How to set up smartphones and PCs. Informational portal
How to disable Doctor Web for a while: pause the anti-virus. Removing a banner from the desktop, unlocking Windows

After a short note describing Ransomhide, a tiny program that helps pick the SMS reply code needed to unlock Windows from the Trojan.Winlock blocker, search engines also began showing that note for queries about the well-known company Dr.Web.

The most frequent questions that users who have picked up this infection want answered sound something like this:

  • dr web winlock page
  • unlock windows trojan winlock doctor web
  • winlock cure: can DrWeb unlock a computer
  • where to find a free unlocker for trojan winlock
  • and so on.

So there is a problem, and there are many ways to solve it. But a person who types such queries into a search engine is far from a hardened admin; ordinary life and family matters interest him more than registry hives and the decryption of some cookie or other.

Reinstalling the system threatens the loss of family photos, and sometimes of documents too.
- Backups, a system image? Yes, well, no, somehow never got around to it, and now it's too late.
- Booting from a rescue disk or in "safe mode"? A set of incomprehensible sounds.
- And so on.

In short, these are normal, ordinary people, not obsessed with computers and methods of treating them, and they accordingly need equally simple and understandable ways of "curing a computer of trojan winlock".

DrWeb and unlock windows trojan winlock

The easiest way to thumb your nose at the ransomware is to use the extensive online databases of the well-known antivirus companies; it is very likely that the key you need is already there:

1. The mobile version of the Dr.Web website lets you reach the service even from a mobile phone:

2. Free SMS-ransomware unblocker from Dr.Web:

3. Deblocker, the Trojan.Winlock unblocker from Kaspersky:

4. Free winlock treatment from ESET:

5. Unlocking Windows from Trojan.Winlock on the VirusInfo service:

How to obtain the Trojan unlock code from these services:

To receive a PC unlock code, enter the following data:

  • In the "Phone number" field, specify the number the SMS is supposed to be sent to (the most common numbers at the moment: 8353, 9691, 5121, 3649, 5373, 7122, 4125, 4460).
  • In the "Message text" field, specify the text you are asked to send to that number.
  • Press the "Get code" button.

The page will display the unlock code, which must be typed into the Trojan's window.

Dr.Web mobile: getting the code

On January 27 Doctor Web launched a mobile version of its Windows unlocking service for various modifications of Trojan.Winlock, which lets you use the free unblocker from your mobile phone. This is especially useful for those whose access to antivirus companies' websites has been blocked by the Trojan.

To illustrate how simple obtaining the "anticode" is, here are two screenshots:

You will see a window like this; there is nothing else on the page. Having filled in all the fields correctly, as described above, click the button with the arrows.

In a couple of seconds we are given a whole "sheet" of possible unlock codes.

Good luck and may your computers be always fast and clean from windows trojan winlock!

Can't open our website? Most likely the reason is SpIDer Gate, a module of the Dr.Web Security Space anti-virus. This module is the most common cause of problems with using our resources: the Info-DVD publishing house, the Infoclub platform, etc. (see the full list of the "Cybersant-Media" group).

Blocking is based on being placed in the so-called list of "non-recommended sites". According to Doctor Web, this list is designed to protect users from potentially dangerous, infected and similar sites.

On the one hand, it is good that such concern for users is shown, but on the other hand it turns out that perfectly normal sites also end up on this list. This is due to a completely non-transparent and ambiguous policy based on Dr.Web's subjective opinion and on the serious imperfection of its software's algorithms. How do you like this wording of the reason for blocking: the site, in the company's opinion, engages in "wrong activities", or sends letters, or provides training in an "inappropriate format"?

It is not uncommon for access to be blocked, on the basis of nothing more than a suspicion about one specific site, to all other sites that use the same service or platform (mailing service, hosting, etc.). That is, any site with normal content can easily end up on the "unwanted" list if it sits on the same server (the same IP address) as a "bad" site.

In addition, Dr.Web (more precisely, SpIDer Gate) may block the ability to subscribe to newsletters or prevent users from following links from a letter to a perfectly normal website.

The reason is that Doctor Web treats bulk mailings as such, especially those sent from certain mailing-list services!

Doctor Web decides for you whether you may follow the links in a letter whose delivery you yourself requested by subscribing to the newsletter. It is especially unpleasant when the link leads to useful information.

At the same time, the antivirus does not block all mailing services, only "selected" ones, without any objective justification.

Similar problems have surfaced more than once; here is one example.

DrWeb's policy is such that a normal dialogue about solving these problems is simply impossible, and seeking justice through the courts is a troublesome and not always justified occupation (example).

Do you still want to use Dr.Web's services? If not, we recommend switching to a more adequate and higher-quality product, for example Kaspersky Anti-Virus. If you want to keep trusting the "quality" of Dr.Web's algorithms but sometimes want to make adjustments, then in the SpIDer Gate settings you will have to lift the ban on visiting non-recommended sites or add the desired site to the exclusion list.

The configuration process is described in detail in the corresponding sections of the Dr.Web product Help, as well as in the online documentation on the Doctor Web website at the following address:

A list of our main domains that need to be added to the exclusions:

cybersant-media.ru

infoclub.info

e.infoclub.info

Lately, computers have increasingly been infected with the so-called ransomware virus (Trojan.Winlock), which demands that a paid SMS be sent to unblock them. In this article you will learn how to get rid of this virus completely free of charge. In situations where antivirus sites do not open, download and run this utility.

Method 1. For the case when Windows boots and a banner appears on the screen.

The easiest way to get rid of a banner on your desktop is to visit the website of the antivirus developer Kaspersky Lab and use its form to obtain an unlock key. The same can be done on the Doctor Web site. After the banner disappears from the desktop, be sure to scan your computer for viruses.

Sequence of actions:
  1. Go to the website of Kaspersky Lab or Doctor Web, obtain the unlock key and enter it.

Methods 2 and following, for cases when the UNLOCK KEY DOES NOT WORK.

If a banner appears on the desktop when you turn on the computer, use the free disinfection utility Dr.Web CureIt! (download) or Kaspersky Virus Removal Tool (download). These utilities can be run even if a different antivirus is already installed on the computer.

Sequence of actions:

Download and run Dr.Web CureIt! (download) or Kaspersky Virus Removal Tool (download).

Method 3. For the case when Windows does not boot.

If, when you turn on the computer, instead of the operating system loading the screen shows an offer to part with a couple of hundred rubles, boot the computer in Safe Mode. To do this, restart the computer and repeatedly press the F8 key. After a few seconds you will be prompted to choose a Windows boot option; select "Safe Mode with Networking". Then get rid of the virus using one of the methods described above.

Sequence of actions:
  1. Boot into Safe Mode.
  2. Remove the banner using a key from the Kaspersky Lab or Doctor Web site.
  3. Restart the computer.
  4. Scan the computer for viruses.

Method 4. For the case when Windows does not boot even in Safe Mode.

When you need to remove a banner from the desktop and the operating system boots neither normally nor in Safe Mode, the best option is a second home computer or a neighbour's computer. If one is available, do everything as in the first or second method. It also helps to have a LiveCD: download the Dr.Web LiveCD, boot from it and scan the computer for viruses. Almost any antivirus with the latest updates will clean the banner off the desktop.

Sequence of actions:
  1. Obtain the unlock key using another computer, or boot from a LiveCD (download the Dr.Web LiveCD or the Kaspersky Lab LiveCD).
  2. Scan the computer for viruses.

Method 5 for removing a banner.

For Windows 7: after pressing Win+U, click the link "Help with setting options" and then "Privacy Statement", then continue from step 5.

  1. After the computer starts, press the key combination Windows key + U.
  2. Select "On-Screen Keyboard" and click "Run".
  3. Click "Help", then "About".
  4. In the window that appears, select "Microsoft Web Site".
  5. In the address bar, type http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
  6. A file-save window will pop up; save the file to the desktop.
  7. In the browser, click "File", "Open", "Browse".
  8. Click "Desktop" on the left. At the very bottom, set "Files of type" to "All files".
  9. Find the downloaded program and run it.
  10. Select a full scan.

Method 6 for removing a banner.

If the banner appears before the desktop loads, i.e. the screen is locked:

  1. Press Ctrl+Shift+Esc and hold the keys until Task Manager starts flickering.
  2. Without releasing Ctrl+Shift+Esc, click "End Task" in Task Manager with the mouse.
  3. In Task Manager click "New Task" and enter "regedit".
  4. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  5. In the right-hand pane of Registry Editor check the two values "Shell" and "Userinit". Shell must be "Explorer.exe". Userinit must be "C:\WINDOWS\system32\userinit.exe," (no spaces, always a comma at the end)!
  6. If Shell and Userinit are fine, find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and expand it. If it contains an explorer.exe subkey, delete it (right-click => Delete).
  7. Reboot the computer.
  8. Be sure to scan the computer for viruses.

If this fails, repeat this method in Safe Mode.

If none of the above methods helped you, you can contact our company by

If one fine day the inscription "Windows is locked!" appears on your monitor (so Windows is masculine now?), and the reasons for the blocking are trivial and possibly described in the Trojan.Winlock blocking window itself ("unlawful access to non-standard content..." and so on), see the screenshot of the Winlock window.

At the sight of this happiness a user in a state of pre-shock gradually arrives at the question of how to get rid of it, without paying, and so that this muck does not erase... well, you know yourselves what: Windows, whose "operating rules" were violated (has anyone ever seen these rules?).

We read on: "you will find the verification ... code"; where are we supposed to find it? Perhaps it is the tax number (TIN) of this individual entrepreneur (operating on a grand scale!), or the terminal itself is in on the deal, or maybe he is the villain-extortionist and the virus rolled into one terminal that prints out activation numbers for every unfortunate user at 1000 rubles apiece.

And the last phrase, "Attempting to reinstall the system will cause your computer to malfunction!", finally and irrevocably kills all hope of escaping the virus: what further malfunctions can there be if there is no way out at all, here and now?

But let us muster our courage and return to the blocker's text, which has driven our user into a stressed state.

These "actions" apply rather to the author of Trojan.Winlock than to the poor user who, already in a pre-heart-attack state, is crawling to the payment terminal with a thousand-ruble note in hand, hoping to unlock the computer.

And according to the virus writer's verdict, he has also violated the whole corporation's license "for software exploitation"! A full set of violations of everything and everyone, which means it is time to buy an indulgence.

This frightening text in the window was probably written just in case, so that the lucky owner of the locked computer would not think of complaining to the authorities, because for contradicting the Criminal Code of the RF one certainly will not be patted on the head!

- Contradicted the Criminal Code?! Violated the operating rules?! Then answer for it, so-and-so, to the full extent, before the whole Russian Federation, and a volume of the RF Criminal Code over the head so that next time you know better.

It turns out there is also some kind of secret "software operating manual" agreed between Microsoft and... someone?, which only the well-wishing author knows about (a well-wisher, which is not a dirty word!), defending the interests of a small, poor and unprotected foreign corporation located somewhere across the ocean.

Pure graphomania. If the goal was to scare, it should have been done properly and seriously, say like this:

a pink bunny, in the form of a long-legged girl with fake bunny ears, performing an erotic striptease on your computer's desktop and coyly offering an unprecedented promotion (only today, right now!): a free computer unlock in exchange for a 1000-ruble receipt from the nearest payment terminal,
for 2000 rubles, two computers activated for free,
and for 3000 rubles she will strip naked for free, for you alone, and on the desktop of your very own personal computer!

Super! That's something worth paying for; otherwise it's "top up the number", and what if the number isn't topped up? What if the number is already full? ... some kind of nonsense. And where are the discounts? Where, finally, are the bonuses?

How to unblock Windows from the Trojan.Winlock ransomware for free

Attention. For cool specialists who do not want to read about how to unlock Windows, here is the simplest way to remove the virus: delete all partitions on the disk and reformat the hard drive, and you get an almost 100 percent guarantee of the enemy's destruction, unless of course the boot disk is infected; that can be dealt with by low-level formatting, unless the chip is infected, and so on, all the way back to the Chinese manufacturer.

Here is an image of the monitor screen with the Trojan.Winlock virus window.

The easiest, free and simple way to unblock your favourite Windows is to go to the website of Dr.Web's online antivirus service from any still-working computer with Internet access or, as a last resort, to phone a friend.

On the Dr.Web antivirus developers' page, in the "Computer unlocking service" window, enter the number, in this case the phone number from the text of the ransomware blocker: "top up MTS subscriber number: 79874498961".

As you understand, everything here is real: both the Trojan.Winlock virus and subscriber 79874498961, a real criminal with real details, address and passport data, because cashless money always has a specific address, even if the passport is fake and the phone numbers are bought in bulk.

And the sites that distribute this malicious code (the domains are registered in Russia and paid for against passport data) do not hide in corners; they are highly respected by search engines and delight Internet users with gimmicks of this sort.

Not all owners of infected sites are rabid pests; many sites are simply hacked and infected with viruses. And, credit where it is due, lately the Yandex search engine warns users about infected sites.

Screenshot of the Dr.Web page "Computer unlocking service"

After entering the digits of the ransomware number, press the "Search for codes" button and, if we are lucky, we obtain the unlock code for our long-suffering Windows.

But at this point, to my chagrin, I cannot quickly get the code from Dr.Web's online service and get rid of the ransomware window with its stupid apocalyptic inscriptions.

So the Dr.Web service suggests going to the next step: identifying the virus by its picture.

We follow the link received and on the first page of the Dr.Web service we find exactly the same image of the Trojan.Winlock blocker window with the same content (the content of all the pictures is practically identical; the hand of the "poet" can be felt).

Next to the identified snapshot on the Dr.Web web page there is a column of activation codes, from which we pick the numbers to enter on the locked computer.

A random sample of unlock codes did not solve the problem.

Then, monotonously and in order, we begin entering and checking the activation numbers.

It is very inconvenient to crawl with the cursor over the buttons in the window of a locked computer, whose movements the virus restricts... But on the fifth or sixth attempt the virus swallowed the numbers and the long-awaited Windows desktop, exhausted by idleness, appeared.

Aha! (or, as they say: wow, cool!)

Bang! And the same funny picture again covers the open windows on the desktop.

Here we go again; start over.

There is no desire to brute-force, so we enter the same numbers; the virus is not greedy and unblocks access.

We wait; maybe something else will pop up. No, it is silent; it has calmed down. No variety. Boring; an honest virus, contrary to its definition.

But if the option with ready-made Windows unlock codes did not work or you are simply not interested in it, the Dr.Web service offers free bootable discs (you need to download the disc image and burn it): Dr.Web LiveCD or Dr.Web LiveUSB, based on Linux.

After booting from the chosen medium, you can scan the computer with the free Dr.Web antivirus.

Photo of the Dr.Web LiveCD boot loader menu

With Dr.Web's constantly updated virus databases, the online service lets you check individual files and links to web pages for viruses free of charge, and for all popular browsers there is also a separate plug-in, Dr.Web LinkChecker.

If you did not find the unlock code, do not despair: there are alternative unlockers, and the code can be sent to Dr.Web's specialists free of charge from the Dr.Web page.

That's all; the preamble is over and the tale begins.

To clean up and remove the remaining viruses, we use the following general algorithm:


The last point above is practically never done by any specialist; it is too expensive, time-consuming and requires specific knowledge of configuring and administering Windows.
- And who knows what you yourself have done before? Fix it, and then listen to the compliments.

Unblocking Windows with other free online antivirus services

Kaspersky Lab

Kaspersky Lab, Deblocker page "Removing a banner from the desktop, unlocking Windows":
online service

Kaspersky Lab, page "Anti-Ransomware Kaspersky WindowsUnlocker":
here is all the information about working with WindowsUnlocker; you can also download a special image of Kaspersky Rescue Disk (CD) or Kaspersky USB Rescue Disk (USB device) to disinfect the computer.
For links to the anti-virus programs, see the bottom of the page at support.kaspersky.com

ESET LLC (NOD32 Antivirus)

ESET LLC (NOD32 Antivirus), Windows unlocking: online service

ESET Online Scanner, the online scanning page of ESET NOD32 antivirus: Online Scanner

Free ESET NOD32 LiveCD boot disc for operating-system recovery: LiveCD

Kaspersky Lab and VirusInfo

A joint free online service of Kaspersky Lab and the VirusInfo portal.

Service page "Deactivating ransomware blockers": virusinfo.info

Such is the short algorithm, but it takes time... So let us recall the wonderful verses of Korney Chukovsky:

"Little children! For no reason in the world Do not go to Africa, To Africa for a walk! In Africa, sharks, In Africa, gorillas, In Africa, big Angry crocodiles Will bite you, Beat and offend you, - Do not go, children, To go for a walk in Africa. A robber in Africa, A villain in Africa, A terrible Bar-ma-lei in Africa! "

The psychological basis of malware creation (read: viruses, Trojans, etc.) is simple: first make the user press a button and infect the computer, then intimidate the user, and then solve the problem for money.

Combating Trojans of the WinLock and MbrLock Families

(Windows blockers)

Relevance of the issue

Trojans that block Windows have been among the most widespread malware since September 2009. In December 2010, for example, more than 40% of detected viruses were Windows blockers. The common name for such malicious programs is Trojan.Winlock.XXX, where XXX is the number assigned to a signature that identifies several (often several hundred) similar viruses. Such programs may also be of the Trojan.Inject or Trojan.Siggen types, but this happens much less often.

Outwardly, the Trojan comes in two principal types. The first is a full-screen splash screen that hides the desktop; the second is a small window in the centre of the screen. The second type does not cover the screen completely, but the banner still makes useful work on the PC impossible, since it always stays on top of all other windows.

Here is a classic example of what the Trojan.Winlock program looks like:

The Trojan's goal is simple: to extract more money for the virus writers from the victims of the attack.

Our task is to learn how to quickly and losslessly eliminate any banner without paying the cybercriminals. After fixing the problem, you should file a report with the police and give law enforcement officers all the information you have.

Attention! The texts of many blockers contain various threats ("you have 2 hours left", "10 attempts to enter the code left", "if Windows is reinstalled all data will be destroyed", etc.). As a rule this is nothing more than a bluff.

Algorithm of actions to combat Trojan.Winlock

There are a great many modifications of blockers, but the number of known samples is also very large. Accordingly, treating an infected PC may take several minutes in a simple case and several hours if the modification is not yet known. But in any situation, follow this algorithm:

1. Finding the unlock code.

Unlock codes for many Trojans are already known and entered into a special database created by Doctor Web specialists. To use the database, go to https://www.drweb.com/xperf/unlocker/ and try to find the code. Instructions for working with the unlock database: http://support.drweb.com/show_faq?qid=46452743&lng=ru

First of all, try to get the unlock code using the form that lets you enter the text of the message and the number it is to be sent to. Pay attention to the following rules:

    If you are asked to transfer money to an account or a telephone number, enter the account or phone number in the Number field and leave the Text field empty.

    If you are asked to transfer money to a phone number, enter the phone number in the Number field in the format 8xxxxxxxxxx, even if the banner shows the number without the leading 8.

    If you are asked to send a message to a short number, enter that number in the Number field
    and the message text in the Text field.

    If the generated codes did not fit, try to determine the virus's name from the pictures shown. The blocker's name is given under each image. Having found the banner you need, note the virus name and select it from the list of known blockers. Choose the name of the virus that infected your PC in the drop-down list and copy the resulting code into the banner's input field.

Please note that, in addition to the code, other information may be displayed:

    Win + D to unlock: press the key combination Windows + D to unlock.

    any 7 symbols: enter any 7 characters.

    Use the generator above / use generator above: use the Number-Text form on the right side of the window to get the unlock code.

    Use the form / Please use the form: likewise, use the Number-Text form on the right side of the window.

If you did not manage to find anything:

2. If the system is partially blocked. This step applies to cases when the banner "hangs" in the middle of the screen without occupying it entirely. If access is completely blocked, go straight to step 3. Task Manager is blocked in the same way as in the full-screen versions of the Trojan, i.e. the malicious process cannot be terminated by normal means.


Using the free space remaining on the screen, do the following:

1) Scan the PC with the latest version of Dr.Web CureIt! (http://www.freedrweb.com/cureit/). If the virus is successfully removed, the job can be considered done; if nothing was found, go to step 4.
2) Download the Dr.Web Trojan.Plastix fix recovery utility from http://download.geo.drweb.com/pub/drweb/tools/plstfix.exe and run the downloaded file. In the program window click Continue, and when Plastixfix has finished, restart the PC.
3) Try to install and run Process Explorer (you can download it from the Microsoft website: http://technet.microsoft.com/ru-ru/sysinternals/bb896653). If it starts, press and hold the button with the crosshair icon in the program window and, without releasing it, drag the pointer over the banner. When you release the button, Process Explorer will show the process responsible for the banner.

3. If there is no access at all. Blockers usually cover the whole screen with the banner, which makes it impossible to launch any program, including Dr.Web CureIt! In this case you need to boot from Dr.Web LiveCD or Dr.Web LiveUSB (http://www.freedrweb.com/livecd/) and scan the PC for viruses. After the scan, boot the computer from the hard disk and check whether the problem is solved. If not, go to step 4.

4. Manual search for the virus. If you have reached this point, the Trojan that infected the system is new, and you will have to look for it manually.

To remove the blocker manually, you need access to the Windows registry after booting from external media.
Typically, a blocker is launched in one of two well-known ways:

    Through the autorun registry keys
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    By replacing one or more of the system files launched via the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,
    or, for example, the taskmgr.exe file.

For this we need Dr.Web LiveCD/USB (or another tool for working with an offline registry).

With Dr.Web LiveCD/USB, boot the PC from the CD or flash drive, then copy the following files to a flash card:

C:\Windows\System32\config\software (the file has no extension)
C:\Documents and Settings\Your_username\ntuser.dat

These files contain the system registry of the infected machine. By processing them in Regedit we can clean the registry of the effects of the virus and at the same time find the suspicious files.

Now transfer these files to a working Windows PC and do the following:

Run Regedit, select the HKEY_LOCAL_MACHINE hive and choose File -> Load Hive.
In the window that opens, specify the path to the software file, give the key a name (for example, today's date) and click OK.

In this hive you need to check the following keys:
Microsoft\Windows NT\CurrentVersion\Winlogon:
The Shell value should be Explorer.exe. If any other files are listed, write down their names and full paths. Then remove everything unnecessary and set the value to Explorer.exe.

The Userinit value should be C:\Windows\system32\userinit.exe, (exactly like that, with a comma at the end, where C is the letter of the system disk). If files are specified after the comma, write down their names and delete everything after the first comma.
There are situations when a similar key named Microsoft\WindowsNT\CurrentVersion\winlogon exists. If this key exists, it must be deleted.

Microsoft\Windows\CurrentVersion\Run: this key contains the autorun entries.

Be especially wary of entries here that meet the following criteria:

    The name resembles a system process but the program runs from some other folder
    (for example, C:\Documents and Settings\Dima\svchost.exe).

    Names like vip-porno-1923.avi.exe.

    Applications launched from temporary folders.

    Unknown applications started from system folders (for example, C:\Windows\system32\install.exe).

    Names made up of random combinations of letters and digits
    (for example, C:\Documents and Settings\Dima\094238387764\094238387764.exe).

If suspicious entries are present, write down their names and paths and remove the corresponding entries from autorun.

Microsoft\Windows\CurrentVersion\RunOnce is also an autorun key; analyse it in the same way.

After completing the analysis, click the name of the loaded key (in our case named with the date) and choose File -> Unload Hive.

Now we need to analyse the second file, NTUSER.DAT. Run Regedit, select the HKEY_LOCAL_MACHINE hive and choose File -> Load Hive. In the window that opens, specify the path to NTUSER.DAT, give the key a name and click OK.

The keys of interest here are Software\Microsoft\Windows\CurrentVersion\Run and Software\Microsoft\Windows\CurrentVersion\RunOnce, which define the autorun entries.

Analyse them for suspicious entries as described above.

Also check the Shell value in the key Software\Microsoft\Windows NT\CurrentVersion\Winlogon. If present, it must be Explorer.exe. If there is no such key at all, everything is in order.
After completing the analysis, click the name of the loaded key (in our case named with the date) and choose File -> Unload Hive.

Having obtained the corrected registry files and the list of suspicious files, do the following:

Save a copy of the affected PC's registry in case something goes wrong.

Transfer the fixed registry files to the corresponding folders on the affected PC using Dr.Web LiveCD/USB (copy and replace the files). Save the files whose details you recorded during the analysis to a USB flash drive and delete them from the system. Copies of them should be sent to Doctor Web's virus laboratory for analysis.

Try booting the infected machine from the hard drive. If it boots successfully and there is no banner, the problem is solved. If the Trojan is still working, repeat all of step 4 with a more thorough analysis of all vulnerable and frequently used places in the system.
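The checks in method 6 above and in step 4 (the Winlogon Shell and Userinit values, the look-alike WindowsNT key, the IFEO explorer.exe subkey, and the Run/RunOnce entries matched against the five criteria listed) can be scripted so that nothing is skipped when working through them by hand. The PowerShell script below is an added example written for this page; it is not a Doctor Web tool and does not come from the original article. It runs either against the live registry (HKLM:\SOFTWARE and HKCU:\Software) or against the software and ntuser.dat files copied from the infected disk, which it loads with reg.exe under the names OFFLINE_SOFTWARE and OFFLINE_NTUSER (those names, the E:\hives\ paths, the -Fix switch and the regular expressions are assumptions for illustration; the patterns only approximate the article's criteria).

```powershell
# Added example for this page, not a Doctor Web tool. Audits the registry
# locations the article names and optionally repairs the Winlogon ones.
# Assumes an elevated PowerShell 3+ session; hive paths and the OFFLINE_*
# names are illustrative.

$ExpectedShell    = 'explorer.exe'
$ExpectedUserinit = 'C:\Windows\system32\userinit.exe,'   # trailing comma is normal

# Heuristic approximation of the article's five criteria for suspicious
# autorun commands. Each scriptblock receives the command string.
$SuspiciousPatterns = [ordered]@{
    'system-process name run from outside the Windows folder' = { param($c) ($c -match '(?i)\\(svchost|csrss|lsass|winlogon|services)\.exe') -and ($c -notmatch '(?i)^"?[a-z]:\\windows\\') }
    'double extension such as .avi.exe'                      = { param($c) $c -match '(?i)\.(avi|mpg|mp3|jpg|doc|pdf|txt)\.exe' }
    'launched from a temporary folder'                       = { param($c) $c -match '(?i)\\(temp|tmp|temporary internet files)\\' }
    'unknown file in a system folder'                        = { param($c) $c -match '(?i)^"?[a-z]:\\windows\\(system32\\)?(install|setup|update)\.exe' }
    'name made of random letters and digits'                 = { param($c) $c -match '(?i)\\(?=(?:[a-z]*\d){3})[a-z0-9]{8,}\.exe' }
}

function Test-Winlogon {
    # $SoftwareRoot: 'HKLM:\SOFTWARE' for the live system, or the key a copied
    # software hive was loaded under (e.g. 'HKLM:\OFFLINE_SOFTWARE').
    param([string]$SoftwareRoot, [switch]$Fix)
    $findings = @()

    $wl = Join-Path $SoftwareRoot 'Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p  = Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue
    if ($null -eq $p) { return @("Winlogon key not found under $SoftwareRoot") }

    # String comparison is case-insensitive, so C:\WINDOWS on XP still passes.
    if ($p.Shell -ne $ExpectedShell) {
        $findings += "Shell = '$($p.Shell)' (expected '$ExpectedShell')"
        if ($Fix) { Set-ItemProperty -Path $wl -Name Shell -Value $ExpectedShell }
    }
    # Anything after the comma in Userinit is an extra program started at logon.
    if ($p.Userinit -ne $ExpectedUserinit) {
        $findings += "Userinit = '$($p.Userinit)' (expected '$ExpectedUserinit')"
        if ($Fix) { Set-ItemProperty -Path $wl -Name Userinit -Value $ExpectedUserinit }
    }
    # Look-alike key with the space dropped from 'Windows NT'.
    $fake = Join-Path $SoftwareRoot 'Microsoft\WindowsNT\CurrentVersion\winlogon'
    if (Test-Path $fake) {
        $findings += "Look-alike key present: $fake"
        if ($Fix) { Remove-Item -Path $fake -Recurse }
    }
    # An IFEO\explorer.exe subkey with a Debugger value makes Windows start that
    # program instead of Explorer (method 6, item 6).
    $ifeo = Join-Path $SoftwareRoot 'Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
    if (Test-Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
        $findings += "IFEO\explorer.exe present (Debugger = '$dbg')"
        if ($Fix) { Remove-Item -Path $ifeo -Recurse }
    }
    return $findings
}

function Get-SuspiciousAutorun {
    # $Root: the key that contains Microsoft\Windows\CurrentVersion, i.e.
    # 'HKLM:\SOFTWARE', 'HKCU:\Software', 'HKLM:\OFFLINE_SOFTWARE' or
    # 'HKLM:\OFFLINE_NTUSER\Software'.
    param([string]$Root)
    $hits = @()
    foreach ($sub in 'Run', 'RunOnce') {
        $key = Join-Path $Root "Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item -Path $key
        foreach ($name in $k.GetValueNames()) {
            $cmd = [string]$k.GetValue($name)
            foreach ($rule in $SuspiciousPatterns.GetEnumerator()) {
                if (& $rule.Value $cmd) {
                    $hits += [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Reason = $rule.Key }
                }
            }
        }
        $k.Close()   # release the handle so an offline hive can be unloaded later
    }
    return $hits
}

# Live system (method 6): start this from Task Manager -> New Task -> powershell.
Test-Winlogon -SoftwareRoot 'HKLM:\SOFTWARE'
Get-SuspiciousAutorun -Root 'HKLM:\SOFTWARE' | Format-Table -AutoSize
Get-SuspiciousAutorun -Root 'HKCU:\Software' | Format-Table -AutoSize

# Offline hives (step 4): files copied from the infected disk; paths are illustrative.
reg.exe load HKLM\OFFLINE_SOFTWARE E:\hives\software   | Out-Null
reg.exe load HKLM\OFFLINE_NTUSER   E:\hives\ntuser.dat | Out-Null
Test-Winlogon -SoftwareRoot 'HKLM:\OFFLINE_SOFTWARE'
Get-SuspiciousAutorun -Root 'HKLM:\OFFLINE_SOFTWARE'        | Format-Table -AutoSize
Get-SuspiciousAutorun -Root 'HKLM:\OFFLINE_NTUSER\Software' | Format-Table -AutoSize
[gc]::Collect()                      # drop any remaining key handles before unloading
reg.exe unload HKLM\OFFLINE_SOFTWARE
reg.exe unload HKLM\OFFLINE_NTUSER
```

Read the output before changing anything: the hit list is a heuristic, and a legitimate program launched from a user profile will be reported too, so, as the article says, write the names and paths down first. Apply -Fix to the offline hive rather than to the live registry while the banner is still running, since a live blocker can simply rewrite Shell and Userinit again; after unloading, copy the software file back to the infected disk as described in the step above.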

Attention! If after disinfection with Dr.Web LiveCD/USB the computer does not boot (reboots cyclically, or a BSOD occurs), do the following:

Make sure there is only one software file in the config folder. The problem can arise because on Unix systems file names are case-sensitive (i.e. Software and software are different names, and both files can coexist in one folder), so the corrected software file may have been added to the folder without overwriting the old one. When Windows boots, where letter case does not matter, a conflict occurs and the OS does not start. If there are two files, delete the older one.

If there is only one software file and the system still does not boot, it has most likely been hit by a "special" modification of Winlock. It writes itself into the Shell value of the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and overwrites the userinit.exe file. The original userinit.exe is kept in the same folder under a different name (most often 03014d3f.exe). Delete the infected userinit.exe and rename 03014d3f.exe accordingly (the name may differ, but it is easy to find).
These steps must be performed after booting from Dr.Web LiveCD/USB; then try booting from the hard disk.

Whatever stage the battle with the Trojan ends at, you need to protect yourself from similar troubles in the future. Install the Dr.Web antivirus package and update the virus databases regularly.
