Windows is blocked
Windows is blocked - what should you do, and how do you get rid of the banner? Do not panic and do not rush the computer to a service center: below are several ways to remove a ransomware banner from Windows 7, prepared so that you can do it yourself.
This family of malware (a "winlocker") blocks the system almost completely: Safe Mode, Task Manager and other functions are unavailable. A full-screen message demands that the owner pay, through a payment terminal or a premium SMS, after which the banner will supposedly disappear. It will not: paying does not unlock the computer. Do not send money to anyone.
This plague has done a great deal of harm to ordinary users, and its authors have no doubt earned well from it. The malware is also improved constantly, which makes it more dangerous. The claim sometimes made that only unlicensed copies of Windows are affected is not true: regular updates reduce exposure, but the banner is usually installed by an executable the user runs, and a patched, licensed copy of Windows runs it just as readily. The locker is also more complex than typical malware. It is not merely registered in startup; it hooks in much deeper, so it works in Safe Mode and even when only drivers and services are loaded, and getting the machine back to a working state is a real job.
This article covers removing the locker and the problems that can remain afterwards (an empty desktop, for example).
The methods described suit almost all modifications of this family. Let us go through them.
Solving the system lock problem
Method 1. Unlock codes
The Dr.Web site publishes unlock codes (https://www.drweb.com/xperf/unlocker/). Pick the screenshot that matches your banner and the site shows the code. You can also enter the phone number the banner tells you to send money to, click "find" and get the matching code. The code only dismisses the banner; the malware itself is still on the disk, so once the desktop is back, scan the computer with a regular antivirus. The case where the desktop is empty after unlocking is covered at the end.
Method 2. Using the AVZ utility
1. You need a second, clean computer and a CD or a flash drive.
2. Download AVZ on the clean computer and copy it to the removable media.
3. Start the infected computer and press F8 at the very beginning of the boot to open the boot options menu. Choose "Safe Mode with Command Prompt".
4. If all goes well, a command prompt appears after the system boots.
5. Insert the removable media.
6. Type explorer at the prompt and press Enter.
7. The familiar "My Computer" window should appear.
8. Open the flash drive or disc and run avz.exe.
9. Go to "File" - "Troubleshooting Wizard", then "System problems" - "All problems", and click "Start". Check every box except "Automatic system updates are disabled" and the ones that begin with "Allow autorun from...". Click "Fix noted problems".
10. Do the same for "Browser settings and tweaks" - "All problems": check every box and click "Fix noted problems".
11. Then choose "All problems" in the "Privacy" section and fix everything listed there as well.
12. Close the wizard but stay in AVZ. Open "Tools" - "Explorer Extensions Manager" and uncheck every item shown in black.
13. Open "Tools" - "IE Extensions Manager" and delete every line in the list.
14. Reboot. If the banner is gone, finish by cleaning the machine with a regular antivirus.
If this does not solve the problem, use one of the methods below, or start AVZ the same way and run a full scan with it.
Method 3. Using an AVZ script
1. You need a second, clean computer and a CD or a flash drive.
2. Download AVZ on the clean computer and copy it to the removable media.
3. Start the infected computer and press F8 at the very beginning of the boot to open the boot options menu. Choose "Safe Mode with Command Prompt".
4. If all goes well, a command prompt appears after the system boots.
5. Insert the removable media.
6. Type explorer at the prompt and press Enter.
7. The familiar "My Computer" window should appear.
8. Open the flash drive or disc and run avz.exe.
9. In the program window open the "File" menu and choose "Run script".
10. Paste the following script into the window. It quarantines and then deletes the listed files and browser helper objects, empties the IE cache folder and reboots. The file names and folders come from one particular infected machine (the profile paths are the Windows XP layout under C:\Documents and Settings), so treat it as a template and substitute the paths of the files that AVZ's scan or log shows as suspicious on your own computer.
begin
// Look for rootkit hooks first, then lock the system against interference while the script runs
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// Copy every suspect file to quarantine before deleting anything, so a false positive can be restored
QuarantineFile('C:\Documents and Settings\Your_Account\Local Settings\Temporary Internet Files\Content.IE5\FNM62GT9\lexa2[1].exe','');
QuarantineFile('C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe','');
QuarantineFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll','');
DelBHO('{638E9359-625E-4E8A-AA5B-824654C3239B}');
DelBHO('{1A16EC86-94A1-47D5-A725-49F5970E335D}');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\zsglib.dll','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\phnlib.dll','');
QuarantineFile('Explorer.exe csrcs.exe','');
QuarantineFile('C:\WINDOWS\System32\drivers\68ed4e7b.sys','');
// Now delete the quarantined files and the remaining malicious Browser Helper Objects
DeleteFile('C:\WINDOWS\System32\drivers\68ed4e7b.sys');
DeleteFile('Explorer.exe csrcs.exe');
DeleteFile('C:\Documents and Settings\All Users\Application Data\phnlib.dll');
DeleteFile('C:\Documents and Settings\All Users\Application Data\zsglib.dll');
DeleteFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll');
DeleteFile('C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe');
DeleteFile('C:\Documents and Settings\Your_Account\Local Settings\Temporary Internet Files\Content.IE5\FNM62GT9\lexa2[1].exe');
DelBHO('{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}');
DelBHO('{3041d03e-fd4b-44e0-b742-2d9b88305f98}');
DelBHO('{201f27d4-3704-41d6-89c1-aa35e39143ed}');
DelCLSID('{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}');
// Empty this account's IE cache folder (recursive)
DeleteFileMask('C:\Documents and Settings\Your_Account\Local Settings\Temporary Internet Files\Content.IE5', '*.*', true);
// Files locked while Windows runs are deleted by the Boot Cleaner at the next start; then clean up and reboot
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
Important: replace Your_Account with the name of the account you log into Windows with (Administrator, User, Andrey, Petya, and so on).
11. Click "Run" and wait for the script to finish; the computer reboots on its own.
12. If the problem is gone after the reboot, scan and clean the system with a regular antivirus. If it is not, start AVZ the same way and run a full scan with it.
Method 4. Changing the BIOS clock
Works only against old versions of this locker, and even then it is more a matter of ruling it out than a reliable fix. Immediately after turning on the computer, press Delete to enter the BIOS setup and set the system date a week back or a week forward. Some versions of the banner check the date and switch themselves off. Then boot the system and run a full scan with a regular antivirus or with the Dr.Web CureIt utility, which should find the locker still sitting on the disk and neutralize it.
Method 5. Using the Dr.Web LiveCD
Dr.Web LiveCD boots from its own disc, scans the installed system from outside and cleans it of the infections that block it from running.
First, download the LiveCD image from the Internet (take it from the vendor's site, not from a file-sharing service).
Then burn the image to a disc. There are many ways to do this; here is one:
1. Insert a blank disc into the drive.
2. Download a burning program such as SCD Writer.
3. Download the LiveCD image itself.
4. Start SCD Writer, choose "Disk" and then "Burn image to disk". Point it at the LiveCD image on the hard drive, set the write speed and wait for the process to finish.
Now the computer must be told to boot from the CD instead of the hard drive. Enter the BIOS setup (press Delete at the very beginning of the boot) and open the Boot section, which lists the order of the media the system starts from. By default the hard drive comes first; move the optical drive to first place, using the keyboard (the mouse does not work in the BIOS). The computer will now boot from the disc.
Save the changes and restart. After booting from the disc, pick the first item in the menu that appears, start Dr.Web Scanner, click "Start" and wait. When the scan finishes, choose "Delete" for the detections.
Method 6. Kaspersky Virus Removal Tool
This method also uses scripts.
1. You need a second, clean computer and a CD or a flash drive.
2. Download the Kaspersky Virus Removal Tool on the clean computer and copy it to the removable media.
3. Start the infected computer and press F8 at the very beginning of the boot to open the boot options menu. Choose "Safe Mode with Command Prompt".
4. If all goes well, a command prompt appears after the system boots.
5. Insert the removable media.
6. Type explorer at the prompt and press Enter.
7. The familiar "My Computer" window should appear.
8. Open the removable media and launch the Kaspersky Virus Removal Tool.
9. In the application window choose "Manual treatment" and run the four scripts below one at a time: paste the first script, click "Run", clear the field, paste the second, click "Run", and so on. As with the script in Method 3, the file names in the first script come from one particular infected machine; replace them with the ones your own scan shows.
// Script 1 of 4: quarantine the suspect drivers and a temp file, then reboot
begin
SearchRootkit(true, true);
QuarantineFile('Base.sys', 'CHQ=N');
QuarantineFile('explorer.ex', 'CHQ=N');
QuarantineFile('hpt3xx.sys', 'CHQ=N');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys', 'CHQ=S');
QuarantineFile('C:\WINDOWS\system32\drivers\cmudau.sys', 'CHQ=S');
QuarantineFile('C:\WINDOWS\System32\Drivers\dump_nvatabus.sys', 'CHQ=S');
QuarantineFile('C:\WINDOWS\system32\Drivers\SPT2Sp50.sys', 'CHQ=S');
QuarantineFile('C:\WINDOWS\system32\Drivers\usbVM31b.sys', 'CHQ=S');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\wg111v2.sys', 'CHQ=S');
QuarantineFile('C:\DOCUME~1\FE66~1\LOCALS~1\Temp\YKI224.tmp', 'CHQ=S');
// BC_QrFile queues files that are locked while Windows runs for quarantine by the Boot Cleaner at the next start
BC_QrFile('C:\WINDOWS\System32\Drivers\dump_nvatabus.sys');
BC_QrFile('C:\WINDOWS\system32\Drivers\SPT2Sp50.sys');
BC_QrFile('C:\WINDOWS\system32\Drivers\usbVM31b.sys');
BC_QrFile('C:\WINDOWS\system32\DRIVERS\wg111v2.sys');
BC_QrFile('C:\DOCUME~1\FE66~1\LOCALS~1\Temp\YKI224.tmp');
BC_Activate;
RebootWindows(true);
end.
// Script 2 of 4: pack the quarantine into quarantine.zip and open its folder (the archive is what you send for analysis)
var
qfolder: string;
qname: string;
begin
qname := GetAVZDirectory + '..\Quarantine\quarantine.zip';
qfolder := ExtractFilePath(qname);
if (not DirectoryExists(qfolder)) then CreateDirectory(qfolder);
// The misspelling "Qurantine" is the actual name of the AVZ function
CreateQurantineArchive(qname);
ExecuteFile('explorer.exe', qfolder, 1, 0, false);
end.
// Script 3 of 4: run System Restore microprogram 16 and the Troubleshooting Wizard ('TSW') automatically, then reboot
begin
ExecuteRepair(16);
ExecuteWizard('TSW', 2, 2, true);
RebootWindows(true);
end.
// Script 4 of 4: run AVZ standard script number 3 and reboot (the original text was missing the closing parenthesis)
begin
ExecuteStdScr(3);
RebootWindows(true);
end.
10. After the reboot, check whether the banner is gone. If it is, check the computer with a regular antivirus, as in the previous methods.
Method 7. The hard case
Some modifications of this locker are more cunning. All the methods above rely on taking control of the computer at the very start of booting and then working from there: entering Safe Mode, booting from removable media, and so on. Some variants simply block that road by overwriting the boot sector, so the boot process can no longer be changed from within the installed system and the methods above do not work. There is another way.
Insert the Windows installation disc and, exactly as in Method 5, set the BIOS to boot from the CD instead of the hard drive (press Delete at the very beginning of the boot, open the Boot section with the boot order, move the optical drive ahead of the hard drive using the keyboard, since the mouse does not work in the BIOS, and save).
After the disc boots, press R instead of installing the system; this opens the Recovery Console. It asks which installation to repair (press 1 or Enter; it may also ask for confirmation, in which case press Y and Enter) and for the Administrator password. Then enter the commands FIXBOOT and FIXMBR. Note that this is the Windows XP Recovery Console. A Windows 7 disc has no R option: there, choose "Repair your computer", open the command prompt in the recovery environment and run bootrec /fixmbr followed by bootrec /fixboot, which do the same job. Rewriting the MBR and boot sector removes the locker's boot code but not its files, so the system must still be scanned afterwards.
Restart the computer and check the result: the banner should be gone. It rarely leaves without a trace, though. Problems with the system often remain, in particular an empty desktop or a Task Manager that will not open. How to deal with those is described below.
When Safe Mode does not start or the LiveCD is powerless
Some varieties of the locker prevent Safe Mode from starting at all, that is, the malware is active from the earliest stage of booting. Or the LiveCD does not help: it finds nothing and therefore removes nothing.
In that case an unusual move helps: solve the problem "backwards", restoring the interface first and removing the banner afterwards. Use the recommendations in "Troubleshooting after virus removal" below to get the system working again first.
After those operations, boot the system into Safe Mode the first time rather than normally, since the locker may still be registered in startup and the banner may reappear.
Troubleshooting after virus removal
Removing a locker that demands an SMS or a money transfer is not always enough. The malware changes registry settings, so after it is gone the desktop may be completely empty and the mouse pointer may not move; Task Manager, the Start menu, My Computer and other system functions will most likely not open. Repair from Safe Mode can be attempted, but it often does not work: the computer simply reboots. There is still a way out.
If the computer will not boot usably from the hard drive, boot from removable media, for example a CD. Windows PE based boot discs exist that start a working environment straight from the disc and give access to the installed system's files and registry.
Procedure:
• You need a computer and removable media (a flash drive or a disc).
• Find and download a boot disc image with a Windows PE environment. Take it from a source you trust: a random "boot disc" from a file-sharing site is itself a common way to pick up malware. It is either added to the distribution disc or written to a flash drive separately.
The image contains no viruses of its own; it carries tools for working with system files and getting the system back on its feet, including antivirus databases and editors. Your own antivirus may nevertheless play it safe and report an alleged threat in it.
• Among other things it contains the SCD Writer burning program (discussed in one of the previous methods). Choose the "Disk" tab, then "Burn ISO image". Select the downloaded image, set the write speed and wait for the process to finish.
• Go to the infected computer. Set it to boot from the CD instead of the hard drive: enter the BIOS setup (press Delete at the very beginning of the boot), open the Boot section with the boot order, and move the optical drive ahead of the hard drive using the keyboard (the mouse does not work in the BIOS). The computer will now boot from the disc.
• Insert the disc and the flash drive with the registry editor.
• After booting from the disc, press 1 in the menu that opens to start Windows PE. Booting can take a while. When asked, point the environment at the infected Windows installation on the hard drive.
• Open "My Computer", open the flash drive and start the registry editor from it. It may ask for the location of the ntuser.dat file of the infected system in order to reach the user part of the registry. The path is C:\Documents and Settings\account_name\ntuser.dat (on Windows 7: C:\Users\account_name\ntuser.dat), where account_name is your Windows user name. If the program still does not see the file, open "My Computer", search for ntuser.dat manually, right-click it, open its properties and uncheck the "Hidden" attribute. Back in the registry editor the file should now be visible. If the program asks for the path to another user's file, decline if you have completed the steps above.
• The registry editor shows two sets of hives (the tree on the left). One is the live registry of the environment you booted from, the other is the registry of the infected system. The latter may be marked with brackets, say HKEY_LOCAL_MACHINE(...), where (...) is the computer name or something like (W_IN_C); or only sub-branches may be duplicated; or the infected system's hives may be named with an underscore instead of brackets (HKEY_LOCAL_MACHINE_W_IN_C). Look carefully so that you edit the offline registry and not the live one.
• Follow the path HKEY_LOCAL_MACHINE(...)\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Click Winlogon and its values appear on the right. In the Shell value replace whatever is there with explorer.exe (double-click the value to edit it). The Userinit value must contain C:\WINDOWS\system32\userinit.exe, (if your system is not on drive C:, use its drive letter). Important: the path must end with a comma. The locker typically puts its own executable into one of these two values, which is why the desktop is empty afterwards. Look through the other values in the key for paths that do not lead into the Windows folder at all.
• Then open "My Computer" and go to the system folder windows\system (note: system, not system32). If there is a user32 file there, delete it: the legitimate user32.dll lives in windows\system32 and must not be touched, while a user32 file in windows\system is not part of Windows. Then check the root of every logical drive (C:, D: and any others) and delete the autorun.inf files and loose .exe files found there. Then run Dr.Web CureIt and scan the infected system.
• Remove the disc, reboot, go back into the BIOS and restore booting from the hard drive (HDD). Exit the BIOS and let Windows load.
• Scan the computer again with a regular antivirus. If the system does not work, try booting into Safe Mode.
If Task Manager still does not work, download AVZ and run it. Choose "File" - "System Restore", tick "Unlock Task Manager" and click "Perform selected operations". Close AVZ; Task Manager should work again. That is all. Do write in the comments what did not work for you.
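The registry and file checks from the Windows PE procedure above (Winlogon Shell and Userinit, the Task Manager policy, user32 in windows\system, autorun.inf and loose executables at drive roots) can be done in one pass from a PowerShell prompt in the rescue environment instead of by hand. The script below is an added example written for this article, not a tool from the original page or from any vendor named in it. It assumes the infected Windows folder is visible to the rescue environment as D:\WINDOWS and that the profile folder name is known (both are parameters), that user profiles use the Windows XP layout under "Documents and Settings", that an elevated prompt with reg.exe is available, and that the temporary hive names OFFSW and OFFUSER, chosen here for illustration, are free. It lists suspicious files rather than deleting them, so the operator can review the output first.

```powershell
# Added example for this article (not from the original page). Run from an elevated
# PowerShell in a Windows PE / rescue environment. Assumptions: the infected Windows
# folder is visible as D:\WINDOWS (change $InfectedRoot), profiles live under
# "Documents and Settings" (XP layout; on Windows 7 use "Users"), and the temporary
# hive names OFFSW / OFFUSER are not in use.
param(
    [string]$InfectedRoot = 'D:\WINDOWS',
    [string]$ProfileName  = 'Andrey',
    [string]$NativeDrive  = 'C:'      # drive letter the infected system uses for itself
)
$ErrorActionPreference = 'Stop'

$ExpectedShell    = 'explorer.exe'
$ExpectedUserinit = "$NativeDrive\WINDOWS\system32\userinit.exe,"   # the trailing comma is part of the value
$SoftwareHive = Join-Path $InfectedRoot 'system32\config\SOFTWARE'
$NtUserHive   = Join-Path (Split-Path $InfectedRoot -Parent) "Documents and Settings\$ProfileName\ntuser.dat"

function Mount-Hive([string]$Name, [string]$File) {
    & reg.exe load $Name $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not load hive $File as $Name" }
}

function Dismount-Hive([string]$Name) {
    # Drop PowerShell's open handles first, otherwise reg.exe refuses to unload the hive
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload $Name | Out-Null
}

function Repair-Winlogon {
    # Mount the infected system's SOFTWARE hive under HKLM\OFFSW and fix the two values the locker hijacks
    Mount-Hive 'HKLM\OFFSW' $SoftwareHive
    try {
        $key = 'HKLM:\OFFSW\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $wl  = Get-ItemProperty -Path $key
        foreach ($name in 'Shell', 'Userinit') {
            $want = if ($name -eq 'Shell') { $ExpectedShell } else { $ExpectedUserinit }
            $have = [string]$wl.$name
            if ($have -ne $want) {
                Write-Host "[!] Winlogon\$name = '$have' (expected '$want'), restoring"
                Set-ItemProperty -Path $key -Name $name -Value $want -Type String
            } else {
                Write-Host "[ok] Winlogon\$name is clean"
            }
        }
        # Any other value holding an absolute path outside the Windows folder deserves a manual look
        $wl.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match '^[a-z]:\\' -and $_.Value -notmatch '^[a-z]:\\windows\\' } |
            ForEach-Object { Write-Host "[?] Winlogon\$($_.Name) = '$($_.Value)' - check this path" }
    } finally {
        Dismount-Hive 'HKLM\OFFSW'
    }
}

function Unlock-UserPolicies {
    # Lockers commonly set DisableTaskMgr / DisableRegistryTools in the user's hive; this is the
    # offline equivalent of AVZ's "Unlock Task Manager", applied to the infected ntuser.dat
    Mount-Hive 'HKU\OFFUSER' $NtUserHive
    try {
        $pol = 'Registry::HKEY_USERS\OFFUSER\Software\Microsoft\Windows\CurrentVersion\Policies\System'
        if (Test-Path $pol) {
            foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools') {
                if ((Get-ItemProperty -Path $pol).$v) {
                    Remove-ItemProperty -Path $pol -Name $v
                    Write-Host "[!] removed policy $v"
                }
            }
        }
    } finally {
        Dismount-Hive 'HKU\OFFUSER'
    }
}

function Find-Leftovers {
    # Lists candidates only; review them before deleting anything
    $found = @()
    # A user32.dll in \WINDOWS\system (not system32) is not part of Windows
    $rogue = Join-Path $InfectedRoot 'system\user32.dll'
    if (Test-Path $rogue) { $found += $rogue }
    # autorun.inf and loose executables in the root of every drive except the rescue system's own
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        if ($drive.Root -like "$env:SystemDrive*") { continue }
        $found += Get-ChildItem -Path $drive.Root -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -match '^(autorun\.inf|.*\.exe)$' } |
            ForEach-Object { $_.FullName }
    }
    $found
}

Repair-Winlogon
Unlock-UserPolicies
Find-Leftovers | ForEach-Object { Write-Host "[?] suspicious file: $_" }
```

Run it as `.\Repair-Winlocker.ps1 -InfectedRoot D:\WINDOWS -ProfileName Andrey` (the file name is arbitrary). Winlogon values are compared against exact expected strings rather than searched for known bad names because the locker's executable name changes from sample to sample while the clean values do not; the same reasoning is why the file check flags everything at the drive roots and leaves the decision to delete to the operator.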