virus loads immediately when you turn on the computer before the operating system logo appears, then this infection has changed the boot record of your drive.

You need to log into the console Windows recovery and try to restore the boot record.

To open the recovery console, you must press the key at boot F8 as when selecting safe mode. When a window appears with a choice of download options. The item selected by default will appear at the very top - System Troubleshooting. Select this item by clicking Enter

Afterwards, a window for selecting a user and entering a password will appear. Select a user and enter a password if you have one and click Further

A window will then appear with system recovery options. There you can choose to restore the computer from an image (which is done by backing up data in Windows) or perform a system restore (if it is enabled. See point 3 of this article) and much more. You select the last item Command line.

You type in it BOOTREC.EXE /FixBoot

Then reboot and check whether the banner has been removed from the desktop.

Checking the drive on a healthy computer

If you have the opportunity to check your drive on another computer, do so.

Turn off your computer. Disconnect the hard drive. With it turned off, connect it to another computer. Boot up. Update antivirus databases and check the connected disk for viruses. I like this option the most because it is possible. If it is not there, use the options described above.

Reinstalling Windows

This last resort. If none of the above helps, then you need to reinstall the operating system. if you have important information on the desktop or in the My Documents folder, boot from any boot disk (for example, from Kaspersky Rescue Disk) and copy the information from drive C to any other one.

Windows XP with a USB system recovery drive can be a big help in critical situations. I highly recommend turning it on and allocating several gigabytes for it in the settings. If recovery fails, then proceed to treatment in safe mode. Unless, of course, the virus blocks everything there with its banner.
If it doesn't work with safe mode, then Kaspersky Windows Unlocker as part of Kaspersky Rescue Disk it is perfect solution. If possible, you can and should check your drive on the healthy machine of your relative, friend or neighbor. Don't worry, the virus won't jump to another computer. If the virus is registered in boot entry, then try through the recovery console. If all else fails (which is unlikely), then it is better to reinstall the operating system.

Video on how to unlock a computer from a banner

Winlocker Trojans are a type of malware that, by blocking access to the desktop, extorts money from the user - supposedly if he transfers the required amount to the attacker’s account, he will receive an unlock code.

If, once you turn on your PC, you see instead of the desktop:

Or something else in the same spirit - with threatening inscriptions, and sometimes with obscene pictures, do not rush to accuse your loved ones of all sins.

They, and maybe you yourself, have become victims of the trojan.winlock ransomware.

How do ransomware blockers get onto your computer?

Most often, blockers get onto your computer in the following ways:

through hacked programs, as well as tools for hacking paid software (cracks, keygens, etc.);
downloaded via links from messages on social networks, sent supposedly by acquaintances, but in fact by attackers from hacked pages;
downloaded from phishing web resources that imitate well-known sites, but in fact are created specifically for spreading viruses;
come by e-mail in the form of attachments accompanying letters with intriguing content: “you were sued...”, “you were photographed at the crime scene”, “you won a million” and the like.

Attention! Pornographic banners are not always downloaded from porn sites. They can do it from the most ordinary ones.

Another type of ransomware is spread in the same way - browser blockers. For example, like this:

They demand money for access to browsing the web through a browser.

How to remove the “Windows blocked” banner and similar ones?

When your desktop is blocked and a virus banner prevents any programs from running on your computer, you can do the following:

go to safe mode with the support command line, launch the registry editor and delete the banner autorun keys.
boot from a Live CD ("live" disk), for example, ERD commander, and remove the banner from the computer both through the registry (autorun keys) and through Explorer (files).
scan the system from a boot disk with an antivirus, for example Dr.Web LiveDisk or Kaspersky Rescue Disk 10.

Method 1. Removing Winlocker from safe mode with console support.

So, how to remove a banner from your computer via the command line?

On machines with Windows XP and 7, before the system starts, you need to quickly press the F8 key and select the marked item from the menu (in Windows 8\8.1 there is no this menu, so you will have to boot from the installation disk and launch the command line from there).

Instead of a desktop, a console will open in front of you. To launch the registry editor, enter the command into it regedit and press Enter.

Next, open the registry editor, find virus entries in it and fix it.

