What to do if “Windows operating system is locked”: how the “Windows is blocked” banner malware gets onto your PC and how to remove it

    “Windows operating system is locked” – this message is produced by a Trojan. When the Winlock Trojan infects your computer, it displays a blocking banner with a fake message demanding that you pay 500 to 2000 rubles to unlock your operating system. Ignore this message and try to remove the Trojan from your computer yourself. The message claims that you broke the law because you watched films containing gay porn, child abuse and the like, and that you also played these obscene video materials, for which reason Microsoft has supposedly blocked your Windows.

    To scare you further, so that you are sure to pay the “fine” to the cybercriminals, some banners contain a clock counting down the time left to unlock, or show a specific deadline. Otherwise, the fake message states that if you do not pay the “fine” in full, by topping up an MTS or Beeline subscriber number or by sending an SMS with the specified text to a short number, all your documents and files will be deleted and the case opened against you will be sent to court for further proceedings.

    It goes without saying that this is a complete scam: ignore the fake message and at least try to unlock Windows yourself. If, out of ignorance, you have already paid the non-existent “fine”, you can try contacting your mobile operator and explaining that you were tricked into topping up a subscriber number in order to unlock Windows. Use the Trojan Winlock removal and Windows unlocking guide below to completely remove the banner.

    How to remove the Windows blocked banner

    1. Boot your computer into Safe Mode with Networking.
    To do this, restart your PC or laptop (if the computer is on, turn it off first). As the computer starts up, press the F8 key repeatedly until you see the Advanced Boot Options menu, then select Safe Mode with Networking from the list.

    2. Make your hidden files and folders visible.

    How to show hidden files in Windows 7:
    Click “Start” -> “Control Panel” -> “Appearance and Personalization” -> “Folder Options”, and go to the View tab. Select “Show hidden files, folders and drives”, then click “Apply” and “OK”.

    How to show hidden files in Windows XP:
    Open “My Computer” on the desktop -> select “Tools”, then “Folder Options”, then the “View” tab, and select “Show hidden files and folders” -> confirm with “Apply” and “OK”.

    3. Find the infected file in the system folders.
    Click “Start” -> Run -> enter %APPDATA%. In the window that opens, go to the Microsoft folder, find explorer.exe in it and delete it (this is the Trojan's copy; the real explorer.exe lives in the Windows folder and is not touched here).

    4. Open Registry Editor.
    Select Start -> Run (or All Programs). Type regedit and click OK.

    Find the following registry key and delete it (this key is the standard per-user autostart location, so deleting it removes every autostart entry in it, legitimate ones included; note down what is in it first):

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    5. Download and install legitimate malware removal software to completely remove the infection.

    If you cannot access the Internet after unlocking Windows:

    Boot your computer into Safe Mode with Networking.
    Launch Task Manager: press Ctrl+Alt+Del (or Ctrl+Shift+Esc) and end the rogue program's process. If after this you cannot open any program, click File -> New Task (Run), type explorer.exe and click OK.

    Open Internet Explorer, select Tools and then Internet Options. Select Connections, then click LAN settings. If “Use a proxy server for your LAN” is checked, uncheck it and click OK.

    After this you should be able to access the Internet. Now you can download antivirus software: download and install the antivirus of your choice, do not forget to update it, then run a full system scan.

    Hello! Today I will write about how to remove a desktop blocker that appears after the computer has been infected with a virus that blocks Windows, so that you now see a window in front of you demanding an unlock code, which you are supposed to buy by sending an SMS to the attackers' number and paying a certain amount.

    How to unlock Windows for free?

    Nobody wants to pay money to unlock Windows. And even if you pay money to the account indicated by the scammers, there is no guarantee that they will send you a code that actually unlocks Windows. So let us look at ways to unlock Windows for free:

    Method 1 is to change the date in the computer's BIOS. For those who do not know how, I will try to explain how to enter the BIOS. There is a reset button on the system unit; press it if the computer is on. If the computer is off, turn it on. A couple of seconds after the computer starts booting, press and hold the DELETE key on your keyboard. If you got in, the BIOS menu will appear on the screen, with a blue background and in English. In the BIOS go to the Standard CMOS Features section, where there is a current date field; change the date to an earlier one. After changing the date, press Esc to return to the main menu. To save, select Save & Exit Setup and press Y to confirm. This method will get rid of the Windows blocker banner, but the virus itself still needs to be found and removed.

    Method 2: from your mobile phone or another computer, go to the Doctor Web unlocker page https://www.drweb.com/xperf/unlocker/ or the Kaspersky deblocker page http://www.kaspersky.ru/support/viruses/deblocker and look there for the unlock code.

    Method 3 is to find and remove the virus yourself. Sequence of actions: when Windows is loading, press F8 and choose Safe Mode with Command Prompt. In the command window that loads, enter the regedit command; the registry editor will open. Be careful, DO NOT DELETE ANYTHING. Go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and on the right-hand side find the value called Shell. Write down the path it contains, then double-click it and erase that path. Then enter explorer.exe in the command line and reboot: Windows will start without problems and without the blocking banner. Now follow the path you wrote down and delete the virus file itself. This is how you remove the virus that blocked Windows.

    Method 4: press F8 while Windows is loading and try to start System Restore by selecting a restore point. After a successful restore, you still need to remove the virus: run an antivirus program and scan the entire computer.

    Method 5: the icons of these viruses are visible in the Quick Launch bar. When you hover the cursor over the icon, the file name is displayed, often consisting of a string of digits. Use Search to find this file. You cannot simply delete a file like that: first rename it, then delete it, and do not forget to empty the Recycle Bin. Just in case, scan the system with an antivirus.

    Method 6: format the local disk on which Windows is installed. This option will lead to the loss of the data stored on that disk. It is the most radical way to deal with a system blocker; use it only if the methods above did not help unlock Windows.

    How to remove the virus after unlocking? Download the Dr.Web CureIt! program, which removes Trojan blockers from Windows. Here is the link: http://www.freedrweb.com/cureit/?lng=ru The virus is often registered in the C:\System Volume Information folder.

    Sometimes, when you turn on the computer, a message pops up on the screen stating that the operating system is locked and that you must transfer a certain amount of money to receive an unlock code. The message may name an account at any mobile operator. Quite a lot of users face this problem.

    This message is caused by a fairly common piece of malware. Of course, there is no need to send anything, since no code will come back in response. Nor should you pay attention to the text of the message: a lot of things can be written there, but it is just the scammer's invention to confuse the user. There is no reason to despair, since the solution to this problem is quite simple.

    It is worth noting that there is no point in trying to find unlock codes on forums or on antivirus websites, since they cannot be found. Even if the message contains a field for entering such a code, that does not mean one exists; as a rule, attackers do not bother to create one, especially now. Users of Windows XP, 7 and 8 most often fall victim to such scammers.

    How to remove “Windows locked”

    First, familiarize yourself with the manual method of fixing this problem. There is also an automatic method for eliminating this virus, described further below. In automatic mode the whole process is much simpler, but after the virus is removed some problems may remain; the most common one is that the desktop does not load.

    To fix the locked system, you first need to boot into Safe Mode with Command Prompt. This is done differently on different versions of the operating system.

    In Windows XP and 7, after turning on the PC, keep pressing the F8 key until the list of boot options appears, then choose safe mode (with Command Prompt). In some BIOS versions, pressing F8 instead shows a menu for selecting the boot disk; in that case select the hard drive, press Enter and immediately press F8 again.

    In Windows 8, entering safe mode is a little harder. There are several ways to do it; the simplest is to interrupt the boot. Turn the PC on; when the lock window appears, hold down the power button for five seconds, after which the computer will turn off.

    After starting the PC again, a boot options window should open, in which you need to find Safe Mode with Command Prompt. Once the command line has loaded, type regedit in it and press Enter.
    As a result, the Registry Editor should load; this is where the main work of removing the virus takes place.

    In the registry, select the HKEY_LOCAL_MACHINE section, then SOFTWARE, then Microsoft, then Windows NT, then CurrentVersion and finally Winlogon. Viruses that block the operating system often place their entries in this key.

    Here pay attention to two values, Shell and Userinit. Their values are the same in every version of Windows, so check that they are correct. Shell should be explorer.exe, and Userinit should be c:\windows\system32\userinit.exe, (the comma at the end must be present).

    If a virus has tampered with the operating system, the values will differ; most often it is Shell that has been changed. In that case, right-click the value that was changed, select “Modify” and enter the correct value. Also remember or write down the path to the virus that was registered there; you will need it to delete the file later.

    After this, go to HKEY_CURRENT_USER and follow the same path as in the first section. Here, too, look for Shell and Userinit. These values should not be present in this key at all; if they are, select them and click “Delete”.

    Then check the Run keys: go to HKEY_CURRENT_USER, then Software, then Microsoft, then Windows, then CurrentVersion and finally Run, and do the same starting from HKEY_LOCAL_MACHINE. In these keys, make sure that none of the entries points to the same file that was found in Shell in the step above. If any do, remove them. Often the file names consist of a jumble of letters and digits with the .exe extension; anything like that should be removed.

    Then exit the registry editor and return to the command line. Type explorer in it and press Enter, which will bring up the system desktop. After this, open Windows Explorer and delete the files that were referenced in the entries you removed. Often these files are located in the Users directory, and getting to their location can be difficult; the easiest way is to type the directory path into the address bar. All of these files must be deleted. If they are located in the Temp folder, you can clean out that whole directory.
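    The registry checks above (Winlogon Shell and Userinit, the Run keys in both hives, plus the proxy switch from the first guide on this page) can be done in one pass from a PowerShell prompt. The script below is an added example written for this page, not code from any of the articles: it only reads and reports, leaving every change to you. It assumes Windows 7 or later with PowerShell 2.0 or newer, an administrator prompt (from Safe Mode with Command Prompt, type powershell), and the stock values explorer.exe and C:\Windows\system32\userinit.exe, that the article gives; the “suspicious” heuristic (user-writable folders, names made of digits or of mixed letters and digits) is my reading of the articles' descriptions, not a rule from the page.

```powershell
# Added example for this page, not code from any of the articles.
# Read-only audit of the registry values Winlock-style screen lockers tamper with.
# Assumes Windows 7+, PowerShell 2.0+, an administrator prompt. Nothing is modified.

$ExpectedShell    = 'explorer.exe'
$ExpectedUserinit = 'C:\Windows\system32\userinit.exe,'   # the trailing comma is part of the value

function Test-SuspiciousCommand {
    # Heuristic from the articles' descriptions (my reading, not a rule from the page):
    # lockers run from user-writable folders, or carry a random-looking name made of
    # digits only or of mixed letters and digits.
    param([string]$Command)
    if ($Command -match '(?i)\\(AppData|Temp|Local Settings|Users)\\') { return $true }
    if ($Command -match '(?i)(?:^|\\)([a-z0-9]{6,})\.exe') {
        $name = $Matches[1]
        if ($name -match '^\d+$') { return $true }
        if (($name -match '\d') -and ($name -match '[a-z]')) { return $true }
    }
    return $false
}

function Get-WinlockFindings {
    $findings = @()

    # 1. HKLM Winlogon: Shell and Userinit must match the stock values exactly.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.Shell -ne $ExpectedShell) {
        $findings += "HKLM Winlogon\Shell = '$($wl.Shell)' (expected '$ExpectedShell')"
    }
    if ($wl.Userinit -ne $ExpectedUserinit) {
        $findings += "HKLM Winlogon\Userinit = '$($wl.Userinit)' (expected '$ExpectedUserinit')"
    }

    # 2. HKCU Winlogon: Shell and Userinit should not exist here at all.
    $userWl = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if (Test-Path $userWl) {
        $u = Get-ItemProperty -Path $userWl
        foreach ($n in 'Shell', 'Userinit') {
            if ($null -ne $u.PSObject.Properties[$n]) {
                $findings += "HKCU Winlogon\$n = '$($u.$n)' (should not be present)"
            }
        }
    }

    # 3. Run keys in both hives: list every entry, flag suspicious ones.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # PSPath, PSParentPath, ... are provider noise
            $flag = 'ok'
            if (Test-SuspiciousCommand ([string]$p.Value)) { $flag = 'SUSPICIOUS' }
            $findings += "$hive Run\$($p.Name) = '$($p.Value)' [$flag]"
        }
    }

    # 4. Proxy switch (first guide: IE > Internet Options > Connections > LAN settings).
    $inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($inet.ProxyEnable -eq 1) {
        $findings += "ProxyEnable = 1, ProxyServer = '$($inet.ProxyServer)' (clear it if you did not set it)"
    }
    return $findings
}

Get-WinlockFindings
```

    Run it, compare the [SUSPICIOUS] lines and any Winlogon mismatch against the path you wrote down from Shell, and only then edit the registry by hand as the article describes; the script deliberately does not delete or rewrite anything, so a false positive costs nothing.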

    After completing all these steps, restart the PC; you can use the Ctrl+Alt+Del combination for this. After this, the PC should start normally and work as before, and the blocking message will not appear. On first start, open Task Scheduler and check that there are no strange tasks; if any are found, remove them.

    Getting rid of “Windows locked” automatically using Kaspersky Rescue Disk

    This method of unlocking the operating system is much simpler than the one described above. Download Kaspersky Rescue Disk from the manufacturer's official site on a working PC, then write the disk image to a disk or a bootable USB flash drive.

    After booting from this disk, you will be prompted to press any key and then to choose the menu language; pick the one you want. After that, accept the license agreement by pressing 1 on the keyboard. The disk menu will then appear, where you should select graphic mode.

    Once the graphical shell has launched, select Windows Unlock. Then tick the items “Boot sectors” and “Hidden startup objects” and drive C, and click “Run check”.

    At the end of the scan, a report will appear on the screen listing the actions performed and their results. As a rule, this is enough to unlock the operating system. Then click “Exit” and turn off the computer. Remove the disk or drive and start the PC again; the operating system should start and you can get back to work.

    These are all simple manipulations that will help get rid of the blocking of the operating system. Even novice users can perform them.

    If, when you turn on your computer, you see a message that Windows is locked and you need to transfer 3,000 rubles to get an unlock code, then know a few things:

    • You are not alone: this is one of the most common types of malware (virus).
    • Do not send anything anywhere; you will most likely not receive the code. Not to a Beeline account, not to MTS, not anywhere else.
    • Any text stating that you owe a fine under the Criminal Code, mentions of Microsoft security and so on are nothing more than text made up by a would-be virus writer to mislead you.
    • Solving the problem and removing the locked Windows window is quite simple; now let us figure out how.

    A typical Windows lock window (not a real one, I drew it myself)

    As I already said, this method of removing the Windows lock is somewhat simpler. You will need to download Kaspersky Rescue Disk from the official website http://support.kaspersky.ru/viruses/rescuedisk#downloads on a working computer and burn the image to a disk or a bootable USB flash drive. Then boot from it on the locked computer.

    After booting from Kaspersky Rescue Disk, you will first see a prompt to press any key, and then a choice of language; choose whichever is more convenient. The next step is the license agreement; to accept it, press 1 on the keyboard.

    Kaspersky Rescue Disk menu

    The Kaspersky Rescue Disk menu will appear. Select Graphics Mode.

    Virus scan settings

    After this, the graphical shell launches, in which you can do many things, but we are interested in quickly unlocking Windows. Tick “Boot sectors” and “Hidden startup objects”; you can also tick the C: drive (the check will take much longer but will be more thorough). Click “Run Check”.

    After the check completes, you can look at the report to see exactly what was done and with what result; usually such a check is enough to remove the Windows lock. Click “Exit” and then turn off the computer. After shutting down, remove the Kaspersky disk or flash drive and turn the PC on again: Windows should no longer be locked and you can return to work.

    If, when the operating system loads, instead of the usual desktop you see this or a similar message, complete with threats of data destruction, damage to the computer, arrest, execution, etc. in case of non-payment within a short time, and this message cannot be removed or minimized in any way (no action is possible other than entering the unlock code), know this: you have become a victim of ransomware scammers, and you should NEVER pay them. By paying, you are only sponsoring further malware development; besides, sending money somewhere does not mean they will send you a saving code, and even if they do, there is no guarantee the situation will not repeat itself in a week. In this article I will describe how to prevent such an infection and how to cure the computer if it does happen, using one such situation as an example.

    At this time such an infection is found relatively rarely, but people still manage to pick it up somewhere, and then one has to recall past experience and set about eliminating this scourge. Two years ago the situation with Winlocker viruses was simply catastrophic: almost everyone was infected, repeatedly. The ingenuity of the virus writers was amazing; there were cases where the situation could only be resolved by a complete reinstallation of the system. After the arrest of a gang of such “programmers” in Moscow last year, the situation improved dramatically. I was amazed by the amount they earned in six months: billion(!!!) rubles.

    Now I will describe today's incident.

    Symptoms: the virus window sits on top of all others, Task Manager is blocked, and there is the standard set of threats. Among the innovations, the authors of such viruses no longer ask you to send money via SMS; instead you must top up their WebMoney wallet (in this case it is almost impossible to trace the author of the virus), and the amounts have grown: where extortionists used to ask for 30 hryvnia, they now ask for 100 (and criminal liability in Ukraine starts at 60 hryvnia). What made me laugh was the utterly wretched execution of the virus: they could not even implement a full-screen mode (apparently a screen resolution of 1200×800 counts as unlikely))), so it was not hard to overcome (but if the victims start sending them money, they will buy a lot of clever programming books and next time write something more elegant!), plus a bunch of grammatical errors (“...reports blocking...”))).

    The mechanism of infection, how the virus works and how to remove it

    In startup there is a file “superclubber.bat” with the text:

    @echo off
    Title superclubber
    start superclubber.exe

    Detecting the Winlock trojan in Windows startup using the Sysinternals Autoruns utility

    That is, it launches the file “superclubber.exe”, which is the actual virus. Accordingly, the entire treatment comes down to deleting this registry entry and two files (unfortunately, viruses this simple are very rare; usually you have to sweat hard to get rid of one). Analysis of this file on virustotal.com showed that it is currently detected by only 14 of 43 antiviruses (a low percentage!). Among those that detect it: Avira (TR/Crypt.CFI.Gen), Avast (Win32:Rootkit-gen), AVG (Generic23.AMUX), DrWeb (Trojan.Winlock.3724), Kaspersky (Trojan-Ransom.Win32.Blocker.apz), NOD32 (a variant of Win32/LockScreen.AHP trojan). Among those that still do not detect it, and accordingly let it through, it should be noted, are Microsoft, Panda, Symantec, McAfee and GData.
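    The startup-folder launcher shown above and the Task Scheduler check from the manual procedure earlier on this page can be inventoried in one go. The script below is an added example written for this page, not the article author's code. It lists every file in the per-user and all-users Startup folders, for .bat/.cmd files extracts the program each start line launches (as superclubber.bat launches superclubber.exe), prints a SHA-256 you can search for on virustotal.com without uploading the file, and lists scheduled tasks outside the \Microsoft folder. Assumptions: Windows 7 or later, PowerShell 2.0 or newer, and the English column names of schtasks /v (a localized Windows prints them in its own language).

```powershell
# Added example for this page, not the article author's code.
# Read-only inventory of Startup folders and scheduled tasks.
# Assumes Windows 7+, PowerShell 2.0+, English schtasks column names.

function Get-Sha256Hex {
    # Hash to look up on virustotal.com by search, without uploading the file.
    param([string]$Path)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

function Get-BatchLaunchTargets {
    # Every "start <target>" line in a .bat/.cmd, as in superclubber.bat -> superclubber.exe
    param([string]$Path)
    $targets = @()
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*start\s+(.+?)\s*$') { $targets += $Matches[1] }
    }
    return $targets
}

function Get-StartupFolderItems {
    $folders = @(
        [Environment]::GetFolderPath('Startup'),                                        # current user
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')   # all users
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in (Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer })) {
            $launches = @()
            if ($file.Extension -eq '.bat' -or $file.Extension -eq '.cmd') {
                $launches = Get-BatchLaunchTargets $file.FullName
            }
            New-Object PSObject -Property @{
                Path     = $file.FullName
                Launches = ($launches -join '; ')
                Sha256   = Get-Sha256Hex $file.FullName
            }
        }
    }
}

function Get-NonMicrosoftTasks {
    # schtasks exists on XP/7/8 alike; its verbose CSV output is parsed into objects.
    $rows = schtasks /query /fo CSV /v | ConvertFrom-Csv
    foreach ($t in $rows) {
        if ($t.TaskName -eq 'TaskName') { continue }        # header row repeated per task folder
        if ($t.TaskName -like '\Microsoft\*') { continue }  # built-in tasks
        New-Object PSObject -Property @{
            TaskName = $t.TaskName
            Command  = $t.'Task To Run'
            Author   = $t.Author
        }
    }
}

Write-Output '== Startup folder items =='
Get-StartupFolderItems | Format-Table -AutoSize -Property Path, Launches, Sha256
Write-Output '== Scheduled tasks outside \Microsoft =='
Get-NonMicrosoftTasks | Format-Table -AutoSize -Property TaskName, Command, Author
```

    A .bat in Startup whose Launches column names an .exe sitting next to it, as in the incident above, is the pattern to look for; the hash lets you check the detection ratio on virustotal.com before deciding whether the file is the locker, and the task list catches the case the manual procedure warns about, where the locker re-arms itself through Task Scheduler rather than the Run keys.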

    After a reboot, the window no longer pops up, which means the virus is no longer active.

    The cause of infection on this computer turned out to be that the last update of the Avast antivirus was on June 13 (that is, it had not been updated for more than a month), so on that date it did not yet know this virus and missed it.

    Method of infection: further analysis showed that the person had spent the entire time before the infection on various porn sites (more than 100 in a row). One of these sites contained malicious code (a Java exploit), which caused the infection.

    Viewing the Opera browser history showed that on the day of infection the user visited a large number of porn sites

    Final cleanup

    We update the antivirus and do a full system scan:

    In the scan results we detect the files through which the infection occurred

    In the scan results, we find the files through which the infection occurred. In this case, it happened completely unnoticed by the user and required no action on his part. Let me note again: if the user had bothered to keep the antivirus up to date, this infection would not have happened!

    We do the same with Malwarebytes Anti-Malware: