If you use the Internet, sooner or later you may encounter malicious programs that can damage the contents of your computer, and installed antivirus software is not always able to protect against them. One widespread type is the ransomware banner: a window claiming that the user has been found to have violated the law and that, to avoid consequences, a certain amount of money must be transferred to the specified phone number.
Instructions
Step 1
Such a banner may appear before or immediately after the operating system boots, and it blocks Windows functions. Under no circumstances should you transfer money to the scammer's account; this will not help get rid of the banner. The first and easiest way is to use Kaspersky WindowsUnlocker, a free utility from the antivirus vendor Kaspersky. It is available on the manufacturer's website and is not difficult to use. However, this method will not always help.
Step 2
The safest way is to clean the registry yourself. Start the operating system in Safe Mode, making sure to choose the option with Command Prompt. In the command line that appears, enter the regedit command and press Enter. The left part of the Registry Editor window contains a list of keys; the right part displays the names and values of the parameters of the selected key. Check the following keys one after another and, if necessary, modify them:
1) HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Here, remove the Shell and Userinit parameters if they are present. It is worth noting the path of the file these parameters refer to (this is the banner) and removing that file from the hard disk.
2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The Shell parameter should be explorer.exe and Userinit should be C:\Windows\system32\userinit.exe with a trailing comma. Correct them if necessary.
3) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
In these keys, check the list of programs launched automatically after the operating system starts. As a rule, these programs will be very familiar, and it will not be difficult to distinguish a regular program from a suspicious one. You can safely delete the parameters; this only affects the number of automatically loaded programs. The more unknown parameters are removed, the more likely it is that the malicious banner will be removed. The same action also affects the loading speed of the operating system: the fewer programs, the faster it loads.
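The checks from Step 2 can also be collected in one read-only pass before anything is edited in regedit. The PowerShell script below is an added example, not part of the original instructions; it assumes PowerShell is available on the system and Windows is installed in C:\Windows, and the helpers Get-RegValue and New-Finding are hypothetical names.

```powershell
# Read-only audit of the registry locations listed in Step 2; nothing is modified.
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$run      = 'Software\Microsoft\Windows\CurrentVersion\Run'
# Expected HKLM values as stated in the article (assumes Windows is in C:\Windows).
$expected = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }

# Hypothetical helper: returns $null when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null)
}

# Hypothetical helper: one row of the report.
function New-Finding($Key, $Name, $Value, $Note) {
    [pscustomobject]@{ Key = $Key; Name = $Name; Value = $Value; Note = $Note }
}

$findings = @()

# 1) HKCU Winlogon: Shell and Userinit should not be present at all.
foreach ($name in 'Shell', 'Userinit') {
    $value = Get-RegValue "HKCU:\$winlogon" $name
    if ($null -ne $value) {
        $findings += New-Finding "HKCU\$winlogon" $name $value 'should be absent'
    }
}

# 2) HKLM Winlogon: compare with the expected values (-ne ignores case).
foreach ($name in $expected.Keys) {
    $value = Get-RegValue "HKLM:\$winlogon" $name
    if ($value -ne $expected[$name]) {
        $findings += New-Finding "HKLM\$winlogon" $name $value "expected $($expected[$name])"
    }
}

# 3) Run keys: list every autostart entry for manual review.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = Get-Item -LiteralPath "${hive}:\$run" -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $findings += New-Finding "$hive\$run" $name $key.GetValue($name) 'autostart entry: review'
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Rows from checks 1 and 2 point at the file the banner is launched from; rows from check 3 are only a list to review, not a verdict.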
Step 3
After cleaning the registry, you should restart your computer. If everything is done correctly, the banner will not appear.
Step 4
If the banner is loaded before Windows starts, the virus has written itself into the boot area of the disk, and the boot area must be restored. This requires an installation disc for your operating system. Boot from it, select the option to recover using the console (R key), then select the copy of Windows and enter the commands: first fixboot and confirm (enter the Latin letter y), then fixmbr and confirm. After the boot area repair is complete, restart the computer from the hard drive. The problem should be resolved.