Most often, ransomware banners are registered in the following sections:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon- here they change the values of the Shell, Userinit and Uihost parameters (the last parameter is only available in Windows XP). You need to fix them to normal:

Shell = Explorer.exe
Userinit = C:\WINDOWS\system32\userinit.exe, (C: is the letter system partition. If Windows is on drive D, the path to Userinit will start with D:)
Uihost = LogonUI.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows- see the AppInit_DLLs parameter. Normally, it may be absent or have an empty value.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run- here the ransomware creates new parameter with the value as the path to the blocker file. The parameter name can be a string of letters, for example, dkfjghk. It needs to be removed completely.

The same goes for the following sections:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

To correct registry keys, right-click on the parameter, select “Change”, enter a new value and click OK.

After this, restart your computer in normal mode and do an antivirus scan. It will remove all ransomware files from your hard drive.

Method 2. Removing Winlocker using ERD Commander.

ERD commander contains a large set of tools for restoring Windows, including those damaged by blocking Trojans.

Using the built-in registry editor ERDregedit, you can perform the same operations as we described above.

ERD commander will be indispensable if Windows is locked in all modes. Copies of it are distributed illegally, but they are easy to find on the Internet.

ERD commander kits for everyone Windows versions called boot disks MSDaRT (Microsoft Diagnostic & Recovery Toolset), they go to ISO format, which is convenient for burning to DVD or transferring to a flash drive.

Removing banners from your computer using both Dr.Web and Kaspersky disks is equally effective.

How to protect your computer from blockers?

Install reliable antivirus and keep it constantly active.
Please check all files downloaded from the Internet for security before launching.
Don't click on unknown links.
Do not open mail attachments, especially those who came in letters with intriguing text. Even from your friends.
Keep track of what sites your children visit. Use parental controls.
If possible, do not use pirated software - many paid programs can be replaced with secure free ones.

banner from your desktop personal computer, download the LiveCD program from another computer ( http://www.freedrweb.com/livecd), write it to disk and insert it into the infected computer. Reboot your PC and it will start automatic action programs. This software will scan the system and cure it.

If the LiveCD program did not help you, then you can use the following method. Go to the websites of antivirus manufacturers, for example, the Kaspersky website ( http://support.kaspersky.ru/viruses/deblocker), Doctor Web ( http://www.drweb.com/unlocker/index) or nod32 ( http://www.esetnod32.ru/.support/winlock/) enter the number to which you want to send SMS, or the message code. You will be provided with a number of codes with which you can remove banner.

Can be deleted banner from the desktop using System Restore. Go to the “Task Manager” by pressing Ctrl+Alt+Delete. Next, call the command line. Enter next command: %systemroot%system32
estore
strui.exe and press Enter.

After removing the virus, update your antivirus program and fully scan your computer.

Despite great amount existing antivirus programs, viruses on the Internet continue to exist and evolve. About six years ago, ransomware viruses began to actively spread, one of which was a porn banner.

Instructions

This banner usually appears in the browser or on the desktop, existing on top of other windows. It can not only cause moral distress, but also blocks some functions of the operating system. If the banner appears exclusively in the browser, just clear the settings of your web browser.

For Internet Explorer You should carefully check the active add-ons, the subsection is located in the "Tools" menu. It is not easy to identify a malicious program by eye, so you can use the selection method - disabling add-ons one at a time and checking the result by restarting the browser.

In Opera, a malicious banner writes itself to the user java scripts folder, the settings of which must be changed. To do this, you need to call the "Tools" menu, the "Settings" submenu. Select the "Advanced" tab, "Content" section. Click the "Java Script Settings" button and in the window that appears, clear the "User Java files Script". You also need to follow the path specified in this field and delete all files with the .js extension or the entire uscriprs folder - if there is one.

Every fifth owner of a personal computer was attacked by fraudsters during world wide web. A popular type of deception are Winlocker Trojans - these are banners that block working Windows processes and requiring you to send SMS to paid number. To get rid of such ransomware, you need to figure out what threats it poses and how it gets into the system. In particularly difficult cases, you will have to contact service center.

How do virus banners get onto a computer?

First on the list of sources of infection are pirated programs for work and leisure. We must not forget that Internet users have become accustomed to obtaining software online for free. But loading software from sites that cause suspicion entails a high risk of banner infection.

