• Remove virus banner. We remove the banner from the computer ourselves

    Lately, computers have increasingly been infected with the so-called ransomware virus (Trojan.Winlock), which demands a paid SMS to unlock the machine. In this article you will learn how you can get rid of this virus absolutely free. In situations where antivirus sites do not open, download and run this utility.

    Method 1. For the case when Windows boots and a banner appears on the screen.

    The easiest way to get rid of a virus on your desktop is to go to the website of the antivirus software developer Kaspersky Lab and use the form to obtain an unlock key. A similar operation can be performed on the Doctor Web website. After the banner disappears from your desktop, be sure to scan your computer for viruses.

    Sequence of actions:
    1. Go to the Kaspersky Lab or Doctor Web website and use the unlock key.

    Method 2 and the following methods are for cases when the UNLOCK KEY DOES NOT WORK.

    If a banner appears on the desktop when you turn on your computer, use the free virus-removal utility CureIt or the Kaspersky Virus Removal Tool. These cleaning utilities can be run even if you already have another antivirus installed on your computer.

    Sequence of actions:

    Download and run the CureIt utility or the Kaspersky Virus Removal Tool.

    Method 3. For the case when Windows does not boot.

    If, when you turn on the computer, instead of loading the operating system, an offer to part with a couple of hundred rubles appears on the monitor screen, boot the computer in safe mode. To do this, restart your computer and repeatedly press the "F8" key on your keyboard. After a few seconds you will be asked to select a Windows boot option. Select "Safe Mode with Networking". Next, get rid of the virus using one of the methods described above.

    Sequence of actions:
    1. Boot into Safe Mode
    2. Remove the banner using a key from the Kaspersky Lab or Doctor Web site.
    3. Restart your computer.
    4. Scan your computer for viruses.

    Method 4. For the case when Windows does not boot in safe mode.

    In a situation where you need to remove a banner from the desktop and the operating system does not boot in either normal or safe mode, the best option is either a second home computer or a neighbor's computer. If one is available, do everything as in the "first or second method". It also helps if you have a LiveCD (for example, the LiveCD from Dr.Web): by booting from it you can check your computer for viruses. Almost all antivirus programs with the latest updates can clean the desktop banner from the computer.

    Sequence of actions:
    1. Enter the unlock key with the help of another computer, or boot from a LiveCD (from Dr.Web or from Kaspersky Lab).
    2. Scan your computer for viruses.

    Method 5 for removing the banner.

    For Windows 7: after pressing the Win + U keys, click on the link "Help with settings" - "Privacy Statement". Then go to step 5.

    1. After your computer starts, press the Windows key + U.
    2. Select On-Screen Keyboard and click "Run".
    3. Click "Help" - "About"
    4. In the window that appears at the bottom, select “Microsoft Web Site”
    5. In the address field, write http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
    6. A file save window will pop up, save to your desktop.
    7. In the browser, click “File” - “Open” - “Browse” at the top.
    8. On the left, click "Desktop". At the very bottom “File type” - “All files”
    9. Find the downloaded program and run it.
    10. Select Full Scan.

    Method 6 for removing the banner.

    If the banner appears before the desktop loads, the screen is locked.

    1. Press Ctrl+Shift+Esc until the Task Manager starts blinking.
    2. Without releasing the Ctrl+Shift+Esc keys, click "End Task" in Task Manager.
    3. In Task Manager, click "New Task" and enter "regedit".
    4. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    5. Go to the right pane of the Registry Editor and check the two parameters "Shell" and "Userinit". The Shell parameter value must be "Explorer.exe". The Userinit parameter must be "C:\WINDOWS\system32\userinit.exe," (no spaces, always a comma at the end)!
    6. If the "Shell" and "Userinit" parameters are OK, find the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options section and expand it. If there is a subkey explorer.exe, delete it (Right click => Delete).
    7. Restart your computer.
    8. Be sure to check your computer for viruses.

    If unsuccessful, repeat this method in safe mode.

    If none of the above methods help you, you can contact our company at

    Most users sooner or later encounter ransomware banners. They appear on the desktop and demand money from the user to remove them. Very often they also contain various kinds of threats: complete deletion of information from the computer, criminal prosecution for some actions on the Internet, and similar nonsense. You shouldn't believe any of it; all these messages are intended only to put as much pressure on the user as possible so that he quickly goes and deposits money on the specified number or sends an SMS.

    However, you shouldn't do this; in the vast majority of cases, it won't help at all. It is also not worth completely reinstalling the system, especially if this is suggested by a specialist you called in. Most likely, in this way they are trying to get more money from you for additional services. Also, you should not rely on programs for generating codes; they often cannot find a code for one simple reason: such a code does not exist, since it is not profitable for the extortionists if the user can get rid of their creation so easily. This article provides several ways to get rid of the pest on your desktop; however, if the blocker appears before Windows loads, these tips will not work.

    Using the registry editor to remove the banner

    To run the required utility you will need to restart your computer. Immediately after the BIOS starts, before Windows loads, press F8 several times. This will bring up the boot options screen.

    Select safe mode with command line support, then wait a while until the command line starts. Enter regedit.exe in it to launch the required utility. In the editor, follow the path HKEY_CURRENT_USER - Software - Microsoft - Windows - CurrentVersion - Run.

    Here you need to find all utilities that are unknown to you or have suspicious names. They all start together with the system, so it is worth getting rid of all suspicious entries. There is no need to be afraid of deleting something critical; utilities can be returned to startup later. Do the same for the same path under HKEY_LOCAL_MACHINE.

    You also need to check the key HKEY_CURRENT_USER - Software - Microsoft - Windows NT - CurrentVersion - Winlogon. There should be no Shell and Userinit values here. If there are, erase them. After this, go to the key HKEY_LOCAL_MACHINE - Software - Microsoft - Windows NT - CurrentVersion - Winlogon. These values should be present here. The first should be explorer.exe, and the second should contain the path C:\Windows\system32\userinit.exe.

    After this, the program can be closed. In the command line you can type explorer.exe, which will take you to the desktop. There you can delete all suspicious and unknown files, after which you should reboot the device. If it is not possible to start the computer in safe mode, you can use one of the LiveCDs that provide access to a registry editor.

    Removing the blocker from the boot area before Windows boots

    This doesn't happen often, but it is still possible. In this case you definitely won't be able to get by with the built-in utilities; you will need a LiveCD. However, if the user has XP installed and has the installation disk available, it can be used instead. When the installer offers to proceed to recovery, agree. In the console that appears, enter one of the commands: FIXBOOT if there is only one disk and it is not partitioned, or FIXMBR if it is partitioned. You will then need to confirm the action.

    For other systems you will have to use a LiveCD, perhaps one of those given in the next section. You will also have to download the program BOOTICE and put it on the same media as the recovery disk. After booting from it, run the utility, select your hard drive, press Process MBR, click on the desired section, select Install/Config, and then click OK. After this, the boot sector will be restored and the user will be able to boot the computer without banners.

    Third-party utilities for removing blocker virus

    You can use disk images that will do everything for the user. For example, it contains an unlocking program. All you need is to burn the image to a flash drive. Boot from it and launch the application, then follow its instructions.

    Other antivirus software manufacturers also have similar utilities, for example, Dr.Web LiveCD, AVG Rescue, Vba32 Rescue Image. You can download any of them and unlock the system.

    The most unpleasant banner is one that blocks the desktop and any actions with it, the so-called Winlock. Let's consider options for solving this problem.

    As I already said, under no circumstances do we send SMS to short numbers, deposit money through a terminal, or wait for a password on the terminal receipt. The first thing to do is try to boot your computer in safe mode.

    Option 1. This is done as follows: when you turn on the computer, after the BIOS splash screen, press the F8 key.

    A list of boot options will appear. Choose Safe Mode and press ENTER. If everything is fine and the computer was able to start, click START - ALL PROGRAMS - ACCESSORIES - SYSTEM TOOLS - SYSTEM RESTORE and try to return the computer to a date when the beggar banner was not yet there. If it works and the banner disappears - HURRAY!!! If it remains in place, move on to the next point.

    Option 2. In the RUN box (click START - RUN and type in the field) enter "msconfig". A window with Windows boot options will open. On the STARTUP tab, look for suspicious or unfamiliar programs that start automatically and uncheck them. Click APPLY and restart the computer. Please note that these operations must be performed as the system administrator, i.e. when loading Safe Mode, log in as the computer administrator - it is shown under the user name. The banner has disappeared - HURRAY!!! If it remains in place, move on to the next point.

    Option 3. Boot into Safe Mode again. In the RUN box, type "regedit". The Registry Editor will launch. ATTENTION! Here you need to be extremely careful not to delete or change anything unnecessary, otherwise all attempts to bring the computer back to life may come to naught and your only option will be number "X" - reinstalling Windows. So let's get started. We look for the path

    in it we look for the subsections "explorer.exe" and "iexplore.exe". If there are any, we mercilessly delete them (to do this, right-click on the subsection, in this case "explorer.exe", select DELETE and, when asked to confirm deletion, click YES); if not, proceed further. Now let's check the launch parameters of "explorer.exe". To do this, we look for the path

    _____________________________________________________________

    banner from the desktop of your personal computer, download the LiveCD program on another computer (http://www.freedrweb.com/livecd), write it to a disc and insert it into the infected computer. Reboot your PC and the program will start automatically. This software will scan the system and cure it.

    If the LiveCD program did not help you, you can use the following method. Go to the websites of antivirus manufacturers, for example Kaspersky (http://support.kaspersky.ru/viruses/deblocker), Doctor Web (http://www.drweb.com/unlocker/index) or nod32 (http://www.esetnod32.ru/.support/winlock/), and enter the number to which you are asked to send the SMS, or the message code. You will be given a number of codes with which you can remove the banner.

    The banner can also be removed from the desktop using System Restore. Open the "Task Manager" by pressing Ctrl+Alt+Delete. Next, call the command line. Enter the following command: %systemroot%\system32\restore\rstrui.exe and press Enter.

    After removing the virus, update your antivirus program and completely scan your computer.

    Despite the huge number of existing antivirus programs, viruses on the Internet continue to exist and evolve. About six years ago, ransomware viruses began to actively spread, one of which was a porn banner.

    Instructions

    This banner usually appears in the browser or on the desktop, staying on top of other windows. It not only causes moral distress but also blocks some functions of the operating system. If the banner appears exclusively in the browser, just reset the settings of your web browser.

    For Internet Explorer, carefully check the active add-ons; the subsection is located in the "Tools" menu. It is not easy to identify the malicious one by eye, so you can proceed by trial and error: disable add-ons one at a time and check the result by restarting the browser.

    In Opera, a malicious banner registers itself in the user JavaScript files folder, the setting for which must be changed. To do this, open the "Tools" menu, "Settings" submenu. Select the "Advanced" tab, "Content" section. Click the "JavaScript Settings" button and, in the window that appears, clear the "User JavaScript files folder" field. You also need to follow the path specified in this field and delete all files with the .js extension or the entire uscripts folder, if there is one.

    After restarting the computer, the monitor displays a request to send a paid SMS, or to deposit money into a mobile phone account?

    Meet it: this is what a typical ransomware virus looks like! This virus takes thousands of different forms and hundreds of variations. However, it is easy to recognize by a simple sign: it asks you to put money on (or call) an unknown number, and in return promises to unlock your computer. What to do?

    First, realize that this is a virus whose goal is to suck as much money out of you as possible. That is why you should not give in to its provocations.

    Remember a simple thing: do not send any SMS. They will withdraw all the money that is on the balance (usually the request says 200-300 rubles). Sometimes they require you to send two, three or more SMS. Remember, the virus will not go away from your computer, whether you send money to scammers or not. Trojan.Winlock will remain on your computer until you remove it yourself.

    The action plan is as follows: 1. Remove the block from the computer 2. Remove the virus and treat the computer.

    Ways to unlock your computer:

    1. Enter the unlock code. The most common way to deal with an obscene banner. You can find the code here: Dr.Web, Kaspersky, Nod32. Don't worry if the code doesn't work, move on to the next step.

    2. Try booting into Safe Mode. To do this, after turning on the computer, press F8. When the boot options window appears, select “safe mode with driver support” and wait for the system to boot.

    2a. Now try to restore the system (Start - Accessories - System Tools - System Restore) to an earlier restore point.
    2b. Create a new account. Go to Start - Control Panel - Accounts. Add a new account and restart the computer. When you turn it on, select the newly created account. Let's move on to .

    3. Try Ctrl+Alt+Del: the Task Manager should appear. Launch the cleaning utilities through the Task Manager (select File - New Task and our programs). Another way is to hold down Ctrl + Shift + Esc and, while holding these keys, search for and end all strange processes until the desktop is unlocked.

    4. The most reliable way is to install a new OS (operating system). If you absolutely need to keep the old OS, then we will look at a more labor-intensive way to deal with this banner. But no less effective!

    Another way (for advanced users):

    5. Boot from a LiveCD that has a registry editing program. Once the system has booted, open the registry editor. In it we will see the registry of the current system and that of the infected one (its branches on the left side are displayed with a label in brackets).

    We find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - there we look for Userinit - and delete everything after the comma. ATTENTION! The file "C:\Windows\system32\userinit.exe" itself MUST NOT be deleted.

    Look at the value of the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; it should be explorer.exe. We're done with the registry.

    If the error "Editing the registry is prohibited by the system administrator" appears, download the AVZ program. Open "File" - "System Restore", check "Unlock Registry Editor", then click "Perform selected operations". The editor is available again.

    We launch Kaspersky removal tool and Dr.Web CureIt and scan the entire system with them. All that remains is to reboot and restore the BIOS settings. However, the virus has NOT been removed from the computer yet.

    Treating your computer from Trojan WinLock

    For this we need:
    - ReCleaner registry editor
    - the popular Kaspersky removal tool antivirus
    - famous antivirus Dr.web cureit
    - effective antivirus Removeit pro
    - Plstfix registry repair utility
    - Program for removing temporary files ATF cleaner

    1. It is necessary to get rid of the virus in the system. To do this, launch the registry editor. Go to Menu - Tasks - Launch Registry Editor. You need to find:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - there we look for the Userinit parameter and delete everything after the comma. ATTENTION! The file "C:\Windows\system32\userinit.exe" itself MUST NOT be deleted.

    Look at the value of the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; it should be explorer.exe. We're done with the registry.

    Now select the "Startup" tab. We look through the startup items, check the boxes and delete (lower right corner) everything that you did not install, leaving only desktop and ctfmon.exe. The remaining svchost.exe and other .exe processes from the windows directory must be removed.
    Select Task - Clean the registry - Use all options. The program will scan the entire registry and delete everything permanently.

    2. To find the code itself, we need the following utilities: Kaspersky, Dr.Web and RemoveIT. Note: RemoveIT will ask you to update the virus signature databases. An Internet connection must be established while it is being updated!
    We scan the system disk with these programs and delete everything they find. If you wish, you can check all the computer's drives just in case. It will take much longer, but it is more reliable.

    3. The next utility is Plstfix. It restores the registry after our actions on it. As a result, the task manager and safe mode will start working again.

    4. Just in case, delete all temporary files. Copies of the virus are often hidden in these folders, and even well-known antiviruses may fail to detect them there. It is better to manually remove anything that will not significantly affect the operation of the system. Install ATF Cleaner, mark everything and delete it.

    5. Reboot the system. Everything works, even better than before :).
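
    The registry checks described above (Winlogon Shell and Userinit under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, the Image File Execution Options subkey explorer.exe, and the Run startup keys) can also be run against an exported .reg file, for example one saved from the infected system's registry while booted from a LiveCD. The script below is an added example, not part of the original articles; it assumes Windows is installed on C: as in the text, and the sample export and the name banner-example.exe are constructed.

```python
import re

# Key paths from the page, lower-cased; the hive prefix is handled separately.
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
IFEO_EXPLORER = (r"software\microsoft\windows nt\currentversion"
                 r"\image file execution options\explorer.exe")
RUN = r"software\microsoft\windows\currentversion\run"
VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse .reg export text into {lower-cased key: {lower-cased name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            # String values only; .reg files escape backslash and quote.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def audit(text):
    """Return (check, observed value) pairs that deviate from the page's baseline."""
    findings = []
    for path, values in parse_reg(text).items():
        hive, _, sub = path.partition("\\")
        if sub == WINLOGON and hive == "hkey_local_machine":
            expected = {"shell": "explorer.exe",
                        "userinit": r"c:\windows\system32\userinit.exe,"}
            for name, want in expected.items():
                if values.get(name, "").lower() != want:
                    findings.append((f"HKLM Winlogon {name}", values.get(name, "")))
        elif sub == WINLOGON and hive == "hkey_current_user":
            findings += [(f"HKCU Winlogon {n}", values[n])
                         for n in ("shell", "userinit") if n in values]
        elif sub == IFEO_EXPLORER:
            findings.append(("IFEO subkey explorer.exe", values.get("debugger", "")))
        elif sub == RUN:  # not a verdict: every startup entry is listed for review
            findings += [(f"Run entry ({hive})", f"{n} = {d}") for n, d in values.items()]
    return findings

# Constructed sample export; banner-example.exe is a placeholder name.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\Public\\banner-example.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\banner-example.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="banner-example.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="banner-example.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\Windows\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for check, observed in audit(SAMPLE):
        print(f"{check}: {observed!r}")
```

    A real export written by the Registry Editor is UTF-16 text, so read it with open(path, encoding="utf-16") before passing it to audit().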