Reviews and suggestions on how to unlock your computer. How to remove a virus that has locked the computer, through the BIOS by changing the system date


There is currently a huge number of viruses; fortunately, modern antivirus software can cope with most of these "pests". Viruses can be roughly divided into several groups, the most common being spyware, adware and Trojans, which include ransomware. This article is about the latter.

A ransomware-infected computer is fairly easy to recognize. An image of a business, pornographic or other nature appears and stays on the screen. At the same time, the computer either does not respond to commands at all, or responds but the picture occupies almost the entire visible area. This is our client: a Trojan of the Winlock family or, more simply,.

The banner on the screen reads: “Your computer is locked, send money to your account or a paid SMS”. The banner, together with the computer lock, is promised to disappear after that. The picture also has a field for the code that you will allegedly receive after payment. Do not panic and do not rush to part with your money. We will tell you.

The virus in question has several varieties, depending on the generation. Older ones can be neutralized with a couple of mouse clicks. Others will require much more serious preparation. Don't worry, we will give you all the ways out of such a difficult situation that will definitely help you remove any such Trojan.

Method # 1 - Task Manager

This method helps against old, primitive Trojans. Open Task Manager (Ctrl+Shift+Esc on Windows 10, or Ctrl+Alt+Del on older versions of Windows). If Task Manager starts, look for the suspicious item in the list of processes and end that process.

If Task Manager does not start, try the Run dialog (Win+R). Enter the command “notepad” in the “Open” field. Notepad should open. Type arbitrary characters in the window that opens and briefly (sharply) press the power button on the PC or laptop. All processes, the Trojan included, should terminate automatically. The computer will remain on.

Now is the time to delete all infected files. Find and delete them, or scan the disks.

Suppose that, by some unlucky accident, you had not installed an antivirus on your computer in advance. What then? Winlock offspring usually settle in temporary files, including browser files. Try checking the following paths:

C:\Users\<folder with username>\AppData\Roaming\

C:\Documents and Settings\<directory with username>\

Look for "ms.exe" or other suspicious files, for example with an arbitrary combination of characters such as "89sdfh2398.exe" or "Hgb.hd.exe". Delete them.

Method # 2 - Safe Mode

The first method failed and you still don't understand how to unlock your computer from ransomware? Don't be upset. It just means that our Trojan is more advanced. It has changed system components and blocked the launch of Task Manager.

To fix the problem, restart your computer and hold down the F8 key while the system starts. From the menu that is displayed, select "Safe Mode with Command Prompt".

Then type “explorer” in the console and press Enter. This launches Explorer. Type “regedit” on the command line and press Enter again. The registry editor will start. Here you will find the place from which the virus starts automatically, as well as the entries it has created.

Look for ransomware components in the Userinit and Shell keys. In Userinit it is easy to find by the comma; in Shell it is written in place of explorer.exe. Copy the full name of the dangerous file you found to the clipboard using the right mouse button. Type “del” on the command line, then a space, and then paste the name you copied. Press Enter and enjoy the result. Now you know how to unlock your computer from ransomware. Carry out this operation for all suspicious files.

Method # 3 - System Restore

After these steps, boot again in the way described in method 2. Type the following on the command line: “C:\WINDOWS\system32\Restore\rstrui.exe” or, in modern versions, simply “rstrui”, then press Enter. The “System Restore” window appears on the screen.

You should choose a date that precedes the appearance of the virus. This date is called the restore point. It could be a year or just a day earlier than that unfortunate date when your PC was attacked by a virus. In other words, pick a date when your computer was healthy and 100% clean. This completes the unlocking.

Method # 4 - Rescue Disk

For this method, you need to download the necessary software in advance, use a second computer, or visit a friend for this purpose. System recovery and repair software is usually built into antivirus packages. However, it can also be downloaded separately, for free and without registration.

That's all; now you know how to unlock your computer from ransomware. Be careful from now on.

Nowadays, with modern technology and high data transfer rates, users of personal computers, laptops, tablets and smartphones very often catch some kind of virus, even with anti-virus protection installed. Programs that infect a device and block access to it with a banner on the desktop are now very popular with hackers. How can I unlock my computer in this case? How do I restore access to it?

What banners exist?

The most common are the following: Internet access is blocked, Windows is blocked, the rules for using the Internet have been violated, your account has been hacked and spam is now being sent from it, and so on. The owner of the computer is offered help in solving the problem. For this, he is asked to send just one SMS to a short number. By doing this, you will lose at least 250-300 rubles. And in almost all cases the banner does not go away.

The main ways to solve the problem

What to do? How to unlock your computer from a virus and continue using your device? There are various ways of salvation. The main ones are:

  1. Restoring the operating system.
  2. Removing a virus program from OS startup.
  3. Application of special unlock codes from Dr.Web and Kaspersky sites.
  4. Engaging antivirus.

It should be remembered that there is no universal way to unblock a computer from a virus. Each of the above is only suitable for a specific situation. Now let's dwell on this.

Solving the problem via the Internet

This option is good for someone who has access to the network or has a connection with someone who is ready to help. The official websites of Kaspersky and Doctor Web have codes that can unlock your device. If they were not there, we go the other way.

Removing the banner from startup

How do I unlock my computer this way? This path is quite simple. Boot your device in Safe Mode: while it is loading, press F8. A menu with Windows boot options will appear; choose the right one. Then one of two things happens: the banner is still there, or the system boots without the virus. In the latter case, click "Start" and enter msconfig in the command line. Go to Startup, uncheck the suspicious items there and restart the PC.

Outdated way to unlock

If the banner has not gone away, you can try to unblock the computer using an outdated but sometimes effective method. Reboot in safe mode and move the clock about a week ahead. This may help, but most likely not for long, as viruses are also regularly updated. The system time can also be changed in the BIOS. It is also possible to perform a system restore.

Powerful professional way

If none of the above solves the problem, we fight the banner with an antivirus. If the desktop is accessible in safe mode, use Kaspersky's Removal-tool or Doctor Web's CureIt, the best known of all. If it is not, use a LiveCD: a special bootable disk that loads the antivirus without any problems and removes the banner. Write its image to a USB flash drive or disc, boot the computer from it, and then scan the system for viruses. This option can be difficult for an ordinary user, so it is recommended to consult a professional. So we have figured out how to unlock your computer.

How to unlock your computer yourself, without sending the money the ransomware demands and without using special tools.

This article is a supplement to my article Ransomware viruses. ... It provides specific recommendations for removing the most common blockers.

Two types of blocking are considered here: complete blocking of the hard drive and, accordingly, of the computer, and blocking of Windows Explorer (explorer).
In the first case, the hard disk's master boot record (MBR) is changed. An attempt to boot the computer may end with nothing but a blinking cursor in the left corner on a black background, or with a picture like the following:

In the second case, the computer boots up, comes to the moment of drawing icons on the desktop, but instead of them we see the following:

Only the current Windows is blocked here. Other operating systems, if installed, will boot smoothly.

Unlock MBR.

For Windows XP

Boot from any CD/DVD with a Windows XP distribution that supports the recovery console. Enter the recovery console and execute the command fixmbr.
Ignore the warning that you have a non-standard boot record and that it may end badly.
After the command has run and the computer has rebooted, Windows boots normally again.

For Windows 7

Boot from the original Windows 7 installation distribution that supports the restore option

Choose "System Restore"
In the "System Recovery Options" window, select the operating system that you want to restore, and click "Next".

In the next window, select the "Command line"

The command line interpreter window (cmd.exe) will open, where you should enter:
Bootrec.exe /FixMbr

Launched with the /FixMbr switch, the utility writes a Windows 7 compatible Master Boot Record (MBR) to the system partition.

In most cases, this is enough to restore the normal boot of Windows 7. If the system does not boot, repeat the above operation and additionally enter the command:
Bootrec.exe /FixBoot

Launched with the /FixBoot switch, the utility writes a new boot sector compatible with Windows 7 to the system partition.

Unlock Windows

The variant for Windows XP is described here. For Windows 7, everything is the same.

Boot into "Safe Mode with Command Prompt".
Attention! It must be "Safe Mode with Command Prompt". Plain Safe Mode will not help: the lock will remain.
As a reminder, to boot into safe mode you must press the F8 key after turning on the computer. In some BIOSes, F8 displays a boot menu for choosing the device to boot from (FDD, CD/DVD, HDD). In this case, select HDD, press Enter and then press F8 again.

In the shell, type regedit and press Enter. The registry editor starts; in it, go to the following branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Here, set the parameters below to exactly these values:
Shell = Explorer.exe
Userinit = C:\WINDOWS\system32\userinit.exe,
(if Windows is on drive C:)

Those who are not comfortable with the registry can download this file in advance and, if the computer gets blocked, type explorer on the command line: Explorer with a graphical shell will open, in which you can find the downloaded file and run it, agreeing to the changes to the registry.

Close the registry editor and also check whether the malware is in startup; otherwise all our corrections will be undone on reboot.
To do this, first open Task Manager with Ctrl+Alt+Del, select "New task", type msconfig and click OK.

The system settings window will open, where we go to the tab

When browsing the startup items, pay particular attention to the "Command" column. It shows where each file is launched from. If that is a Temp or Temporary Internet Files folder, it is almost 100% a virus. Write down where it is located, remove it from startup and then, by running Explorer, find and delete the malicious file itself. If you are not sure, you can simply rename it, for example by putting a # sign in front of the name.
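The two checks above (the Winlogon Shell and Userinit values, and startup commands launched from temporary folders) can also be run over text captured with `reg query`. The Python script below is an added example, not part of the original article; it assumes the output of `reg query` for the Winlogon key and for a `...\CurrentVersion\Run` key, and the sample entries (paths and the names Updater, Sound, Vendor) are constructed for illustration.

```python
import ntpath
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Clean values from the article (assumes Windows is on drive C:).
CLEAN_SHELL = "explorer.exe"
CLEAN_USERINIT = ntpath.normcase(r"C:\WINDOWS\system32\userinit.exe")
# Folders the article flags; the unexpanded %TEMP%/%TMP% forms are added here.
BAD_DIRS = {"temp", "temporary internet files", "%temp%", "%tmp%"}

def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            # Value line: 4 spaces, name, 4 spaces, type, 4 spaces, data.
            m = re.match(r"\s{4}(.+?)\s{4}REG_\w+\s{4}(.*)", line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return keys

def audit(keys):
    """Return (key, value_name, data) findings for Winlogon and Run keys."""
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            if key.lower() == WINLOGON.lower():
                if name.lower() == "shell" and data.lower() != CLEAN_SHELL:
                    findings.append((key, name, data))
                elif name.lower() == "userinit":
                    # Comma-separated list: anything besides userinit.exe is extra.
                    for entry in filter(None, (e.strip() for e in data.split(","))):
                        if ntpath.normcase(entry) != CLEAN_USERINIT:
                            findings.append((key, name, entry))
            elif key.lower().endswith(r"\currentversion\run"):
                dirs = data.lower().replace('"', "").split("\\")[:-1]
                if BAD_DIRS.intersection(d.strip() for d in dirs):
                    findings.append((key, name, data))
    return findings

# Constructed sample of `reg query` output (not taken from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\user\AppData\Roaming\ms.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\Users\user\0.277949.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Users\user\AppData\Local\Temp\Hhcqcx.exe" /s
    Sound    REG_SZ    C:\Program Files\Vendor\sound.exe
"""

if __name__ == "__main__":
    print(*audit(parse_reg_query(SAMPLE)), sep="\n")
```

Each finding names the key, the value and the offending entry, which is the file to remove from startup and then delete or rename as described above.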

The simplest blocking methods are discussed here. The cybercriminals' technical thinking does not stand still, and in the future you may have to face more sophisticated methods. To protect yourself from possible surprises, periodically make archive copies of the system partition, preferably on external media.

As a rule, it is a "Trojan" from the Winlock family. It is easy to identify: if a pornographic or, conversely, business image appears on the screen, and at the same time the computer stops responding to commands, this is our client.

The banner often contains the message "Your computer is blocked" and an offer to send a paid SMS or deposit money to the specified account; supposedly only after that will the harmful banner (and with it the PC lock) disappear. The image even has a field for a special code that is supposed to arrive once the above demands are met. Such malware works by substituting the Shell parameters in the operating system shell and disabling the functions of Windows Explorer.

There are several generations of ransomware viruses. Some of them are neutralized in a couple of clicks, others require more serious manipulation. We will show you the methods that you can use to deal with any Trojan of this kind.

Method number 1

Task Manager

This method will work against primitive Trojans. Try to invoke the regular Task Manager (key combination CTRL + ALT + DEL or CTRL + SHIFT + ESC). If successful, find in the list of processes what should not be running and terminate it.

If Task Manager does not open, you can still use the Run dialog via the Win+R keys. In the "Open" field, enter the word "notepad" and press ENTER; this opens the Notepad application. In the application window that opens, type arbitrary characters and briefly press the power button on your laptop or desktop PC. All processes, including the Trojan, will end immediately, but the computer will not turn off. While the virus is deactivated, you can find the files related to it and eliminate them, or run an anti-virus scan.

If you haven't installed the anti-virus software in time, you may ask: How do you remove the ransomware virus from your computer? In most cases, the offspring of the evil Winlock family sneak into directories of some temporary files or temporary files of the browser. First of all check the paths:

C:\Documents and Settings\<directory where username is specified>\ and

C:\Users\<directory by username>\AppData\Roaming\.

Look for "ms.exe" there, as well as suspicious files with arbitrary character set like "0.277949.exe" or "Hhcqcx.exe" and delete them.

Method number 2

Deleting virus files in safe mode

If the first method does not work and Windows is blocked - what to do in this case? You shouldn't be upset here either. This means that we are faced with an advanced Trojan that replaces system components and blocks the launch of the Task Manager.

In this case, we will have to choose to work in safe mode. Reboot your computer. Hold F8 while Windows starts. From the menu that appears, select Safe Mode with Command Prompt.

Next, type "explorer" in the console and press ENTER; this starts Explorer. After that, type the word "regedit" on the command line and press ENTER again. This opens the Registry Editor. In it, you can find the entries created by the Trojan, and also the place from which it autoruns.

The paths to the files of the malicious component will most likely be in the Shell and Userinit keys (in Shell it is written in place of explorer.exe, and in "Userinit" it is easy to identify by the comma). Then the procedure is as follows: copy the full name of the detected virus file to the clipboard with the right mouse button, type “del” on the command line, then a space, and paste the copied name. Press ENTER and you're done. Now you know how to remove the ransomware virus.

Do the same with the other infected files.

Method number 3

System Restore

Boot the system in safe mode, as described above. On the command line, type: "C:\WINDOWS\system32\Restore\rstrui.exe". Modern versions also accept simply "rstrui". And, of course, press ENTER.

The "System Restore" window will pop up in front of you. Here you will need to select a restore point, or rather, the date before the virus hit the PC. It may be yesterday, or it may be a month ago. In short, choose the time when your computer was 100% clean and healthy. That's all for Windows unlocking.

Method number 4.

Emergency disk

This method assumes that you have time to download software from another computer or go to a friend for it. Although, maybe you have already prudently acquired one?

Special software for emergency treatment and system recovery is supplied by many developers directly in anti-virus packages. However, the rescue disk can also be downloaded separately - free of charge and without registration.

You can use ESET NOD32 LiveCD, Comodo Rescue Disk, or. All these applications work according to the same principle and can be placed on CD, DVD or USB stick. They are automatically loaded along with the integrated OS (most often Linux), block the launch of Windows and, accordingly, malicious elements, scan the computer for viruses, remove dangerous software, and treat infected files.
