06.08.2023

How to unlock Windows from ransomware. The banner extortionist: execute, you cannot pardon

What is a banner extortionist


Banners reading "Windows is locked - send an SMS to unlock" and their numerous variations are very fond of restricting the rights of ordinary Windows users. At the same time, the standard ways out of this unpleasant situation (fixing the problem from Safe Mode, unlock codes from the ESET and Dr.Web sites, and moving the BIOS clock into the future) do not always work.

Do you really have to reinstall the system or pay the extortionists? Of course, you can take the simplest route, but wouldn't it be better to try to deal with the obsessive monster named Trojan.WinLock on our own, with the means at hand, especially since the problem can often be solved quickly enough and completely free of charge?

Who are we fighting?

The first ransomware became active in December 1989. Many users then received floppy disks in the mail with information about the AIDS virus. After installing a small program, the system became inoperable, and users were asked to pay to bring it back to life. The malicious activity of the first SMS blocker, which introduced users to the concept of the "blue screen of death", was noted in October 2007.

Trojan.Winlock (the winlocker) is a representative of an extensive family of malicious programs whose installation leads to a complete blockage of, or significant difficulty in, working with the operating system. Building on the successful experience of their predecessors and on newer technology, winlocker developers quickly turned a new page in the history of Internet fraud. The largest number of modifications of the virus reached users in the winter of 2009-2010, when, according to statistics, more than a million personal computers and laptops were infected. A second peak of activity came in May 2010. Although the number of victims of the whole generation of Trojan.Winlock Trojans has decreased significantly in recent years, and the fathers of the idea have been imprisoned, the problem is still relevant.

The number of different winlocker versions has run into the thousands. In earlier versions (Trojan.Winlock 19, etc.), attackers demanded 10 rubles to unlock access, and two hours without any user activity led to the self-deletion of the program, which left behind only unpleasant memories. Over the years appetites grew: in later versions unlocking Windows already cost 300 - 1000 rubles or more, and the developers modestly forgot about self-deletion.

As payment options, the user is offered an SMS to a premium-rate short number or a transfer to an electronic wallet (WebMoney, Yandex Money). What "stimulates" an inexperienced user to pay is the alleged viewing of porn sites, the use of unlicensed software and so on, and, to increase effectiveness, the extortion message threatens to destroy the data on the user's computer if they try to deceive the system.

Trojan.Winlock Distribution Paths

In most cases, infection occurs through a browser vulnerability; the risk zone is, as always, "adult" resources. The classic infection lure is the "anniversary visitor" who has supposedly won a valuable prize. Another traditional route is programs that masquerade as reputable installers, self-extracting archives or updates (Adobe Flash, etc.). The interface of these Trojans is colourful and varied; disguising the window as that of an anti-virus program is the traditional technique, animation and the like are used less often.

Among the variety of modifications encountered, Trojan.Winlock can be divided into 3 types:

  1. Porn-informers, or banners that are forced on the user only while a browser window is open.
  2. Banners that remain on the desktop after the browser is closed.
  3. Banners that appear after the Windows desktop loads and block the launch of Task Manager, access to the Registry Editor, booting into Safe Mode and, in some cases, the keyboard.

In the latter case, the user is left only the mouse, enough for the minimum of manipulation the attacker needs: entering the code in the on-screen numeric interface.

Bad habits of Trojan.Winlock

To ensure distribution and autorun, viruses of the Trojan.Winlock family modify registry keys:

  • [...\Software\Microsoft\Windows\CurrentVersion\Run] "svhost" = "%APPDATA%\svhost\svhost.exe"
  • [...\Software\Microsoft\Windows\CurrentVersion\Run] "winlogon.exe" = " \winlogon.exe"

To make itself harder to detect in the system, the virus blocks the display of hidden files, then creates and launches for execution:

  • %APPDATA%\svhost\svhost.exe

Runs for execution:

  • \winlogon.exe
  • %WINDIR%\explorer.exe
  • \cmd.exe /c """%TEMP%\uAJZN.bat"" "
  • \reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svhost" /t REG_SZ /d "%APPDATA%\svhost\svhost.exe" /f

Terminates or attempts to terminate a system process:

  • %WINDIR%\Explorer.EXE

Makes changes to the file system. Creates the following files:

  • %APPDATA%\svhost\svhost.exe
  • %TEMP%\uAJZN.bat

Assigns the "hidden" attribute to files:

  • %APPDATA%\svhost\svhost.exe

Looks for windows:

  • ClassName: "Shell_TrayWnd" WindowName: ""
  • ClassName: "Indicator" WindowName: ""
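As an added example (not part of the original article), the following PowerShell script sweeps a single host for the traces listed above and for the two policy values a blocker of this type flips to disable Task Manager and Registry Editor; it only reports and deletes nothing. The file paths and Run value names come from the list above; the DisableTaskMgr, DisableRegistryTools and Explorer "Hidden" value names are standard Windows settings rather than something the article names, and since the batch file name is random per sample, any .bat in %TEMP% is reported for manual review.

```powershell
# Added example, not from the original article: report-only sweep for the
# Trojan.Winlock traces listed above and for the lockout settings it changes.
# Paths and Run value names are from the article; the policy value names
# (DisableTaskMgr, DisableRegistryTools, Explorer "Hidden") are standard Windows ones.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped binary and its attributes (article: %APPDATA%\svhost\svhost.exe, set "hidden")
$dropped = Join-Path $env:APPDATA 'svhost\svhost.exe'
if (Test-Path -LiteralPath $dropped) {
    $attrs = (Get-Item -LiteralPath $dropped -Force).Attributes
    $findings.Add("dropped binary present: $dropped (attributes: $attrs)")
}

# 2. Batch droppers in %TEMP% (article shows %TEMP%\uAJZN.bat; the name is random per sample)
Get-ChildItem -LiteralPath $env:TEMP -Filter '*.bat' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("batch file in TEMP: $($_.FullName)") }

# 3. Autorun values named in the article ("svhost", "winlogon.exe") in both hives
foreach ($hive in 'HKCU', 'HKLM') {
    $runKeyPath = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -Path $runKeyPath)) { continue }
    $runKey = Get-Item -Path $runKeyPath
    foreach ($name in 'svhost', 'winlogon.exe') {
        $value = $runKey.GetValue($name)
        if ($null -ne $value) { $findings.Add("autorun value ${hive}\...\Run\${name} = $value") }
    }
}

# 4. Settings the blocker changes to hide itself and lock the user out
$advanced = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($advanced.Hidden -eq 2) { $findings.Add('Explorer set to not show hidden files (Hidden = 2)') }

$policy = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($policy.DisableTaskMgr -eq 1)       { $findings.Add('Task Manager disabled by policy (DisableTaskMgr = 1)') }
if ($policy.DisableRegistryTools -eq 1) { $findings.Add('Registry Editor disabled by policy (DisableRegistryTools = 1)') }

# 5. Report
if ($findings.Count -eq 0) {
    Write-Host 'No Trojan.Winlock indicators from the list above were found on this host.'
} else {
    Write-Host "$($findings.Count) indicator(s) found:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Run it from Safe Mode with Command Prompt (or from a Live CD session that has loaded the user's hive) as the affected user, since points 3 and 4 read HKCU of whoever runs the script; a finding under item 4 on a machine whose user never changed those settings is itself a strong sign that a blocker has been active.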

Treatment. Method 1. Finding the unlock code by payment details or phone number

The prevalence and severity of the problem prompted anti-virus developers to look for effective solutions. On the Dr.Web website, the unlocking interface is publicly available as a form where you enter the phone number or electronic wallet used for the extortion. If the virus is in the database, entering the appropriate data in the box (see figure below) will give you the desired code.

Method 2. Search for the desired unlock code by image in the database of Dr.Web service

On another page of the site, the authors offer another option: a ready-made database of unlock codes for common versions of Trojan.Winlock, classified by image.

A similar code search service is provided by ESET, whose database holds almost 400,000 unlock codes, and by Kaspersky Lab, which offers not only access to its code base but also its own disinfection utility, Kaspersky Windows Unlocker.

Method 3. Utilities - unlockers

Quite often, because of the virus's activity or a system failure, Safe Mode with command line support, which would allow the necessary manipulations to be carried out, is unavailable, and for some reason a system rollback is also impossible. In such cases, Computer Troubleshooting and the Windows Recovery Disc are useless, and you have to use the recovery options of a Live CD.

To resolve the situation, it is recommended to use a specialised disinfection utility whose image is booted from a CD or USB drive. For this, the corresponding boot option must be enabled in the BIOS: once the CD or flash drive carrying the image is set to the highest priority in the BIOS settings, it will boot before the installed system.

In general, the BIOS is most often entered with the F2 key on a laptop and DEL/DELETE on a PC, but the keys and combinations may differ (F1, F8, less often F10, F12 ..., or the shortcuts Ctrl+Esc, Ctrl+Ins, Ctrl+Alt, Ctrl+Alt+Esc, etc.). You can find out the right key by watching the text in the lower left area of the screen during the first seconds of boot. You can learn more about the settings and capabilities of the BIOS of various versions.

Since only later BIOS versions support the mouse, you will most likely have to navigate the menu with the "up"/"down" arrows and the "+", "-", F5 and F6 keys.

AntiWinLockerLiveCD

One of the most popular and simplest utilities for dealing effectively with ransomware banners, the "banner killer" AntiWinLockerLiveCD, has well earned its reputation.


Main functions of the program:

  • Fixing changes to the most important parameters of the operating system;
  • Fixing the presence of unsigned files in the autorun area;
  • Protection against replacement of some system files in Windows XP (userinit.exe, taskmgr.exe);
  • Protection against the virus disabling Task Manager and Registry Editor;
  • Protecting the boot sector from Trojan.MBR.lock viruses;
  • Protecting against the program image being replaced by another.

If the banner does not allow your computer to boot, AntiWinLocker LiveCD / USB will help remove it automatically and restore normal boot.

Automatic System Restore:

  • Restores the correct values in all critical areas of the shell;
  • Disables unsigned files in startup;
  • Eliminates the blocking of Task Manager and Registry Editor;
  • Clears all temporary files and executable files from the user profile;
  • Eliminates all system debuggers (HiJack);
  • Restores the HOSTS file to its original state;
  • Restores system files if they are not signed (Userinit, taskmgr, logonui, ctfmon);
  • Moves all unsigned jobs (.job) to the AutorunsDisabled folder;
  • Deletes all Autorun.inf files found on all drives;
  • Boot sector recovery (in the WinPE environment).
Treatment with the AntiWinLocker LiveCD utility is not a panacea, but it is one of the easiest and fastest ways to get rid of the virus. The LiveCD distribution, even in its lightweight free Lite version, has all the necessary tools: the FreeCommander file manager, which gives access to system files, to startup entries and to the registry.

The program is a real find for novice users, because it offers an automatic check-and-repair mode in which the virus and the consequences of its activity are found and neutralised in a few minutes with little or no user intervention. After a reboot, the machine is ready to continue working normally.

The sequence of actions is extremely simple:

  • Download the AntiWinLockerLiveCD ISO of the required version on another computer, insert a blank CD into its drive, right-click the file, select "Open with" - "Windows Disc Image Burner" - "Burn" and write the image to the CD. The boot disk is ready;
  • Place the disk in the drive of the locked PC/laptop with the BIOS pre-configured as described above;
  • Wait for the LiveCD image to load into RAM;
  • When the program window appears, select the blocked account;
  • Select the Professional or Lite version for data processing; the free Lite version is suitable for almost all tasks;
  • After selecting the version, select the disk on which the locked Windows is installed (if the program has not selected it automatically) and the user account used by the OS, and set the search parameters. For the purity of the experiment, you can tick all menu items except the last one (restore boot sector);
  • Press "Start" / "Start treatment";
  • Wait for the results of the check. At the end, problematic files are highlighted in red on the screen.

As expected, when searching for the virus in the example above, the program paid special attention to its traditional habitats and recorded changes to the Shell parameters responsible for the graphical shell of the OS. After disinfection, closing all the program windows in reverse order, pressing "Exit" and rebooting, the familiar Windows splash screen took its usual place again. Our issue was successfully resolved.


Among the additional useful tools of the program:

  • Registry editor;
  • Command line;
  • Task Manager;
  • The TestDisk disk utility;
  • AntiSMS.

A check in automatic mode by the AntiWinLockerLiveCD utility does not always detect the blocker. If automatic cleaning fails, you can always use the File Manager to check the paths C: or D:\Documents and Settings\Username\Local Settings\Temp (Windows XP) and C: or D:\Users\Username\AppData\Local\Temp (Windows 7). If the banner is registered in autorun, you can analyse the results of the check in manual mode, which allows you to disable autorun entries.

Trojan.Winlock generally does not burrow very deep and is fairly predictable. All it takes to put it in its place is a couple of good programs and tips and, of course, discretion in the boundless cyberspace.

Prevention

"It is clean not where they clean often, but where they do not litter!" Well said, and in the case of our cheerful Trojan more apt than ever. To minimise the likelihood of infection, follow a few simple and quite feasible rules.

Choose a more complicated password for the Administrator account, so that primitive malware cannot pick it up by simple brute force.

In the browser settings, enable clearing the cache after each session, prohibit the execution of files from the browser's temporary folders, etc.

Always have a disinfection disk/flash drive (LiveCD/LiveUSB) at hand, recorded from a trusted resource (torrent).

Keep the Windows installation disk and always remember where it is. At the crucial hour you can restore the system's vital files to their original state from the command line.

Create a restore point at least every two weeks.

Run any dubious software (cracks, keygens, etc.) inside a virtual machine (VirtualBox, etc.). This makes it easy to restore damaged segments using the virtual machine's tools.

Back up to external media regularly. Prevent dubious programs from writing to files.

Good luck in your endeavours, and only pleasant and, most importantly, safe encounters!

Afterword from the iCover team

We hope that the information in this material will be useful to readers of the iCover blog and will help you cope with the described problem in a matter of minutes. We also hope that in our blog you will find many useful and interesting things, get acquainted with the results of unique tests and examinations of the latest gadgets, and find answers to the most pressing questions, whose solution was often needed yesterday.

Greetings!
With the mass distribution of gadgets and devices running the Android operating system, the issue of protecting them and removing malicious software is becoming increasingly urgent.

Malicious software is divided into categories, each with its own properties and characteristics. In this article we will analyse the most common categories of malware for the Android operating system and consider the most effective ways to combat this evil.

Trojan removal

The most popular type of malware is the Trojan. Its destructive activity consists of collecting and sending confidential information to criminals, from personal correspondence in instant messengers to bank card details entered when making a payment. In addition, this malware can covertly send SMS to premium-rate short numbers, causing financial damage to the owner of the device.

To get rid of the malware, follow these instructions:

1) Install one of the popular anti-virus solutions for Android from the Play Market (AVG, Kaspersky, Dr. Web) and scan the system for viruses.

2) After the scan is complete, delete all the suspicious files found.

As a rule, these actions are enough to clean an Android system of Trojans.

Ad virus removal

Applications that inject ads are also quite common. Unlike Trojans, their malicious action consists of adding advertising to the system interface and the browser. As a result, the responsiveness of the interface drops and traffic consumption increases!

The most common way this type of malware enters the system is through the installation of pseudo-free games.

The most effective remedy is to install the AdAway application, which blocks access to the addresses from which advertising content is downloaded. However, this method involves some difficulties, namely the need to obtain root access on the device (the application does not work without it) and installing the application from its website, for which you need to tick "Unknown sources" in the device settings, under Settings -> Safety.

If these difficulties do not stop you, the result is that you will almost completely get rid of annoying pop-up and flickering ads in apps as well as in the browser.

Removing the ransomware banner

This category of malware blocks access to the gadget's interface and demands that the owner transfer money to unlock it. Never transfer money to scammers: there is no guarantee that after payment you will get access to your gadget back.

If you find this malware, do the following:

1) Turn off the device and remove the SIM card.

2) Turn on the device and, as quickly as possible (before the blocker banner appears), go to Settings -> For developers, tick USB Debugging, then select the suspicious app in the "Select application to debug" menu, and finally tick the now-active item "Wait for the debugger to connect".

If the "Select application to debug" menu shows many applications and you find it difficult to identify the malicious one, its name can, with a very high degree of probability, be found under Settings -> Safety -> Device administrators: to increase its own privileges and make itself harder to remove, the malware usually adds itself to this list.

The "For developers" section may also be missing from the menu. To activate it, go to "About tablet PC" and tap "Build number" several times in a row. You may have to reboot the device several times in order to have time to perform the necessary manipulations.

3) After these manipulations the system interface will be unlocked, and all that remains is to untick the malicious application under Settings -> Safety -> Device administrators. This removes the privileges that prevent the malicious application from being removed with the regular system tools.

4) Remove the malicious application with the regular means: go to Settings -> Applications -> <application name>.

Summary

By following these instructions, you can quickly and easily deal with the most diverse types of malware found on smartphones and tablets running the Android operating system.

Hello, dear readers of the blog. For a long time I have wanted to write an article on how to remove the ransomware virus (Winlocker) that blocks logging in to your computer.

Most often, this problem is faced by inexperienced users who, by pure chance or through negligence, became victims of scammers. Due to inexperience, many send an SMS to unlock the banner in the hope of receiving a code, and spend a lot of money before it becomes clear that this is just a ransomware virus that has infected the computer, which can be fought without spending anything.

I will say right away: in no case pay money to the scammers; everything written on such an SMS banner is a pure scam. Even if you decide to take the path of least resistance and pay, it is not a fact that this will solve your problem.

Also, do not resort to the last resort, reinstalling the system. Any malicious program can be removed in a simple way and without consequences, whereas reinstalling the system may mean the complete loss of all your important information. Resort to it only if there is nothing valuable on your computer.

The impact of the ransomware virus on your system

Winlocker completely suspends the operating system and blocks access to launching programs and to the desktop. The ransomware virus blocks access to Task Manager and starts as soon as Windows begins loading. Sometimes the malicious program also removes the ability to start the system in Safe Mode, in which case solving the problem will be much more difficult.

When the virus gets onto a device, it writes itself several times in different places, so that it is difficult to identify and even harder to remove.

Let me say a couple of words about why this happens. Most often, this type of virus appears on computers with no anti-virus protection. To protect your device from malware, I advise you to read the article . You also need to understand that on sites with you need to be extremely careful and not follow unfamiliar links. Another very likely way of catching such an infection is downloading and installing a program from an unverified source. When browsing the Internet, do not forget to protect your PC; a little vigilance will help avoid further problems.

Be sure to take preventive measures: update your anti-virus and periodically scan your device for malware (you can set up automatic scanning on a specific day and time). If you follow simple rules, you can avoid infection.

So, if you have decided to deal with this problem on your own, let's look at several options for unlocking the ransomware virus. We will start with the simplest method and gradually move to the more complex ones. If one of the options helps you, stop there.

Running commands from the command line

I recently learned about the simplest way, but it is not able to fix the problem on all machines.

The first thing we need to do is . Reboot the computer and periodically press the F8 key during boot. If you did everything correctly, you will see the menu of additional Windows boot options. In this menu, select Safe Mode with command line support and press Enter. After loading, only the command line will appear, without the desktop and the shortcuts and icons on it. Enter the following commands one by one:

  • the cleanmgr command: the Cleanmgr.exe tool removes unnecessary and obsolete files;
  • the rstrui command: starts System Restore (this command will only work if you did not disable System Restore in the system settings).

After entering the commands in sequence, reboot the computer and check whether the banner is present. If it is gone, this method helped; if not, proceed to the next one.

Remove the blocker from startup

As in the first method, start the device and press F8 to load the menu of additional options. Then choose Safe Mode and press Enter. Launch the Run function, through the Start menu or by simultaneously pressing the Ctrl + R keys, and in the field enter the command msconfig. This opens the Windows boot options window. Open the Startup tab and look for suspicious programs.

Most often, the name of such a program consists of a random set of letters. If you find such a program, untick it. You also need to look at which folder it is stored in and delete it. Before performing these actions, I advise you to read the materials of the article.

After these operations, restart the computer and check whether the problem is fixed. If the SMS virus still denies access, proceed to the next method.

We clean the registry from traces of the banner

If you have reached this point and the previous attempts were in vain, this method should help you unlock the ransomware virus in 98% of cases.

I want to note that all the actions listed below must be carried out very carefully and strictly according to the instructions. When editing registry keys, incorrect actions can cause irreparable harm to the system, leaving reinstalling Windows as the only option.

So, start the system in Safe Mode as described above. Wait for it to load, launch "Run", and in the field of the window that opens enter the command regedit. A Registry Editor window will open.

Then go to the following path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right pane you will see two parameters, Shell and Userinit, with a value column beside them. There should be nothing superfluous in these values: Shell should be explorer.exe and Userinit should be userinit.exe. If there are additional values, they are the virus's doing and you can safely delete them.

Also, to calm my conscience, I advise you to go to the following address in the registry: ...\Microsoft\Windows\CurrentVersion\Run and check whether there are any unnecessary and unfamiliar programs in the right pane of the window; if any are found, delete them.

Restart the computer and rejoice at the disappearance of the virus.

I am almost one hundred percent sure that if everything is done correctly, the banner blocking Windows startup will disappear. But just in case, I will give one more way to remove the ransomware. It is certainly not as serious as the others, but sometimes it is no less effective.

Changing the date in the BIOS

When the system boots, go into the BIOS and move the date and time a week ahead. Sometimes the banner disappears, but this happens very rarely.

Be sure to scan your computer for malware after you have got rid of the Windows blocker. The scan must be full, not quick. You also need to think about quality protection for your device. If you don't have money for a paid anti-virus like , you can download a free anti-virus called .

The final step will be to check your PC for malware. There are several free programs for this, which I will cover in the following articles of my blog.

I really hope I have helped you figure out how to remove the ransomware banner; if you have any questions, feel free to ask them in the comments and I will gladly try to help.

Surely every fourth user of a personal computer has encountered some kind of fraud on the Internet. One type of deception is a banner that blocks Windows and demands that you send an SMS to a premium-rate number, or demands cryptocurrency. Basically, it is just a virus.

To fight a ransomware banner, you need to understand what it is and how it gets onto your computer. The banner usually looks like this:

There may be all sorts of other variations, but the essence is the same: the crooks want to make money off you.

How a virus enters a computer

The first infection route is pirated applications, utilities and games. Of course, Internet users are used to getting most of what they want online "for free", but by downloading pirated software, games, activators and the like from suspicious sites, we run the risk of picking up viruses. In this situation, it usually helps.

Windows may be blocked because of a downloaded file with the ".exe" extension. This does not mean you must refuse to download files with this extension; just remember that ".exe" applies only to games and programs. If you download a video, song, document or picture and its name ends in ".exe", the chance of the ransomware banner appearing rises dramatically, to 99.999%!

There is also a trick with a supposed need to update the Flash Player or the browser. You may be browsing the Internet, moving from page to page, and one day see a message that "your Flash player is out of date, please update". If clicking this banner does not take you to the official adobe.com website, it is 100% a virus. So check before clicking the "Update" button; the best option is to ignore such messages altogether.

Lastly, missing Windows updates weaken the system's protection. To keep your computer protected, install updates on time. Updating can be set to automatic mode in "Control Panel -> Windows Update" so that it does not distract you.

How to unlock Windows 7/8/10

One of the simple options to remove the ransomware banner is . It helps 100%, but reinstalling Windows only makes sense when you have no important data on drive C that you have not had time to save: when you reinstall the system, all files on the system disk are deleted. So if you have no desire to reinstall your software and games, you can use the other methods.

After disinfection and a successful start of the system without the ransomware banner, additional steps must be taken, otherwise the virus may resurface or there will simply be some problems in the system. All of this is at the end of the article. All the information has been personally verified by me! So, let's begin!

Kaspersky Rescue Disk + WindowsUnlocker will help us!

We will use a specially designed operating system. The whole difficulty is that on a working computer you need to download an image and or (scroll through the articles, there are).

When it is ready, you need . At startup a short message will appear, such as "Press any key to boot from CD or DVD". Here you need to press any key on the keyboard, otherwise the infected Windows will start.

When loading, press any key, then select the language ("Russian"), accept the license agreement with the "1" key and choose the launch mode "Graphic". After the Kaspersky operating system starts, ignore the automatically launched scanner, go to the "Start" menu and launch the "Terminal".


A black window will open, where we type the command:

windowsunlocker

A small menu will open:


Select "Unlock Windows" with the "1" key. The program will check and fix everything itself. Now you can close the window and check the entire computer with the scanner that is already running: in its window, tick the disk with the Windows OS and click "Perform object check".


Wait for the check to finish (it may take a long time) and, finally, reboot.

If you have a laptop without a mouse and the touchpad does not work, I suggest using the text mode of the Kaspersky disk. In this case, after the operating system starts, first close the menu that opens with the F10 key, then enter the same command on the command line: windowsunlocker

Unlock in safe mode, no special images

Today, viruses like Winlocker have grown wiser and block, so most likely you will not succeed, but if there is no image, then try. Viruses are different and each may behave differently, but the principle is the same.

Restart the computer. During boot, press the F8 key until the menu of additional options for starting Windows appears. Use the down arrow to select the item called "Safe Mode with Command Line Support".

This is where we need to get to and select the desired line:

Next, if all goes well, the computer will boot and we will see the desktop. Great! But that does not mean everything works now: if you do not remove the virus and simply reboot in normal mode, the banner will pop up again!

We are treated with Windows tools

You need to restore the system to a point when there was no blocker banner yet. Read the article carefully and do everything written there. There is a video below the article.

If that does not help, press "Win + R" and type the command to open the Registry Editor in the window:

regedit

If a black command line starts instead of the desktop, simply enter the "regedit" command there and press "Enter". We have to check some registry keys for viruses or, more precisely, for malicious code. To start, go to this path:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Now, in order, we check the following values:

  • Shell - “explorer.exe” must be written here, there should be no other options
  • Userinit - here the text should be "C:\Windows\system32\userinit.exe,"

If the OS is installed on a drive other than C:, the drive letter there will differ accordingly. To change an incorrect value, right-click the line you want to edit and select "Modify":

Then we check:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

There should be no Shell and Userinit values here at all; if there are, delete them.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

And be sure to check:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If you are not sure whether a value needs to be deleted, you can first simply append a "1" to its path. The path will then be invalid and that program will simply not start. Later you can change it back to what it was.
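The registry checks described above can be done by hand in regedit, but it is easy to miss an entry. The following PowerShell script is an added example, not code from the original article: it backs up the keys with reg.exe, compares the HKLM Winlogon Shell and Userinit values with the stock ones (taking the drive letter from the running Windows), reports Shell or Userinit values that should not exist under HKCU, and lists every Run/RunOnce entry, flagging programs that are missing from disk or run from a user-writable folder. The backup folder name and the suspicious-folder heuristic are assumptions; the script changes nothing, so deleting or renaming entries is still done in regedit as described.

```powershell
# Added example, not part of the original article: audit the Winlogon and
# autorun registry locations listed above and report anything that deviates
# from the expected values. It only reads the registry (plus a reg.exe backup);
# the backup folder name is an assumption. Run from an elevated prompt.
param(
    [string]$BackupDir = "$env:SystemDrive\regbackup"   # assumed backup location
)

# Expected values; the drive letter comes from the running Windows, so a
# system installed on D: is handled without editing anything.
$expectedShell    = 'explorer.exe'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"

$hklmWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hkcuWinlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath {
    # Extract the program path from a command line: a "quoted path" or the
    # first whitespace-delimited token, with %VARIABLES% expanded.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($CommandLine.Trim() -split '\s+', 2)[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-SuspiciousAutorun {
    # Heuristics only (an assumption of this example): the program is missing
    # from disk, or it lives in a user-writable folder (Temp, AppData, a user
    # profile), which is where blockers usually drop themselves.
    # Returns a reason string, or $null when nothing looks wrong.
    param([string]$CommandLine)
    $exe = Get-ExePath $CommandLine
    if (-not (Test-Path -LiteralPath $exe)) { return "file '$exe' does not exist" }
    if ($exe -match '\\(Temp|AppData|Users)\\') { return "runs from user-writable folder '$exe'" }
    return $null
}

# 1. Back up every key before editing anything by hand in regedit.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$i = 0
foreach ($key in @($hklmWinlogon, $hkcuWinlogon) + $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $native = $key -replace '^(HKLM|HKCU):', '$1'   # reg.exe wants HKLM\..., not HKLM:\...
    $i++
    reg.exe export $native (Join-Path $BackupDir "key$i.reg") /y | Out-Null
}
Write-Host "Backups written to $BackupDir"

# 2. Winlogon under HKLM: Shell and Userinit must be exactly the stock values
#    (string comparison in PowerShell is case-insensitive).
$wl = Get-ItemProperty -Path $hklmWinlogon
if ($wl.Shell -ne $expectedShell) {
    Write-Warning "HKLM Winlogon\Shell is '$($wl.Shell)', expected '$expectedShell'"
} else { Write-Host "HKLM Winlogon\Shell OK" }
if ($wl.Userinit -ne $expectedUserinit) {
    Write-Warning "HKLM Winlogon\Userinit is '$($wl.Userinit)', expected '$expectedUserinit'"
} else { Write-Host "HKLM Winlogon\Userinit OK" }

# 3. Winlogon under HKCU: Shell and Userinit should not exist there at all.
if (Test-Path $hkcuWinlogon) {
    $cu = Get-ItemProperty -Path $hkcuWinlogon
    foreach ($name in 'Shell', 'Userinit') {
        if ($cu.PSObject.Properties[$name]) {
            Write-Warning "HKCU Winlogon\$name exists ('$($cu.$name)'); delete it"
        }
    }
}

# 4. Run / RunOnce: list every entry and flag the suspicious ones.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in (Get-Item $key).Property) {
        $cmd = [string]$props.$name
        $why = Test-SuspiciousAutorun $cmd
        if ($why) { Write-Warning "$key\$name = $cmd  <-- $why" }
        else      { Write-Host "$key\$name = $cmd" }
    }
}
```

Copy the script to a USB stick and, from the safe-mode command prompt, start it with `powershell -ExecutionPolicy Bypass -File audit.ps1`. Treat the flags as hints, not verdicts: legitimate software sometimes autostarts from AppData too, so look at each flagged command line before deleting anything, and keep the .reg backups until the system has rebooted cleanly in normal mode.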

Now run the built-in disk cleanup utility. It is launched the same way as the registry editor "regedit", but this time type:

cleanmgr

Select the drive with the operating system (C: by default) and, after the scan, check all the boxes except "Service Pack Backup Files".

Then click "OK". With this we may have disabled the virus's autorun, but its traces still have to be cleaned out of the system; read about that at the end of the article.

AVZ Utility

This method consists of running the well-known antivirus utility AVZ in safe mode. Besides searching for viruses, the program has a great many functions for fixing system problems. The method repeats the steps for closing the holes left in the system after the virus has done its work, so to get acquainted with it, go to the next section.

Fixing issues after ransomware removal

Congratulations! If you are reading this, the system has started without the banner. Now you need to scan the whole system with an antivirus. If you used the Kaspersky rescue disk and scanned the system there, you can skip this step.

There may be one more trouble associated with the villain's activity: the virus may have encrypted your files. Even after it is completely removed, you simply will not be able to use them. To decrypt them, use the programs from the Kaspersky website: XoristDecryptor and RectorDecryptor. Instructions for use are provided there as well.

But that is not all, because Winlocker has most likely made a mess of the system, and various glitches and problems will be observed. For example, the registry editor and task manager will not start. To repair the system, we will use the AVZ program.

When downloading with Google Chrome there may be a problem, because this browser considers the program malicious and does not allow it to be downloaded! This question has already been raised on the official Google forum, and at the time of writing everything was already OK.

To download the archive with the program anyway, go to "Downloads" and click "Download malicious file" there 🙂 Yes, I understand it looks a little silly, but apparently Chrome thinks the program can harm the average user. And that is true if you click wherever you please! So follow the instructions strictly!

Unpack the archive with the program, write it to external media and run it on the infected computer. Go to the menu "File -> System Restore", mark the checkboxes as in the picture and perform the following operations:

Now let's take the following path: "File -> Troubleshooting Wizard", then go to "System problems -> All problems" and click on the "Start" button. The program will scan the system, and then in the window that appears, set all the checkboxes except "Disabling operating system updates in automatic mode" and those that begin with the phrase "Allow autorun from ...".

Click on the "Fix flagged issues" button. After successful completion, go to: "Browser settings and tweaks -> All problems", here we put all the checkboxes and in the same way click on the button "Fix flagged problems".

Do the same with "Privacy", but here do not check the boxes responsible for clearing bookmarks in browsers, or anything else you want to keep. Finish the check in the sections "Cleaning the system" and "Adware/Toolbar/Browser Hijacker Removal".

At the end, close the window without quitting AVZ. In the program find "Tools -> Explorer Extensions Editor" and clear the checkmarks from the items marked in black. Then go to "Tools -> Internet Explorer Extension Manager" and delete all the lines in the window that appears.

I already said above that this section of the article is also one of the ways to cure Windows of a ransomware banner. In that case, you need to download the program on a working computer and write it to a USB flash drive or a disc. All actions are carried out in safe mode. But there is another option for running AVZ even when safe mode does not work: start in the "Computer Troubleshooting" mode from the same F8 boot menu.

If it is installed, it will be shown at the very top of the menu. If it is not there, try starting Windows until the banner appears and then unplug the computer from the outlet. When you turn it on again, a new startup mode will probably be offered.

Starting from a Windows installation disc

Another reliable way is to boot from any Windows 7-10 installation disc and choose not "Install" but "System Restore". When the troubleshooter is running:

  • Select "Command Prompt"
  • In the black window that appears, type "notepad", i.e. launch the ordinary Notepad. We will use it as a mini file explorer
  • Go to the menu "File -> Open" and set the file type to "All files"
  • Next, find the folder with the AVZ program, right-click the executable "avz.exe" and launch the utility with the "Open" menu item (not "Select"!).

If nothing helps

This applies to cases where, for some reason, you cannot boot from a flash drive with the Kaspersky image or the AVZ program. All that is left is to remove the hard drive from the computer and connect it as a second drive to a working computer. Then boot from the UNINFECTED hard drive and scan YOUR drive with the Kaspersky scanner.

Never send the SMS messages the scammers ask for. Whatever the text says, do not send them! Try to avoid suspicious sites and files, and read up on the subject in general. Follow the instructions and your computer will be safe. And do not forget about an antivirus and regular updates of the operating system!

Here is a video showing everything in an example. The playlist consists of three lessons:

PS: what method helped you? Write about it in the comments below.

