Detailed instructions for unlocking your computer if you become a victim of a so-called banner informing you that your computer is locked. Several common methods are considered (perhaps the most effective in most cases is editing the Windows registry).
If the banner appears immediately after the BIOS screen, before Windows starts, see the solutions in the new article How to remove the banner
Desktop banner
Such a misfortune as SMS ransomware banners is one of the most common problems for today's users - I say this as a person repairing computers at home. Before talking about the methods of removing an SMS banner, I will note some general points that may be useful for those who are faced with this for the first time.
So, first of all, remember:
- You don’t need to send any money to any number - in 95% of cases this will not help. You should also not send SMS to short numbers (although there are fewer and fewer banners with this requirement).
- As a rule, the text of the window that appears on the desktop refers to the terrible consequences that await you if you disobey and act in your own way: deletion of all data from the computer, criminal prosecution, etc. You don’t need to believe anything written there; all this is aimed only at the unprepared user who, without understanding, quickly goes to the payment terminal to put in 500, 1000 or more rubles.
- Utilities that allow you to get an unlock code very often do not know this code, simply because it is not provided for in the banner. There is a window for entering the unlock code, but there is no code: fraudsters do not need to complicate their lives and provide for the removal of their ransomware SMS, they need to get your money.
- If you decide to contact specialists, you may encounter the following: some companies that provide computer assistance, as well as individual technicians, will insist that in order to remove the banner, you must reinstall Windows. This is not so. Reinstalling the operating system is not required in this case, and those who claim the opposite either do not have sufficient skills and use reinstallation as the easiest way to solve the problem, since it does not require such skills, or they aim to get a large amount of money, since the price of a service such as installing an OS is higher than removing a banner or treating viruses (in addition, some charge separately for saving user data during installation).
That is probably enough of an introduction. Let us move on to the main topic.
How to remove a banner - video instruction
This video demonstrates the most effective way to remove the ransomware banner using the Windows registry editor in safe mode. If something is not clear from the video, then below the same method is described in detail in a text format with pictures.
Removing a banner using the registry
(This method is not suitable in the rare cases when the ransomware message appears before Windows loads, i.e. the banner text pops up immediately after BIOS initialization, without the Windows logo appearing at startup.)
Apart from the case described above, this method works almost always. Even if you are new to working with a computer, you should not be afraid - just follow the instructions and everything will work out.
First you need to access the Windows registry editor. The easiest and most reliable way to do this is to boot the computer in safe mode with command line support. To do this, turn on the computer and press F8 until a list of boot modes appears. In some BIOSes, the F8 key can bring up a menu for choosing the drive from which to boot - in this case, select your main hard drive, press Enter and immediately after that press F8 again. Select the already mentioned safe mode with command line support.
Choosing safe mode with command line support
After that, we wait for the console to load with a prompt for entering commands. Enter: regedit.exe, press Enter. As a result, you should see the Windows registry editor regedit in front of you. The Windows registry contains system information, including data on the automatic launch of programs when the operating system starts. Somewhere in there our banner has registered itself, and now we will find it and delete it.
We use the registry editor to remove the banner
On the left in the registry editor we see folders, which are called sections (keys). We have to check that in those places where this so-called virus can register itself, there are no extraneous records, and if they are there, delete them. There are several such places and all of them need to be checked. Let's get started.
We go to
HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Run - on the right we will see a list of programs that start automatically when the operating system boots, as well as the path to these programs. We need to remove those that look suspicious.
Startup options where the banner may hide
As a rule, they have names consisting of a random set of numbers and letters, such as asd87982367.exe. Another distinguishing feature is a location in the C:\Documents and Settings\ folder (subfolders may vary). It can also be ms.exe or other files located in the C:\Windows or C:\Windows\System folders. You should remove such suspicious registry entries. To do this, right-click the parameter name in the Name column and select "delete". Do not be afraid to delete something wrong - it does not threaten anything: it’s better to remove more unfamiliar programs from there. This will not only increase the likelihood that the banner is among them but may also speed up the computer in the future (startup often holds a lot of unnecessary items, because of which the computer slows down). Also, when deleting parameters, you should remember the path to the file, in order to later remove it from its location.
Repeat all the above for
HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
For the following sections the actions are slightly different:
HKEY_CURRENT_USER -> Software -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon
Here you need to make sure that parameters such as Shell and Userinit are missing. If they are present, delete them; they do not belong here.
HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon
In this section, you need to make sure that the value of the Userinit parameter is set to C:\Windows\system32\userinit.exe, and the Shell parameter is set to explorer.exe.
Winlogon for Current User should not have Shell parameter
That's all. Now you can close the registry editor, enter explorer.exe in the command line that is still open (the Windows desktop will start), delete the files whose location we found out while working with the registry, and restart the computer in normal mode (since it is now in safe mode). With high probability, everything will work.
If it fails to boot in safe mode, then you can use some kind of Live CD, which includes a registry editor, for example, Registry Editor PE, and do all the above operations in it.
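The registry checks described above can also be applied to saved `reg query` output as a triage aid before deleting anything by hand. This is an added example, not part of the original article: the sample output is constructed, and the function names and the "letters plus four or more digits" rule for a random-looking name are assumptions.

```python
import re
# Constructed sample of `reg query` output for the four keys the article checks.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    asd87982367    REG_SZ    C:\Documents and Settings\user\asd87982367.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ms    REG_SZ    C:\WINDOWS\ms.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Documents and Settings\user\ms.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
    Shell    REG_SZ    explorer.exe
"""
VALUE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s*(.*)$")
EXPECTED = {"userinit": r"c:\windows\system32\userinit.exe", "shell": "explorer.exe"}

def reasons_for(key, name, data):
    """Apply the article's checks to one value; an empty list means nothing stood out."""
    key, name, value = key.lower(), name.lower(), data.strip().strip('"').lower()
    reasons = []
    if key.endswith("\\run"):
        stem = value.rsplit("\\", 1)[-1].split(".")[0]
        if "\\documents and settings\\" in value:
            reasons.append("runs from Documents and Settings")
        if re.match(r"c:\\windows\\(system\\)?[^\\]+$", value):
            reasons.append("file directly in Windows or Windows\\System")
        if re.search(r"[a-z]", stem) and len(re.findall(r"\d", stem)) >= 4:
            reasons.append("random-looking file name")  # assumed threshold
    elif key.endswith("\\winlogon") and name in EXPECTED:
        if key.startswith("hkey_current_user"):
            reasons.append("must not exist for the current user")
        elif value.rstrip(",") != EXPECTED[name]:  # stock Userinit ends with a comma
            reasons.append("differs from the value the article expects")
    return reasons

def audit(text):
    """Return (key, name, data, reasons) for each entry to review by hand."""
    findings, key = [], ""
    for line in text.splitlines():
        m = VALUE.match(line)
        if line.startswith("HKEY_"):
            key = line.strip()
        elif m and (why := reasons_for(key, m.group(1), m.group(3))):
            findings.append((key, m.group(1), m.group(3), why))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The script only lists candidates; Run entries that carry command-line arguments or live in other folders still need to be read by eye in regedit.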
We remove the banner using special utilities
One of the most powerful utilities for this is Kaspersky WindowsUnlocker. In fact, it does the same thing that you can do manually using the method described above, but automatically. In order to use it, you must download Kaspersky Rescue Disk from the official website, burn the disk image to a blank CD (on an uninfected computer), and then boot from the created disk and do all the necessary operations. Instructions for using this utility, as well as the necessary disk image file, are available at http://support.kaspersky.com/viruses/solutions?qid=208642240 . Another great and simple program that will help you easily remove the banner is described here.
Similar products from other companies:
You can try to find out the code for deactivating ransomware SMS on the following special services designed for this:
We learn the code in order to unlock Windows
Banner appears before loading Windows
It’s a rather rare case when the ransomware loads immediately after turning on the computer, which means that the fraudulent program has been written to the master boot record (MBR) of the hard disk. In this case, you won’t be able to get into the registry editor; moreover, the banner is not loaded from there. In some cases, a Live CD, which you can download from the links above, will help us.
If you have Windows XP installed, then you can fix the boot partition of the hard disk using the installation disk of the operating system. To do this, you need to boot from this disk, and when you are prompted to enter Windows recovery mode by pressing the R key, do it. As a result, the command line should appear. In it we need to execute the command: FIXBOOT (confirm by pressing Y on the keyboard). Also, if your disk is not divided into several partitions, you can execute the FIXMBR command.
If there is no installation disk or if you have another version of Windows installed, you can fix the MBR using the BOOTICE utility (or other utilities for working with boot sectors of the hard disk). To do this, download it from the Internet, save it to a USB drive and start the computer from the Live CD, then run the program from the USB flash drive.
You will see the following menu, where you need to select your main hard drive and click the Process MBR button. In the next window, select the type of boot record you need (usually it is selected automatically), click Install / Config, and then click OK. After the program has completed all the necessary actions, restart the computer without the Live CD - everything should work as before.