Windows often locks when opening a downloaded file with the “.exe” extension. Of course, this is not an axiom; it makes no sense to refuse to download software with such an extension. Just remember a simple rule - “.exe” is a game or program installation extension. And its presence in the name of video, audio, image or document files maximizes the likelihood of a computer being infected by a Winlocker Trojan.

The second most common method is based on a call to update your flash player or browser. It looks like this: when moving from page to page while surfing the Internet, the following message pops up - “your browser is out of date, install an update.” Such banners do not lead to the official website. Agreement with the upgrade offer to third party resource in 100% of cases it will lead to system infection.

How to remove banner ransomware from your computer

There is only one way with a 100% guarantee - reinstalling Windows. The only downside here is a very big one - if you do not have an archive of important data from the C drive, then during a standard reinstallation they will be lost. Are you eager to reinstall programs and games because of the banner? Then it’s worth taking note of other methods. They all fall into two main categories:

There is access to safe mode;
You cannot use Safe Startup mode.

Viruses are constantly being improved and can disable any OS boot mode. Therefore, the first option to remove the banner from your computer is not always possible.

With all the variety of methods of pest control, all operations come down to one principle. Upon completion of the removal procedure and a successful reboot of the system (when there are no ransomware banners), you will need additional measures. Otherwise, the virus will appear again, or the computer will freeze. Let's look at the two most common ways to avoid this.

Safe mode

Reboot the computer by pressing the F8 key until a menu of other OS boot options appears. In it, using the arrows on the keyboard, select the line “Safe Mode with Command Line Support” from the list.

If the malware has not penetrated deeply into the system, the desktop will be displayed. Through the “Start” button, select “Search files and programs.” In the window that appears, fill in the “regedit” command. Here you will need basic knowledge computer systems to clean the registry of the virus and remove its consequences.

Let's start with the directory:

HKEY_LOCAL_MACHINE\Software\Microsoft\WinNT\CurrentVersion\Winlogon. In it we study 2 subparagraphs sequentially. Shell - only the “explorer.exe” item should be present. Other values - a sign of a banner - are deleted. Userinit should contain "C:\Windows\system32\userinit.exe". Instead of the letter “C” there may be another one if the operating system is running from a different local drive.

HKEY_CURRENT_USER (similar subdirectories). If the sub-items listed above are present, they must be deleted.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. All suspicious lines with meaningless names must be cleared - for example, “skjgghydka.exe”. Do you have any doubts about the harm of the registry file? In fact, the removal process is not necessary. Add "1" to the beginning of its name. Having an error, it will not start, and if necessary, you can return the original value.
HKEY_CURRENT_USER (subdirectories). Actions are the same as in the previous paragraph.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. We repeat all operations.
HKEY_CURRENT_USER (further path, as in the paragraph above). We are carrying out similar actions.

After all actions are completed, we launch system utility"cleanmgr". By selecting local disk with Windows, start scanning. Next, in the window that appears, check all the boxes except “Update package backup files.” After running the utility, all that remains is to clean and remove the consequences of the virus.

Restoring the system to a checkpoint

To remove a banner from your computer, use standard recovery system to the existing save point preceding the appearance of the winlocker. The process is started via the command line by entering the value "rstrui". In the window that opens, you can select a recommended date or set your own from the available list.

The recovery will take some time and will end with a system reboot. The result will be complete removal malware. In some cases, a message may appear indicating that it is impossible to restore the system. With this option, all you have to do is contact the service center. It’s better to do this if you don’t have the necessary skills to work with the registry.

Protect your computer from being blocked

Anyone can encounter a Winlocker Trojan. Avoiding a nervous situation is easy if you follow simple rules security:

Install a working antivirus program;
Do not open suspicious emails;
Do not click on pop-up messages on the Internet;
Update your operating system regularly.

But if trouble has already arisen, the Recomp service center will help you. Our specialists will remove blocking programs and other viruses, eliminate traces of their presence and improve the operation of the operating system. With us it is easy to avoid the loss of important data, and if necessary, we will restore lost files!

For free

I ask for your possible participation in my problem. My question is this: How to remove a banner: “Send SMS”, operating system Windows 7. By the way, the second system is on mine Windows computer XP was also blocked by a banner a month ago, I’m such a unfortunate user. I can’t enter safe mode, but I managed to enter Computer Troubleshooting and run System Restore from there and the error came up - On system disk This computer does not have restore points.

