How to remove banners from a Windows 8 computer. Effective methods for removing banner ransomware (Winlocker)

The most unpleasant Banner is a banner that blocks the desktop and any actions with it, the so-called Winlock. Let's consider options for solving this problem.

As I already said, under no circumstances SMS We don’t send to short numbers, we don’t deposit money through the terminal and we don’t wait for a password on a receipt from the terminal. The first thing to do is try to boot your computer in safe mode.

Option 1. This is done this way - when you turn on the computer, after the BIOS splash screen, press the F8 key.

A list of download options will appear. Choose Safe mode and press ENTER(What this menu looks like can be seen in the pictures: Windows XP, Windows Vista, Windows 7). If everything is fine and the computer was able to start, click START-ALL PROGRAMS-STANDARDS-SERVICES-SYSTEM RESTORE and try to return the computer state to the date when Banner there was no beggar. If it works and the Banner disappears - HURRAY!!! If it remains in place, move on to the next point.

Option 2. Write in paragraph EXECUTE(click START-RUN and enter in the box) "msconfig"(you can see the full list of system commands). A window with Windows boot options will open. On the tab AUTOLOAD We look for suspicious or unfamiliar programs that run automatically and uncheck them. Click APPLY and restart the computer. Please note that these operations must be performed on behalf of system administrator, i.e. When loading Safe Mode, log in as the computer administrator - it is shown under the user name. The banner has disappeared - HURRAY!!! If it remains in place, move on to the next point.

Option 3. Boot into again Safe Mode. In point EXECUTE we write "regedit". The Registry Editor will launch. ATTENTION! Here you need to be extremely careful, not to delete or change anything unnecessary, otherwise all attempts to bring your computer back to life may come to nothing and your only option will be number “X” - reinstalling Windows. So let's get started. Looking for a way

in it we look for the presence of subsections "explorer.exe" And "iexplore.exe". If there are any, we mercilessly delete them (to do this, right-click on the subsection, in this case on "explorer.exe", select DELETE and when asked to confirm deletion, click YES), if not, proceed further. Now let's check the launch parameters "explorer.exe". For this we are looking for a way

_____________________________________________________________

Winlocker Trojans are a type of malware that, by blocking access to the desktop, extorts money from the user - supposedly if he transfers the required amount to the attacker’s account, he will receive an unlock code.

If, once you turn on your PC, you see instead of the desktop:

Or something else in the same spirit - with threatening inscriptions, and sometimes with obscene pictures, do not rush to accuse your loved ones of all sins.

They, and maybe you yourself, have become victims of the trojan.winlock ransomware.

How do ransomware blockers get onto your computer?

Most often, blockers get onto your computer in the following ways:

• through hacked programs, as well as tools for hacking paid software (cracks, keygens, etc.);
• downloaded via links from messages on social networks, sent supposedly by acquaintances, but in fact by attackers from hacked pages;
• downloaded from phishing web resources that imitate well-known sites, but in fact are created specifically for spreading viruses;
• come by e-mail in the form of attachments accompanying letters with intriguing content: “you were sued...”, “you were photographed at the crime scene”, “you won a million” and the like.

Attention! Pornographic banners are not always downloaded from porn sites. They can do it from the most ordinary ones.

Another type of ransomware is spread in the same way - browser blockers. For example, like this:

They demand money for access to browsing the web through a browser.

How to remove the “Windows blocked” banner and similar ones?

When your desktop is blocked and a virus banner prevents any programs from running on your computer, you can do the following:

• go into safe mode with command line support, launch the registry editor and delete the banner autorun keys.
• boot from a Live CD ("live" disk), for example, ERD commander, and remove the banner from the computer both through the registry (autorun keys) and through Explorer (files).
• scan the system from a boot disk with an antivirus, for example Dr.Web LiveDisk or Kaspersky Rescue Disk 10.

Method 1. Removing Winlocker from safe mode with console support.

So, how to remove a banner from your computer via the command line?

On machines with Windows XP and 7, before the system starts, you need to quickly press the F8 key and select the marked item from the menu (in Windows 8\8.1 there is no this menu, so you will have to boot from the installation disk and launch the command line from there).

Instead of a desktop, a console will open in front of you. To launch the registry editor, enter the command into it regedit and press Enter.

Next, open the registry editor, find virus entries in it and fix it.

Most often, ransomware banners are registered in the following sections:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon- here they change the values ​​of the Shell, Userinit and Uihost parameters (the last parameter is only available in Windows XP). You need to fix them to normal:

• Shell = Explorer.exe
• Userinit = C:\WINDOWS\system32\userinit.exe, (C: is the letter of the system partition. If Windows is on drive D, the path to Userinit will start with D:)
• Uihost = LogonUI.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows- see the AppInit_DLLs parameter. Normally, it may be absent or have an empty value.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run- here the ransomware creates a new parameter with a value in the form of the path to the blocker file. The parameter name can be a string of letters, for example, dkfjghk. It needs to be removed completely.

The same goes for the following sections:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

To correct registry keys, right-click on the parameter, select “Change”, enter a new value and click OK.

After that, restart your computer in normal mode and run an antivirus scan. It will remove all ransomware files from your hard drive.

Method 2. Removing Winlocker using ERD Commander.

ERD commander contains a large set of tools for restoring Windows, including those damaged by blocking Trojans.

Using the built-in registry editor ERDregedit, you can perform the same operations as we described above.

ERD commander will be indispensable if Windows is locked in all modes. Copies of it are distributed illegally, but they are easy to find on the Internet.

ERD commander sets for all versions of Windows are called MSDaRT (Microsoft Diagnostic & Recovery Toolset) boot disks; they come in ISO format, which is convenient for burning to DVD or transferring to a flash drive.

Removing banners from your computer using both Dr.Web and Kaspersky disks is equally effective.

How to protect your computer from blockers?

• Install a reliable antivirus and keep it active at all times.
• Please check all files downloaded from the Internet for security before launching.
• Don't click on unknown links.
• Do not open email attachments, especially those that come in letters with intriguing text. Even from your friends.
• Keep track of what sites your children visit. Use parental controls.
• If possible, do not use pirated software - many paid programs can be replaced with safe free ones.

Recently, computers have become infected with the so-called ransomware virus (Trojan.Winlock), to unlock which you are offered to send a paid SMS. In this article you will learn how you can get rid of this virus absolutely free. In situations where antivirus sites do not open, download and run this utility.

1 way. For the case when Windows boots and a banner appears on the screen.

The easiest way to get rid of a virus on your desktop is to go to the website of the antivirus software developer Kaspersky Lab and use the form to obtain an unlock key. A similar operation can be performed by going to the Doctor Web website. After the banner disappears from your desktop, be sure to scan your computer for viruses.

1. Go to the Kaspersky Lab website or Doctor Web. and use the unlock key.

2 and the following methods, for cases when the UNLOCK KEY IS NOT SUITABLE.

If, when you turn on your computer, a banner appears on your desktop, use the free virus treatment utility CureIt - Download, or the Kaspersky Virus Removal Tool Download. These treatment utilities can be run even if you already have another antivirus installed on your computer.

Download and run the CureIt utility - Download, or Kaspersky Virus Removal Tool Download

3 way. For the case when Windows does not boot.

If, when you turn on the computer, instead of loading the operating system, an offer to part with a couple of hundred rubles appears on the monitor screen, boot the computer in safe mode. To do this, restart your computer and constantly press the “F8” key on your keyboard. After a few seconds, you will be asked to select an option to boot into Windows.

1. Select "Safe Mode with Networking". Next, we get rid of the virus using one of the methods described above.
2. Boot into Safe Mode
3. Delete using a key from one of the Kaspersky Lab or Doctor Web sites.
4. To restart a computer.

Scan your computer for viruses.

4 way. For the case when Windows does not boot in safe mode.

1. In a situation where you need to remove a banner from your desktop, and the operating system does not boot in either normal or safe mode, the best option would be either a second home computer or a neighbor’s computer. If there are any, we do everything as in the “first or second method.” Also, it will not be bad if you have a LiveCD, download LiveCD from Dr.Web, by booting from which you can check your computer for viruses. Almost all antivirus programs with the latest updates cure the computer from the banner on the desktop.
2. To restart a computer.

Enter the unlock key using another computer, or by booting from a LiveCD, download LiveCD from Dr.Web, download LiveCD from Kaspersky Lab.

5 way to remove a banner.

1. For Windows 7: after pressing the Win + U keys, click on the link “Help with settings” - “Privacy Statement”. Next, go to point 5
2. After the computer starts, press the keyboard shortcuts windows icon button + U
3. Select On-Screen Keyboard and click Launch.
4. Click "Help" - "About"
5. In the window that appears at the bottom, select “Microsoft Web Site”
6. In the address field, write http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
7. A file save window will pop up, save to your desktop.
8. In the browser, click “File” - “Open” - “Browse” at the top.
9. On the left, click "Desktop". At the very bottom “File type” - “All files”
10. Find the downloaded program and run it.

Select Full Scan.

6th way to remove a banner.

1. If the banner appears before the desktop loads, the screen is locked.
2. Press Ctrl+Shift+Esc until the task manager starts blinking. Without releasing the Ctrl+Shift+Esc keys, click on the task manager "".
3. Cancel task regedit"
4. Go to HKEY_LOCAL_MACHINE /SOFTWARE/MicrosoftWindows NT/CurrentVersion/Winlogon
5. Go to the right pane of the Registry Editor and check the two options “ Shell" And " Userinit" The Shell parameter value must be " Explorer.exe". Userinit parameter – " C:\WINDOWS\system32\userinit.exe," (no spaces, always a comma at the end)!
6. If the “Shell” and “Userinit” options are ok, find the HKEY_LOCAL_MACHINE /SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options section and expand it. If there is a subkey explorer.exe, delete it (Right click => Delete).
7. Restart your computer.
8. Be sure to check your computer for viruses.

If unsuccessful, repeat this method in safe mode.

If none of the above methods help you, you can contact our company at

Banner- a type of computer fraud that appeared relatively recently and its popularity is constantly growing. If you have become a victim of this most often banner and your computer is locked, then in this article we will tell you how to remove, unlock, remove a virus from your desktop without resorting to the help of specialists.

Antiviruses most often do not protect against the banner virus.

How the virus works

A program is downloaded to your computer from the Internet that blocks access to the system, informing you that you are a lawbreaker, have viewed pornography, etc. This is done in order to put pressure on your conscience and force you to send the attacker a certain amount of money, upon receipt of which he will supposedly send you an unlock code.
The first versions of this virus actually had an unlock code, but the virus did not turn off completely, and after a week or two it made itself known again, demanding that the money be sent again. Now, often, no codes help and the ransomware banner blocks your system thoroughly and for a long time.
“Akhtung, what should I do?, help” - the most important thing is don’t panic:
1. Under no circumstances run to deposit money into the account indicated in the banner.
2. Do not send SMS to the specified numbers.
3. Don't trust that your computer will be formatted.
4. Infection with a virus does not require reinstalling the operating system, no matter what they tell you.
Otherwise, your wallet will be empty, but the problem will remain. The main task of scammers is to intimidate the user in order to make a profit. I am sure that many have already been caught by this bait.

1. The best way to remove a virus is to edit the registry

Don't be scared)), it's very simple and won't take much time. If you don’t want to do this, call us and we will do everything for you (8-918-474-111-5). Let's do everything in order. To access the registry, you need to boot the computer into command line-enabled mode. To do this, when you turn on the computer, press the F8 key and select Safe Mode with Command Line Support in the boot menu that pops up.

We wait for the command line to load and enter regedit.exe in it and press Enter. The registry editor opened - this is where our virus settled, or rather registered itself. Let’s check the possible locations of the virus and smoke it out.”
1. HKEY_CURRENT_USER /Software /Microsoft /Windows /CurrentVersion /Run

here we see a list of startup programs (run along with the operating system), as well as their location on your PC (so that you can then remove them from the disk). All suspicious programs need to be removed (right-click and delete) and remember the path to them (for example: grg54545.exe, bh.exe along the path C:/Documents and Settings/; C:/Windows/System, etc.)
2.HKEY_LOCAL_MACHINE /Software /Microsoft /Windows /CurrentVersion /Run- we repeat the above.
3. HKEY_CURRENT_USER /Software /Microsoft /Windows NT/ CurrentVersion /Winlogon—

There should be no Shell and Userinit parameters here. If you find them, feel free to delete them.
4. HKEY_LOCAL_MACHINE /Software /Microsoft /WindowsNT /CurrentVersion /Winlogon- on the contrary, they must be present and correspond to these values
Userinit - C:Windowssystem32userinit.exe
Shell - explorer.exe

If this is not the case, then correct it manually. Has everything been fixed? Now close the registry editor and enter Explorer.exe in the command line and press enter to launch the desktop. We delete the files whose paths we remembered and reboot. Voila! Everything should work.

Let's imagine an ordinary computer user. This is a person who most often has minimal knowledge of protecting his device from viruses. Nevertheless, he “travels” to all the desired sites, follows the suggested links, without thinking at all about the possible danger of his actions. And at one moment he sees the following picture in front of him: the computer screen is locked, and the attackers are demanding money to unlock it. What to do, how to remove the banner?

Reasons for blocking. Why does anyone need this?

