Perhaps one of the most popular problems that computer repair users encounter is removing a banner from the desktop. The so-called banner is, in most cases, a window that appears before (instead of) loading the Windows XP or Windows 7 desktop and informs that your computer is locked and in order to receive an unlock code you need to transfer 500, 1000 rubles or another amount to a specific phone number or electronic wallet. You can almost always remove a banner yourself, which we’ll talk about now.
Please do not write in the comments: “What is the code for the number 89xxxxx.” All services that suggest unlock codes by numbers are well known and this is not what this article is about. Keep in mind that in most cases there are simply no codes: the person who created this malicious program is only interested in getting your money, and providing an unlock code in the banner and a way to transfer it to you is extra work that is unnecessary for him.
The site where the unlock codes are presented is available in another article about how to remove the banner.
Types of SMS ransomware banners
I came up with this classification of banner types myself, to make it easier for you to navigate these instructions, because they consist of several methods for removing banners and unlocking the computer, ranging from the simplest one, which works in most cases, to more complex ones that are nevertheless sometimes required. Roughly speaking, such banners look like this:
So, my classification of ransomware banners:
- Simple - just remove some registry keys in safe mode
- Slightly more complex ones - these also run in safe mode. They can still be treated by editing the registry, but you will need a LiveCD
- Making changes to the MBR of the hard drive (discussed in the last part of the instructions) - appear immediately after the BIOS diagnostic screen before Windows starts loading. Removed by restoring the MBR (hard disk boot area)
Removing a banner in safe mode by editing the registry
This method works in the vast majority of cases, so try it first. We will need to boot into Safe Mode with Command Prompt. To do this, immediately after turning on the computer, repeatedly press the F8 key until the boot options menu appears, as in the picture below.
In some cases, the computer's BIOS may respond to the F8 key by displaying its own menu. In this case, press Esc to close it and press F8 again.
Select “Safe Mode with Command Prompt” and wait until the boot completes, after which you will see a command prompt window. If your Windows has several user accounts (for example, Administrator and Masha), then when prompted during boot, select the user account under which the banner appeared.
At the command prompt, type regedit and press Enter. The Registry Editor will open. On the left side of the Registry Editor you will see a tree of sections (keys), and when you select a specific section, the names of its parameters (values) and their data are shown on the right. We will look for those parameters whose values have been changed by the so-called virus that causes the banner to appear. They are always written to the same sections. So, here is a list of parameters whose values need to be checked and corrected if they differ from those given below:
Section: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. This section should not contain any parameters named Shell or Userinit. If they exist, delete them. Before deleting, note which files these parameters point to: those files are the banner.
Section: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. In this section, you need to make sure that the value of the Shell parameter is explorer.exe, and the Userinit parameter is C:\Windows\system32\userinit.exe, (exactly like that, with a comma at the end).
In addition, you should look at the sections:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and the same section under HKEY_CURRENT_USER. These sections list programs that start automatically when the operating system starts. If you see some unusual file that is unrelated to the programs that genuinely start automatically, and it is located at a strange path, feel free to delete that parameter.
After this, exit the Registry Editor and restart your computer. If everything was done correctly, then Windows will most likely be unlocked after a reboot. Don't forget to delete malicious files and scan your hard drive for viruses just in case.
Using System Restore
This option is good if you have this function enabled. If System Restore was disabled, proceed to the next step.
To remove the banner from the desktop using System Restore, press F8 repeatedly while the computer is booting. If a list of devices from which booting is possible appears, select your drive (hard drive or SSD) and continue pressing F8. You should see a screen similar to the picture below. Select the troubleshooting option (“Repair Your Computer” in the English version of Windows 7), which is highlighted by default.
A window will load where you need to select a language, then a user. Next there will be a window with a choice of several recovery options. Choose System Restore. Then select a restore point and return the computer to that point in time. First, take the nearest restore point; if that doesn’t help, restore to an earlier one.
You can read more about how to use System Restore here.
Safe mode is also locked
In this case, you will have to use some kind of LiveCD. One option is Kaspersky Rescue or DrWeb CureIt. However, they don't always help. My recommendation is to have a boot disk or flash drive with a collection of programs for all occasions, such as Hiren's Boot CD, RBCD and others. Among other things, these disks contain a tool called Registry Editor PE, a registry editor that lets you edit the registry of the installed Windows while booted into Windows PE. Otherwise, everything is done in the same way as described earlier.
There are other utilities for editing the registry without booting the operating system, such as Registry Viewer/Editor, also available on Hiren's Boot CD.
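The following PowerShell script is an added example (it is not from the original article, nor part of Hiren's Boot CD or any other tool named here). It performs the registry checks described in the safe-mode section: the Shell and Userinit values under both Winlogon keys, and autorun entries in the Run keys that start from user-writable locations. It only reports; deleting the values and the files they point to is left to you, as the article describes. On Windows 7 it can be run by typing powershell at the safe-mode command prompt. Windows XP does not ship PowerShell, so there, and whenever safe mode is also locked, the same checks can be run from a WinPE/LiveCD session after loading the offline hives with reg load, as shown in the comments. The script name, the parameter names and the list of “suspicious” directories are my assumptions.

```powershell
# Added example, not code from the original article. Reports registry values
# typically changed by desktop-locking "banner" programs; it deletes nothing.
#
# Assumed usage on the live system (safe mode, elevated prompt):
#   powershell -ExecutionPolicy Bypass -File .\Find-BannerPersistence.ps1
# Assumed usage from WinPE / LiveCD with the infected system's hives loaded
# (D: is the infected system drive here; adjust the user profile path):
#   reg load HKLM\OffSoft D:\Windows\System32\config\SOFTWARE
#   reg load HKU\OffUser  D:\Users\Masha\NTUSER.DAT
#   .\Find-BannerPersistence.ps1 -SoftwareRoot 'HKLM:\OffSoft' `
#       -UserRoot 'Registry::HKEY_USERS\OffUser\Software'
param(
    [string]$SoftwareRoot = 'HKLM:\SOFTWARE',   # machine hive (HKLM or a loaded offline hive)
    [string]$UserRoot     = 'HKCU:\Software'    # user hive (HKCU or a loaded NTUSER.DAT)
)

# Stock values from the article; the trailing comma in Userinit is normal.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}
# Regexes for user-writable locations from which a legitimate autorun rarely
# starts. Heuristic (assumption): review every hit by hand before deleting.
$suspiciousDirs = '\\Temp\\', '\\AppData\\', '\\Documents and Settings\\', '\\ProgramData\\', '\\Users\\'
# Provider metadata that Get-ItemProperty attaches to every result.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Key, $Name, $Data, $Reason) {
    $findings.Add((New-Object PSObject -Property @{ Key = $Key; Value = $Name; Data = $Data; Reason = $Reason }))
}

$machineWinlogon = Join-Path $SoftwareRoot 'Microsoft\Windows NT\CurrentVersion\Winlogon'
$userWinlogon    = Join-Path $UserRoot     'Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. HKLM Winlogon: Shell and Userinit must hold the stock values.
$props = Get-ItemProperty -Path $machineWinlogon -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = [string]$props.$name
    if ($actual -and $actual.Trim() -ne $expected[$name]) {   # -ne is case-insensitive
        Add-Finding $machineWinlogon $name $actual "expected '$($expected[$name])'"
    }
}

# 2. HKCU Winlogon: a per-user Shell or Userinit should not exist at all.
$props = Get-ItemProperty -Path $userWinlogon -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    if ($props -and $props.PSObject.Properties[$name]) {
        Add-Finding $userWinlogon $name $props.$name 'per-user override; should not exist'
    }
}

# 3. Run keys (machine and user): flag autoruns starting from user-writable paths.
foreach ($root in $SoftwareRoot, $UserRoot) {
    $runKey = Join-Path $root 'Microsoft\Windows\CurrentVersion\Run'
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        foreach ($dir in $suspiciousDirs) {
            if ($cmd -match $dir) {
                Add-Finding $runKey $p.Name $cmd "autorun from user-writable path ($dir)"
                break
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Winlogon and Run keys look clean.'
} else {
    $findings | Format-Table Key, Value, Data, Reason -AutoSize -Wrap
}
```

Each reported line names the key, the value and the data it currently holds, which is exactly what you need to write down before removing the entry in regedit and then deleting the file it points to. A clean result does not prove the machine is clean: a banner of the third kind lives in the MBR, not in the registry, and is handled by the boot-record section below.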
How do desktop blocking banners look and work?
A banner is nothing more than a program installed on your computer. The program blocks the Windows graphical shell and disables the keyboard, and without these two elements the user cannot do absolutely anything: neither call the task manager, nor open Start. Remember that the user is always the initiator of the installation of this program:
- It is possible that you downloaded some program you needed, started installing it, but it turned out to be not it at all.
- Or you were looking for a movie online, and the site told you that you need to update the Flash player, and without hesitation you started downloading some unknown “Flash player”.
Banners look something like this, but there are other varieties. The principles of “treatment” are the same for everyone.
Banner requiring you to top up your mobile phone balance
Banner requiring you to send an SMS to a short paid number
Let's try to figure out step by step how to get rid of a viral banner blocking your desktop.
How to remove a banner in the boot area of your hard drive
The last and most unpleasant option is a banner (although it’s hard to call it that, it is more like a screen) which appears even before Windows starts loading, immediately after the BIOS screen. You can remove it by restoring the MBR (the hard disk boot record). This can also be done using a LiveCD such as Hiren's Boot CD, but that requires some experience with hard drive partition recovery and an understanding of the operations involved. There is a slightly simpler way. All you need is the installation CD of your operating system. That is, if you have Windows XP, you will need a Win XP disk; if Windows 7, a Windows 7 disk (although a Windows 8 installation disk will also work here).
Removing the boot banner in Windows XP
Boot from the Windows XP installation CD and, when you are prompted to launch the Windows Recovery Console (not the automatic F2 repair, but the console, launched with the R key), launch it, select your copy of Windows, and enter two commands: fixboot and fixmbr (the first, then the second), confirming each (enter the Latin letter y and press Enter). After this, reboot your computer (this time not from the CD).
Recovering boot record in Windows 7
It is done in almost the same way: insert the Windows 7 boot disk and boot from it. First, you will be asked to select a language, and on the next screen at the bottom left there will be a “Repair your computer” (System Restore) option, which you should select. You will then be asked to choose one of several recovery options. Launch Command Prompt and run the following two commands in order: bootrec.exe /FixMbr and bootrec.exe /FixBoot. After restarting the computer (from the hard drive), the banner should disappear. If the banner continues to appear, run the command prompt from the Windows 7 disk again and enter the command bcdboot.exe c:\windows, where c:\windows is the path to the folder in which Windows is installed. This will restore correct booting of the operating system.
Extreme measures
But that's not all. To get rid of a pop-up banner in a browser, some people are ready to go to extreme measures. Usually it does not come to that, but such situations cannot be ruled out either. What does this involve?
To get rid of any virus in the browser, you can simply uninstall the web browser together with all its user data. By reinstalling (not to be confused with updating) the software, you get a working browser again. Before uninstalling, it is better to make a copy of your bookmarks, if you have any.
In some cases, the operating system starts working again after a rollback (System Restore). The operation is carried out using standard Windows tools. You can find the required item under “Start” - “All Programs” - “Accessories” - “System Tools”. Following the on-screen instructions, the “victim” will have the system restored in a few minutes.
The last way to get rid of banners and viruses in general is to completely reinstall Windows. It requires an installation disk. During the operation, it is recommended to completely format the hard drive of the “machine”. This is the only way to 100% get rid of all existing computer infections.
More ways to remove a banner
Personally, I prefer to remove banners manually: in my opinion, it’s faster and I know exactly what will work. However, from almost all antivirus manufacturers you can download a CD image from their website, after booting from which the user can also remove the banner from the computer. In my experience, these disks do not always work, however, if you are too lazy to understand registry editors and other similar things, such a recovery disk can be very useful.
In addition, on antivirus websites there are also forms in which you can enter the phone number to which you are asked to send money and, if there are blocking codes for this number in the database, they will be communicated to you free of charge. Beware of sites where they ask you to pay for the same thing: most likely, the code you receive there will not work.
Where does the banner blocker come from?
On unfamiliar sites, while browsing, a pop-up may suddenly appear prompting the user to update or download Flash Player. Without such a program the computer seems far less useful, so the person agrees to the prompt. As a result, no player is downloaded; a ransomware banner appears instead. You can avoid falling into such a trap by downloading software only from the developers' official sites.
Using pirated programs
To crack Windows or a video game, people use cracks, keys and patches, and the “Windows blocked” banner often comes along with all this “goodness”. Experts recommend using only licensed products, and if you have already resorted to piracy, at least look at the torrent statistics and read the reviews.
Banner infections occur using different methods.
Self-installation of viral advertising
Searching for material on the Internet can get complicated: when writing a term paper, a student downloads dozens of abstracts and electronic versions of books and magazines. Most of these files come packed in an archive, and the user receives a virus along with the abstract, or even instead of it.
A new task arises: how to remove the ransomware banner? To open the downloaded data, scammers offer to install special software. During installation, a license agreement appears (which nobody reads before accepting all the terms) containing permission for advertising. It turns out that the user himself allowed the virus to live on his computer. The antivirus should always be running and detecting such pests.
OS security weaknesses
Vulnerabilities in operating systems and browsers are actively exploited by pests. Therefore, all frequently used programs must be updated regularly, because when a banner appears that is very hard to get rid of, the computer owner himself is usually at fault. Sometimes users disable the security software to carry out some configuration and then forget to turn it back on. Viruses quickly find such weak spots, and removing the banner from the computer is then no longer easy.