Kaspersky utility for banner removal. Unlocking the banner

Method 1. To use the services that combat SMS banners, enter the phone number to which you are asked to send an SMS or transfer money through a payment terminal.

In response, you will receive a code. Use it to unlock your computer and, once you have logged on to the system, immediately check your computer for viruses.
Method 2. Restore the operating system from a previously created restore point (roll back the system); for this you need a disc with your version of the operating system.
Method 3. Remove the HDD from the computer / laptop and scan it with an antivirus on another (uninfected) computer.
Method 4. Remove the SMS virus using a Live CD (described in more detail separately).
Method 5. Use the Kaspersky Rescue Disk utility.
Kaspersky Rescue Disk 10 is a special program designed to scan and disinfect infected computers. It is used when the infection is so severe that the computer cannot be cured with antivirus software or disinfection utilities (for example, Kaspersky Virus Removal Tool) running under the operating system.
To use this utility, it must be written to a disc or a USB stick. Writing it to a disc, I think, will cause no problems; to write the Kaspersky Rescue Disk 10 image to a USB drive, follow these steps:
1. Connect the USB drive to your computer
Attention! To write Kaspersky Rescue Disk 10 successfully, the USB drive must have a capacity of at least 256 MB and use the FAT16 or FAT32 file system. If the USB drive uses the NTFS file system, format it to FAT16 or FAT32. Do not write Kaspersky Rescue Disk 10 to a USB drive that already contains another bootable operating system; otherwise the computer may not boot from Kaspersky Rescue Disk 10 correctly.
2. Download the Kaspersky Rescue Disk 10 image and the utility for writing it to a USB drive
ISO image of Kaspersky Rescue Disk 10 (~250 MB)
Utility for writing Kaspersky Rescue Disk 10 to USB (~378 KB).
3. Write Kaspersky Rescue Disk 10 to the USB drive


To do this, follow these steps:
Run rescue2usb.exe.
In the Kaspersky USB Rescue Disk Maker window, specify the location of the downloaded Kaspersky Rescue Disk 10 image using the Browse... button.
Select the required USB drive from the list.
Press the START button and wait for the recording to complete.
In the window with information about the successful completion of the recording, click "OK".
4. Prepare your computer to boot from USB media
Note! To open the BIOS menu, use the Delete or F2 key. On some motherboards, the F1, F8, F10, F11 or F12 keys may be used.
Information on how to invoke the BIOS menu is displayed on the screen at the beginning of the operating system boot.
In the BIOS settings, on the Boot tab, select boot from Removable Device, that is, from a removable disk (detailed information can be found in the documentation for your computer's motherboard).
Connect the USB drive with the recorded image of Kaspersky Rescue Disk 10 to the computer.
Kaspersky USB Rescue Disk 10 is ready for use. You can boot your computer from it and start checking the system.
5. Boot your computer from the created disk.

Reboot your computer. After rebooting, the screen will display the message "Press any key to enter the menu".

Press any key.
Note! If you do not press a key within ten seconds, the computer will automatically boot from the hard disk.
Use the cursor keys to select the language of the graphical interface. Press the ENTER key.

Read the License Agreement for Kaspersky Rescue Disk. If you agree with its terms, press 1 on the keyboard. Press 2 to restart or 3 to shut down the computer.

Select one of the following boot modes:
Kaspersky Rescue Disk. Graphics Mode - loads the graphics subsystem (recommended for most users).
Note! If your computer does not have a mouse connected (for example, you have a laptop and use a touchpad instead of a mouse), select Text Mode.
Kaspersky Rescue Disk. Text Mode - loads the text-mode user interface, which is the Midnight Commander console file manager.
Press the Enter key and wait for the system to boot.

After the operating system has loaded, you can start working with Kaspersky Rescue Disk 10. Update the program's anti-virus databases and run a virus scan using Kaspersky Rescue Disk 10.

1. Boot the computer from Kaspersky Rescue Disk 10 in graphics mode.
2. In the lower left corner of the screen, click the button in the shape of the letter K. In the menu, select Kaspersky Rescue Disk.
3. Update the anti-virus databases of Kaspersky Rescue Disk. To do this, on the Update tab, click the Execute update button.
4. Wait until the update of the application anti-virus databases is completed.
5. On the Scan objects tab, check the boxes next to the objects to be scanned by the program. By default, Kaspersky Rescue Disk checks the boot sectors of hard disks, as well as hidden startup objects of the operating system.
6. Click the Scan objects button.
7. After the scan is complete, if threats are detected, the program will ask you what action to take with malicious objects:
- Treat. After disinfection, you can continue working with the object.
- Move to Quarantine if the scan failed to determine whether the object is infected or not. If you have set the required option to scan files in quarantine after each database update, then after receiving a new disinfection signature, the object in Quarantine will be disinfected and again available to the user.
- Delete. If an object has been assigned the status of a virus, but it cannot be disinfected, you can delete it. Information about the object will be saved in the report on detected threats.

Check in text mode.

To run a computer scan and remove malware from your computer, follow these steps:
1. Boot the computer with Kaspersky Rescue Disk 10 in text mode.
2. In the main menu of the loaded Midnight Commander file manager, select the required type of scan with the arrow keys and press Enter (or press on your keyboard the symbol shown on the left in the Midnight Commander window).

Kaspersky Lab specialists recommend scanning startup objects (to do this, press s on the keyboard) and boot sectors (press B on your keyboard) one after the other.
3. After waiting for the scan to complete, update the anti-virus databases of Kaspersky Rescue Disk. To do this, in the main menu of the Midnight Commander file manager, select the Update option and press Enter on your keyboard (or just press u on your keyboard).

How to prevent the appearance of SMS banners.

In order not to have to deal with SMS banners in the future, you must follow several rules:
1. When browsing pages on the Internet, do not click on pop-up windows on sites, for example "update flash player", "check your computer online for viruses" or "a virus was found on your computer - click delete"; all of this will most likely lead to your computer being infected with viruses.
2. Be sure to use an antivirus and update its databases regularly.
3. Install all updates to the operating system.
Materials from the site http://support.kaspersky.com/viruses/rescuedisk/ were used.

Winlocker (Trojan.Winlock) is a computer virus that blocks access to Windows. After infection, it prompts the user to send an SMS to receive a code that restores the computer to working order. It has many software modifications: from the simplest, "embedded" in the form of an add-on, to the most complex, which modify the boot sector of the hard drive.

Warning! If your computer is locked by a Winlocker, under no circumstances send an SMS or transfer money to get the OS unlock code. There is no guarantee that it will be sent to you. And even if it is, you will have given your hard-earned money to the attackers for nothing. Don't fall for tricks! The only right decision in this situation is to remove the ransomware virus from the computer.

Removing the ransomware banner yourself

This method is applicable to winlockers that do not block the OS from loading into safe mode, the registry editor and the command line. It relies exclusively on system utilities (without the use of anti-virus programs).

1. When you see a malicious banner on the monitor, first of all, disconnect the Internet connection.

2. Reboot the OS in safe mode:

  • while the system is rebooting, hold down the "F8" key until the "Advanced Boot Options" menu appears;
  • using the arrow keys, select "Safe Mode with Command Prompt" and press "Enter".

Attention! If the PC refuses to boot in safe mode or the command line / system utilities do not start, try removing the winlocker in a different way (see below).

3. At the command line, type the command msconfig, and then press "ENTER".

4. The System Configuration panel appears on the screen. Open the "Startup" tab and carefully review the list of items for the presence of a winlocker. As a rule, its name contains meaningless alphanumeric combinations ("mc.exe", "3dec23ghfdsk34.exe", etc.). Disable all suspicious files and remember / write down their names.

5. Close the panel and go to the command line.

6. Enter the command "regedit" (without quotes) + "ENTER". Upon activation, the Windows Registry Editor will open.

7. In the "Edit" section of the editor menu, click "Find ...". Write the name and extension of the winlocker found in startup. Start the search with the "Find Next ..." button. All entries with the name of the virus must be deleted. Continue scanning with the F3 key until all sections have been verified.

8. Still in the editor, using the left-hand pane, navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

The "Shell" entry must have the value "explorer.exe"; the "Userinit" entry must have the value "C:\Windows\system32\userinit.exe,".

Otherwise, if malicious modifications are detected, use the "Modify" command (right mouse button, context menu) to set the correct values.

9. Close the editor and go back to the command line.

10. Now you need to remove the banner from the desktop. To do this, enter the "explorer" command (without quotes) at the command line. When the Windows shell appears, remove all files and shortcuts with unusual names (which you did not install on the system). Most likely, one of them is the banner.

11. Restart Windows in normal mode and make sure you managed to remove the malware:

  • if the banner has disappeared, connect to the Internet, update the databases of the installed antivirus or use an alternative antivirus product, and scan all partitions of the hard drive;
  • if the banner continues to block the OS, use another removal method. Perhaps your PC was hit by a winlocker that "attaches" itself to the system in a slightly different way.
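
The Winlogon check from step 8 can also be done on the text that `reg query` prints for that key. The following is an added example, not part of the original article: it flags a replaced "Shell" and any extra program appended to "Userinit". The expected values are the ones given in step 8; the sample outputs and the paths inside them are constructed.

```python
import re

# Expected values, taken from step 8 of the procedure above.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"

# A value line of `reg query` output: indented name, type, data.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>\S.*?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$"
)

# Constructed sample outputs (not captured from a real machine).
CLEAN_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""

TAMPERED_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\Public\3dec23ghfdsk34.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Users\Public\mc.exe
"""


def parse_reg_query(text):
    """Return {lower-cased value name: data} for each value line."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group("name").lower()] = match.group("data").strip()
    return values


def check_winlogon(text):
    """Return a list of findings; an empty list means both values look right."""
    values = parse_reg_query(text)
    findings = []

    shell = values.get("shell")
    if shell is None:
        findings.append("Shell: value missing")
    elif shell.lower() != EXPECTED_SHELL:
        findings.append(f"Shell: unexpected value {shell!r}")

    userinit = values.get("userinit")
    if userinit is None:
        findings.append("Userinit: value missing")
    else:
        # Userinit is a comma-separated list; every entry is started at logon,
        # so anything besides userinit.exe deserves a look.
        entries = [e.strip() for e in userinit.split(",") if e.strip()]
        lowered = [e.lower() for e in entries]
        if EXPECTED_USERINIT.lower() not in lowered:
            findings.append("Userinit: userinit.exe entry missing")
        for entry in entries:
            if entry.lower() != EXPECTED_USERINIT.lower():
                findings.append(f"Userinit: extra program {entry!r}")
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(label, check_winlogon(sample) or "OK")
```
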

Removal with antivirus utilities

To download the utilities that remove winlockers and burn them to disc, you will need another, uninfected computer or laptop. Ask a neighbor or a friend to let you use their PC for an hour or two. Stock up on 3-4 blank discs (CD-R or DVD-R).

Advice! If you are reading this article for informational purposes and your computer, thank God, is alive and well, still download the disinfection utilities considered in this article and save them on discs or a flash drive. A prepared "first aid kit" doubles your chances of defeating a virus banner, quickly and without unnecessary worries.

1. Go to the official site of the utility developers - antiwinlocker.ru.

2. On the home page, click the AntiWinLockerLiveCd button.

3. A list of links for downloading program distributions will open in a new browser tab. In the column "Disk images for disinfecting infected systems", follow the link "Download AntiWinLockerLiveCd image" with the highest (newest) version number (for example, 4.1.3).

4. Download the image in ISO format to your computer.

5. Burn it to a DVD-R / CD-R in ImgBurn or Nero using the Burn Disc Image function. The ISO image must be unpacked to create a bootable disc.

6. Insert the AntiWinLocker disc into the PC where the banner is rampant. Restart the OS and enter the BIOS (find out the hotkey for entering it on your computer; possible options are "Del", "F7"). Set the computer to boot not from the hard drive (system partition C) but from the DVD drive.

7. Restart your PC again. If you did everything correctly - you wrote the image to disk correctly, changed the boot setting in BIOS - the AntiWinLockerLiveCd utility menu will appear on the monitor.

8. To automatically remove the ransomware virus from your computer, click the START button. And that's it! No other action is required - one-click destruction.

9. At the end of the removal procedure, the utility will provide a report on the work done (what services and files it unlocked and cured).

10. Close the utility. When you reboot the system, go to the BIOS again and specify the boot from the hard drive. Start the OS in normal mode, check its performance.

WindowsUnlocker (Kaspersky Lab)

1. Open the sms.kaspersky.com page (Kaspersky Lab's official website) in your browser.

2. Click the "Download WindowsUnlocker" button (located under the "How to remove the banner" label).

3. Wait while the boot disk image of Kaspersky Rescue Disk with WindowsUnlocker is downloaded to your computer.

4. Write the ISO image to disc in the same way as for the AntiWinLockerLiveCd utility, that is, make a bootable disc.

5. Configure BIOS of locked PC to boot from DVD drive. Insert the Kaspersky Rescue Disk LiveCD and reboot the system.

6. To launch the utility, press any key, and then use the cursor arrows to select the interface language ("Russian") and press "ENTER".

7. Read the terms of the agreement and press "1" (agree).

8. When the Kaspersky Rescue Disk desktop appears on the screen, click the leftmost icon in the taskbar (the letter "K" on a blue background) to open the disc menu.

9. Select "Terminal".

10. In the terminal window (root: bash), at the "kavrescue ~ #" prompt, enter "windowsunlocker" (without quotes) and run the command with the "ENTER" key.

11. The utility menu will be displayed. Press "1" (Unblock Windows).

12. After unlocking, close the terminal.

13. We now have access to the OS, but the virus is still at large. In order to destroy it, do the following:

  • connect to the Internet;
  • launch the "Kaspersky Rescue Disk" shortcut on the desktop;
  • update the antivirus signature databases;
  • select the objects to be checked (it is advisable to check all the elements of the list);
  • with the left mouse button, activate the "Scan objects" function;
  • if a ransomware virus is detected, select "Remove" from the suggested actions.

14. After disinfection, in the main menu of the disc, click "Turn off". When the OS restarts, enter the BIOS and set boot from the HDD (hard drive). Save your settings and boot Windows normally.

Service for unlocking computers from Dr.Web

This method consists of trying to force the WinLocker to self-destruct, that is, giving it what it demands: the unlock code. Naturally, you don't have to spend money to get it.

1. Write down the wallet or phone number that the attackers left on the banner for buying the unlock code.

2. From another, "healthy" computer, go to the Dr.Web unlock service - drweb.com/xperf/unlocker/.

3. Enter the copied number in the field and click the "Search codes" button. The service will automatically select an unlock code for your request.

4. Write down / copy all codes shown in the search results.

Attention! If there are none in the database, use the Dr.Web recommendation for removing the Winlocker yourself (follow the link under the message "Unfortunately, at your request ...").

5. On the infected computer, enter the unlock code provided by the Dr.Web service in the banner "interface".

6. In case of self-destruction of the virus, update the antivirus and scan all partitions of the hard disk.

Warning! Sometimes the banner does not respond to the input of the code. In this case, you need to use another removal method.

Remove banner MBR.Lock

MBR.Lock is one of the most dangerous winlockers. It modifies the data and code of the hard disk's master boot record. Many users, not knowing how to remove this ransomware banner, start reinstalling Windows, hoping that after this procedure their PC will "recover". But, alas, this does not happen - the virus continues to block the OS.

To get rid of the MBR.Lock ransomware, follow these steps (option for Windows 7):
1. Insert a Windows installation disc (any version or build will do).

2. Enter the computer's BIOS (find the hotkey for entering the BIOS in the technical description of your PC). Set the First Boot Device option to "Cdrom" (boot from DVD drive).

3. After the system restarts, the Windows 7 installation disc will load. Select the type of your system (32/64 bit) and the interface language, and click the "Next" button.

4. At the bottom of the screen, under the Install option, click System Restore.

5. In the "System Recovery Options" panel, leave everything unchanged and click "Next" again.

6. Select Command Prompt from the Tools menu.

7. At the command line, enter the command bootrec /fixmbr, and then press Enter. The system utility will overwrite the boot record and thereby destroy the malicious code.

8. Close Command Prompt and click Restart.

9. Scan your PC for viruses with Dr.Web CureIt! or Virus Removal Tool (Kaspersky).
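
To confirm what step 7 actually changed, two 512-byte copies of the disk's first sector (one saved before `bootrec /fixmbr`, one after) can be compared offline. This is an added example, not part of the original article: it parses the standard MBR layout, hashes the bootstrap code and checks that the partition table was left alone, which is the documented behaviour of `/fixmbr`. The sectors used here are constructed in code; how the dumps are obtained is left to the reader's rescue environment.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440        # bytes 0..439 hold the bootstrap code
PART_TABLE_OFFSET = 446    # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector):
    """Split a 512-byte MBR into signature status, code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({
                "index": i,
                "active": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partition_table": sector[PART_TABLE_OFFSET:510],
        "partitions": partitions,
    }


def compare_mbr(before, after):
    """Report what differs between two dumps of the same disk's MBR."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": b["boot_code_sha256"] != a["boot_code_sha256"],
        "partition_table_intact": b["partition_table"] == a["partition_table"],
        "signature_ok": a["signature_ok"],
    }


def constructed_sector(code_byte):
    """Constructed sample: filler 'boot code' plus one active type-0x07 partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return (bytes([code_byte]) * BOOT_CODE_END + b"\x00" * 6
            + entry + b"\x00" * 48 + BOOT_SIGNATURE)


if __name__ == "__main__":
    before = constructed_sector(0x90)   # stands in for the modified boot code
    after = constructed_sector(0x33)    # stands in for the rewritten boot code
    print(compare_mbr(before, after))
    print(parse_mbr(after)["partitions"])
```

A result with the boot code changed, the partition table intact and a valid signature is what a successful rewrite looks like; an unchanged code hash means the record was not overwritten.
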

It is worth noting that there are other ways to disinfect a computer from a winlocker. The more means you have in your arsenal to combat this infection, the better. In general, as the saying goes, better safe than sorry - do not tempt fate: do not go to dubious sites and do not install software from unknown manufacturers.

May ransomware banners pass your PC by. Good luck!

While surfing the Internet, a user may accidentally visit a site intentionally infected with a ransomware virus. If the Windows operating system, the browser or other software has vulnerabilities, the computer becomes completely blocked: a window appears on the screen with a message that the user has allegedly violated certain rules and this version of Windows is locked. To unlock it, the user is asked to send an SMS message to the specified telephone number. The cursor moves only within the window, and restarting does not help.

There are several ways to remove ransomware viruses. The easiest way is to use the Kaspersky Lab website: you need to go to it from another computer or from a backup OS and open the "Remove SMS blockers" page. Next, enter in the search box the phone number to which you are asked to send an SMS, and click the "Get code" button. If the required code exists, you will get it. After that, enter it in the blocker window, and Windows will be unlocked.

Unfortunately, this method does not always work. If it fails, the banner can be removed using Kaspersky WindowsUnlocker. This utility can be downloaded from the same page of the Kaspersky website; it is included in the Kaspersky Rescue Disk. You need to download a disk image (its size is a little over 300 MB) and burn it to a CD. The utility is then launched from the CD when the computer starts, and it can be used to delete all SMS blocker files and restore the registry. After the utility has finished, the computer will be fully functional.

You should use Kaspersky WindowsUnlocker even when you managed to find an unlock code. The files of the blocker virus still remain on the computer and should be deleted.

Professional removal of blockers

Virus creators are constantly creating new versions, so it is quite likely that you will not be able to remove a virus you come across using standard methods. In this case, the banner will have to be removed manually, which requires a lot of experience. For instance, an experienced technician can try to boot the computer in safe mode with command line support. When the console becomes available, he will launch the desktop with the explorer.exe command; the virus usually does not activate with this boot method. After that, the expert will check the system registry and Windows folders and manually remove the blocker files from them, which will completely restore the computer to working order.

If you have come across an SMS blocker and cannot get rid of it, call us. Our specialist will come and is guaranteed to restore your desktop or laptop. By observing the work of a technician, you can learn a lot, which will allow you to cope with similar situations. Call us at any time convenient for you!

In this post I will tell you how you can remove porn banners and Windows SMS blockers for which no unlock codes were found.

How to search for them is described in the previous article here:

To carry out activities to clean your computer, we need:

  • Uninfected computer (a computer of a neighbor, brother or godfather will also do) - 1 piece
  • USB flash drive or blank CD (the most common USB flash drive volume of at least 256 MB or CD / DVD-R disc) - 1 piece
  • Internet access (you will need to download about 200 Megabytes) - 1 piece
  • Patience and quick wits - 1 each

If, while working with a computer, a banner (advertising module) appeared on the screen with a request to top up an account or send an SMS to the number indicated in the message, this means that you have become a victim of a ransomware blocker. The purpose of ransomware is to block user access to data or to restrict the ability to use the computer and demand a ransom for returning the system to its original state.

To combat ransomware, Kaspersky Lab specialists developed a special utility, Kaspersky WindowsUnlocker. The utility is launched when the computer boots from a special version of the Kaspersky Rescue Disk 10 image and can be used in both the graphical and the text boot mode of Kaspersky Rescue Disk.

Kaspersky WindowsUnlocker disinfects the registry of all operating systems installed on the computer (including those installed on different partitions or in different folders of one partition), and also disinfects user registry branches. Kaspersky WindowsUnlocker does not perform any operations on files (to disinfect infected files, you can use Kaspersky Rescue Disk 10).

2. Booting the computer from Kaspersky Rescue Disk

To write Kaspersky Rescue Disk to a CD / DVD or USB drive, you need an uninfected computer connected to the Internet.

1. Download the special version of the Kaspersky Rescue Disk image, which includes the Kaspersky WindowsUnlocker utility.

5. Kaspersky WindowsUnlocker log

The utility's operation log may be needed by Technical Support specialists when analyzing your request. You can send a request through the My Account service. To view the utility's operation log, do the following:

  1. On the desktop, double-click to open File Manager (if you are working in text mode, close the user menu by pressing F10).
  2. In the File Manager menu (in text mode, Midnight Commander), find the folder /var/kl (or /var/tmp if the first folder is unavailable) and open it.
  3. The folder contains a text file named like WUnlocker.1.0.0.0_%dd.mm.yy_hh.mm.ss_log%.txt. This file contains the Kaspersky WindowsUnlocker operation log.

After finishing work with Kaspersky WindowsUnlocker, restart your computer and, in the BIOS settings on the Boot tab, set your hard disk as the boot disk.

Update 12/17/2011

By the way, often after successful removal of a virus, its "traces" remain in the system in the form, for example, of a blocked task manager.

If you have any questions about using the utility or following the steps in the instructions, write either in the comments or.

Today I will talk about how to remove a banner from your desktop. Ransomware banners are different: some only partially block the computer, others completely paralyze its operation. Last time, I had to deal with precisely the second type of banner.

The ransomware banner completely blocked my friend's computer. The mouse cursor could only move within the banner boundaries. None of the keyboard shortcuts worked, and when I tried to boot into Safe Mode I got a "blue screen of death".

The banner looked like this:

Ransomware banner view on desktop

The text, in my opinion, was composed by a person with a good sense of humor:

"Your computer is blocked for viewing, copying and replicating video materials containing elements of pornography, pedophilia and violence against children. To unblock, you need to pay a fine of 1000 rubles to an MTS account. The fine can be paid in any payment terminal.

In case of payment of an amount equal to or exceeding the fine, the terminal will print the unlock code on the fiscal receipt. You need to enter it in the field at the bottom of the window and press the "Enter" button. After unblocking, you must remove all materials containing elements of pornography, violence and pedophilia. If the fine is not paid within 12 hours, all data on your personal computer will be irrevocably deleted, and the case will be referred to the court for proceedings under Article 242 Part 1 of the Criminal Code of the Russian Federation.

ATTENTION! Restarting or shutting down the computer will immediately delete all data, including the operating system code and BIOS, and it cannot be recovered."

In such cases, you can try to visit the Kaspersky or Dr.Web website using another computer and try to get the unlock code by entering the phone number to which they want you to send an SMS or top up the account. However, at the moment banners that do not have unlock codes have become widespread.

In this specific case, I used the Kaspersky Rescue Disk, the image of which (a file with the ISO extension) can be downloaded from the official website of Kaspersky Lab or from the file hosting Depositfiles (268 MB).

At the moment, Kaspersky Rescue Disk 10 is available for download. The disk image can be written to a USB flash drive or to a CD (CD-R or CD-RW). I prefer to use CDs, as this ensures that after the image is recorded, the media will not under any circumstances be infected with viruses.

Let me remind you that to boot your computer from a CD, the CD-ROM must be specified as the first boot device in the BIOS. To enter the BIOS, when booting / restarting the computer, you must hold down, as a rule, the Delete key. On some computers, other keys, such as F2, can be used to enter the BIOS.

When booting from Kaspersky Rescue Disk, you need to specify the language (English by default) and select the type of data display mode. For novice users, it is best to boot into graphical mode. After loading, in graphical mode, the desktop will appear.

Before starting a computer scan for viruses, you must update the program. To do this, you can go to the "Update" tab and click on the "Perform update" link.

After the update, you need to return to the "Scan objects" tab, select the objects that need to be scanned (it is desirable to select all disks) and start the scan by clicking on the "Scan objects" link.

After checking your computer for viruses with Kaspersky Rescue Disk, you can see the results in the "Reports" tab.

In a successful scenario, after restarting the computer, everything should return to normal. In my case, it turned out that way: the ransomware banner was removed with the help of Kaspersky Rescue Disk. By the way, I must say that an attempt to remove such a banner using Dr.Web CureIt! ended in failure.

Evgeny Mukhutdinov
