What to do if Windows is blocked by a virus. Cleaning up using Windows itself. If all else fails

Sometimes, when you turn on the computer, a message may pop up on the screen stating that the operating system is locked and you need to transfer a certain amount of money to receive an unlock code. In this case, the message may indicate the account of any mobile operator. Quite a lot of users face this problem.

This message is caused by a fairly common malware. Of course, there is no need to send anything, since no number will be received in response. At the same time, you should not pay attention to the text of the message, since a lot of things can be written there, but this is just an invention of the scammer to confuse the user. In this case, you should not despair, since the solution to this problem is quite simple.

It is worth noting that there is no point in trying to find unlock numbers on forums or any antivirus websites, since they are impossible to find. Even if the message contains a line for entering this password, this does not mean that it exists. As a rule, attackers don’t bother to come up with it, especially now. Owners of Windows XP, 7 and 8 operating systems often become victims of such scammers.

How to remove Windows locked

First of all, you need to familiarize yourself with how to fix this problem manually. There is also an automatic method of eliminating this virus, which will be described below. In automatic mode the whole process is much simpler; however, after eliminating the virus, some problems may arise. The most common problem is that the desktop cannot load.

To fix this locked system issue, you first need to go into Safe Mode with the ability to use the Command Prompt. These actions are performed differently on different operating systems.

In Windows XP and 7, after turning on the PC, you must press the F8 key repeatedly until the list of boot options appears, where you need to select safe mode. With some BIOS versions, pressing F8 displays a menu for selecting the disk to boot from. In this case, you need to select the hard drive, press Enter and immediately press F8.

In Windows 8, going into safe mode is a little more difficult. There are several ways to do this. The simplest of them is shutting the PC down improperly. The computer will turn on, but a lock window will appear. Here you need to hold down the power button for five seconds, after which the computer will turn off.

After starting the PC again, a window should open for selecting a boot method, in which you need to find safe mode with command line support. Once the command line has launched, type regedit in it and press Enter. As a result, the registry editor should load, where the main work of removing the virus will take place.

Then in the registry you need to select the HKEY_LOCAL_MACHINE section, then click SOFTWARE, then go to Microsoft, then Windows NT, find CurrentVersion and finally click Winlogon. Viruses that block the operating system often place their entries in this folder.

Here you need to pay attention to two parameters: Shell and Userinit. Their values are the same in every version of Windows, so it is worth checking that they are correct. For Shell, the value should be explorer.exe, and for Userinit it should be c:\windows\system32\userinit.exe, (the comma at the end must be present).

If a virus has tampered with the operating system, the values will be different. Usually it is Shell that changes. In this case, you need to right-click on the parameter with the changed value and select “Modify”, after which you should enter the correct value. In addition, you need to remember or write down the path to the virus that was registered there.

After this, you need to go to HKEY_CURRENT_USER and follow the same path as in the first section. Here you also need to pay attention to Shell and Userinit. Such parameters should not be present in this folder. If they are here, you need to select them and click on “Delete”.

Then go to HKEY_CURRENT_USER, select Software, then Microsoft, then Windows, then CurrentVersion and finally Run, and follow the same path starting from HKEY_LOCAL_MACHINE. In these folders, you also need to make sure that no parameter points to the same files as Shell did in the step above. If any do, they need to be removed. Often, the file names consist of a jumble of letters and numbers with the .exe extension. Anything similar to this should be removed.

Then you need to exit the registry editor and go back to the command line. Type explorer in it and press Enter, which will open the system desktop. After this, go to the file explorer and delete the files that were referenced in the deleted registry entries. Often these files are located in the Users directory, and getting to their location is quite difficult. The easiest way to do this is to enter the directory path in the address bar. All these files need to be deleted. If these files are located in the Temp folder, you can clean out this directory completely.

After completing all the manipulations, you must restart the PC. For this you can use the combination Ctrl+Alt+Del. After all these manipulations, the PC will start normally and work perfectly, and the blocking message will not appear. When you start your computer for the first time, you need to open the “Task Scheduler” and check that there are no strange tasks. If anything is found, it must be removed.
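
The checks from the manual procedure above can be scripted. The following is an added example, not part of the original article: it takes the saved text output of reg query for the two Winlogon keys and the two Run keys and lists what to fix, delete or review. The sample output and its file names are constructed, and flagging Run entries that start programs from a Temp folder is an assumption based on the article's remark about where such files usually sit.

```python
import re

WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
RUN = r"software\microsoft\windows\currentversion\run"
# Expected HKLM Winlogon values as given in the article, compared
# case-insensitively. Assumption: Windows is installed in C:\Windows.
EXPECTED = {"shell": "explorer.exe",
            "userinit": r"c:\windows\system32\userinit.exe,"}
# One value line of `reg query` output: 4 spaces, name, type, data.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)(?:\s{4}(.*))?$")
FILE_RE = re.compile(r'([^\\/"\s,]+\.(?:exe|bat|cmd|scr))')

# Constructed sample output (not taken from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\user\AppData\Local\Temp\a1b2c3.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\user\AppData\Local\Temp\a1b2c3.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    updater    REG_SZ    "C:\Users\user\AppData\Roaming\a1b2c3.exe" /s
    Sidebar    REG_SZ    C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    tmp helper    REG_SZ    C:\Windows\Temp\x9.exe
"""

def parse_reg_query(text):
    """Return {key path (lowercase): {value name (lowercase): data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1).lower()] = (m.group(3) or "").strip()
    return keys

def file_names(data):
    """Program file names mentioned in a value, minus the two legitimate ones."""
    names = set(FILE_RE.findall(data.lower()))
    return names - {"explorer.exe", "userinit.exe"}

def audit(text):
    """Return (findings, suspect file names) following the article's rules."""
    keys = parse_reg_query(text)
    findings, suspects = [], set()
    for path, values in keys.items():
        hive, _, sub = path.partition("\\")
        if sub != WINLOGON:
            continue
        for name, want in EXPECTED.items():
            got = values.get(name)
            if hive == "hkey_local_machine" and (got or "").lower() != want:
                findings.append(("fix", path, name, got))     # restore the value
            elif hive == "hkey_current_user" and got is not None:
                findings.append(("delete", path, name, got))  # must not exist here
            else:
                continue
            suspects |= file_names(got or "")  # remember the file to delete later
    for path, values in keys.items():
        if path.partition("\\")[2] != RUN:
            continue
        for name, data in values.items():
            if file_names(data) & suspects:    # same file as the altered Shell
                findings.append(("delete", path, name, data))
            elif "\\temp\\" in data.lower():   # assumption: autostart from Temp
                findings.append(("review", path, name, data))
    return findings, sorted(suspects)

if __name__ == "__main__":
    for finding in audit(SAMPLE)[0]:
        print(*finding)
```
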

Getting rid of Windows locked automatically using Kaspersky Rescue Disk

This method of unlocking the operating system is much simpler than the one described above. On a working PC, you need to download Kaspersky Rescue Disk from the manufacturer's official website. After this, you need to copy the disk image to some storage device.

After booting from this disk, you will be prompted to press a key and then choose the menu language. You need to choose the right one. After this you need to accept the license agreement. To do this, press 1 on the keyboard. After these manipulations, the disk menu will appear, where you need to select the graphic mode.

After the graphical shell launches, which allows you to perform various manipulations, you must select unlocking Windows. Then you need to select the items “Boot sectors”, “Hidden startup objects” and drive C. After that, you need to click “Run check”.

At the end of the scan, a report will appear on the screen that will display the actions performed and their results. As a rule, these manipulations are quite enough to unlock the operating system. After this, you need to click “Exit” and turn off the computer. After turning off the computer, you need to remove the drive and start the PC again. The operating system should start and you can start working on the computer.

These are all simple manipulations that will help get rid of the blocking of the operating system. Even novice users can perform them.

Today we are going to introduce you to another computer virus: Windows blocked, which is also known as Windows Blocked ransomware. This threat is not crypto-ransomware, and it does not encrypt the victim's files. However, it locks the victim's computer and asks them to pay if they want to access the computer again. By blocking the computer, it prevents the user from using programs or files that are stored on the computer. It also displays a full-screen message, which states that the computer user must pay a ransom to start using the computer again.

The Windows blocked virus asks you to buy a top-up card worth 400-600 rubles and enter the code in the field the criminals provide. Cyber criminals promise to unlock the computer immediately after the victim pays the ransom. The virus says that payment must be made within 10 hours, otherwise the computer system will be damaged. However, don't even start looking for your wallet, because it is entirely possible to regain access to your computer without paying. All you have to do is remove the Windows blocked virus from your system.

It is recommended to remove this virus using software, because it is very difficult to detect and remove it manually. This virus usually names its files differently, so users will not be able to quickly identify and remove it. All we know is where the virus writes its files. It saves them to your Downloads or Temp folder, but in order to enter these folders you need to restart your computer and enter safe mode. You can find detailed instructions on how to remove Windows blocked on page 2.

How can the Windows blocked malware enter your PC?

The Windows blocked virus can be downloaded from the official website or a malware website. Cyber criminals prefer to use click attacks and place harmful links in mildly suspicious content, so if you have even the slightest suspicion that the ad, link or button you are about to click on may lead you to dangerous websites, do not click on it. In order to protect your computer from malware, you should protect it with an anti-spyware tool like .

Malicious files also spread through e-mail. The 2-Spyware team strongly recommends that users watch out for emails that come from unknown persons, especially if they offer to open attachments. Scammers also tend to send intrusive emails, and if you want to block them, create a filter for such emails instead of clicking the “Unsubscribe” button provided in the message. Criminals typically insert malicious attachments behind this button.

If the Windows blocked Trojan has already entered your computer, please follow the instructions on uninstalling Windows blocked, which are provided on page 2, and eliminate it from your PC as soon as possible.

How to remove the Windows blocked virus?

You should not be afraid of the Windows blocked threat, and do not rush to pay, because this virus can be neutralized in quite a simple way. Since this virus does not encrypt files, but only blocks access to them, it is not dangerous, because by removing this virus you can regain access to the files. Please use the Windows blocked instructions below and remove this threat from your computer. To prevent computer threats that can infect your computer, we recommend that you install a powerful protection tool. For this reason, we recommend installing the antivirus tool SpyHunter. Don't forget to update the software regularly, because only then will it be able to identify and eliminate the latest version of the threat.

Those who are “lucky enough” to encounter such a malicious program will well understand how unpleasant and serious this problem is. Just imagine, you downloaded some file from the Internet, for example an e-book. So, you open the downloaded archive, and suddenly a message appears on the entire screen that the computer is locked and to unlock it you need to top up an account or transfer money to a wallet. In addition, there will definitely be a threat that if the requirements are not met, data important to you may be lost, your reputation may be damaged in various ways, and the computer may even be damaged and fail. That's it, you can't do anything anymore, the computer doesn't respond to any commands, and even rebooting and trying to call the task manager doesn't help.

Don’t be scared, all these threats are just a bluff, and even more so, you shouldn’t transfer any money to anyone. Such viruses do nothing more than block your PC. They are created by students, or children in general, who simply used a ready-made product in the hope of easy profit.

You can become infected with such malware by downloading something from the Internet. It is also common for computers to be accessed through vulnerabilities in the browser. No one is safe from this anymore, because to get infected you just need to go to an infected website.

Such viruses, once on a PC, register themselves in startup and block all the key applications you could use, while covering the entire screen with a lock message. But no matter how terrible this thing is, you can get rid of such malware without much effort.

Removing the Windows blocked banner

The images below show examples of banners.

First of all, you should understand that you should not follow the instructions in the banner. Don’t send money to anyone or send SMS; no one will send you an unlock key anyway, and you’ll just waste your money. Follow the recommendations below instead, which will help you rid your computer of Winlock.

First, find any other working computer or smartphone, and use it to visit the websites of the antivirus companies DrWeb or Kaspersky. There you will find special services for selecting unlock keys. Enter the required data there, after which a key will be generated. Take this key and enter it in the field of the banner that has blocked the computer. Quite often this method helps.

You can also download a utility on the Kaspersky and DoctorWeb websites that can be used to scan your computer for malware.

(Marked with number 1 on the screenshot)

If you are faced with a program that encrypts data that is important to you and also demands money, then you need to use various additional programs that can decrypt it. (Marked with number 2 on the screenshot)

I recommend saving such utilities to a flash drive or disk in advance so that, if necessary, you can use the necessary tools without resorting to an additional computer.

How to start the OS if Windows is locked?

We will start Windows in safe mode. To do this, after turning on the computer, before Windows loads, you must press the F8 key. Using the arrows on the keyboard, you can select the desired boot mode. It is a good sign if the virus does not start in safe mode. If Winlock does start, then you can try another mode that has command line support. If that does not help either, there is still one more option: start the OS from a bootable flash drive or disk.

To create such a flash drive or disk, you must download Windows PE and write the downloaded disk image to a suitable storage medium. Then, immediately after you turn on the computer and the BIOS screen appears, press the Del key (or F2/F10/F12 depending on the motherboard; check its manual). You will be taken to the BIOS settings menu, in which you need to put the disk drive or USB first in the OS boot order and save the changes. Don't forget to insert your disk/flash drive and restart your computer. After this, Windows PE will start, which already has a fairly rich toolkit for removing Winlocker.

If you were able to start your native OS, then scan it with the antivirus utilities recorded on the storage medium. If you started with Windows PE, then run these applications from the flash drive. Additionally, you can use the applications that come with this Windows OS.

How to unlock the computer manually?

This method often helps: using a file manager, clear all temporary Temp folders and the Application Data folder (located in the user's home folder).

Completely clear the caches of all installed browsers. Delete the file through which you were infected, if there is one. After all these steps, restart your computer. If all this does not save you from the banner, try the following recommendations.

Look for all files with a recent modification date, this way you can find winlock files. Quite often, you can deactivate a virus by resetting the date in the BIOS several years ahead or back.

If you managed to start your native system in safe mode, then a mandatory step will be to clean the registry. Open the registry editor through the Run dialog by entering the regedit command. If there is command line support, then the same command can be entered in the console.

Next you should go to this branch: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Pay attention to the following parameters: Shell, which should contain “explorer.exe”, and Userinit, whose value should be "\WINDOWS\system32\userinit.exe". If the values of these parameters differ, change them to what they should be. It is better to rewrite these values even if they are not different.

It is necessary to check the branch associated with autoloading, which is located on this path.

We understand you, since you visited our site in search of a solution to your problem. It is easy to pick up the Windows blocked banner on the Internet, although doing it on purpose would still take some effort. Of course, lovers of “hot” content have already encountered the problem of an SMS virus blocking Windows, but in fact you do not have to be on a site containing pornographic or other obscene materials to run into the “Windows blocked” window. You can go to a seemingly decent site, click on any link to download a program and become the “lucky” owner of a banner, after which Windows is completely or partially blocked and you are asked to top up a Beeline or MTS account.

Usually such a Windows blocked virus displays a banner over the entire desktop, and you can't do anything. As a rule, you see pseudo-warnings with penalties that threaten to expose your inappropriate behavior. As a fine for this, they require you to top up an MTS or Beeline subscriber number in the amount of 1000, 2500, or even 3000 rubles. The blackmail is reinforced by the claim that your data may be deleted after a certain time and that information about the alleged misconduct will be handed over to the authorities.

It is all simple psychological pressure, designed to make you, a gullible user, rush to send money to who knows whom and where in order to remove the Windows blocked banner. The most annoying thing is that even if you fork out and send money or an SMS, you still won’t get the code for the Windows blocked banner, and the money will disappear. So what should a gullible user do after catching the Windows blocked banner virus? 3000 rubles is not a small amount to send to the hackers who create such blockers.

How to remove the Windows blocked banner

Don't think that removing the Windows blocked banner in Windows 7 is very difficult. The purpose of our site is precisely to simplify the removal of the Windows blocked banner, although scammers do not sleep and try in every possible way to get around the options described on the Internet for removing the Windows blocked sign. Here you will find exactly your case, for example, if Windows XP is installed on your computer, locked by a “microsoft security essentials” application and completely paralyzed. In any case, you will agree that there are no hopeless situations.

Activating a blocked Windows XP, 7, 8 or Vista, whatever one may say, requires practice, and you will find the theory here. Now let's move directly to the methods of removing the Windows blocked banner demanding 1000 rubles or more.

Removing the “Windows blocked, top up your number” banner using the Virustop computer service

If you are one of those for whom unlocking Windows on your own by a more complex method is an incomprehensible task, the right decision will be to call a computer technician to your home.

But first, try to find passwords or cheats yourself. To do this you need to use the free computer unlocking services from leading antivirus developers: Kaspersky and Doctor Web. They are also called deblockers. What utilities are there?

Unlocking the Windows blocked virus with the Doctor Web utility

So, in the field that appears, you will need to enter the phone number or wallet to which you are asked to transfer money. By the way, you can also try to find the code and name of the virus from the images: a black, blue or green Windows blocked banner, or a porn banner of a different color. When you click, the system offers pre-prepared banner pictures and approximate unlock codes. It all depends on the class and complexity of the malware, so it happens that the codes found by phone number do not work for unlocking Windows when you enter them directly on the locked computer.

Removing the Windows blocked banner with Kaspersky

Kaspersky has a similar service. Go to http://support.kaspersky.ru/, select [Combating malware] and follow the link [Removing banners from the desktop, unlock Windows].

Enter the number in the form provided and click [get code]. You can enter either a regular number or the text of the SMS for a short number. The service will provide several options for unlocking Windows by phone number at once; try them all, one or the other will definitely work.

If, when the operating system loads, instead of the usual desktop you see this or a similar message, complete with threats of data destruction, damage to the computer, arrest, execution, etc. in case of non-payment within a short time, and this message cannot be removed or minimized in any way (no actions are possible other than entering the unlock code), please know: you have become a victim of ransomware scammers, but you should NEVER pay them. By paying, you only sponsor the further development of malware; in addition, sending money somewhere does not mean that they will send you a saving code, and even if they do, there is no guarantee that the situation will not repeat itself in a week. In this article I will describe how to prevent such an infection and cure your computer if it does happen, using the example of one such incident.

At present, such an infection is encountered relatively rarely, but people still manage to find it somewhere, and then they have to remember their past experience and take on the task of eliminating this scourge. Two years ago, the situation with Winlocker viruses was simply catastrophic: almost everyone was infected repeatedly. The ingenuity of virus writers was amazing: there were cases when the situation was resolved only by a complete reinstallation of the system. After the arrest of a gang of such “programmers” in Moscow last year, the situation improved dramatically. I was amazed by the amount they earned in six months: a billion(!!!) rubles.

Now I will describe today's incident

Symptoms: the virus window is on top of all others, the Task Manager is blocked, and there is the standard set of threats. Among the innovations, it should be noted that the authors of such viruses no longer offer to send money via SMS. Instead, you need to replenish their WebMoney wallet (in this case, it is almost impossible to track the author of the virus), and the amounts have increased: if earlier extortionists asked for 30 hryvnia, now they ask for 100 hryvnia (and criminal liability in Ukraine starts from 60 hryvnia). I laughed at the completely wretched execution of the virus: they couldn’t even implement full-screen mode (apparently a screen resolution of 1200×800 falls into the unlikely category))), so overcoming it was not difficult (but if the victims start transferring money to them, they will buy a lot of smart books on programming and next time they will write something more elegant!), and there are a bunch of grammatical errors (“…reports blocking…”))).

The mechanism of infection, how the virus works and how to remove it

In startup there is a file “superclubber.bat” with the text:

@echo off
Title superclubber
start superclubber.exe

Detecting the Winlock Trojan in Windows startup using the Sysinternals Autoruns utility

That is, it launches the “superclubber.exe” file, which is the actual virus. Accordingly, the entire treatment procedure comes down to deleting this registry entry and two files (unfortunately, such simple viruses are very rare; usually you have to sweat very hard to get rid of one). Analysis of this file on the website virustotal.com showed that at this moment only 14 antiviruses out of 43 detect it (a low percentage(!)). Avira (TR/Crypt.CFI.Gen), Avast (Win32:Rootkit-gen), AVG (Generic23.AMUX), DrWeb (Trojan.Winlock.3724), Kaspersky (Trojan-Ransom.Win32.Blocker.apz) and NOD32 (a variant of Win32/LockScreen.AHP trojan) were among those that detect it. Among those that do not yet detect it and, accordingly, let it through, the antiviruses from Microsoft, Panda, Symantec, McAfee and GData should be noted.

After a reboot, the window no longer pops up, which means the virus is no longer active.

Cause of infection: it turned out that the Avast antivirus on this computer was last updated on June 13 (that is, it had not been updated for more than a month); as of that date it did not yet know about this virus and therefore missed it.

Method of infection: further analysis showed that the person spent the entire time prior to infection on various porn sites (more than 100 in a row). Some of these sites contained malicious code (a Java exploit) that caused the infection.

Viewing the Opera browser history showed that on the day of infection the user visited a large number of porn sites

Final cleanup

We update the antivirus and run a full system scan:

In the scan results, we find the files through which the infection occurred. In this case it happened completely unnoticed by the user and did not require any action from him. Let me note again: if the user had bothered to keep the antivirus up to date, this infection would not have happened!

We do the same with the Malwarebytes Anti-Malware program: