Windows banner codes are blocked. Outdated unlocking method. How to unlock your computer if you forgot your password

Today, despite modern technology and high data transfer rates, users of personal computers, laptops, tablets and smartphones very often pick up some kind of virus, even with antivirus protection installed. Programs that infect a device and block access to it with a banner on the desktop are currently very popular among hackers. How do you unlock the computer in this case? How can you regain access to it?

What banners exist?

The most common are the following: Internet access is blocked, Windows is blocked, Internet rules have been violated, your account has been hacked and spam is now being sent from it, and so on. The computer owner is offered help in solving the problem: he is asked to send just one SMS to a short number. By doing this, you will lose at least 250-300 rubles, and in almost all cases the banner does not go away.

Basic ways to solve the problem

What to do? How do you unlock your computer from a virus and continue to use your device? There are various remedies. The main ones:

  1. Restoring the operating system.
  2. Removing the virus program from OS startup.
  3. Using special unlock codes from the Dr.Web and Kaspersky websites.
  4. Using an antivirus.

Remember that there is no universal method for unlocking your computer from a virus. Each of the above is suitable only for a specific situation. Now let's look at them in a little more detail.

Solving the problem via the Internet

This option is good for someone who has access to the network or has a connection with someone willing to help. The official websites of Kaspersky and Doctor Web have codes that can unlock your device. If they are not there, we go another way.

Removing the banner from startup

How to unlock your computer this way? This path is very simple. You need to boot your device in safe mode. To do this, press F8 while it is loading. A menu with Windows boot options will appear. Choose the one you need. Then one of two things happens: the banner has not gone away, or the system boots without the virus. In the latter case, click "Start" and enter msconfig in the command line. Go to the startup tab, uncheck suspicious items there and reboot the PC.

Outdated unlocking method

If the banner has not disappeared, then you can try to unlock your computer from the virus using an outdated, but sometimes effective method. To do this, we reboot it in safe mode, and set the clock forward about a week. This may help, but most likely not for long, since viruses are also updated regularly. The system time can also be changed in the BIOS. It is also possible to perform a system restore.

Powerful professional way

If none of the above resolves the issue of how to unlock your computer, we will fight the banner using an antivirus. If you can access the desktop in safe mode, then use Kaspersky Virus Removal Tool or Dr.Web CureIt!, the most famous of all. If this is not possible, we use a LiveCD, a special boot disk that loads the antivirus without any problems and removes the banner. To do this, we write its image onto a flash drive or disc, boot the computer from it, and then scan the system for viruses. This option may be difficult for the average user, so it is recommended that you turn to a professional. So we have figured out how to unlock your computer.

If, having once launched an unknown program, your computer stops responding to commands, and the desktop takes on the characteristic appearance:

This means that you have become another victim of Trojan.WinLock, or simply a ransomware Trojan that forces you to pay the attacker a certain amount of money for the opportunity to use your PC. The situation is not uncommon, although the peak of the Windows blocker epidemic has already passed. During the existence of this method of extortion, considerable experience has been accumulated in identifying and “treating” infections of this kind, but nevertheless attackers are still improving their methods of locking Windows.

It must be said that despite the threats of data destruction on the PC in case of non-payment of the “fine”, nothing like this ever happens. And with a skillful approach, any blocking can be removed quite quickly without resorting to reinstalling the system. Therefore, when you see the menacing “Computer is blocked” banner on the screen, do not rush to transfer money to the cyber criminal - you will not receive any unlock code.

So that you don't feel helpless in a similar situation, we have prepared for you a description of how ransomware Trojans operate and several ways to combat them.

Types of system blocking

We list the methods by which a computer running Windows XP is usually blocked.

  • Modification of the master boot record (MBR), which, if you remember, occupies the first sector of the hard drive. In this case, the boot code is overwritten or moved to another location, and the malicious program takes control instead, almost immediately after the PC is turned on. This type of ransomware is called Trojan.MBRlock.
  • Locking the desktop by modifying the system registry, or more precisely, its areas responsible for starting Windows and automatically starting applications. In this case, either instead of system files or along with them, a Trojan program is launched.
  • Rewriting (patching) files critical to booting Windows. With this blocking method, there is not even a need to modify the registry, because malicious code written into system files will gain control in any case, and it will be much more difficult to detect the blocker. Typically, Userinit.exe, Explorer.exe, LogonUI.exe, Taskmgr.exe, and sometimes some others are targeted.
  • There is also a way to block Windows by preventing you from launching any program or performing any actions on your computer other than reading a message with the ransomware’s demands. In this case, you can freely close the message, but you still cannot work on a PC - attempts to do anything will be “prohibited by the administrator.” Windows is blocked through group policies. The Trojan-Ransom.Win32.Krotten ransomware (according to the Kaspersky Lab classification) works on this principle.

In addition to the “pure” types of blocking listed above, there are also more sophisticated ones that combine several methods of autorunning Trojan code. For example, changes in the registry and patching of system files, as well as placing several copies of the Trojan on the hard drive that can restore each other.

The favorite locations for Trojan files in Windows XP are these directories:

C:\Documents and Settings\Current User\Local Settings\Application Data
C:\Documents and Settings\All Users\Local Settings\Application Data
C:\Documents and Settings\Current User\Local Settings\Temporary Internet Files
C:\Documents and Settings\All Users\Local Settings\Temporary Internet Files
C:\Documents and Settings\Current User\Local Settings\Temp
C:\Documents and Settings\All Users\Local Settings\Temp
C:\Windows
C:\Windows\Temp
C:\Windows\System32
C:\Documents and Settings\Current User\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

And autorun is usually carried out using entries in the following registry sections:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Parameters: Userinit, UIHost, Shell.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger parameter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs parameter

What to do if Windows XP is locked?

Most blockers work not only in normal mode, but also in safe mode, and in some cases they simply disable the ability to boot into safe mode by deleting the registry keys responsible for this. Therefore, if your Windows XP is blocked, you will have to solve the problem using alternative bootable media: so-called “live” disks (Live CD) with their own operating system. By booting your computer from such media, you will be able to access the hard drive that has been blocked. Next we will look at how to work with a Live CD, but for now we will try simpler methods, which help in many cases, although not always.

The easiest method to unlock your computer

This method was discovered by users experimentally. In cases of complex blocking it is unlikely to help, but it is still worth a try, especially since all the steps will take you no more than 5 minutes.

  • When you see the “Windows blocked” banner on the screen, restart your computer and enter BIOS Setup before the system starts. On the first tab, “Main” (in Award BIOS, the “Standard CMOS Features” menu item), move the system date 2 - 3 years forward or backward. To exit and save the settings, press F10 and “Y”.

  • Boot Windows. If there is no banner on your desktop, download a free antivirus utility, for example Kaspersky Virus Removal Tool or Dr.Web CureIt!, and perform a scan. Why download these programs if you already have an antivirus? Because, due to the date change, it most likely does not work.
  • After removing the Trojan, go to the BIOS settings and restore the previous date. That's all.

Online services of antivirus companies for unlocking Windows

If previous actions did not help you deal with the “Computer is blocked” banner, you can try to find an unlock code using the online services of antivirus companies. This option helps in 50 - 70% of cases, but it will only be useful to you when you have another PC (phone, tablet, etc.) with Internet access. Below are links and instructions for using these services.

Kaspersky Lab's Trojan.WinLock deactivation service

  • Rewrite the text of the ransomware message that you see on the screen and paste it into the appropriate field.
  • In the adjacent field, enter the phone number specified in the message to which you are required to transfer money.
  • Click the “Get unlock code” button and try to remove the banner using it.
  • After logging into Windows, run an antivirus scan of the PC, since the Trojan blocker file is still on the system and can block it again.
  • Enter the phone number or wallet number of the ransomware in the appropriate field and click the “Search for codes” button.
  • If nothing is offered, you can try to find a suitable code based on the appearance of the banner.
  • After unlocking, scan your computer for viruses.
  • Enter the text of the message from the “Windows blocked” banner and the phone number indicated there in the appropriate fields.
  • Click the “Submit” button and try using the suggested codes.
  • Once your computer is unlocked, scan it for viruses.

Automatic PC unlocking tools

If the previous measures did not have any effect and your PC is still blocked, you can remove the banner using specialized programs on boot disks (Live CD). Below are tools that allow you to automatically unlock Windows XP and eliminate the Trojan.

AntiSMS

A fully automatic utility that cures all known modifications of ransomware Trojans and restores the standard system boot settings. Recommended for novice users inexperienced in PC administration. The program does all its work in the background, and it is started by double-clicking a shortcut on the desktop of the bootable media.

Another boot disk that can help if your Windows XP is suddenly locked. The utility will automatically find and remove the Trojan program, and also restore corrupted files and the system registry. On a commercial basis, AntiWinLocker can also be installed on your computer to protect Windows from blockers.

To remove a banner using this program, you will need a minimum of steps:

  • boot from AntiWinLockerLiveCD, accept the license agreement and press the “Start” button;

  • select “Automatic start” from the menu;

  • agree to the offer to replace files (if any) by marking them in the list and clicking “Run”;

  • After finishing the program, start the computer from the hard drive - the lock will be removed.

Another universal tool that can help not only when the computer is locked, but also with any viral infection. It is equipped with a function for updating virus databases via the Internet.

To use it, just launch the scanner from your desktop, select the scan areas and click “Start scanning”.

A tool no less easy to use than the previous ones. It also allows you to easily solve various virus problems on a PC, including when login to Windows XP has been blocked. It has a “smart scanning” capability, useful for searching for unknown malicious objects.

Manually unlocking Windows XP when booting from a Live CD

Now let's consider manual methods of removing the malicious code that prevents Windows XP from loading. To use them, you must be at least an experienced PC user, otherwise there may be more problems after trying to remove the banner than there were initially. For the first method of treating a computer, with the professional utility Universal Virus Sniffer (uVS), we will need any boot disk based on Windows. We will use Alkid Live CD.

Alkid Live CD and uVS

This method can be said to be the most labor-intensive, since all operations will have to be performed manually. However, in extreme situations, when the native Windows XP is locked, there is no choice, and we will use what is at hand. So let's get started.

  • Download the uVS program on another computer and extract it to a USB flash drive (if there is no other PC, this can also be done on an Alkid Live CD after setting up an Internet connection).
  • Connect the flash drive to the locked computer.
  • Boot from the Alkid Live CD.
  • Run the start.exe file from the uVS directory (which in our case is located at F:\uvs).
  • In the “Startup Mode” window, click the “Select Windows directory” button and navigate to the Windows folder of your locked system in Explorer. Click “OK”.
  • Click “Run as current user”.

  • After scanning, a list of suspicious files will open in front of you, and here it is in a prominent place - our ransomware Trojan.

  • To study detailed information about this file, double-click on it. A window will open where, among other things, the autorun method will be indicated. In our case, this is the registry key that starts Windows Explorer (explorer.exe).

  • Now let's move on to removing the Trojan and restoring normal Windows startup. Close the properties window and right-click the file. Select the “Delete all links along with the file” command in the context menu.

  • Next, to restore the modified registry key, select the “Tweaks” command from the “Advanced” top menu.

  • Click “Reset Winlogon keys to initial state”.

  • Close the program and boot your computer from your hard drive. You will no longer see the banner.

Important! If the list of suspicious files includes a system file, especially Userinit.exe, LogonUI.exe, Explorer.exe or Taskmgr.exe, it is likely modified and contains blocker code. Such files must be replaced with their clean copies, which are stored in the C:\Windows\System32\dllcache folder.
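One way to check the four files named above against their dllcache copies when the locked system's disk is mounted from a Live CD, as an added example that is not part of the original article or of uVS. The function names are hypothetical, and it assumes the dllcache copies themselves are untouched, so a difference is a lead to investigate rather than proof.

```python
import hashlib
from pathlib import Path

# System files the article names as typical patching targets.
TARGETS = ("userinit.exe", "explorer.exe", "logonui.exe", "taskmgr.exe")


def _child(directory, name):
    """Case-insensitive lookup: a Live CD may mount the disk case-sensitively."""
    if directory is None or not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_with_dllcache(windows_dir, targets=TARGETS):
    """Return {file name: 'match' | 'differs' | 'missing'} for each target.

    windows_dir is the Windows folder of the locked system as seen from the
    rescue environment (for example the mounted C:\\Windows).
    """
    windows_dir = Path(windows_dir)
    system32 = _child(windows_dir, "system32")
    dllcache = _child(system32, "dllcache")
    report = {}
    for name in targets:
        # explorer.exe lives in the Windows folder itself, the rest in System32.
        parent = windows_dir if name == "explorer.exe" else system32
        live = _child(parent, name)
        cached = _child(dllcache, name)
        if live is None or cached is None:
            report[name] = "missing"      # nothing to compare against
        elif _sha256(live) == _sha256(cached):
            report[name] = "match"
        else:
            report[name] = "differs"      # candidate for replacement
    return report


if __name__ == "__main__":
    import sys
    for name, status in compare_with_dllcache(sys.argv[1]).items():
        print(f"{name:15} {status}")
```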

ERD Commander 5.0

If you have this wonderful Windows XP recovery tool at hand, you can get rid of the “Computer is locked” banner much more easily, for example, by using the System Restore function. To access it, boot your PC from the ERD Commander version 5.0 disk and proceed to the next steps.

  • Press the “Start” button (the analogue of the Windows Start button), select “System Tools” from the menu, and then “System Restore”.

  • The familiar system recovery program will launch. Choose the right restore point and click “Next”. After the rollback procedure, boot from your hard drive. The “Windows blocked” banner will no longer annoy you.

Removing malicious code from the MBR

If, immediately after turning on the PC, even before Windows XP starts loading, you see the following picture:

This means that you have suffered from a ransomware Trojan that has entered the MBR. Not every one of the tools listed here can remove malicious code from there - this requires full-fledged anti-virus products, which we will name below. Now let’s spend a couple of minutes on what you shouldn’t do in this case.

The Sure Way to Make Windows XP Unbootable

Many users know the purpose of the fixmbr console command: it is intended to overwrite the first sector of the hard disk. In theory, it should restore the boot code and at the same time remove the Trojan sitting there. But that is not how it works out. In the process of rewriting a non-standard MBR (and in the event of a Trojan infection it will be non-standard), the partition table, which is located on the hard drive immediately after the MBR boot code and is part of it, is often damaged.

If we ignore the recovery console warning and run fixmbr, instead of the message that the computer is locked, we will see the following:

which means the partition table is damaged. This means that we will not be able to load the system anymore.
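A check that can be run on a saved copy of the first sector before and after any tool rewrites it, as an added example that is not part of the original article. It assumes the classic MBR layout (four 16-byte partition entries starting at byte 446 and the 0x55AA signature in the last two bytes); the function names and both sample sectors are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def parse_partition_table(sector):
    """Decode the four partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for i in range(4):
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, size
        flag, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + 16 * i)
        entries.append({"flag": flag, "type": ptype,
                        "start": start, "count": count})
    return entries


def table_problems(sector):
    """Return a list of reasons why the partition table looks damaged."""
    problems = []
    if sector[510:512] != SIGNATURE:
        problems.append("missing 0x55AA signature")
    entries = parse_partition_table(sector)
    if any(e["flag"] not in (0x00, 0x80) for e in entries):
        problems.append("boot flag is neither 0x00 nor 0x80")
    if sum(e["flag"] == 0x80 for e in entries) > 1:
        problems.append("more than one active partition")
    used = sorted((e for e in entries if e["type"] != 0),
                  key=lambda e: e["start"])
    if not used:
        problems.append("no partition entries")
    if any(e["start"] == 0 or e["count"] == 0 for e in used):
        problems.append("partition with zero start or zero size")
    for a, b in zip(used, used[1:]):
        if a["start"] + a["count"] > b["start"]:
            problems.append("overlapping partitions")
            break
    return problems


def table_unchanged(before, after):
    """True if the partition table and signature survived a boot-code rewrite."""
    return before[TABLE_OFFSET:] == after[TABLE_OFFSET:]


def _entry(flag, ptype, start, count):
    return struct.pack("<B3xB3xII", flag, ptype, start, count)


# Constructed samples. HEALTHY has placeholder boot bytes and one active
# partition of type 0x07; DAMAGED has the same sector with scrambled table
# bytes, standing in for a table that no longer parses.
HEALTHY = (b"BOOT".ljust(TABLE_OFFSET, b"\x00")
           + _entry(0x80, 0x07, 63, 204800).ljust(64, b"\x00")
           + SIGNATURE)
DAMAGED = (HEALTHY[:TABLE_OFFSET]
           + bytes(b ^ 0x5A for b in HEALTHY[TABLE_OFFSET:510])
           + SIGNATURE)

if __name__ == "__main__":
    print("healthy:", table_problems(HEALTHY) or "table looks sane")
    print("damaged:", table_problems(DAMAGED))
```

If the saved sector already fails these checks, keep the backup and use one of the rescue disks rather than rewriting the sector by hand.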

Treating MBR using antivirus utilities

To restore the master boot record correctly and safely, you can use:

  • AntiSMS;
  • Kaspersky Rescue Disk;
  • Dr.Web Live CD;
  • LiveCD ESET NOD32.

These tools are more than enough to remove any Windows XP lock, including this one.

How to avoid Windows blocking?

It’s unlikely that anyone would argue that preventing a computer from being infected by ransomware Trojans is much easier than fighting them later. And to prevent your PC from being “accidentally” blocked one day, follow these simple rules:

  • install a reliable antivirus and do not forget to update its database in a timely manner;
  • before launching an unknown file, do not be too lazy to scan it;
  • do not follow unknown links sent to you by mail and via instant messengers, even from your contacts;
  • install Windows XP updates in a timely manner; this closes many of the loopholes through which malware enters the system.

And then, hopefully, you will never have to see “Windows is blocked” messages again, at least on your own computer.

The long-known Winlock blocker does not sleep, and has been “blackmailing” users for about seven years. To date, this representative of the Trojans has achieved clear success, and its evolution is evident. Users spend not only time on destroying the virus, but quite often money as well. The good news is that there are already many ways to unlock the system without much difficulty. Read on to learn how to unlock Windows 7 yourself and absolutely free, and also pay attention to how this unpleasant situation can be prevented.

Where can you “pick up” a Trojan and how does it work?

In fact, any user can download a virus and even run it themselves. The Trojan can be in any picture or video file. If you download a file from an unfamiliar site, pay attention to the extension. The standard extension of a member of the Winlock family of Trojans is .exe. Once it is started, the active phase of infecting Windows begins immediately. The user may not initially notice the changes, but the Trojan is immediately registered in startup and then limits the actions that the user can perform. A person can continue to browse pages on the Internet when a banner appears on the entire screen and completely blocks work. It is not possible to close or minimize it. The image may be pornographic in nature, or it may be a menacing notice appealing to the law. And you will invariably be asked to pay a fine or send a paid message to a specified number. Most likely, the Trojan will demand a fine and threaten consequences for ignoring it. Of course, after payment you won't get anything, and, naturally, you shouldn't pay. First you need to note the number provided and find out which mobile operator it belongs to, then contact that operator's security service. There are times when the operator immediately dictates the unlock password, but it's not always that simple.

To unlock the system, you need to remove the virus from startup and then delete it. There are several ways to do this.

Find out the unlock code

Some antivirus vendors can actually provide a code that removes the Windows lock. After it is entered into the appropriate field, the Trojan is removed, in the literal sense of the word. But not always, of course. You can find this code on antivirus websites. Everything is simple here: enter the wallet or phone number indicated on the banner, to which you are asked to send an SMS, and you will receive password combinations and further instructions. You can access the sites from another PC or phone.

If you do manage to defeat the Trojan in this way, do not turn off your computer after work! Be sure to fully scan Windows for viruses.

We use improvised means

Don’t rush to bring in complex utilities and call a technician. Try another method. Open the task manager by pressing CTRL, ALT, DEL or CTRL, SHIFT, ESC. If you managed to do this, then the problem is not that big. Look through the list of active processes and end this application. Finding it is not difficult: often the Winlock is suspiciously labelled, and there is no description of the program at all. If in doubt, simply end all unfamiliar applications one by one until the banner disappears.

If the operation did not go as smoothly as we would like, and the task manager did not appear, make another attempt to call it up. Use the Run command, which can be launched by pressing Win+R.

The usual location of the blocker is the temporary file directories of Windows and of browsers. However, the Trojan may also have made copies of itself, so a full check of the system is still necessary.

Another way to remove a simple Trojan

You can get rid of a Trojan (an advertising image, for example) by paying attention to how some programs react. For example, when you notice a banner, open WordPad or Notepad: hold down “Win” and “R” at the same time and type “notepad”.

A new text document will pop up in front of you. Enter some characters and turn off the computer using the power button. This action will cause all active tasks to terminate, including the virus, but your PC will continue to work.

A window remains asking you to save or reject the changes. You have now gotten rid of the banner in the current session, which makes it possible to deal with the virus thoroughly.

Removing more resistant variants of the Trojan

Some Trojans are more resistant to attempts to destroy them. The virus blocks any actions: for example, the task manager does not start, or important Windows components are replaced. In this situation, all you have to do is restart your PC and hold “F8” while it is turning on. A window will appear with the suggested options for starting the system; you need to select the line with . Then type “explorer” and confirm; this will launch Explorer. Next, enter “regedit” and press “Enter” again; the registry editor will open, which will help you determine where the Trojan is hiding and where the virus is started automatically from.


Most likely, you will see full paths to the virus in the “Shell” and “Userinit” values. In “Shell” the Trojan will be in the line instead of explorer.exe; in “Userinit” it will be listed after a comma. Having found the information, copy the name of the virus to the clipboard, enter “del” in the command line, press the spacebar and right-click to bring up the menu. Paste the copied information and confirm (Enter). Then remove one virus after another in this way, and so on until victory.

The next logical action would be to check the registry for remaining viruses, start the search with the name of the Trojan. We immediately eliminate all suspicious files, then delete all copies of created files and folders, and then empty the trash.

As a precaution, use an antivirus and thoroughly check every loophole in your system. It is possible that due to the activity of the virus, the network connection settings have been lost; you can restore them using the “Windows Sockets API” settings using the “AVZ” program.

Thorough infection of the system


If Windows is seriously infected, it is almost useless to try to fix the problem from within it. A more productive and effective method is to run a clean system and cure the underlying one. There are many options for carrying out this process, but one of the most current methods is to use a program that is based on Gentoo Linux. There are several basic file images, which are prepared either by writing to a disc or by creating a boot file on a flash drive using the Kaspersky USB Rescue Disk Maker program.

When you turn on the infected PC, hold down the appropriate key to enter the BIOS; most often this key is “F2” or “Del”. In the settings, select your file image and save by pressing the “F12” key. Modern BIOS versions make it possible to select a boot device without visiting the main settings: just press "F11" or "F12". Immediately after the reboot, Kaspersky Rescue Disk will launch. The operation involves automatic or manual treatment, whichever you choose.

Removing a threat using the installation disc

There is a separate group of Trojans that attack the MBR, which you can find in the automatic startup slots. In the initial stage of recovery from the virus, it is necessary to restore the original MBR record. For Windows XP this operation is performed using the installation disk: press the “R” key to call up the recovery menu, enter “fixmbr” in it, confirm with the “Y” key and reboot. For Windows 7, the same process is performed using BOOTREC.EXE: enter bootrec.exe /FixMbr.

Thus, you start Windows and have the opportunity to find infected files using an antivirus.

Working with less powerful PCs

On low-end PCs and laptops, the Windows recovery process takes a little longer and is more difficult. This is explained by a lack of power and difficulty in checking external drives. An effective solution may be to remove the infected hard drive and connect it to another, more powerful PC. It is recommended to use enclosures with an eSATA or USB 3.0/2.0 interface. To prevent the spread of the virus, it is best to disable automatic starting of the HDD; this can be done using the AVZ program. It is better to check using another program. Go to the “Troubleshooting Wizard” menu, select “System problems”, “All” and click Start. Select the item “HDD autostart is allowed” and correct everything noted. Before running the infected media, you must ensure that all antivirus databases work without failures and gaps; take this moment seriously. If disk partitions are not detected, then run the next operation: “Start”, “Run”, write and confirm. After this, the partitions of the hard drive should be indicated by letters.

To avoid getting your system infected again, install a good antivirus that will perform regular scans.

Basic safety rules include:

  • Use the PC with limited rights
  • Use trusted browsers with good security systems
  • Turn off JavaScript for unfamiliar sites
  • Get rid of pop-up ads instantly
  • Divide the disks into user files and system files
  • Disable autorun of flash drives

To restore your PC in a short period of time, if necessary, it is recommended to use the following utilities: Symantec Ghost, Acronis True Image, Paragon Backup and


How the system blocker works, or how to unlock Windows:
When you visit dubious sites, a program called a winlocker may be downloaded and run. You can also download it yourself and run it without knowing it. When downloading, always pay attention to the extension of the downloaded file.
Winlockers usually have the extension .exe. Let's say you are offered a video or picture to download, but what is downloaded is not a video (with the extension .avi, .flv or .mp4) and not an image file (.jpg, .png or .gif), but a file with the extension .exe, the extension of an executable file. This is a program that immediately starts working and does its damage. First, it registers itself in startup so that it starts immediately after the computer is turned on. Once launched, it limits all other actions that can be performed using the mouse or keyboard. And of course, it asks you to pay a certain amount to unlock Windows. Of course, if you pay, you will not receive any password to unlock the system. That is why, to unlock Windows, you need to remove the winlocker from startup, and then remove it altogether. How to do this is described below.
If your computer is infected with this virus, you can try to unlock Windows and remove the winlocker on your own. First you need to find out whether it has blocked all the functions of the Windows operating system or not.

1. Press the key combination that opens the task manager (Ctrl + Alt + Del) and end unnecessary tasks.
2. You can try to launch the “Run” menu with the Win + R key combination. Run the regedit command; if the registry editor opens, then read on.
3. If the first two options are blocked, then start the system in safe mode (press F8 when loading).
Select safe mode with command line support. When you start the computer in safe mode, none of the programs that are listed in startup and start automatically are launched.

If all Windows functions are blocked, then to you.

Now we need to enter the regedit command on the command line to launch the registry editor.

1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Remove unnecessary and unfamiliar programs that are loaded automatically.
These programs (if any) do not need to be removed:
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe

3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This registry section also contains the values of parameters responsible for auto-starting various applications when the user logs into the system:
We need the Shell and Userinit parameters.

The Shell parameter must include explorer.exe
The Userinit parameter must contain the path to the userinit.exe file
In my case (I:\Windows\system32\userinit.exe,)
If your system is installed on drive C, then the value will be (C:\Windows\system32\userinit.exe,) (a comma is placed after .exe)

If these parameters have a different value, then remember or write it down (this is the path to the winlocker itself, it is hidden at this address.)
We change the values to those that should be.
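The checks from the list of autorun registry sections earlier on this page and from the Shell and Userinit rules above, as an added example that is not part of the original article. It assumes the relevant keys have been exported from regedit to a .reg file and the text already decoded; the function names are hypothetical and the sample export is constructed.

```python
import re

# Constructed sample: decoded text of a .reg export from a hypothetical
# infected Windows XP system. Every path and file name below is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\banner.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Temp\\lock.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\Temp\\lock.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"updater"="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\upd.exe\" /s"
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

NT = r'software\microsoft\windows nt\currentversion'
WINLOGON = NT + r'\winlogon'
IFEO = NT + r'\image file execution options' + '\\'
APPINIT = NT + r'\windows'
RUN = r'software\microsoft\windows\currentversion\run'  # also RunOnce, RunServices...
# Folders the article lists as favourite locations for Trojan files.
SUSPECT_DIRS = ('\\local settings\\temp\\', '\\temporary internet files\\',
                '\\application data\\', '\\windows\\temp\\')


def _unescape(text):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg(text):
    """Return {key path (lower case): {value name (lower case): string data}}.

    Only plain string values ("name"="data") are read; hex and dword are skipped.
    """
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        match = SECTION.match(line)
        if match:
            current = hive.setdefault(match.group(1).lower(), {})
            continue
        match = VALUE.match(line)
        if match and current is not None:
            current[_unescape(match.group(1)).lower()] = _unescape(match.group(2))
    return hive


def audit(hive):
    """Return (value, key, data) tuples for entries that deviate from the defaults."""
    findings = []
    for key, values in hive.items():
        sub = key.split('\\', 1)[-1]           # drop HKEY_LOCAL_MACHINE / HKEY_CURRENT_USER
        if sub == WINLOGON:
            shell = values.get('shell')
            if shell is not None and shell.strip().lower() != 'explorer.exe':
                findings.append(('Shell', key, shell))
            userinit = values.get('userinit')
            if userinit is not None:
                parts = [p.strip().lower() for p in userinit.split(',') if p.strip()]
                # Expected: one path to userinit.exe followed by a comma, nothing after it.
                if len(parts) != 1 or not parts[0].endswith('\\system32\\userinit.exe'):
                    findings.append(('Userinit', key, userinit))
        elif sub.startswith(IFEO) and sub.rsplit('\\', 1)[-1] in ('userinit.exe', 'explorer.exe'):
            if values.get('debugger'):
                findings.append(('Debugger', key, values['debugger']))
        elif sub == APPINIT:
            if values.get('appinit_dlls', '').strip():
                findings.append(('AppInit_DLLs', key, values['appinit_dlls']))
        elif sub.startswith(RUN):
            for data in values.values():
                if any(folder in data.lower() for folder in SUSPECT_DIRS):
                    findings.append(('Run', key, data))
    return findings


if __name__ == '__main__':
    for value, key, data in audit(parse_reg(SAMPLE_REG)):
        print(f'{value:12} {data}\n{"":12} in {key}')
```

A clean result here does not cover patched system files: a modified userinit.exe or explorer.exe at the expected path passes these checks.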

So far we have only removed the virus from autorun. Now, to unlock Windows, you need to remove the winlocker itself.

But if you don’t find it, then you don’t have to delete it; it still won’t start when the system boots. 😉

To do this, close the registry editor and enter the command explorer.exe in the command line. Explorer will open.
Follow the path you wrote down earlier (the path that was there instead of the correct values), then find and remove the winlocker.
But it may have placed itself in hidden system folders and files. In that case, you need to enable access to hidden files and folders in Explorer:

For Windows7:

In Explorer - Organize / Folder and Search Options / View / Show hidden files, folders and disks.

Show hidden files, folders and drives in Windows 7

For Windows XP:

In Explorer - menu / Tools / Folder Options / View, in the window that appears, uncheck the box next to hide protected system files,
Check the box to show hidden files and folders.

To completely unlock Windows, go to the path you wrote down earlier (the one that was written in place of the correct values, instead of userinit.exe or explorer.exe), then find and delete the winlocker.

After restarting the computer, the problem will disappear.

If all Windows functions are locked, you will need to start the system directly from a flash drive; from there you can unlock Windows by deleting the malicious file and writing the correct values into the registry.

Surely every fourth personal computer user has come across various scams on the Internet. One type of deception is a banner that blocks Windows and demands that you send an SMS to a paid number or pay in cryptocurrency. Essentially it's just a virus.

To fight banner ransomware, you need to understand what it is and how it penetrates your computer. Typically a banner looks like this:

There may be all sorts of other variations, but the essence is the same: scammers want to make money from you.

Ways a virus gets into a computer

The first variant of “infection” is pirated apps, utilities, games. Of course, Internet users are accustomed to getting most of what they want online “for free,” but when downloading pirated software, games, various activators, and other things from suspicious sites, we risk becoming infected with viruses. In this situation it usually helps.

Windows may be blocked because of a downloaded file with the extension ".exe". This does not mean that you should refuse to download files with this extension. Just remember that ".exe" may only apply to games and programs. If you download a video, song, document or picture, and its name has ".exe" at the end, then the chance of a ransomware banner appearing increases sharply to 99.999%!

There is another tricky move: a supposedly necessary update of Flash Player or the browser. It may happen that you are working on the Internet, moving from page to page, and one day you find a message that "your Flash player is outdated, please update". If you click on this banner and it does not lead you to the official adobe.com website, then it is 100% a virus. Therefore, check before clicking the "Update" button. The best option is to ignore such messages altogether.

And lastly, a Windows installation with outdated updates weakens system security. To keep your computer protected, try to install updates on time. This feature can be set to automatic mode in "Control Panel -> Windows Update" so that you are not distracted.

How to unlock Windows 7/8/10

One of the simple ways to remove the ransomware banner is to reinstall Windows. It helps 100%, but reinstalling Windows makes sense only when you have no important data on drive "C" that you didn't have time to save. When you reinstall the system, all files will be deleted from the system disk. Therefore, if you do not want to reinstall software and games, you can use other methods.

After treatment and successful launch of the system without the ransomware banner, you need to carry out additional actions, otherwise the virus may resurface, or there will simply be some problems in the operation of the system. All this is at the end of the article. All information has been verified by me personally! So, let's begin!

Kaspersky Rescue Disk + WindowsUnlocker will help us!

We will use a specially developed operating system. The whole difficulty is that you need to download the image on your work computer and or (scroll through the articles, it’s there).

When this is ready, you need. At the moment of startup, a small message will appear, such as “Press any key to boot from CD or DVD.” Here you need to press any button on the keyboard, otherwise the infected Windows will start.

When loading, press any button, then select the language – “Russian”, accept the license agreement using the “1” button and use the launch mode – “Graphic”. After starting the Kaspersky operating system, we do not pay attention to the automatically launched scanner, but go to the “Start” menu and launch “Terminal”


A black window will open, where we write the command:

windowsunlocker

A small menu will open:


Select “Unlock Windows” with the “1” button. The program itself will check and correct everything. Now you can close the window and check the entire computer with the scanner already running. In the window, put a checkmark on the disk with Windows OS and click “Run object scan”


We wait for the check to finish (it can take a long time) and finally reboot.

If you have a laptop without a mouse and the touchpad does not work, then I suggest using the text mode of the Kaspersky disk. In this case, after starting the operating system, you must first close the menu that opens with the "F10" button, then enter the same command in the command line: windowsunlocker

Unlocking in safe mode, without special images

Today, viruses like Winlocker have become smarter and block loading Windows in safe mode, so most likely you won't succeed, but if you have no image, then try. Viruses differ and can work in different ways, but the principle is the same.

Reboot the computer. During boot, press the F8 key until the menu of advanced Windows startup options appears. Use the down arrow to select the item called "Safe Mode with Command Prompt" from the list.

This is where we need to go and select the desired line:

Next, if everything goes well, the computer will boot and we will see the desktop. Great! But this does not mean that everything is working now. If you don’t remove the virus and just reboot in normal mode, the banner will pop up again!

Treatment using Windows tools

You need to restore the system to a point when the blocker banner did not yet exist. Read the article carefully and do everything that is written there. There is a video below the article.

If that doesn't help, press "Win + R" and type this command in the window to open the Registry Editor:

regedit

If a black command-line window appears instead of the desktop, simply enter the command "regedit" and press "Enter". We have to check some registry sections for the presence of virus programs, or to be more precise, malicious code. To start, go to this path:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Now we check the following values in order:

  • Shell – “explorer.exe” must be written here, there should be no other options
  • Userinit – here the text should be “C:\Windows\system32\userinit.exe,”

If the OS is installed on a drive other than C:, then the letter there will be different. To change incorrect values, right-click on the line you want to edit and select "Modify":

Then we check:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

There should be no Shell and Userinit parameters here at all; if there are, delete them.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

And also be sure to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If you are not sure whether you need to delete an entry, you can first simply add a "1" to the parameter's value. The path will then be incorrect, and the program will simply not start. Later you can return it to how it was.

Now you need to run the built-in system cleaning utility. We launch it in the same way as the "regedit" registry editor, but type:
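The registry checks listed above (the same locations as in the earlier manual walkthrough) can be collected in one read-only pass. This is an added example, not part of the original article: it assumes Windows PowerShell can be started in the session you booted into and that it runs inside the affected Windows installation; the helper name Add-Finding belongs to this example only.

```powershell
# Added example: read-only audit of the autostart locations checked by hand above.
# Nothing is changed; anything reported still has to be reviewed and fixed in regedit.
$winlogon = 'Microsoft\Windows NT\CurrentVersion\Winlogon'
$runBase  = 'Software\Microsoft\Windows\CurrentVersion'
$findings = New-Object System.Collections.ArrayList

function Add-Finding($Key, $Name, $Value, $Note) {   # helper defined for this example
    $item = New-Object PSObject -Property @{ Key = $Key; Name = $Name; Value = $Value; Note = $Note }
    [void]$findings.Add($item)
}

# HKLM Winlogon: Shell must be explorer.exe; Userinit must be the path to
# userinit.exe on the system drive, followed by a comma.
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
$hklm = Get-ItemProperty -Path "HKLM:\SOFTWARE\$winlogon" -ErrorAction SilentlyContinue
if ("$($hklm.Shell)".Trim() -ne 'explorer.exe') {
    Add-Finding "HKLM\SOFTWARE\$winlogon" 'Shell' $hklm.Shell 'expected explorer.exe'
}
if ("$($hklm.Userinit)".Trim() -ne $expectedUserinit) {
    Add-Finding "HKLM\SOFTWARE\$winlogon" 'Userinit' $hklm.Userinit "expected $expectedUserinit"
}

# HKCU Winlogon: Shell and Userinit should not exist here at all.
$hkcu = Get-ItemProperty -Path "HKCU:\Software\$winlogon" -ErrorAction SilentlyContinue
foreach ($name in 'Shell', 'Userinit') {
    $current = if ($hkcu) { $hkcu.$name } else { $null }
    if ($null -ne $current) {
        Add-Finding "HKCU\Software\$winlogon" $name $current 'should not be present'
    }
}

# Run / RunOnce in both hives: report every entry except the three the article says to keep.
$keep = 'hkcmd.exe', 'igfxtray.exe', 'igfxpers.exe' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = Get-Item -Path "${hive}:\$runBase\$sub" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ($keep -notcontains $value.Trim('"')) {
                Add-Finding "$hive\$runBase\$sub" $name $value 'review: unfamiliar autostart entry'
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No deviations found.' }
else { $findings | Select-Object Key, Name, Value, Note | Format-List }
```

Entries reported under Run and RunOnce are not necessarily malicious; they are simply the ones to look at by hand, as the article describes.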

cleanmgr

Select the drive with the operating system (C: by default) and, after scanning, check all the boxes except "Service pack backup files".

Then click "OK". With this action we may have disabled the autorun of the virus; next we need to clean up traces of its presence in the system, which is covered at the end of the article.

AVZ utility

The idea is that in safe mode we launch the well-known antivirus utility AVZ. In addition to scanning for viruses, the program has a lot of functions for fixing system problems. This method repeats the steps for closing holes in the system after the virus has done its work, so to get acquainted with it, move on to the next section.

Fixing problems after removing ransomware

Congratulations! If you are reading this, it means the system started without a banner. Now you need to check the entire system. If you used the Kaspersky rescue disk and ran the scan there, then you can skip this point.

There may also be one more problem associated with the activities of the villain: the virus can encrypt your files. Even after completely deleting it, you simply will not be able to use your files. To decrypt them you need to use programs from the Kaspersky website: XoristDecryptor and RectorDecryptor. There are also instructions for use there.

But that's not all, because the winlocker has most likely played a dirty trick on the system, and various glitches and problems will be observed. For example, the Registry Editor and Task Manager will not start. To treat the system we will use the AVZ program.

When downloading it with Google Chrome, you may run into a problem, because this browser considers the program malicious and does not allow you to download it! This question has already been raised on the official Google forum, and at the time of writing this article everything is already back to normal.

To still download the archive with the program, you need to go to "Downloads" and click "Download malicious file". Yes, I understand that it looks a little stupid, but apparently Chrome thinks that the program can cause harm to an ordinary user. And this is true if you click around in it at random! Therefore, we strictly follow the instructions!

We unpack the archive with the program, write it to external media and run it on the infected computer. Let's go to the menu "File -> System Restore", check the boxes as in the picture and perform the operations:

Now we go along the following path: "File -> Troubleshooting Wizard", then go to "System problems -> All problems" and click on the "Start" button. The program will scan the system, and then in the window that appears, check all the boxes except "Disable automatic operating system updates" and those that begin with the phrase "Allow autorun from...".

Click on the “Fix noted problems” button. After successful completion, go to: “Browser settings and tweaks -> All problems”, here we check all the boxes and click on the “Fix marked problems” button in the same way.

We do the same with "Privacy", but here do not check the boxes that are responsible for cleaning bookmarks in browsers and anything else you think you need to keep. We complete the check in the "System Cleaning" and "Adware/Toolbar/Browser Hijacker Removal" sections.

Finally, close the window without leaving AVZ. In the program we find "Tools -> Explorer Extension Editor" and uncheck those items that are marked in black. Now let's move on to "Service -> Internet Explorer Extension Manager" and completely erase all the lines in the window that appears.

I already said above that this section of the article is also one of the ways to treat Windows for a ransomware banner. In this case, you need to download the program on a working computer and then write it to a flash drive or disk. We carry out all actions in safe mode. But there is another option to run AVZ, even if safe mode is not working: start from the same menu shown when the system boots, in the "Troubleshoot your computer" mode.

If you have it installed, it will be displayed at the very top of the menu. If it's not there, then try starting Windows until the banner appears and then unplugging the computer. Then turn it on again: a new startup mode may be offered.

Running from a Windows installation disc

Another surefire way is to boot from any Windows 7-10 installation disk and select not "Install" there, but "System Restore". When the troubleshooter is running:

  • Select "Command Prompt" there.
  • In the black window that appears, type "notepad", i.e. launch the regular Notepad. We will use it as a mini file explorer.
  • Go to the menu "File -> Open" and select the file type "All files".
  • Next, find the folder with the AVZ program, right-click on the executable file "avz.exe" and launch the utility using the "Open" menu item (not the "Select" item!).

If all else fails

This refers to cases when, for some reason, you cannot boot from a flash drive with a recorded Kaspersky image or the AVZ program. All you can do is take the hard drive out of your computer and connect it as a second disk to a working computer. Then boot from the UNINFECTED hard drive and scan YOUR disk with a Kaspersky scanner.

Never send SMS messages that scammers ask for. Whatever the text, do not send messages! Try to avoid suspicious sites and files, and generally read. Follow the instructions, and then your computer will be safe. And don’t forget about antivirus and regular operating system updates!
