How to remove the banner from your desktop through ERD Commander
I recently ran into a new trick from virus writers. Visually, the "Windows is locked" banner is no different from its predecessors, except that it demands 3000 rubles to unlock the computer. There is no point in listing the phone numbers, since they change every day and tell you nothing.
So what is the difference? When I tried to remove the banner in safe mode, nothing suspicious was found in the registry. I then decided to check the registry and startup entries and remove the "Computer blocked" banner with ERD Commander. That is where the trick came to light, one that is not obvious at first and is easy to overlook at a cursory glance.
Creating a USB flash drive with ERD Commander, or burning its image to a disc, is described in the article How to unlock the computer using ERD Commander. I will not dwell on that here, nor on booting and configuring ERD Commander. We assume that you have already started it.
The startup list showed 2 "interesting" lines. Everything would seem to be in order, because the file explorer.exe really should be in the C:\Windows\ folder. The path is correct, and the Explorer image itself does not appear to have been changed, since the computer boots into safe mode perfectly normally. But if you look at the properties and the location of the registry key, the situation becomes a little clearer.
The description in this file clearly does not correspond to reality, and the "Publisher" field is empty altogether, when it should be Microsoft Corporation. The incorrect entries are in the HKCU\… branch, which means the program is started on the user's behalf. The real Explorer, however, is started by the system from the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. And if you look at the properties of the explorer.exe file that is started by the system, both the description and the publisher are in perfect order.
Everything falls into place when we run the Explorer in ERD Commander and look at the root of drive C:
There are 2 (!) Windows folders. One of them is genuine, and the other was created by the virus. That second folder is where the banner file explorer.exe lives. Working out which folder is needed and which is not is very easy: the folder created by the virus contains only the banner file called explorer.exe and nothing else. Other variants of the banner may put other files there, but there will not be many. The folder can also be identified by its creation date.
To unlock the computer, it is enough to remove the entries from startup (right-click the line and choose Delete from the context menu; the label depends on the interface language) and to delete the banner file itself, or rather the whole fake Windows folder in which it lies.
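
The check done by eye above (entry path, description, publisher) can also be scripted on the installed system in safe mode. The PowerShell below is an added example, not part of the original article; the list of keys and the non-ASCII path check are assumptions, since the article does not say which HKCU key held the entry or how the second folder came to share the name Windows.

```powershell
# Added example, not from the original article. Run from PowerShell in safe mode.
# Assumption: these are the usual logon autostart keys; the article does not say
# which HKCU key held the fake entry.
$keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-ImagePath([string]$Command) {
    # Extract the first executable from a command line; resolve bare names through PATH.
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if     ($c -match '^"([^"]+)"')          { $p = $Matches[1] }
    elseif ($c -match '^(.+?\.exe)(\s|,|$)') { $p = $Matches[1] }
    else                                     { $p = ($c -split '\s+')[0] }
    if ($p -and $p -notmatch '^([A-Za-z]:|\\\\)') {
        $cmd = Get-Command $p -CommandType Application -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($cmd) { $p = $cmd.Definition }
    }
    return $p
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        # Under Winlogon only Shell and Userinit start programs at logon.
        if ($key -like '*Winlogon' -and ('Shell', 'Userinit' -notcontains $name)) { continue }
        $command = [string]$item.GetValue($name)
        $path = Get-ImagePath $command
        $info = $null
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        }
        New-Object PSObject -Property @{
            Key = $key; Name = $name; Command = $command; Path = $path
            Description = $info.FileDescription; Publisher = $info.CompanyName
            # Review hint: file missing, empty publisher, or non-ASCII characters in the path
            Review = (-not $info) -or (-not $info.CompanyName) -or ($path -match '[^\x20-\x7E]')
        }
    }
}
$report | Sort-Object Review -Descending |
    Format-List Key, Name, Command, Path, Description, Publisher, Review
```

An empty Publisher is only a hint, since legitimate third-party programs can leave it blank as well; the entry that matters here is one that claims to be explorer.exe, starts from an HKCU key and has no publisher.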