There are several ways to lock your computer. Most often this happens due to the user visiting pornographic sites or downloading and installing malware that is distributed throughout the world. As a result, if this happened to you for the first time, you may even be afraid of what appears on the computer screen. The message may accuse you of collecting illegal information on the Internet and many other sins. Then they will ask you to pay for the unlocking option. They will tell you in detail where and how much to transfer money for this. The asking price is from 500 to 2000 rubles. But the most important thing is that after sending an SMS, no one will unblock you anything. So you don't need to pay anyone anything. At this point in time, there are several ways to solve the problem yourself, without throwing money away.

What are the dangers of locking Windows?

Firstly, such a problem can only happen with an unlicensed version of the operating system. The license is constantly and regularly updated, so it is more securely protected. Such a virus is constantly being improved, that is, it becomes more and more dangerous in order to generate income for its authors. Why is he so dangerous? The fact that it is not only registered in startup, but is “buried” much deeper, thanks to which it can work when loading only services and drivers, as well as in safe mode. After this it is quite difficult to get your device to work. But still, this is not a completely hopeless matter. Let's look at several ways to revive your computer, how to remove the banner and get the opportunity to work fully again.

Unlock Windows with Malwarebytes Anti-Malware

This method does not always ensure the completion of the task. In this case, you can use another method.

Removing a virus using Dr.Web LiveCD

It’s one thing when a virus requires you to send a paid SMS to unlock your computer. In this case, sometimes after payment the issue can be resolved. Not a fact at all, as has already been written, but there is a possibility.

It's another matter when your device is infected with malware called Winlock. This virus can easily delete all your data, and even accuse you of distributing pornography. But the worst thing is that it blocks the system even before the operating system starts. That is, the above method cannot be applied here. Nothing, we’ll use another option for destroying the infection - a boot disk from our favorite company Dr.Web. Let's create such a disk and get started.

1. We insert it into the drive and then reboot the device.
2. If a virus appears, which is possible, then go to the BIOS, where we set it to boot from a flash drive or drive. We reboot again.
3. Now, most likely, everything will be fine. Set the language to Russian and move on.
4. You need to wait a while for the download to take place. The antivirus window will appear. Click the “Go” button opposite “Scanner”.
5. The computer scan for viruses has started. We are waiting for Dr.Web to find our ransomware and remove it. After that, select full scan and run it.
6. When the antivirus detects a threat, it will notify us.

Finally, using Dr.Web LiveCD we disinfect the registry, and vice versa. Sometimes after this the ransomware virus disappears, and there is no need to run a full scan anymore. We make an attempt to turn on the computer and hope that we have completed the task of removing the banner. Windows should no longer be blocked; this is a thing of the past. And we have mastered another method of fighting the virus.

Unlock codes and Avz utility

There is an option that in some cases can also help us. Codes for unlocking the OS are posted on the Dr.Web website. You need to select a screenshot of our virus from the list and we will see the required code. You can also enter the phone number to which you want to send an SMS, click search - and we get the code. After unlocking, you need to disinfect your computer using a regular antivirus. If that doesn’t work, you can use the well-known Avz utility.

1. For this we need: a disk/flash drive and a computer.
2. Download and save the utility to removable media.
3. Select the boot option “Secure with command line support” by pressing F8 at the beginning of the process.
4. If the process is normal, the command line will appear.
5. We insert the removable media into the device.
6. We write explorer and press the enter button.
7. Before us is “My Computer”.
8. Find the avz.exe utility on the removable drive and run it.
9. We follow the course: “File - Troubleshooting Wizard, System problems - All problems”, check all the boxes except “Automatic system updates are disabled” and all “Autostart is allowed from...”. After that, click “Fix noted problems.”
10. We also check all the problems in “Browser settings and tweaks” and click “Fix”.
11. In the “Privacy” section, by analogy, we note all the problems.
12. Staying in avz, close the window. Click “Service”, then click “Explorer Extensions Manager” and uncheck all the items written in black.
13. Now turn on “Service” and then “IE Extension Manager”. A list appears in front of us, we delete all the lines.
14. We reboot the computer, after which there will most likely be no more problems. We launch a traditional antivirus to clean it. The problem of how to remove the banner has been resolved.

Conclusion

These are far from the only ways to remove ransomware. You can use scripts, Kaspersky's Virus Removal Tool, and reinstall the operating system. It also happens that deleting a banner is not painless for the computer. The desktop may be empty and the mouse cursor will not work. The first option to fix these errors is safe mode and disinfecting the device under it. But this doesn't always help. In this case, you need to start the computer from removable media. Windows has special distributions for this. We launch and cure the device. Now we have finally figured out how to remove a banner from the desktop. Important advice: the treatment described is not easy for the “non-advanced” computer user. For such people, if they are not confident in their abilities, it is better to turn to specialists.