It was not possible to find the unlock code on the Dr.Web website, as well as ESET. Recently, I managed to remove such a banner from a friend using the ESET NOD32 LiveCD System Recovery Disk, but in my case it does not help. I also tried Dr.Web LiveCD. I set the clock in the BIOS forward by a year, the banner did not disappear. On various forums on the Internet, it is advised to correct the UserInit and Shell parameters in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. But how do I get there? Using LiveCD? Almost all LiveCDs do not connect to operating system and such operations as editing the registry, viewing startup objects, as well as event logs from such a disk are not available or am I mistaken.

In general, there is information on how to remove a banner on the Internet, but mostly it is not complete and it seems to me that many people copy this information somewhere and publish it on their website, so that it is just there, but ask them how it all works , they will shrug their shoulders. I think this is not your case, but in general I really want to find and remove the virus myself, I’m tired of reinstalling the system. AND last question- is there a fundamental difference in the methods of removing a ransomware banner in the Windows XP and Windows 7 operating systems. Can you help? Sergey.

How to remove a banner

There are quite a few ways to help you get rid of the virus, it is also called Trojan.Winlock, but if you are a novice user, all these methods will require patience, endurance and understanding from you that you have encountered a serious enemy, if you are not afraid, let’s get started.

The article turned out to be long, but everything said really works like in an operating room Windows system 7, and in Windows XP, if there is a difference somewhere, I will definitely note this point. The most important thing to know is remove banner and get the operating system back quickly, it won’t always work, but it’s useless to put money into the extortionist’s account, you won’t receive any unlock code back, so there is an incentive to fight for your system.
Friends, in this article we will work with the Windows 7 recovery environment, or more precisely with the recovery environment command line. Required Commands I will give it to you, but if it is difficult for you to remember them, you can. This will make your work much easier.

Let's start with the simplest and end with the complex. How to remove a banner using safe mode. If your Internet surfing ends unsuccessfully and you inadvertently set yourself malicious code, then you need to start with the simplest thing - try to go into Safe Mode (unfortunately, in most cases you won’t be able to do this, but it’s worth a try), but You will definitely be able to enter(more chances), you need to do the same thing in both modes, let's look at both options.

In the initial phase of loading the computer, press F-8, then select, if you manage to log into it, then you can say you are very lucky and the task is simplified for you. The first thing you need to try is to roll back some time using restore points. For those who don’t know how to use system recovery, read in detail here -. If system restore doesn't work, try something else.

In the Run line, type msconfig ,

You shouldn't have anything in the folder either. Or is it located at

C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

Important Note: Friends, in this article you will have to deal mainly with folders that have the Hidden attribute (for example AppData, etc.), so as soon as you get into Safe mode or Safe Mode with Command Line Support, immediately turn it on in the system showing hidden files and folders, otherwise required folders, in which the virus is hiding, you simply will not see. It's very easy to do.

Windows XP
Open any folder and click on the “Tools” menu, select “Folder Options”, then go to the “View” tab. Then at the very bottom, check the “” item and click OK

Windows 7
Start -> Control Panel->View: Category -Small Icons ->Folder Options ->View. At the very bottom, check the box “ Show hidden files and folders».

So let's return to the article. Let's look at the folder, you shouldn't have anything in it.

Make sure that in the root of the drive (C:), there are no unfamiliar or suspicious folders and files, for example, with such an incomprehensible name OYSQFGVXZ.exe, if there are any, you need to delete them.

Now attention: In Windows XP we delete suspicious files(an example is visible above in the screenshot) with strange names and

with extension .exe from folders

C:\
C:\Documents and Settings\Username\Application Data
C:\Documents and Settings\Username\Local Settings
C:\Documents and Settings\Username\Local Settings\Temp- delete everything from here, this is the temporary files folder.

Windows 7 has a good level of security and in most cases will not allow changes to the registry malware and the vast majority of viruses also strive to get into the temporary files directory:
C:\USERS\username\AppData\Local\Temp, from here you can run the executable file.exe. For example, I bring an infected computer, on the screenshot we see the virus file 24kkk290347.exe and another group of files created by the system almost at the same time along with the virus; everything needs to be deleted.

