Why is this kind of virus called a boot virus? Because it is loaded into memory immediately at startup and intercepts all control of the system. Many people have surely run into this problem: after visiting some sites, even innocuous ones, the computer shows a warning on the next boot that it has been locked, supposedly for visiting porn sites, sending spam, or some other misconduct.
Of course, nothing will actually get unlocked, since such viruses do not even include that possibility. Antivirus software is often powerless against them, because they run as soon as the system boots and block all antivirus and security software. So how do you deal with them?
There are two common types. With the first type, the blocking message appears only in a corner of the screen, and the virus takes partial control of your computer.
This virus belongs to the Trojan.Winlock family of trojans (hereinafter Winlock). When you try to open Task Manager to kill the malicious process, it will most likely not start. More precisely, it will start and immediately disappear, because it is also blocked by the virus. This is the "light" form of a boot virus.
To begin with, try booting into Safe Mode (hold F8 before the system boots and select "Safe Mode" from the menu that appears). If everything is clean in Safe Mode, removing such a virus is fairly simple. Open the System Configuration Utility (Start\Run, type msconfig in the window that opens and press Enter). Then go to the "Startup" tab and examine the list carefully. If you see something suspicious (gibberish in the name of an item or a strange entry in the "Command" column), simply disable that startup entry and reboot the machine, and everything will be in order.
If you do not see anything strange, disable all startup entries and reboot. If everything is clean, the virus is being launched from there. Then re-enable the entries one at a time and watch for the one after which the virus reappears. Once you have found the malicious entry and disabled it, go to the path given in the "Command" column and delete the malicious file(s); there will most likely be several.
If you cannot get into Safe Mode or open the system settings, use Safe Mode with Command Prompt. At present, most Winlock variants cannot block it. After booting, run the registry editor and look for suspicious entries. First check the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: the Shell value should be explorer.exe, and the Userinit value should be C:\WINDOWS\System32\userinit.exe, (including the trailing comma). If nothing in this key is suspicious, there is no need to check under HKEY_CURRENT_USER. It is also worth checking the keys where autostart programs are registered, for example HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If suspicious entries are present, replace them with the standard value (or, for autostart entries, clear them). After restarting the computer, all that remains is to delete the malware.
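The registry checks described above, as an added read-only PowerShell example (not part of the original article): it compares the Winlogon Shell and Userinit values with the standard values given in the text and lists the Run entries for review. The per-user Run key and the double-extension flag (the file-name pattern the article warns about) are assumptions added for this example.

```powershell
# Added example: read-only audit of the registry locations named in the text.
# Run from an elevated PowerShell prompt; nothing is modified.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'  # assumption: per-user Run key, not named in the article
)

# Standard values as stated in the article; Userinit ends with a comma.
$expected = [ordered]@{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\System32\userinit.exe,"
}

$winlogon = Get-ItemProperty -Path $winlogonKey
foreach ($name in $expected.Keys) {
    $actual = $winlogon.$name
    # -eq on strings is case-insensitive, so C:\WINDOWS and C:\Windows match.
    $status = if ($actual -eq $expected[$name]) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{
        Location = 'Winlogon'; Name = $name; Value = $actual
        Expected = $expected[$name]; Status = $status
    }
}

foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }   # key absent: nothing to list
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        # Flag double extensions such as photo.jpg.exe; all other entries
        # are only listed so they can be reviewed by hand.
        $status = if ($value -match '\.\w{2,4}\.exe\b') { 'REVIEW' } else { 'LISTED' }
        [pscustomobject]@{
            Location = $key; Name = $name; Value = $value
            Expected = ''; Status = $status
        }
    }
}
```

Pipe the output to `Format-Table -AutoSize -Wrap` to read it at the prompt; a REVIEW status means the value differs from the standard one and should be inspected before anything is changed.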
However, sometimes we cannot even reach the Windows boot menu. Such viruses are called "bootkits". They write themselves into the MBR (Master Boot Record) and run from there, completely or partially displacing the Windows boot code. This is the second type of boot virus. Dealing with them is also fairly simple. You need a Windows installation disc. On the screen that says "Press R to start the Recovery Console", press R. Log on to your system, then enter the commands fixmbr (a warning appears; answer yes) and fixboot (also answer yes) one after the other, and you're done. With the boot record restored, you can start the system.
If absolutely nothing works, you will have to wipe the system, making sure to format the system partition (the system partition only). To keep this from happening, use antivirus software and be wary of downloaded documents. Under no circumstances should they have the extension .exe. And if the file name is, for example, music.mp3.exe or photo.jpg.exe, then it is definitely a virus.
© From: hint4.me: FAQ