
Effective methods for removing a ransomware banner (winlocker): how to get rid of the banner from your computer on your own

Computer viruses become more sophisticated every year. Some exist to extort money from people, others to destroy the system or steal data. There is also a class of infection that merely pushes advertising and gets in the way of normal use of the PC. Banners are the least dangerous of these; they are essentially spam, but they can still cause plenty of trouble. How to remove a banner in each of these cases is the subject of this article. It is also worth looking at how to protect the OS and where a banner virus is typically picked up.

Danger is near

First, let us look at the sources from which this computer "infection" spreads. It is always easier to prevent an infection than to cure the OS afterwards.

Today, spam, trojans and other malware can get onto a PC:

  • through e-mail messages and their attachments;
  • while visiting certain websites;
  • through "hacker" tools (cracks, keygens and the like);
  • while downloading files;
  • by installing software from untrusted sources.

This is the most common list of risky places. Malware is also actively spread through torrents, so such software should be used with caution.

Types of viruses

How to remove the banner? Before taking decisive action, the user must find out what specific infection he is dealing with, because the next steps depend on it.

Users report the following types of banners:

  • demanding that money be sent to a phone number;
  • demanding that a paid SMS be sent;
  • demanding that an account be topped up through a payment terminal;
  • demanding a money transfer through social networks;
  • flooding the desktop with advertisements;
  • opening pages and new banners in browsers.

The last two are the least dangerous and are often simply called spam. Getting rid of them is easier than you might think. But first, let us look at the harder cases.

Safe Mode - Login

How to remove an advertising banner that blocks access to the operating system? Such programs typically demand money for access to Windows. But even after payment no unlock follows: after a restart the user sees the same banner again.

There are several ways to get rid of such an infection. One is Windows Safe Mode. The user needs to:

  1. Restart the computer (or simply turn it on).
  2. Press F8 repeatedly while it boots.
  3. In the boot menu select "Safe Mode with Command Prompt".
  4. In the command prompt window that opens instead of the desktop, type regedit and press Enter.
  5. In the Registry Editor, navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

How to remove the banner? Once there, the user has to check the data in this key carefully.

Checking the data

What does this involve? At the path given above, look at the following values in the right-hand pane:

Shell - must contain "explorer.exe" and nothing else;

Userinit - must contain "C:\Windows\system32\userinit.exe," (the trailing comma is part of the normal value; if Windows is installed on another drive, the letter differs).

Then check the per-user counterpart:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

Normally there are no Shell or Userinit values here at all; anything found is removed. After that, delete any entries you do not recognise under the following autostart keys (note what each one points to before deleting it, so the file can be removed later):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run;

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce;

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run;

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.

But that is not enough. To remove the ransomware banner, the system also has to be cleaned. How?

About cleaning the OS in safe mode

There is nothing special or obscure about the procedure. Just follow these steps.

  1. From the same command prompt used to open "regedit", run the cleanmgr command.
  2. Select the partition on which the OS is installed.
  3. Let it scan.
  4. Check all boxes except "Backup files..." (the Windows update backup files).
  5. Click "OK".

It remains only to wait. A few minutes later the user will have access to the operating system. That is no reason to rejoice yet: the actions above most likely only disabled the virus's autostart and removed its temporary copies. Now the virus itself has to be removed.

Remove disabled ransomware

How to remove a banner from a computer? To clean the operating system of the now-disabled virus you can use additional free utilities, of which there are many. They work on the antivirus principle: run the program, scan, and remove the dangerous objects. Where possible, the software can also "cure" or fix infected files automatically.

To remove ransomware banners, the following programs are a good choice:

  • "AntiVinLokerCD";
  • the AVZ utility.

This software is very easy to use. Now it is clear how to remove the ransomware banner.

"Kaspersky" to the rescue

But this is only one scenario. Modern users can use various methods of treating the computer.

You can disable the ransomware and get rid of it using the Kaspersky Deblocker service. This free service quickly deals with various banners; the main requirement is access to a web browser, and the operations can be performed from a computer that is not infected.

The procedure comes down to the following steps:

  1. Open sms.kaspersky.com in any browser.
  2. Enter the phone number or account number shown in the extortionist's banner.
  3. Enter the text the banner asks you to send.
  4. Click the "Get code..." button.
  5. Try each of the unlock codes returned.

That is all. By trying the available codes, the user can get rid of the ransomware. Such services only cover banners whose codes have already been collected, so if none of the codes works, move on to the other methods.

Browser attack

How to remove a pop-up banner in the browser? The procedures above help clean the PC of ransomware. But most often people face ordinary adware. It opens ads and banners in browsers, steals personal data, and loads the CPU.

Accordingly, this virus also has to be removed, and this can be done in several ways. Below are the most common scenarios; the suggested tips will help even a novice user quickly put things right.

Extra software away!

The user should:

  1. Open "Start" - "Control Panel".
  2. Select "Uninstall a program".
  3. Examine the displayed list.
  4. Find any suspicious or unnecessary components, for example "Baidu" or "Casino Volcano".
  5. Right-click each one and choose "Uninstall".
  6. Follow the on-screen instructions to complete the uninstall wizard.

The first phase of the fight against adware on the PC is complete. What next?

Processes and viruses

Now it is worth looking at which processes are running in the operating system. Some of them may be malicious. If they are not stopped, there is no point in asking how to remove advertising banners in the browser: after the first restart of the PC the adware will simply be restored.

How to remove a banner from a computer? Programs uninstalled? Then:

  1. Press Ctrl + Alt + Del.
  2. Select "Task Manager".
  3. Go to the "Processes" tab.
  4. Select each suspicious or unfamiliar process (right-click it and choose "Open file location" first, to note where its file lives so it can be deleted afterwards).
  5. Click "End Process".

A warning will appear saying that terminating processes can destabilise the OS. Accept it and stop the suspicious processes.

Clear cache and history

How to remove banners in the browser? It is not the simplest, but quite an accessible operation. Sometimes it is enough to clear the browser history and cache.

In all browsers the list of visited pages is found in the settings. For example:

  1. Open the settings in Chrome or Yandex Browser.
  2. Go to the "History" section.
  3. Click "Clear history".
  4. Check the boxes for "All time" and "Cache".

In some browser versions you first have to find the "Advanced" section of the settings; it contains both history and cache data.

In older versions of Opera, clearing these comes down to finding and deleting the profile folder at:

C:\Documents and Settings\username\Application Data\Opera.

Mozilla Firefox is another popular browser. Resetting its settings is done as follows:

  1. Open the browser menu.
  2. Open the Help menu.
  3. Click "Troubleshooting Information".
  4. Click "Refresh Firefox" (called "Reset Firefox" in older versions).

Now all that remains is to restart the browser. Everything working? Then nothing else needs to be done. But what if ads and banners still appear?

Shortcut properties

For example, checking the browser shortcut's properties helps some users. To remove a banner ad, the user should:

  1. Select the shortcut of the browser in use.
  2. Right-click it.
  3. Open "Properties".
  4. On the "Shortcut" tab, look at the "Target" line.
  5. Erase everything written after the browser's executable file (the .exe path, including its closing quotation mark). Adware appends a URL or an extra file here so that the browser opens the advertising page at every start.
  6. Save the changes.

These actions apply to every browser. Afterwards it is best to restart the computer.
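The check in step 5 can be automated when many shortcuts have to be examined (for instance across every user profile and the Start menu). The following Python function is an added example, not part of the original article: it splits a shortcut's Target string into the executable and whatever was appended to it, and classifies the result. The sample targets in it are constructed, and the list of script extensions treated as a hijack is an assumption.

```python
"""Classify a browser shortcut's Target line (added example, not from the article).

Adware rewrites the Target field so the browser is started with an advertising URL,
a .url/.html file, or is replaced by a script that launches the browser itself.
Feed audit_shortcut_target() the Target string shown in the shortcut's Properties.
"""
import re

# Extensions that should never be the "executable" of a browser shortcut (assumption).
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".url", ".hta")
URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)


def split_target(target):
    """Split a Target string into (executable path, trailing arguments).

    A quoted path ends at its closing quote; an unquoted one ends at the first space.
    """
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        if end == -1:                       # unterminated quote: treat the rest as the path
            return target.strip('"'), ""
        return target[1:end], target[end + 1:].strip()
    exe, _, args = target.partition(" ")
    return exe, args.strip()


def audit_shortcut_target(target):
    """Return (verdict, exe, args, cleaned_target).

    verdict: "hijacked" when the launch goes through a URL/page or a script,
             "review"   when other arguments are present (may be a legitimate profile flag),
             "clean"    when only the executable is launched.
    cleaned_target is the quoted executable alone, or None when the executable itself
    is a script and the real browser path must be restored by hand.
    """
    exe, args = split_target(target)
    if exe.lower().endswith(SCRIPT_EXTENSIONS):
        return "hijacked", exe, args, None
    cleaned = f'"{exe}"'
    if not args:
        return "clean", exe, args, cleaned
    if URL_RE.search(args) or args.lower().endswith((".url", ".html", ".htm")):
        return "hijacked", exe, args, cleaned
    return "review", exe, args, cleaned


# Constructed sample Target strings (paths and URLs are made up for the demo).
SAMPLE_TARGETS = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" http://example.net/promo',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -P default',
    r'C:\Windows\notepad.exe C:\Users\Public\ad.url',
    r'"C:\Users\Public\start.bat"',
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        verdict, exe, args, cleaned = audit_shortcut_target(target)
        print(f"{verdict:8} exe={exe!r} args={args!r} fix={cleaned!r}")
```

On a live system the Target of a .lnk file can be read without the GUI: in PowerShell, `(New-Object -ComObject WScript.Shell).CreateShortcut($path)` exposes `TargetPath` and `Arguments`, which map onto the executable and argument halves this function separates.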

The hosts file

How to remove a banner from a computer? Some viruses write themselves into the hosts file, so it has to be looked at too.

The user needs to go to:

C:\Windows\System32\drivers\etc.

  1. Open the "hosts" file with Notepad (run Notepad as administrator, otherwise the changes cannot be saved).
  2. Delete every active (non-comment) line; on a clean Windows the file contains only lines beginning with "#".
  3. Save the modified file.
  4. Delete any duplicate "hosts" files, if any (malware sometimes creates a fake copy, hidden or with a different extension; enable showing hidden and system files to see them).

In some cases it is easier to select the file and delete it with Shift + Delete; Windows works without a hosts file. Check the bottom of the file as well: malware may pad it with many blank lines so that its entries are out of sight.
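Rather than wiping the file blindly, it helps to see what the infection actually put there: a hosts entry that sends an antivirus vendor's domain to 127.0.0.1 explains why the cure could not be downloaded. The following Python script is an added example, not taken from the article. It parses a hosts file, reports every active mapping with a reason, and produces a cleaned copy that keeps only the comment lines Windows ships with. The hosts text and the list of watched domains are constructed for the demo.

```python
"""Audit a Windows hosts file for entries planted by a banner/adware infection.

Added example, not from the article. A clean Windows hosts file contains only comment
lines, so every active mapping deserves a look. On a real machine read
%SystemRoot%\\System32\\drivers\\etc\\hosts (from a rescue environment if Windows is locked).
"""
import ipaddress

# Domains whose redirection is typical winlocker/adware self-defence (assumed list, extend as needed).
WATCHED_DOMAINS = ("kaspersky.com", "drweb.com", "eset.com", "avast.com",
                   "microsoft.com", "windowsupdate.com", "vk.com")
# The only names a default hosts file ever mapped to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (line_number, address, [hostnames]) for every active line; comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:
            entries.append((lineno, parts[0], parts[1:]))
    return entries


def _is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return findings as (line_number, address, hostname, reason) tuples."""
    findings = []
    for lineno, address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((lineno, address, " ".join(names), "malformed address"))
            continue
        for name in names:
            host = name.lower()
            if addr.is_loopback and host in LOOPBACK_NAMES:
                continue
            if _is_watched(host):
                if addr.is_loopback or addr.is_unspecified:
                    reason = "security/update site blackholed"
                else:
                    reason = f"security/update site redirected to {address}"
            else:
                reason = "non-default entry; verify"
            findings.append((lineno, address, host, reason))
    return findings


def clean_hosts(text):
    """Return the file with every active mapping removed and the comment lines kept."""
    kept = [raw for raw in text.splitlines() if not raw.split("#", 1)[0].strip()]
    lines, blank = [], 0
    for raw in kept:                                # collapse the blank-line padding malware
        blank = blank + 1 if not raw.strip() else 0  # uses to push its entries out of sight
        if blank <= 1:
            lines.append(raw)
    return "\n".join(lines) + "\n"


# Constructed sample: Microsoft's comment header, then entries a winlocker might add
# after 60 blank lines so that Notepad shows an apparently empty file.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1 localhost
""" + "\n" * 60 + """127.0.0.1 kaspersky.com www.kaspersky.com
127.0.0.1 sms.kaspersky.com update.drweb.com   # stop the cure from downloading
203.0.113.7 vk.com
0.0.0.0 example.org
"""

if __name__ == "__main__":
    for lineno, address, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {address} -> {host}: {reason}")
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS))
```

The clean copy can be written back in place of the original once the findings have been reviewed; any legitimate entries you added yourself (for a development host, say) must be re-added by hand.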

Antiviruses come to the rescue

Need to figure out how to remove a banner from Yandex Browser? If the tips above did not work, move on: scan the computer for viruses.

To do so, start the antivirus and click "Full scan" (or "Deep scan"). Any product will do: "Kaspersky", "NOD32", "Avast". When the scan finishes, treat all the potentially dangerous objects found, and delete whatever cannot be cured.

These operations are started through the standard antivirus controls, so no special skill or knowledge is required.

Computer registry must be clean

We have looked at how to remove the banner. What other tips help with this task?

To clean the registry automatically:

  1. Launch CCleaner.
  2. Open the "Registry" section.
  3. Click "Scan for Issues".
  4. Select "Fix selected issues" once the scan completes.

After the procedure the registry is cleared of orphaned entries left behind by the uninstalled adware (this does not replace an antivirus scan: a registry cleaner does not look for malware). Reboot the OS and check the result. All browsers must be closed while the utility works.

Extreme measures

But that is not all. To answer how to remove a pop-up banner in the browser, some people are prepared to take extreme measures. Usually it does not come to that, but such options should not be ruled out. What are they?

To get rid of any virus in the browser you can simply uninstall the browser together with all its user data. Reinstalling (not to be confused with updating) the software restores a working copy. Before uninstalling, back up the bookmarks if there are any.

In some cases the operating system is restored by rolling it back. This is done with standard Windows tools: "Start" - "All Programs" - "Accessories" - "System Tools" - "System Restore". Following the on-screen instructions, the "victim" restores the system in a few minutes.

The last way to get rid of banners, and of viruses in general, is a complete reinstallation of Windows. This requires installation media. During the process it is recommended to format the hard disk completely. This is the surest way to get rid of every infection present on the disk.

Winlocker trojans are a type of malware that blocks access to the desktop and extorts money from the user: supposedly, if he transfers the required amount to the attacker's account, he will receive an unlock code.

If, when you turn on the PC, you see a banner instead of the desktop (screenshot omitted), or something else in the same vein, with threatening text and sometimes obscene pictures, do not rush to accuse your loved ones of all sins. They, or perhaps you yourself, fell victim to the Trojan.Winlock ransomware.

How do ransomware blockers get on a computer?

Most often, blockers get onto the computer in the following ways:

  • through cracked programs and tools for cracking paid software (cracks, keygens, etc.);
  • via links in social-network messages, supposedly from acquaintances but actually sent by intruders from hijacked accounts;
  • from phishing sites that imitate well-known resources but were created specifically to spread malware;
  • by e-mail, as attachments to messages with intriguing subjects: "you are being sued...", "you were photographed at a crime scene", "you have won a million", and the like.

Attention! Pornographic banners are not always picked up on porn sites. Perfectly ordinary sites can serve them too.

Another kind of ransomware, browser blockers, is spread the same way (screenshot omitted).

They demand money for access to web browsing.

How to remove the banner "Windows is blocked" and the like?

When the desktop is locked and the banner prevents any program from starting, you can:

  • boot into Safe Mode with Command Prompt, start the Registry Editor and delete the banner's autorun entries;
  • boot from a Live CD, for example ERD Commander, and remove the banner both through the registry (autorun entries) and through the file manager (files);
  • scan the system from an antivirus boot disk such as Dr.Web LiveDisk or Kaspersky Rescue Disk 10.

Method 1. Removing the winlocker from Safe Mode with Command Prompt.

So, how to remove a banner from a computer via the command prompt?

On Windows XP and 7, press F8 repeatedly before the system starts and select "Safe Mode with Command Prompt" from the menu (Windows 8/8.1 has no such menu, so you have to boot from the installation disk and open a command prompt from there with Shift + F10).

Instead of a desktop, a console will open. To launch the Registry Editor, type regedit in it and press Enter.

Next, find the virus's entries in the Registry Editor and fix them.

Most often, ransomware banners register themselves in these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - here they change the Shell, Userinit and UIHost values (the last exists only in Windows XP). Restore them to normal:

  • Shell = explorer.exe
  • Userinit = C:\WINDOWS\system32\userinit.exe, (C: is the system partition letter; if Windows is on drive D, the path starts with D:)
  • UIHost = LogonUI.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows - check the AppInit_DLLs value. Normally it is absent or empty; a DLL listed here is loaded into every process that uses user32.dll.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - here the ransomware creates a new value whose data is the path to the blocker file. The value name can be a random string of letters, such as dkfjghk. Delete it entirely.

The same applies to the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices (Windows 9x/ME only)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

To fix a value, right-click it, select "Modify", enter the new data and click OK.

After that, restart the computer in normal mode and run an antivirus scan; it will remove the ransomware files from the hard disk.

Method 2. Removing a winlocker using ERD Commander.

ERD Commander contains a large set of Windows recovery tools, including for systems hit by blocker trojans. Using its built-in registry editor (ERD Registry Editor) you can perform the same operations described above.

ERD Commander is indispensable when Windows is blocked in all modes. Copies of it are distributed illegally, but they are easy to find online.

ERD Commander kits for all Windows versions are called MSDaRT (Microsoft Diagnostics and Recovery Toolset) boot disks; they come as ISO images, which is convenient for burning to DVD or writing to a USB flash drive.

After booting from such a disk, select your version of the system, go to the tools menu and open the registry editor.

On Windows XP the procedure differs slightly: open the Start menu, select Administrative Tools and then Registry Editor.

After editing the registry, boot Windows again; most likely you will no longer see the "Computer is locked" banner.

Method 3. Removing the blocker using the anti-virus "rescue disk".

This is the easiest but also the slowest unlocking method. Burn the Dr.Web LiveDisk or Kaspersky Rescue Disk image to a DVD, boot from it, start a scan and wait for it to finish. The virus will be removed.

Dr.Web and Kaspersky discs are equally effective at removing banners from a computer.

How to protect your computer from blockers?

  • Install a reliable antivirus and keep it running at all times.
  • Scan every file downloaded from the Internet before launching it.
  • Do not click unknown links.
  • Do not open e-mail attachments, especially in messages with intriguing text, even from friends.
  • Keep track of which websites your children visit; use parental controls.
  • Where possible, do not use pirated software: many paid programs can be replaced with safe free ones.

After restarting the computer, the monitor shows a demand to send a paid SMS or to deposit money into a mobile phone account?

Meet a typical ransomware virus! It takes thousands of forms and hundreds of variations, but it is easy to recognise by one simple sign: it asks you to put money on (or call) an unknown number and promises to unlock the computer in return. What to do?

First, realise that this is a virus whose purpose is to squeeze as much money out of you as possible. So do not give in to its provocations.

Remember one simple thing: do not send any SMS. They will take all the money on your balance (the demand usually names 200-300 rubles), and sometimes they demand two, three or more messages. The virus will not leave the computer whether you pay the scammers or not: Trojan.Winlock stays until you remove it yourself.

The plan of action is: 1. Remove the block from the computer. 2. Remove the virus and treat the computer.

Ways to unlock the computer:

1. Enter an unlock code. This is the most common way to deal with the obscene banner. Codes are published by Dr.Web, Kaspersky and Nod32. Do not worry if no code works; move on to the next step.

2. Try booting into Safe Mode. To do so, press F8 after turning on the computer. When the boot options menu appears, select "Safe Mode with Networking" and wait for the system to boot.

2a. Now try System Restore (Start - Accessories - System Tools - System Restore) to an earlier restore point. 2b. Create a new account: go to Start - Control Panel - User Accounts, add a new account and restart the computer. When it starts, log in with the newly created account. Let's go to .

3. Try Ctrl + Alt + Del; Task Manager should appear. Launch the cleaning utilities from Task Manager (File - New Task (Run...) and select the program). Another way: hold down Ctrl + Shift + Esc and, while holding these keys, find and end all strange processes until the desktop is unlocked.

4. The most reliable way is to install the OS afresh. If you absolutely need to keep the old OS, consider the more laborious but no less effective method below.

Another way (for advanced users):

5. Boot from a Live CD that has a registry editor. Once it has booted, open the registry editor; it shows both the live system's registry and the infected one (the infected system's hives are listed on the left with a label in brackets).

Find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, locate the Userinit value there and delete everything after the comma. ATTENTION! The file "C:\Windows\system32\userinit.exe" itself must NOT be deleted.

Check the Shell value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; it should be explorer.exe. That is it for the registry.

If the error "Registry editing has been disabled by your administrator" appears, download the AVZ program. Open "File" - "System Restore", check "Unlock Registry Editor" and click "Execute selected operations". The editor is back.

Run the Kaspersky Virus Removal Tool and Dr.Web CureIt and scan the entire system with them. It remains to reboot and restore the BIOS boot order. Note, however, that the virus has NOT yet been fully removed from the computer.

We treat a computer for Trojan.WinLock

For this we need:
- the ReCleaner registry editor
- the popular Kaspersky Virus Removal Tool
- the well-known Dr.Web CureIt
- the RemoveIT Pro antivirus
- the Plstfix registry repair utility
- the ATF Cleaner temporary-file remover

1. The virus must be removed from the system. Launch the registry editor: Menu - Tasks - Launch registry editor. Find:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; locate the Userinit value there and delete everything after the comma. ATTENTION! The file "C:\Windows\system32\userinit.exe" itself must NOT be deleted.

Check the Shell value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; it should be explorer.exe. That is it for the registry.

Now select the "Startup" tab. Go through the startup items, tick and delete (lower right corner) everything you did not install yourself, leaving only the desktop entry and ctfmon.exe. Entries named svchost.exe or other .exe files from the Windows directory that appear here must be removed: genuine system services are not started from the autorun keys, so such an entry is a disguised copy of the virus.
Select Task - Registry Cleanup - Use all options. The program scans the whole registry and permanently deletes everything it finds.

2. To find the malicious code itself we need the following utilities: Kaspersky, Dr.Web and RemoveIT. Note: RemoveIT will ask to update its virus signature databases; an Internet connection is needed during the update!
Scan the system disk with these programs and delete everything they find. If you wish, check all the computer's disks just in case. It takes much longer but is more reliable.

3. The next utility is Plstfix. It repairs the registry after our work on it; as a result, Task Manager and Safe Mode start working again.

4. Just in case, delete all temporary files. Copies of the virus often hide in these folders, which is how even well-known antiviruses miss them. It is better to remove manually anything that does not significantly affect the operation of the system. Install ATF Cleaner, tick everything and delete.

5. Reboot the system. Everything works, even better than before :).

Probably every fourth personal computer user has run into some kind of scam on the Internet. One kind of fraud is a banner that blocks Windows and demands an SMS to a premium number, or payment in cryptocurrency. Essentially it is just a virus.

To fight a ransomware banner you need to understand what it is and how it gets into the computer. The banner usually looks like this (screenshot omitted):

There are all sorts of other variations, but the essence is the same: crooks want to make money on you.

How the virus gets onto the computer

The first route of "infection" is pirated applications, utilities and games. Of course, Internet users are accustomed to getting most of what they want online "for free", but when downloading pirated software, games, activators and the like from suspicious sites, we risk getting infected. In this situation, it usually helps.

Windows may be blocked by a downloaded file with the ".exe" extension. That does not mean you must refuse to download such files altogether; just remember that ".exe" is only appropriate for games and programs. If you download a video, song, document or picture and its name ends in ".exe", it is almost certainly malware and the chance of a ransomware banner appearing is close to 100%.

Another trick is a supposed need to update Flash Player or the browser. You browse from page to page and one day see a message that "your Flash Player is out of date, please update". If clicking the banner does not take you to the official adobe.com site, it is a virus. So check before clicking "Update"; better still, ignore such messages altogether.

Finally, missing Windows updates weaken the system's security. To keep the computer protected, install updates on time. This can be set to automatic mode in "Control Panel -> Windows Update" so that it does not distract you.

How to unlock Windows 7/8/10

One of the simplest ways to remove the ransomware banner is to reinstall Windows. It helps every time, but it only makes sense when there is no important data on drive C that you have not saved, because reinstalling deletes all files on the system disk. So if you do not want to reinstall your programs and games, use the other methods.

After the cure, once the system starts without the banner, additional steps must be taken, otherwise the virus may resurface or there will be problems in the system. All of this is at the end of the article. I have personally verified all of this information! So, let us begin!

Kaspersky Rescue Disk + WindowsUnlocker to the rescue!

We will use a specially designed operating system. The only difficulty is that on a working computer you need to download the image and burn it to a disc or write it to a USB flash drive (there are separate articles on this site for that).

When it is ready, boot the infected computer from it. At startup a short message appears, such as "Press any key to boot from CD or DVD". Press any key on the keyboard, otherwise the infected Windows will start.

After pressing a key, select the language ("Russian" in the original; pick your own), accept the licence agreement with the "1" key and choose the "Graphic" start mode. Once the Kaspersky operating system has started, ignore the automatically launched scanner, open the "Start" menu and launch "Terminal".

A black window opens; in it type the command:

windowsunlocker

A small menu opens (screenshot omitted).

Select "Unlock Windows" with the "1" key. The program checks and fixes everything itself. Now close the window and check the entire computer with the scanner that is already running: in its window tick the disk with Windows and click "Start Objects Scan".

Wait for the scan to finish (it may take a long time) and finally reboot.

If you have a laptop without a mouse and the touchpad does not work, use the text mode of the Kaspersky disk. In that case, after the OS starts, first close the menu that opens with "F10", then enter the same command at the command line: windowsunlocker

Unlock in Safe Mode, without special images

Today Winlocker-type viruses have grown wiser and block Windows from booting into Safe Mode too, so this will most likely fail; but if you have no rescue image, try it. Viruses differ and may behave in various ways, but the principle is the same.

Restart the computer. Press F8 during boot until the advanced Windows startup options menu appears. Use the arrow keys to select "Safe Mode with Command Prompt".

This is the menu to look for (screenshot omitted); select the line required.

If all goes well, the computer boots and we see the desktop (or a command prompt). Good! But that does not mean everything is fixed: if you just reboot in normal mode without removing the virus, the banner will pop up again!

Treatment with Windows tools

You need to restore the system to a point when the blocker banner did not yet exist (System Restore). Read the linked article carefully and do everything written there. There is a video below the article.

If that does not help, press "Win + R" and type the command to open the Registry Editor:

regedit

If a black command prompt appears instead of the desktop, just type "regedit" there and press "Enter". We have to check several registry keys for the virus, or more precisely for its malicious entries. Start at this path:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Check the following values in order:

  • Shell - must read "explorer.exe" and nothing else
  • Userinit - must read "C:\Windows\system32\userinit.exe," (including the trailing comma)

If the OS is installed on a drive other than C:, the letter will differ accordingly. To change an incorrect value, right-click the line and select "Modify":

Then check:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

There should be no Shell or Userinit values here at all; if there are, delete them.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

And be sure to check:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If you are not sure whether a value should be deleted, simply prepend a "1" to its data first. The path becomes invalid, so the program will not start, and you can restore it later if it turns out to be legitimate.
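The Winlogon, AppInit_DLLs and Run-key checks described here (and the same checklist given in the earlier parts of this article) can be applied offline to a registry export, which is handy when the locked machine is only reachable from a rescue environment or when several machines have to be triaged. The following Python script is an added example, not code from the article. It parses the text that `reg export` produces, compares Shell and Userinit with their clean values, flags per-user Winlogon overrides, any AppInit_DLLs, every Run/RunOnce entry, and the DisableTaskMgr/DisableRegistryTools policy values that winlockers set to keep you out of the tools this article relies on. The export it analyses is constructed for the demo, and the file names in it are made up.

```python
r"""Offline triage of a Windows registry export for winlocker persistence.

Added example, not from the article. From Safe Mode with Command Prompt or a rescue
environment, export the keys the article lists, e.g.
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
(reg.exe writes UTF-16: read with encoding="utf-16"), concatenate the files and pass the
text to audit_reg_export().
"""
import re

# Clean values for Windows on C: (the trailing comma on Userinit is normal).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"
WINLOGON_HKLM = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_HKCU = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
WINDOWS_HKLM = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once|onceex|services)?$")
POLICY_KEY_RE = re.compile(r"\\currentversion\\policies\\system$")
VALUE_LINE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg files double backslashes and escape embedded quotes
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path (lower-case): {value_name: data}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line) if current else None
        if not m:
            continue  # hex: continuation lines and other types are not needed here
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            keys[current][name] = str(int(data[6:], 16))
        else:
            keys[current][name] = data
    return keys


def audit_reg_export(text):
    """Return (severity, key, value_name, data, reason) for every suspicious entry."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key == WINLOGON_HKLM:
            shell = values.get("Shell", "")
            if shell.lower() != EXPECTED_SHELL:
                findings.append(("high", key, "Shell", shell, "Shell must be exactly explorer.exe"))
            userinit = values.get("Userinit", "")
            if userinit.lower() != EXPECTED_USERINIT:
                findings.append(("high", key, "Userinit", userinit, "program chained after userinit.exe"))
        elif key == WINLOGON_HKCU:
            for name in ("Shell", "Userinit"):
                if name in values:
                    findings.append(("high", key, name, values[name], "per-user Winlogon override; should not exist"))
        elif key == WINDOWS_HKLM:
            dlls = values.get("AppInit_DLLs", "")
            if dlls.strip():
                findings.append(("high", key, "AppInit_DLLs", dlls, "DLL loaded into every process using user32.dll"))
        elif RUN_KEY_RE.search(key):
            for name, data in values.items():
                findings.append(("review", key, name, data, "autostart entry; verify the file it points to"))
        elif POLICY_KEY_RE.search(key):
            for name in ("DisableTaskMgr", "DisableRegistryTools"):
                if values.get(name) == "1":
                    findings.append(("medium", key, name, "1", "admin-tool lockout typical of winlockers"))
    return findings


# Constructed export: what an infected machine might look like (names and paths are made up).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\ProgramData\\dkfjghk.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\hook.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\Public\\lock.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dkfjghk"="C:\\ProgramData\\dkfjghk.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

if __name__ == "__main__":
    for severity, key, name, data, reason in audit_reg_export(SAMPLE_EXPORT):
        print(f"[{severity}] {key}\\{name} = {data!r}: {reason}")
```

Every "review" finding names the file an autostart entry launches, which is exactly the information the "prepend a 1" trick above preserves: disable the entry, keep the path, and delete the file once the system boots cleanly. Run-key entries for software you installed yourself will show up too; the script deliberately does not guess which are legitimate.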

Now run the built-in disk cleanup utility the same way we launched "regedit", but this time type:

cleanmgr

Select the drive with the operating system (C: by default) and, after the scan, tick all the boxes except "Backup files for the update package".

Click "OK". With this we may have disabled the virus's autostart; next, the traces of its stay in the system must be cleaned up, which is covered at the end of the article.

AVZ utility

This method consists of running the well-known AVZ antivirus utility in Safe Mode. Besides searching for viruses, the program has a great many functions for repairing system problems. It repeats the steps for closing the holes the virus left in the system, so for details see the next section.

Fixing issues after ransomware removal

Congratulations! If you are reading this, the system has started without the banner. Now the whole system needs to be scanned with an antivirus. If you used the Kaspersky Rescue Disk and already scanned there, you can skip this step.

There may also be one more problem caused by the intruder: the virus may have encrypted your files. Even after it is completely removed you simply will not be able to use them. To decrypt them, use the programs from the Kaspersky website: XoristDecryptor and RectorDecryptor. Instructions for use are there too.

But that is not all, because the winlocker has most likely made a mess of the system, and various glitches and problems will appear. For example, the registry editor and the task manager may not start. To treat the system we will use the AVZ program.

There may be a problem when downloading it with Google Chrome, because this browser considers the program malicious and does not allow it to be downloaded! This issue has already been raised on the official Google forum, and at the time of writing everything is already OK.

To download the archive with the program anyway, go to "Downloads" and click "Download malicious file" 🙂 Yes, I understand it looks a little silly, but apparently Chrome thinks the program can harm an ordinary user. And that is true if you click wherever you like! So follow the instructions strictly!

Unpack the archive with the program, write it to external media and run it on the infected computer. Go to the menu "File -> System Restore", tick the checkboxes as in the picture and perform the following operations:

Now take the following path: "File -> Troubleshooting Wizard", then go to "System problems -> All problems" and click the "Start" button. The program will scan the system, and then in the window that appears set all the checkboxes except "Disabling operating system updates in automatic mode" and those that begin with the phrase "Allow autorun from ...".

Click on the "Fix flagged issues" button. After successful completion, go to: "Browser settings and tweaks -> All problems", here we put all the checkboxes and in the same way click on the button "Fix flagged problems".

Do the same with "Privacy", but here do not tick the boxes responsible for cleaning bookmarks in browsers, or anything else you think you need to keep. Finish the check in the sections "Cleaning the system" and "Adware/Toolbar/Browser Hijacker Removal".

At the end, close the window without leaving AVZ. In the program, find "Tools -> Explorer Extensions Editor" and untick the items that are marked in black. Now go to "Tools -> Internet Explorer Extension Manager" and completely erase all the lines in the window that appears.

I already said above that this section of the article is also one of the ways to cure Windows of a ransomware banner. In that case you need to download the program on a working computer and then write it to a USB flash drive or disc. All actions are carried out in safe mode. But there is another option for running AVZ even if safe mode is not working: start, from the same menu at system boot, in the "Computer Troubleshooting" mode.

If you have it, it will be shown at the very top of the menu. If it is not there, try starting Windows until the banner appears and then unplug the computer from the outlet. Then turn it on again; a new startup mode will probably be offered.

Starting from a Windows installation disc

Another sure way is to boot from any Windows 7 to 10 installation disc and choose not "Installation" but "System Restore" there. When the troubleshooter is running:

  • Select "Command Prompt"
  • In the black window that appears, type "notepad", i.e. launch a regular Notepad. We will use it as a mini file explorer
  • Go to the menu "File -> Open" and select the file type "All files"
  • Next, find the folder with the AVZ program, right-click the launcher file "avz.exe" and start the utility using the "Open" menu item (not the "Select" item!).

If nothing helps

This refers to cases when, for some reason, you cannot boot from a flash drive with the Kaspersky image or the AVZ program written to it. You just have to take the hard drive out of the computer and connect it as a second disk to a working computer. Then boot from the uninfected hard drive and scan your disk with a Kaspersky scanner.

Never send the SMS messages the scammers ask for. Whatever the text says, do not send messages! Try to avoid suspicious sites and files and, in general, read before you click. Follow the instructions and your computer will be safe. And do not forget about an antivirus and regular updates of the operating system!

Here is a video showing everything in an example. The playlist consists of three lessons:

PS: what method helped you? Write about it in the comments below.

The ransomware banner is a special program of a viral nature that completely blocks access to the controls of the Windows operating system in order to extort money for unlocking it, by having the victim send money to the attackers' phone number or online wallet. Although the main wave of banner viruses passed a couple of years ago, you still occasionally have to deal with computers damaged by this dirty trick. Mostly this happens to users who have not bothered to protect their PC from viruses. If you do not have a proper antivirus installed, then one fine day, instead of the usual desktop, you will see a banner that demands you send an SMS to a mobile phone number, supposedly to receive an unlock code. This is a complete fraud, and no matter how much money you send there will of course be no answer! Now I will give 3 ways to remove the ransomware banner from a Windows computer. If they do not help, only a complete reinstallation of the operating system will.
There are 3 ways to remove a banner in Windows:

The first way to remove the banner

Try using your phone, tablet or another computer to search the Internet for an unlock code by the phone number. Code generators for unblocking ransomware are posted on the websites of the largest anti-virus companies, for example Kaspersky Lab, DrWeb and Deblocker. There you usually need to enter the phone number to which the attackers demand that money or SMS be sent, or the e-wallet number. In response you will receive a code that helps deactivate the blocker.
The only downside is that this method works only on the oldest and simplest ransomware banners. On more cunning, complex and advanced "infections" this trick no longer works, and to treat them you will need the following two methods.

The second way to unlock the banner on the computer

Use the Kaspersky WindowsUnlocker utility from Kaspersky Lab.

It is part of Kaspersky Rescue Disk. This is a great free tool that will help you quickly and easily remove ransomware banner from your Windows 10 computer.

The third way to remove the Windows blocker virus

1. You need to boot the system in safe mode. In Windows 7, press F8 at startup. In Windows 10 or 8 you need an installation disc or flash drive. More details are given in the article Windows 10 Safe Mode.
2. Next, you need to open the registry editor. To do this, press the key combination Win + R and in the "Run" window enter the command regedit.
3. In the registry editor we find the branch:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

It contains the entry "Shell". Double-click it and enter the standard Windows shell: explorer.exe
If the explorer is already registered in the "Shell" entry, then open the branch:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Expand it and study it carefully. If there is an "explorer.exe" subkey there, simply delete it by right-clicking and selecting the "Delete" menu item.
4. Restart the computer. Windows should boot normally. After that, be sure to scan your computer with a good antivirus, for example the free DrWeb CureIt.
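A read-only PowerShell check for step 3, added as an example and not part of the article: it lists every Image File Execution Options subkey that carries a Debugger value and separately flags an explorer.exe subkey. It assumes an elevated session on the affected machine.

```powershell
# Added check (not from the article): enumerates Image File Execution Options
# subkeys with a Debugger value and flags explorer.exe specifically.
# A Debugger value makes Windows launch that program (with the original command
# line appended) whenever the named executable is started, which is how a locker
# can replace Explorer even when the Winlogon Shell value is still correct.
# Read-only; needs an elevated session.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$redirected = @()

foreach ($sub in Get-ChildItem -Path $ifeo) {
    $props = Get-ItemProperty -Path $sub.PSPath
    # Only Debugger redirects execution; other IFEO values (GlobalFlag,
    # DisableExceptionChainValidation, ...) are ordinary settings
    if ($null -ne $props.Debugger) {
        $redirected += [pscustomobject]@{
            Image    = $sub.PSChildName
            Debugger = $props.Debugger
        }
    }
}

$explorerKey = "$ifeo\explorer.exe"
if (Test-Path $explorerKey) {
    Write-Warning 'An IFEO subkey for explorer.exe exists; the article says to delete it'
}

if ($redirected.Count -eq 0) {
    Write-Host 'No Debugger redirections found under IFEO.'
} else {
    # Developers' debuggers legitimately use this value too, so review each
    # entry before removing it rather than deleting the whole list blindly
    $redirected | Format-Table -AutoSize
}
```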
