Windows is locked - what to do? How to unblock Windows from ransomware. Windows 7 is blocked: what to do, step-by-step instructions

A lot of Windows users have faced the fact that sometimes the computer is locked. Messages like "Your Windows is locked" can appear in several cases, and this is not always associated with a virus infection. The fact is that the system itself can issue notifications of this kind. Below we look at the possible situations and the main methods for eliminating such a problem.

Windows computer is locked: possible reasons for this phenomenon

So, let's start with the root causes of blocking the operating system itself, the user account, the disk, or access to some applications. In general, there are not so many situations in which it is reported that a Windows computer is locked.

Among all that occurs most often, the following problems can be distinguished:

  • the system is blocked due to lack of activation;
  • access to programs is limited by the security system or by the administrator;
  • the system is blocked by ransomware viruses.

What if Windows 7 is locked after installation?

It is no secret that for all systems of this family, including the already freely distributed tenth modification, a special license key must be entered during the installation process. However, in any installer, you can skip this step by postponing the activation of the operating system until later. The system will work, but its life is usually limited to thirty days.

If during this time you do not enter the activation code, a permanent notification will appear on the screen in the system tray area that, for example, Windows 7 is locked. In other words, it will be impossible to fully use it. As already clear, to correct the situation, it is necessary to activate. After successfully completing the procedure and rebooting, the system notification that the Windows system is locked will disappear. Many users, unfortunately, constantly postpone registration, leaving this procedure for later, and completely ignore the end of the trial period. Thus, the usual carelessness leads to the fact that the whole system stops working at one point.

Using an activator

However, not all users tend to purchase official copies of the system and do not always have the necessary activation keys available. It is clear that in this case, you will again receive a message stating that Windows is locked. What to do in such a situation?

There is a solution, although it can be attributed to some illegal actions on the part of the user that violate international law. However, this never stopped our user. If you want to activate the system without a key, just use utilities like KMSAuto Net, which perform this procedure automatically. The only thing that you should pay attention to is the agreement to enter the reactivation process into the "Task Scheduler" (re-registration will be carried out every ten days). In addition, you cannot delete the file itself. If the antivirus or the protection system of the OS itself ("Defender" and firewall) is triggered, the object must be added to the exclusion lists of all tools that monitor the security of the system. In the firewall, the program can be immediately added to the list of allowed or a new rule can be created to run it. Exactly the same actions are performed in antivirus software.

Administrator rights

But both the computer administrator and the sysadmin can block access to Windows if network modifications are used. In this case, we are talking not only about limiting the use of programs or system tools, but even about the fact that logging in at the level of a registered user will be simply impossible.

So, if the administrator has blocked Windows 10 from logging in, the solution is obvious - you need to contact him to restore access. If you know the administrator's username and password, the solution looks even simpler. Just log into the system as an administrator, go to account management, select your account and set the necessary rights or unlock it. By the way, setting the appropriate rights to change system parameters or disabling User Account Control can also be useful if Windows 10 blocked a program, considering it unreliable when trying to install it or when starting it after installation.

The simplest solution seems to be the User Account Control settings, which can be reached through Windows search (so as not to rummage through various menus for a long time). In the settings window, you just need to move the slider to the lowest position, save the settings and restart. You can also disable the firewall and the TrustedInstaller service. If Windows has blocked some applet, you can unblock it by setting it to always run as administrator. To do this, use the properties section of the executable file or its shortcut and check the appropriate line so that the application always starts with the rights the user needs and the system does not issue constant requests for trust. By the way, the same applies to the TrustedInstaller service, which can be disabled through the services section, where it is first stopped in the parameters, and then the disabled option is set as its startup type.

Virus blocking: options for correcting the situation

Finally, one of the most common situations is the inability to log in, when a persistent banner appears on the screen during the boot process, notifying that the computer is locked (Windows is locked) due to visits to some dubious sites on the Internet or the distribution of inappropriate content, which is supposedly coming from your address.

In fact, the operating system itself does not provide for such a lock, and the user is dealing with an ordinary ransomware virus, which, in addition to everything, also issues a demand to pay a certain amount, after which the system should seem to return to normal. Do not try to transfer anything to the specified details. You can get rid of this kind of viruses using simpler methods:

  • restore the system from a checkpoint;
  • delete virus keys from the system registry;
  • use antivirus software.

System Restore

Consider a situation where, for example, Windows XP is locked. The system does not start, and at the stage of loading the "Desktop" the above banner appears.

To begin with, you can try to forcibly turn off your computer or laptop, then turn it on again and see if the automatic recovery starts. If for some reason this does not work, turning it on and off will need to be done several times so that the system itself determines that an incorrect shutdown was performed.

If recovery still does not work, the system does not boot, or at startup it turns out that the Windows account is blocked, you can use the classic method of choosing the boot type by pressing the F8 key at startup (in Windows 10 this option does not work, and you can use removable media to start). Here you simply select the last known good configuration and see how the system behaves.

If this does not help, try to start in safe mode, and then enter the system recovery settings through the "Control Panel" and roll back using the checkpoint that preceded the penetration of the virus into the system (if there is no such point, click on link to show other points).

Using Registry Editor in Safe Mode

But, suppose that this did not give an effect. Again, we observe a situation when Windows is blocked by a virus application. What to do in this case?

To begin with, you should use the boot in safe mode with command line support, and then call the registry editor through the console (regedit command). Now the most important thing begins.

The first step is to find the Shell and Userinit keys in the HKLM branch, which are located in the Winlogon directory. For the first entry (without options), the value explorer.exe should be specified, and for the second, the full path to the executable file userinit.exe, which is located in the System32 system folder of the Windows root directory in the system partition (usually on the C drive).

After that, you should check the same section in the HKCU branch. Here the above keys should not be present at all. If they are present, they must be removed. Then, to be thorough, you need to check the Run and RunOnce sections in the HKLM and HKCU branches. In these sections, you need to get rid of all suspicious entries whose current values are links to executable EXE files with names consisting of a meaningless set of characters. If for some reason you doubt whether a certain key should be deleted, just open it for editing by double-clicking and set the value to one: this will disable the execution of the application, and if necessary, the value can be returned to its previous state after the main problems with the operating system have been eliminated and it has been restarted in working order.

The next step, if the Windows drive is locked, will be to clean it up. For this, the same command line is used, but this time the cleanmgr command is entered in it. In the window that appears, check the boxes on all lines in the list, except for the item for deleting backup files.

After editing the registry and the cleaning procedure, you can restart the computer and see how it boots. If for some reason the start again turns out to be impossible, enter explorer.exe in the command console, go to the Users folder, open the AppData folder in your directory and, in its subdirectories, delete the files with the names that you got rid of in the registry.

If, when performing the indicated actions with the registry and the system partition, it is not possible to call the command line through the start in safe mode, you will have to use booting from removable media (installation or recovery disk / flash drive) followed by similar procedures. In this case, the command console can be activated in the fastest way through the combination Shift + F10.

AntiWinLocker application

But what if after that it turns out that the Windows computer is still blocked by a malicious application? Here specialized utilities will come to the rescue. One of the most interesting is this boot program, which can be started from an optical or USB drive.

After starting the program, you must accept the license agreement and select automatic launch. Further, this tool will perform a complete scan of the computer system and indicate exactly where the viruses are located. You can delete them immediately or leave the execution of such actions for later, but after the restart, you will additionally need to launch some anti-virus scanner. In theory, the system should boot normally.

If the previous solution did not help, and again it turns out that the Windows computer is locked, you can use the equally effective utility Kaspersky Rescue Disk, which also starts from removable media.

After launching the utility, you first need to select the language and preferred interface (preferably graphical). After that, you can either check for viruses, or go directly to unlock the system. For the first option, all disks and partitions are marked, after which the scanning process starts.

For the second option, the terminal is used, called through the main menu button (like "Start" in Windows), and the windowsunlocker line is entered in the console that appears. After that, a black window similar to the command console will appear, where you will be offered three options for action. For instant unblocking, 1 is entered, after which it remains only to wait for the end of the process. However, even if a scan is carried out immediately and a virus is detected and removed or neutralized, it will be possible to start the operating system. By the way, it is this program that allows you to detect and eliminate almost all known threats, so its use in the case of deep infection is the most effective.

AVZ program

Now one more option for the situation when it turns out that Windows is locked. The AVZ program or some kind of portable scanner can be used, so to speak, as a final check - to scan the system and / or restore it with the elimination of the detected problems.

The application is launched when the system starts from removable media or in safe mode, after which the restore item is selected from the file menu. Mark all that is needed and press the button to perform the selected actions. But it is too early to rejoice. Next, you need to go to the built-in "Troubleshoot Wizard", select the system problems and the "All" item, mark all the lines and perform the necessary actions to scan and eliminate the errors found. After that, in the same way, you need to use the settings and tweaks section of the browser, and then through the service menu go to the explorer extensions editor, where the checkboxes are removed from all the items marked in black. Then, through the same service menu, you need to go to the Internet Explorer Extension Manager and delete all the lines that appear in the settings window.

When the Windows computer is locked, running this application in Safe Mode may not work. If you want to use exactly this option for starting the utility, you can use the system boot menu (F8) and choose to start the recovery tool first, and then use the command line, from which you need to start the standard Notepad by entering the notepad command. In this program, you should open the file dialog, select "All" in the file type, find the AVZ.exe file and run the executable antivirus file itself through the right-click menu by choosing the line "Open", and not "Select", since using the second item will only show the text representation of the compiled file rather than starting it as an executable applet.

What if all else fails?

As it is already clear, viruses can block access to Windows quite simply. Usually such situations are associated with outdated versions of XP, but it is far from the fact that later modifications cannot be affected by such an effect.

However, returning to the main question, we can assume that none of the above solutions gave a positive result. What to do in such a situation? Here, as a last option, you can suggest removing the hard drive with the infected system, connecting it to an uninfected computer terminal and checking it for viruses using a portable antivirus launched from the computer to which your hard drive is connected. What to use? In principle, utilities like Dr. Web CureIt or KVRT from Kaspersky Lab. In them, however, it will not work to mark the boot or hidden areas of the connected HDD, however, it is precisely as the last option that such a solution can be used (of course, provided that no other measures help).

Instead of a conclusion

That, in fact, is all that concerns the occurrence of problems when the system or some of its functions are blocked. If the operating system starts, we can immediately conclude that the prohibitions were imposed due to the lack of activation or represent security measures on the part of the system itself or the computer administrator. But in the case of the appearance of messages in the form of banners, this is a clear sign of a viral effect.

As for troubleshooting problems and bringing the system to a normal working state, it is best to use KMSAuto Net for activation (the program is portable and does not require installation); to eliminate problems with prohibitions from the OS itself, disabling UAC control or granting yourself extended rights to change the system configuration or access to blocked programs. Well, to fight viruses without utilities that start even before the main Windows modules are loaded, in this case it is impossible to do without.

Yes, and one more thing. Even if the operating system starts in safe mode, it is under no circumstances recommended to use alleged antivirus programs like SpyHunter, since threats may be detected and will be, but it will be impossible to remove or neutralize them without purchasing the main application. In addition, it will be much more difficult to get rid of the anti-virus applets of this type later than to remove threats detected by other applications, for example, applications from Kaspersky Lab. So, if you are invited to download and install such utilities, it is better, as they say, not to risk it.

Friends, hello. Today's article will be useful primarily for corporate users of Windows-based computers who work with standard local accounts, where only authorized persons of the company, such as employees of the IT department, can log into accounts with administrator status. Although, in a certain family microclimate, the problem described below can also be encountered on home devices. What kind of problem is this? It is the inability to access Windows, with a notification on the lock screen: "The user account is locked and cannot be used to log on to the network." What kind of blocking is this, and how to deal with it?

So, we cannot enter Windows, because we see this on the lock screen.

Such blocking is the result of a certain number of unsuccessful attempts to authorize in the local account, if the computer administrator has made the appropriate local group policy settings.

Locking Windows Accounts

The computer administrator in local group policies can set a certain number of attempts to log into user accounts. If this number of attempts is exceeded, the account is blocked for entry. This is such a protection against guessing passwords. Even if we are not dealing with a situation of trying to guess a password for someone else's account, but simply its true owner inattentively entered characters or did not look at the keyboard layout, it will not be possible to enter the system even if the correct password is entered. You will have to wait for the time set by the administrator until the login attempts counter is reset. And, of course, until the time of the blocking itself expires.

Such protection against guessing passwords is established in the local group policy editor, in the account lockout policy.

When this threshold is set, other policy settings - the time until the lockout counter is reset and the duration of the lockout itself - will automatically be set to 30 minutes.

You can change them if necessary. And, for example, set a shorter time to reset the counter of unsuccessful password attempts.

And, on the contrary, increase the blocking time of the account itself.

This protection applies only to local accounts and does not work when trying to guess a password or pin code for connected Microsoft accounts.
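How the three policy settings described above interact, as an added example that is not part of the original article: a simplified model of the lockout counter (not Windows code). The class and function names are hypothetical, time is counted in minutes, and the threshold used in the demo is a constructed value.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int        # failed attempts that trigger the lock
    reset_after_min: int  # time until the failed-attempt counter is reset
    lockout_min: int      # duration of the lock itself


class LocalAccount:
    """Simplified model of a local account under an account lockout policy."""

    def __init__(self, password, policy):
        self._password = password
        self.policy = policy
        self.bad_count = 0
        self.last_bad = None      # minute of the last failed attempt
        self.locked_until = None  # minute at which the lock expires

    def logon(self, password, now_min):
        # While the lock is active even the correct password is rejected.
        if self.locked_until is not None:
            if now_min < self.locked_until:
                return "locked"
            self.locked_until, self.bad_count = None, 0
        # The counter is reset once enough time has passed since the last failure.
        if (self.last_bad is not None
                and now_min - self.last_bad >= self.policy.reset_after_min):
            self.bad_count = 0
        if password == self._password:
            self.bad_count = 0
            return "ok"
        self.bad_count += 1
        self.last_bad = now_min
        if self.bad_count >= self.policy.threshold:
            self.locked_until = now_min + self.policy.lockout_min
            return "locked"
        return "bad password"


def replay(policy, password, attempts):
    """attempts: list of (minute, typed_password); returns one result per attempt."""
    account = LocalAccount(password, policy)
    return [account.logon(typed, minute) for minute, typed in attempts]


if __name__ == "__main__":
    # 30-minute values as in the article; the threshold of 5 is a constructed value.
    policy = LockoutPolicy(threshold=5, reset_after_min=30, lockout_min=30)
    typos = [(m, "wrong layout") for m in range(5)]
    print(replay(policy, "secret", typos + [(10, "secret"), (34, "secret")]))
```

In the demo run the owner mistypes the password five times, is rejected with the correct password at minute 10, and gets in at minute 34, once the 30-minute lock has expired.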

There are several ways to unblock a blocked account:

  • Log in to the system as an administrator and unlock it;
  • If access to the administrator account is not possible, remove the lock by booting from a removable device and tweaking something in the Windows registry.

How to unblock your Windows account if you have administrator access

If your account is blocked, but you have access to the administrator's account, you need to log into the latter and unblock your own in this way. Press the Win + R keys, enter:

In the window that opens, in the "Users" folder, look for your account and double-click on it.

In the window of the opened properties, uncheck the "Block account" checkbox. We apply.

Trying to log into your account.

  • Note: if you do not have a password for the administrator account, you should not try to log in using brute force. Password guessing protection works for all local accounts, including the administrator. After a certain number of unsuccessful authorization attempts, his account will also be blocked.

How to unblock your Windows account if you don't have administrator access

If there is no access to the administrator account, we take a DVD or a USB flash drive with the installer of any version of Windows, or a Live disk with the ability to edit the operating system registry. We boot the computer from the removable device; in our case it is a flash drive for installing Windows 10. Important: starting from a removable device should be carried out only when the Windows 8.1 and 10 systems are rebooted. is loaded from a file previously saved on disk. We also need the kernel to boot with the changed registry settings.

At the first stage of installing Windows, press Shift + F10. We start the registry with the command line:

In the browse window, go to the root of the devices "This computer" and go to the Windows section. We have it designated as a drive (C: \), but the system drive can also be listed under a different letter. Here you need to be guided by the volume of the section. On the system partition, open the "Windows" folders, then - "System32", then - "config". Inside the latter, we need a SAM file, this is the so-called registry hive, we open it.

The loaded hive needs to be given a name; the name itself is unimportant. Let's call it 777.

Inside the registry key HKEY_LOCAL_MACHINE, we now observe a new branch 777. We expand the path inside it:

777 - SAM - Domains - Account - Users - Names

Find the name of your account in the "Names" folder. For example, we need the user Vasya. Let's see what is displayed in the registry panel on the right when Vasya is selected. We have a value of 0x3f8. We now look for the same value, only in a different format - with extra zeros in front and in capital letters - above, inside the "Users" folder.

If, after turning on the computer again, you see a message that Windows is locked and you need to transfer 3000 rubles in order to get an unlock number, then know a few things:

  • You are not alone - this is one of the most common types of malware (virus)
  • Do not send anything anywhere; you most likely will not receive a number. Not to a Beeline account, not to MTS, nor anywhere else.
  • Any text saying that a fine is due, threatening you with the Criminal Code, mentioning Microsoft security, and so on is nothing more than text invented by a would-be virus writer to mislead you.
  • It is quite simple to solve the problem and remove the Windows blocked window, now we will figure out how to do it.

Typical Windows lock window (not real, I drew it myself)

Hopefully the introduction was clear enough. One more, last point, to which I will draw your attention: you should not search the forums and on specialized antivirus sites for unlock codes - you are unlikely to find them. The fact that the window has a field for entering a code does not mean that such a code actually exists: usually scammers do not "bother" and do not provide for it (especially recently). So, if you have any version of Microsoft's OS - Windows XP, Windows 7, or Windows 8 - then you are a potential victim.

How to remove Windows locked

First of all, I'll show you how to do this manually. If you would like to use an automatic method to remove this virus, then skip to the next section. But I note that despite the fact that the automatic method is, in general, simpler, there may be some problems after removal - the most common of them - the desktop does not load.

Starting Safe Mode with Command Prompt

The first thing we need in order to remove the Windows blocked message is to enter Safe Mode with Windows Command Prompt support. To do this:

  • In Windows XP and Windows 7, immediately after turning on, start feverishly pressing the F8 key until a menu of alternative boot options appears and select the appropriate mode there. For some BIOS versions, pressing F8 will select the boot menu for devices. If this appears, select your primary hard drive, press Enter and at the same second start pressing F8.
  • Getting into Windows 8 Safe Mode can be tricky. The fastest way is to shut down the computer incorrectly. To do this, with the PC or laptop turned on and showing the lock window, press and hold the power button for 5 seconds, and it will turn off. After turning it on again, you should get to the window for choosing boot options, where you will need to find safe mode with command line support.

Enter regedit to launch Registry Editor

Once the Command Prompt has started, type regedit into it and press Enter. The registry editor should open, in which we will perform all the necessary actions.

First of all, in the Windows Registry Editor, go to the registry branch (tree structure on the left) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; it is here that viruses blocking Windows first of all place their records.

Shell - the parameter from which the "Windows is blocked" virus is most often started

Pay attention to the two registry settings - Shell and Userinit (in the right pane), their correct values, regardless of Windows version, are as follows:

  • Shell - value: explorer.exe
  • Userinit - value: c:\windows\system32\userinit.exe, (exactly with a comma at the end)

You will most likely see a slightly different picture, especially in the Shell parameter. Your task is to right-click on a parameter whose value is different from the desired one, select "Change" and enter the desired one (the correct ones are written above). Also, be sure to remember the path to the virus file, which is indicated there - we will delete it a little later.

There should not be a Shell parameter in Current_user

The next step is to go to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and pay attention to the same parameter Shell (and Userinit). They shouldn't be here at all. If they are, right-click and select "Delete".

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

And we make sure that none of the parameters in this section lead to the same files as Shell from the first paragraph of the instruction. If there are any, delete them. As a rule, file names are in the form of a set of numbers and letters with the extension exe. If there is something like this, delete.

Close the registry editor. The command line will be in front of you again. Enter explorer and press Enter - the Windows desktop will start.

Quickly navigate to hidden folders using the address bar of the explorer

Now go to Windows Explorer and delete the files that were listed in the registry keys we deleted. Typically, they are located deep in the Users folder and it is not easy to get to this location. The fastest way to do this is to specify the path to the folder (but not to the file, otherwise it will start) in the address bar of the explorer. Delete these files. If they are located in one of the "Temp" folders, then you can safely clean this folder of everything.

After all these steps have been completed, restart your computer (depending on the version of Windows, you may need to press Ctrl + Alt + Del).

Upon completion, you will get a working, normally starting computer - "Windows is locked" no longer appears. After the first launch, I recommend opening Task Scheduler (you can find it through the search in the Start menu or on the Windows 8 Start screen) and checking that there are no strange tasks there. Remove them if found.
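The registry checks from this section and from the earlier "Using Registry Editor in Safe Mode" section, as an added example that is not part of the original articles: a script that audits saved `reg query` output for the Winlogon and Run keys. The sample input is constructed, the function names and action labels are hypothetical, the expected Userinit value assumes Windows is installed on C:, and the "meaningless name" test is only a heuristic.

```python
import ntpath
import re

# Expected values as given on this page (assumes Windows is installed on C:).
EXPECTED = {"shell": "explorer.exe",
            "userinit": r"c:\windows\system32\userinit.exe,"}
KNOWN_GOOD = {"explorer.exe", r"c:\windows\system32\userinit.exe"}
WINLOGON = r"\microsoft\windows nt\currentversion\winlogon"
RUN_KEYS = (r"\microsoft\windows\currentversion\run",
            r"\microsoft\windows\currentversion\runonce")

# `reg query` prints a value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")
EXE_RE = re.compile(r'"?([^",]*?\.exe)', re.IGNORECASE)

# Constructed sample, not taken from a real machine.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\Vasya\AppData\Local\Temp\x7k2q9bd.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\Vasya\AppData\Local\Temp\x7k2q9bd.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    x7k2q9bd    REG_SZ    "C:\Users\Vasya\AppData\Local\Temp\x7k2q9bd.exe" /s
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("data").strip()
    return keys


def exe_paths(data):
    """All .exe paths in a value (Userinit may hold a comma-separated list)."""
    return [p.strip() for p in EXE_RE.findall(data)]


def looks_random(stem):
    """Heuristic: digits mixed into the name, or letters with almost no vowels."""
    stem = stem.lower()
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or not letters:
        return False
    digits = sum(c.isdigit() for c in stem)
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return digits >= 2 or vowel_ratio < 0.2


def suspicious_exe(path):
    low = path.lower()
    stem = ntpath.splitext(ntpath.basename(low))[0]
    return "\\temp\\" in low or "\\downloads\\" in low or looks_random(stem)


def audit(text):
    """Return (key, value_name, action, detail) findings for the checks on this page."""
    keys = parse_reg_query(text)
    findings, hijack_paths = [], set()
    for key, values in keys.items():              # pass 1: Winlogon Shell / Userinit
        low_key = key.lower()
        if not low_key.endswith(WINLOGON):
            continue
        for name, data in values.items():
            expected = EXPECTED.get(name.lower())
            if expected is None:
                continue
            wrong = data.lower() != expected
            if low_key.startswith("hkey_current_user"):
                findings.append((key, name, "delete", data))
            elif wrong:
                findings.append((key, name, "reset to " + expected, data))
            if wrong:                             # remember the file for pass 2
                hijack_paths.update(p.lower() for p in exe_paths(data)
                                    if p.lower() not in KNOWN_GOOD)
    for key, values in keys.items():              # pass 2: Run / RunOnce
        if not key.lower().endswith(RUN_KEYS):
            continue
        for name, data in values.items():
            for path in exe_paths(data):
                if path.lower() in hijack_paths:
                    findings.append((key, name, "delete (file named in Winlogon)", path))
                elif suspicious_exe(path):
                    findings.append((key, name, "review", path))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_QUERY):
        print(" | ".join(finding))
```

The input is the text printed by `reg query` for each of the four keys, saved to a file from the Safe Mode command prompt; entries reported as "review" are candidates for a manual look, not automatic deletion.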

Remove Windows blocked automatically using Kaspersky Rescue Disk

As I said, this way of removing Windows lock is a little easier. You will need to download Kaspersky Rescue Disk from the official website http://support.kaspersky.com/viruses/rescuedisk#downloads from a working computer and write the image to a disk or a bootable USB flash drive. After that, you need to boot from this disk on the locked computer.

After booting from Kaspersky Rescue Disk, you will first see a prompt to press any key, and then the choice of language. We choose the one that is more convenient. The next step is the license agreement, in order to accept it, you need to press 1 on the keyboard.

Kaspersky Rescue Disk menu

The Kaspersky Rescue Disk menu will appear. Select Graphics Mode.

Virus scan settings

After that, a graphical shell will start, in which you can do a lot of things, but we are interested in fast unlocking of Windows. Check the boxes "Boot sectors", "Hidden startup objects", and at the same time you can check the C: drive (the check will take much longer, but it will be more effective). Click Check Now.

After the check is complete, you can look at the report and see what exactly was done and what the result is - usually, to remove the Windows lock, such a check is enough. Click Exit and then shut down your computer. After shutdown, remove the Kaspersky disk or USB flash drive and turn on the PC again - Windows should no longer be locked and you can return to work.

Today we are going to introduce you to another computer virus - Windows Blocked, which is also known as Windows Blocked ransomware. This threat is not ransomware, nor does it encrypt the victim's files. However, it locks the victim's computer and asks them to pay if they want to access the computer again. By blocking the computer, it prevents the user from using programs or files that are stored on it. It also displays a full-screen message that says the computer user must pay a ransom to start using the computer again.

The Windows Blocked virus asks the victim to buy a top-up card worth 400-600 rubles and enter the code of the criminals in the provided field. Cybercriminals promise to unlock the computer as soon as the victim pays the ransom. The virus says that payment must be made within 10 hours, otherwise the computer system will be damaged. However, don't even start looking for your wallet, because it is quite possible to access your computer without money. All you need to do is remove the Windows Blocked virus from your system.

It is recommended to remove this virus using software because it is very difficult to detect and remove this virus manually. This virus usually names its files differently, so that users will not be able to quickly identify and remove it. All we know is where the virus writes its files. It saves them to the Downloads or Temp folder, but in order to enter these folders, you need to restart your computer and enter Safe Mode. You can find detailed instructions on how to remove Windows locked on page 2.

How can a blocked Windows malware enter your PC?

The Windows Blocked virus can be downloaded from the official website or malware website. Cybercriminals prefer to use click attacks and place harmful links in low-suspicious content, so if you have the slightest suspicion that the ad, link or button you are about to click on could lead you to dangerous websites, do not click on them. ... In order to protect your computer from malware, you must protect it with an anti-spyware tool like.

Malicious files are also distributed via email. The 2-Spyware team strongly recommends that users watch out for emails that come from unknown persons, especially if they offer to open attachments. Scammers also tend to send intrusive emails, and if you want to block them, create a filter for emails rather than clicking the “Unsubscribe” button in the provided message. Criminals tend to inject malicious attachments behind this button.

If Windows Blocked Trojan has already infiltrated your computer, please follow the Windows Blocked Removal Instructions provided on page 2 and eliminate it from your PC as soon as possible.

How to Remove Windows Blocked Virus?

You shouldn't be afraid of Windows blocked threats, and don't rush to pay it, because this virus can be taken out of service in a fairly simple way. Since this virus does not encrypt files, but only blocks access to them, it is not dangerous, because by removing this virus, you can restore access to files back. Please use the Windows Blocked instruction below and remove this threat from your computer. To prevent computer threats that can infect your computer, we recommend that you install a powerful security tool. For this reason, we recommend installing the SpyHunter antivirus tool. Do not forget to regularly update the software, because only in this way it will be able to identify and eliminate the latest version of the harmful threat.

Surely, every fourth user of a personal computer has encountered various fraudulent activities on the Internet. One of the types of deception is a banner that blocks Windows and requires you to send SMS to a paid number or requires cryptocurrency. In fact, it is just a virus.

To fight a ransomware banner, you need to understand what it is and how it gets into your computer. Usually a banner looks like this:

There may be all sorts of other variations, but the essence is the same: the crooks want to make money off you.

Ways of getting the virus into the computer

The first variant of "infection" is pirated applications, utilities, games. Of course, Internet users are accustomed to getting most of what they want on the network "for free", but when downloading pirated software, games, various activators and other things from suspicious sites, we run the risk of getting infected with viruses. In this situation, it usually helps.

Windows may be blocked because of a downloaded file with the extension ".exe". This does not mean that you need to refuse to download files with this extension. Just remember that ".exe" can only apply to games and programs. If you download a video, song, document or picture, and its name ends in ".exe", then the chance of the ransomware banner appearing rises sharply to 99.999%!

There is also a trick involving a supposed need to update the Flash player or browser. While browsing from page to page, you may one day see a message that "your Flash player is outdated, please update." If you click on this banner and it does not lead you to the official website adobe.com, then it is 100% a virus. Therefore, check before clicking the "Update" button. The best option is to ignore such messages altogether.

Last but not least, missing Windows updates weaken the protection of the system. To keep your computer protected, try to install updates on time. This can be set to automatic mode in Control Panel -> Windows Update so that you are not distracted.

How to unlock Windows 7/8/10

One of the simplest options to remove ransomware banner is. It helps 100%, but it makes sense to reinstall Windows when you do not have important data on the "C" drive that you did not have time to save. When you reinstall the system, all files will be deleted from the system disk. Therefore, if you have no desire to reinstall software and games, then you can use other methods.

After disinfection and successful launch of the system without the ransomware banner, you need to take additional steps, otherwise the virus may emerge again, or there will simply be some problems in the system's operation. All this is at the end of the article. All information is verified by me personally! So, let's begin!

Kaspersky Rescue Disk + WindowsUnlocker will help us!

We will use a specially designed operating system. The whole difficulty is that on a working computer you need to download an image and or (scroll through the articles, there is).

When it's ready, you need it. At the time of launch, a small message will appear, such as "Press any key to boot from CD or DVD". Here you need to press any button on the keyboard, otherwise the infected Windows will start.

When loading, press any button, then select the language - "Russian", accept the license agreement using the "1" button and use the launch mode - "Graphic". After starting the operating system of Kaspersky, do not pay attention to the automatically launched scanner, but go to the "Start" menu and launch "Terminal".


A black window will open, where we write the command:

windowsunlocker

A small menu will open:


Select "Unblock Windows" with the "1" button. The program will check and fix everything itself. Now you can close the window and check, with the already running scanner, the entire computer. In the window, put a check mark on the disk with Windows OS and click "Run object scan"


We wait for the check to finish (it may take a long time) and, finally, reboot.

If you have a laptop without a mouse, and the touchpad does not work, then I suggest using the text mode of the Kaspersky disk. In this case, after starting the operating system, you must first close the menu that opens with the "F10" button, then enter the same command in the command line: windowsunlocker

Unlock in safe mode, no special images

Today, viruses like Winlocker have grown wiser and block Windows from booting in safe mode, so most likely you will not succeed, but if there is no image, then try it. Viruses differ, and different methods may work in each case, but the principle is the same.

We reboot the computer. During boot, press the F8 key repeatedly until the Windows Advanced Boot Options menu appears. Use the "down" arrow to select the item called "Safe Mode with Command Prompt" from the list.

This is where we need to go and select the required line:

Further, if all goes well, the computer will boot up and we will see the desktop. Fine! But this does not mean that everything works now. If you don't remove the virus and just reboot in normal mode, the banner will pop up again!

Treating the system with Windows tools

You need to restore the system to a point when there was no blocker banner yet. Read the article carefully and do everything that is written there. There is a video under the article.

If it doesn't help, then press the "Win + R" buttons and write the command in the window to open the registry editor:

regedit

If, instead of the desktop, a black command line is launched, then simply enter the "regedit" command and press "Enter". We have to check some registry keys for virus programs, or to be more precise, for malicious code. To start this operation, follow this path:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Now, in order, we check the following values:

  • Shell - "explorer.exe" must be written here, there should be no other options
  • Userinit - here the text should be "C:\Windows\system32\userinit.exe,"

If the OS is installed on a different drive than C:, then the letter there will be different accordingly. To change the wrong values, right-click on the line you want to edit and select "Modify":

Then we check:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

There shouldn't be any Shell and Userinit values here at all; if there are, we delete them.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

And also be sure to check:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If you are not sure whether it is necessary to delete the key, you can simply add one “1” to the parameter first. The path will fail, and this program simply won't start. Then it will be possible to return it as it was.
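
The manual registry checks above can also be run as a read-only audit. The PowerShell script below is an added example, not part of the original article: the helper name Get-RegValue is hypothetical, the Windows drive is taken from the SystemRoot environment variable, and the Temp/Downloads flag is a heuristic based on the article's remark about where this malware saves its files.

```powershell
# Added example: read-only audit of the autostart values this section checks by hand.
# Nothing is changed; review every "REVIEW" line before editing anything in regedit.
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKeys  = 'Software\Microsoft\Windows\CurrentVersion\Run',
            'Software\Microsoft\Windows\CurrentVersion\RunOnce'
# Expected HKLM values as given in the article (drive letter comes from SystemRoot).
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

# Hypothetical helper: returns the value data, or $null if the key or value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $Name)) { return $key.GetValue($Name) }
    return $null
}

# 1. HKLM Winlogon: Shell and Userinit must match the expected strings.
foreach ($name in $expected.Keys) {
    $actual = Get-RegValue "HKLM:\$winlogon" $name
    $state  = if ($actual -eq $expected[$name]) { 'OK    ' } else { 'REVIEW' }
    "{0} HKLM Winlogon {1} = '{2}'" -f $state, $name, $actual
}

# 2. HKCU Winlogon: neither value should exist at all.
foreach ($name in $expected.Keys) {
    $actual = Get-RegValue "HKCU:\$winlogon" $name
    if ($null -ne $actual) {
        "REVIEW HKCU Winlogon {0} = '{1}' (should be absent)" -f $name, $actual
    }
}

# 3. Run / RunOnce in both hives: list every entry, flag Temp or Downloads paths.
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in $runKeys) {
        $key = Get-Item -LiteralPath "${hive}:\$sub" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $cmd   = [string]$key.GetValue($name)
            $state = if ($cmd -match '\\(Temp|Downloads)\\') { 'REVIEW' } else { 'listed' }
            "{0} {1}\{2}: {3} = {4}" -f $state, $hive, (Split-Path $sub -Leaf), $name, $cmd
        }
    }
}
```

An entry marked "listed" is not cleared as safe; it only means the command does not point into a Temp or Downloads folder, so each one still needs a look.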

Now you need to run the built-in disk cleanup utility; start it the same way as the registry editor "regedit", but type:

cleanmgr

We select the disk with the operating system (by default C:) and after scanning we mark all the checkboxes, except for "Service Pack Backup Files".

And we press "OK". By this action, we may have disabled the autostart of the virus; next we need to clean up the traces of its presence in the system, which is covered at the end of the article.

AVZ utility

The method is to run the well-known antivirus utility AVZ in safe mode. In addition to scanning for viruses, the program has a lot of functions for correcting system problems. This method repeats the steps for patching up holes in the system after the virus has run, so to get acquainted with it, go to the next item.

Fixing problems after removing ransomware

Congratulations! If you are reading this, then the system started without a banner. Now you need to check the whole system with them. If you used the Kaspersky rescue disk and checked it there, then you can skip this item.

There may also be another nuisance associated with the villain's activities - a virus can encrypt your files. And even after completely removing it, you simply won't be able to use your files. To decrypt them, you need to use programs from the Kaspersky website: XoristDecryptor and RectorDecryptor. There is also an instruction for use.

But that's not all, because the winlocker most likely has messed with the system, and various glitches and problems will be observed. For example, Registry Editor and Task Manager will not start. To treat the system, we will use the AVZ program.

When downloading with Google Chrome, there may be a problem: this browser considers the program to be malicious and will not let you download it! This issue has already been raised on the official Google forum, and at the time of this writing, everything is already OK.

To still download the archive with the program, you need to go to "Downloads" and there click "Download malicious file" 🙂 Yes, I understand that it looks a little silly, but apparently Chrome thinks that the program can harm an ordinary user. And it's true if you poke there wherever you hit! Therefore, we strictly follow the instructions!

We unpack the archive with the program, write it to external media and run it on the infected computer. Go to the menu "File -> System Restore", mark the checkboxes as in the picture and perform the operations:

Now we go along the following path: "File -> Troubleshooting Wizard", then go to "System problems -> All problems" and click on the "Start" button. The program will scan the system, and then in the window that appears, set all the checkboxes except "Disable operating system updates in automatic mode" and those that begin with the phrase "Allowed autorun from ...".

We click on the button "Fix the marked problems". After successful completion, go to: "Browser settings and tweaks -> All problems", here we set all the checkboxes and in the same way click on the "Fix the marked problems" button.

We do the same with "Privacy", but here do not check the boxes that are responsible for cleaning bookmarks in browsers and what else you think you need. We finish the check in the sections "Cleaning the system" and "Adware / Toolbar / Browser Hijacker Removal".

Finally, close the window without leaving AVZ. In the program we find "Tools -> Explorer Extension Editor" and remove the check marks from those items that are marked in black. Now go to: "Tools -> Internet Explorer Extension Manager" and completely erase all lines in the window that appears.

Above, I have already said that this section of the article is also one of the ways to treat Windows from the ransomware banner. So, in this case, you need to download the program on a working computer and then write it to a USB flash drive or disk. We carry out all actions in safe mode. But there is another option to launch AVZ, even if Safe Mode does not work. You need to start from the same menu when the system boots, in the "Troubleshoot computer" mode.

If you have it installed, it will be displayed at the very top of the menu. If it is not there, then try to start Windows before the banner appears and turn off the computer from the outlet. Then turn it on - a new startup mode may be offered.

Run from the Windows installation disc

Another surefire way is to boot from any Windows 7-10 installation disk and select there not "Installation", but "System Restore". When the troubleshooter is running:

  • You need to select "Command line" there
  • In the appeared black window, write: "notepad", i.e. launch a regular notepad. We will use it as a mini-guide.
  • Go to the menu "File -> Open", select the file type "All files"
  • Next, find the folder with the AVZ program, right-click on the executable file "avz.exe" and launch the utility using the "Open" menu item (not the "Select" item!).

If all else fails

This refers to cases when, for some reason, you cannot boot from a USB flash drive with a recorded image of Kaspersky or the AVZ program. You just have to take the hard drive out of the computer and connect it as a second drive to a working computer. Then boot from a NON-INFECTED hard disk and scan YOUR disk with a Kaspersky scanner.

Never send SMS messages requested by scammers. Whatever the text, don't send messages! Try to avoid suspicious sites and files, and generally read. Follow the instructions and then your computer will be safe. And don't forget about antivirus and regular operating system updates!