There should be nothing suspicious in them; if there is, we delete them.

And also be sure to:

In most cases, the above steps will remove the banner and normal loading systems. After normal boot scan your entire computer for free antivirus scanner With latest updates- Dr.Web CureIt, download it from the Dr.Web website.

Note: You can immediately infect a normally booted system with a virus again by going online, since the browser will open all pages of sites you have visited recently, among them there will naturally be a virus site, and a virus file may also be present in the temporary folders of the browser. We find and, which you used recently at: C:\Users\Username\AppData\Roaming\Browser name, (Opera or Mozilla for example) and in one more place C:\Users\Username\AppData\Local\Your browser name, where (C:) is the partition with the installed operating system. Of course after of this action All your bookmarks will be lost, but the risk of getting infected again is significantly reduced.

Safe Mode with Command Line Support.

If after all this your banner is still alive, don’t give up and read on. Or at least go to the middle of the article and read complete information about correcting registry settings in case of infection with banner ransomware.

What should I do if I couldn’t enter safe mode? Try it Safe Mode with Command Line Support, there we do the same thing, but there is a difference V Windows commands XP and Windows 7.

Apply System Restore.
In Windows 7, enter rstrui.exe and press Enter - we get to the System Restore window.

Or try typing the command: explorer - something like a desktop will load, where you can open my computer and do everything the same as in safe mode - check your computer for viruses, look at the Startup folder and the root of the drive (C:), as well as the directory temporary files: edit the registry as necessary, and so on.

To get into Windows XP System Restore, type in the command line - %systemroot%\system32\restore\rstrui.exe,

To get into Windows XP in Explorer and the My Computer window, as in the seven, we type the command explorer.

here you first need to type the command explorer and you will be taken directly to the desktop. Many people cannot switch the default Russian keyboard layout to English in the command line using the alt-shift combination, then try shift-alt the other way around.

Already here go to the Start menu, then Run.

then select Startup - delete everything from it, then do everything you did in the root of the drive (C:), delete the virus from the temporary files directory: C:\USERS\username\AppData\Local\Temp, edit the registry as necessary ( everything is described above with details).

System Restore. Things will be a little different for us if you are unable to get into Safe Mode and Safe Mode with Command Line Support. Does this mean that you and I will not be able to use System Restore? No, this does not mean that you can roll back using restore points, even if your operating system does not boot in any mode. In Windows 7 you need to use the recovery environment; in the initial phase of booting the computer, press F-8 and select from the menu Troubleshooting your computer,

In the Recovery Options window, select System Restore again.

Now pay attention, if when you press F-8 menu Troubleshooting is not available, it means your files containing the Windows 7 recovery environment are damaged.

Is it possible to do without a Live CD? In principle, yes, read the article to the end.

Now let's think about what we will do if we cannot start System Restore by any means or it was completely disabled. First, let's see how to remove the banner using the unlock code, which is kindly provided by the companies that develop anti-virus software - Dr.Web, as well as ESET NOD32 and Kaspersky Lab, in this case you will need the help of friends. It is necessary for one of them to go to the unlocking service, for example Dr.Web

https://www.drweb.com/xperf/unlocker/

http://www.esetnod32.ru/.support/winlock/

as well as Kaspersky Lab

http://sms.kaspersky.ru/ and entered in this field the phone number to which you need to transfer money to unlock the computer and clicked on the button - Search for codes. If you find the unlock code, enter it into the banner window and click Activation or whatever it says, the banner should disappear.

Another simple way to remove the banner is to use a recovery disk or as they are also called rescues from and. The entire process from downloading, burning the image to a blank CD and checking your computer for viruses, in more detail described in our articles, you can follow the links, we won’t dwell on this. By the way, rescue disks from data from antivirus companies are not bad at all, they can be used like LiveCDs - to carry out various file operations, for example, copy personal data from an infected system or run the healing utility from Dr.Web - Dr.Web CureIt - from a flash drive. And in the ESET NOD32 rescue disk there is a wonderful thing that has helped me more than once - Userinit_fix, which corrects important registry settings on a computer infected with the banner - Userinit, branches HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

How to fix all this manually, read on.
Well, my friends, if anyone else is reading the article further, then I am very glad for you, now the fun begins, if you manage to learn and, even more so, apply this information in practice, many simple people The people you free from the ransomware banner will consider you a real hacker.

Let's not deceive ourselves, personally, everything described above helped me in exactly half of the cases where my computer was blocked by a blocking virus - Trojan.Winlock. The other half requires a more careful consideration of the issue, which is what we will do.
In fact, by blocking your operating system, it’s still Windows 7 or Windows XP, the virus makes its changes to the registry, as well as to the Temp folders containing temporary files and the C:\Windows->system32 folder. We must correct these changes. Don’t forget about the Start->All Programs->Startup folder. Now about all this in detail.

Take your time, friends, first I will describe where exactly what needs to be fixed is located, and then I will show you how and with what tools.

In Windows 7 and Windows XP, the ransomware banner affects the same UserInit and Shell parameters in the registry in the branch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
Ideally they should be like this:
Userinit - C:\Windows\system32\userinit.exe,
Shell - explorer.exe

Check everything by letter, sometimes instead of userinit you come across, for example, usernit or userlnlt.
You also need to check the AppInit_DLLs parameter in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, if you find something there, for example C:\WINDOWS\SISTEM32\uvf.dll, all this needs to be deleted.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, there should be nothing suspicious about them.

And also be sure to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (must be empty) and in general there should be nothing superfluous here either. ParseAutoexec must be equal to 1 .

You also need to delete EVERYTHING from temporary folders (there is also an article on this topic), but in Windows 7 and Windows XP they are located slightly differently:

Windows 7:
C:\Users\Username\AppData\Local\Temp. Viruses especially like to settle here.
C:\Windows\Temp
C:\Windows\
Windows XP:
From:\Documents and Settings\User Profile\Local Settings\Temp
From:\Documents and Settings\User Profile\Local Settings\Temporary Internet Files.
C:\Windows\Temp
C:\Windows\Prefetch
It will not be superfluous to look at the folder C:\Windows->system32 in both systems, all files ending in .exe and dll with the date on the day your computer was infected by the banner. These files need to be deleted.

Now watch how a beginner and then an experienced user will do all this. Let's start with Windows 7 and then move on to XP.

How to remove a banner in Windows 7 if System Restore was disabled?

Let's imagine the worst case scenario. Login to Windows 7 is blocked by a ransomware banner. System Restore is disabled. The easiest way is to log into Windows 7 using simple disk recovery (you can do it directly in the Windows 7 operating system - described in detail in our article), you can also use a simple installation disk Windows 7 or any simple LiveCD. Boot into the recovery environment, select System Restore, then select the command line

and type –notepad in it, get into Notepad, then File and Open.

We go into the real explorer, click My Computer.

We go to the folder C:\Windows\System32\Config, here we indicate the File Type - All files and see our registry files, we also see the RegBack folder,

in it, every 10 days the Task Scheduler makes a backup copy of the registry keys - even if you have System Restore disabled. What you can do here is to delete the SOFTWARE file from the C:\Windows\System32\Config folder, which is responsible for the HKEY_LOCAL_MACHINE\SOFTWARE registry hive; most often the virus makes its changes here.

And in its place, copy and paste a file with the same name SOFTWARE from the backup copy of the RegBack folder.

In most cases, this will be enough, but if you wish, you can replace all five registry hives from the RegBack folder in the Config folder: SAM, SECURITY, SOFTWARE, DEFAULT, SYSTEM.

Next, we do everything as written above - delete files from temporary Temp folders, look through the C:\Windows->system32 folder for files with the extension .exe and dll with the date on the day of infection and of course look at the contents of the Startup folder.

In Windows 7 it is located:

C:\Users\ALEX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

Windows XP:

C:\Documents and Settings\All Users\Main Menu\Programs\Startup.

How do experienced users do the same thing, do you think they use a simple LiveCD or a Windows 7 recovery disk? Far from friends, they use a very professional tool - Microsoft Diagnostic and Recovery Toolset (DaRT) Version: 6.5 for Windows 7- this is a professional assembly of utilities located on the disk and necessary system administrators For quick recovery important parameters operating system. If you are interested this tool, read our article.

By the way, it can connect perfectly to your Windows 7 operating system. By booting the computer from the disk Microsoft recovery(DaRT), you can edit the registry, reassign passwords, delete and copy files, use system recovery and much more. Without a doubt, not every LiveCD has such functions.
We boot our computer from this, as it is also called, Microsoft recovery disk (DaRT), Initialize the network connection in background, if we don’t need the Internet, we refuse.

Assign drive letters in the same way as on the target system - we say Yes, it’s more convenient to work this way.

I will not describe all the tools, since this is the topic for a large article and I am preparing it.
Let's take the first tool Registry Editor a tool that allows you to work with the registry of the connected Windows 7 operating system.

We go to the Winlogon parameter of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon branch and simply manually edit the files – Userinit and Shell. You already know what their significance should be.

Userinit - C:\Windows\system32\userinit.exe,
Shell - explorer.exe

In our case, we need to clear all temporary Temp folders; you already know how many there are and where they are in Windows 7 from the middle of the article.
But attention! Since the Microsoft Diagnostic and Recovery Toolset is fully connected to your operating system, you will not be able to delete, for example, the registry files -SAM, SECURITY, SOFTWARE, DEFAULT, SYSTEM, because they are in progress, and please make changes.

How to remove a banner in Windows XP

Again, it’s a matter of the tool, I suggest using ERD Commander 5.0 (link to the article above), as I said at the beginning of the article, it is specifically designed to solve similar problems in Windows XP. ERD Commander 5.0 will allow you to directly connect to the operating system and do everything we did with using Microsoft Diagnostic and Recovery Toolset in Windows 7.
We boot our computer from the recovery disk. We select the first option - connecting to an infected operating system.

Select the registry.

We look at the UserInit and Shell parameters in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon branch. As I said above, they should have this meaning.
Userinit - C:\Windows\system32\userinit.exe,
Shell - explorer.exe

Also look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs - it should be empty.

Next, go to Explorer and delete everything from the temporary Temp folders.
How else can you remove a banner in Windows XP using ERD Commander (by the way, this method is applicable to any Live CD). You can try to do this even without connecting to the operating system. Download ERD Commander and work without connecting to Windows XP,

in this mode, you and I will be able to delete and replace registry files, since they will not be involved in the work. Select Explorer.

Registry files in the Windows XP operating system are located in the C:\Windows\System32\Config folder. A backups The registry files created during the installation of Windows XP are located in the repair folder, located at C:\Windows\repair.

We do the same, copy the SOFTWARE file first,

and then you can do the rest of the registry files - SAM, SECURITY, DEFAULT, SYSTEM in turn from the repair folder and replace them with the same ones in the C:\Windows\System32\Config folder. Replace file? We agree - Yes.

I want to say that in most cases it is enough to replace one SOFTWARE. When replacing registry files from the repair folder, there is a good chance to boot the system, but most of the changes you made after Windows installations XP will be lost. Consider whether this method is right for you. Don't forget to remove everything unfamiliar from startup. In principle, you shouldn't delete the MSN Messenger client if you need it.

And the last way for today to get rid of the ransomware banner using the ERD Commander disk or any Live CD

If you had System Restore enabled in Windows XP, but you can’t apply it, you can try this. Go to the C:\Windows\System32\Config folder containing the registry files.

Use the slider to open the full file name and delete SAM, SECURITY, SOFTWARE, DEFAULT, SYSTEM. By the way, before deleting them, you can copy them somewhere just in case, you never know. You might want to play it back.

Next we go to the folder System Volume Information\_restore(E9F1FFFA-7940-4ABA-BEC6- 8E56211F48E2)\RP\ snapshot, here we copy files that are backup copies of our registry branch HKEY_LOCAL_MACHINE\
REGISTRY_MACHINE\SAM
REGISTRY_MACHINE\SECURITY
REGISTRY_MACHINE\SOFTWARE
REGISTRY_MACHINE\DEFAULT
REGISTRY_MACHINE\SYSTEM

Paste them into the folder C:\Windows\System32\Config

Then we go to the Config folder and rename them, deleting REGISTRY_MACHINE\, thereby leaving the new registry files SAM, SECURITY, SOFTWARE, DEFAULT, SYSTEM.

Then we delete the contents of the Temp and Prefetch folders, and delete everything from the Startup folder as shown above. I will be glad if it helps someone. In addition to the article, a short and interesting one was written, you can read it.