
What to do if the “Windows operating system is locked”: how to unlock Windows from ransomware


Hello my readers! An ordinary Windows user is unlikely to be surprised by extortion of money through malicious Winlock trojans, better known as the “Windows blocker”.

And this is not surprising, because every second inexperienced user who ignores the security of his computer automatically puts himself on the white list of scammers, who, as practice shows, are quite good at extracting money from frightened and confused newcomers who do not know how to react to such a situation.

Therefore, to answer the questions “How do I avoid becoming a victim of deception?” and “What do I do if Windows is blocked?”, I suggest that you carefully study the material below, which guarantees getting rid of the problem with a few clicks of the mouse.

Where does it all start

One evening, while you are browsing the Internet as usual, visiting sites and reading the news feed, your computer may freeze. A terrifying banner may then appear in the center of the screen, covering almost the entire desktop and asking you to send an SMS (which, obviously, is not free) or to top up the mobile number specified in the demand. Otherwise, it threatens, all data on the computer will be automatically destroyed.

I will give you some practical advice on what to do if Windows is locked and asks for a code. I will give the best options for unlocking the system.

No extra moves

Fortunately, for some Trojans it is indeed possible to find an unlock code, which, although rarely, completely removes the virus from the system.

You can look up the necessary code in well-known anti-virus databases (more specifically, in a couple of minutes you can find the key data on their main pages).

A Windows unlock service is available from these companies:

  • Doctor Web
  • Kaspersky Lab

If your system is blocked, you can open the required page from any other PC, tablet or phone.

Important! Having unlocked access to the system, do not rejoice prematurely. The next step is to scan the disk with any antivirus program.

System Restore

Before moving on to the more complex methods involving special software, I suggest trying to eradicate the problem with the tools at hand, namely by opening Task Manager in your usual way (usually Ctrl+Alt+Del).

Did it work? Then congratulations, you are dealing with an ordinary, simple Trojan that can be removed easily and quickly.

  • We find a suspicious foreign process in the list of processes.
  • We force it to end.

An example of what your virus might look like.

Often, a foreign process has an indistinct name and is displayed without a description. Find such processes in the list and force them to end. I advise you to do this slowly, one at a time, until the banner disappears.

If the miracle did not happen and Task Manager cannot be opened, I suggest moving on to the third-party process manager Explorer.exe, which can be downloaded from the link. The program can be launched using the "Run" command (press Win+R).

It is very easy to identify a suspicious process in the explorer.exe directive.

Military strategy

Another way to deal with the virus is to use standard programs, such as ordinary Notepad or WordPad.

To do this, working “blindly” (because you still cannot close or hide the banner), you will need to:

  1. Launch the Run utility (Win+R).
  2. Type "notepad" in it and press the "Enter" key.
  3. Ideally, a new text file will open under the banner window; type any text in it (no matter what) and press the power button on the system unit.
  4. All processes running on the system will then begin to terminate, except for Notepad, which will ask you whether to “save” or “close without saving” the document (which we, of course, leave unanswered for now).
  5. After deactivating the virus, as in the previous method, find the location of the Trojan and destroy it.

More advanced way

For "unrealistically complex" Trojans written by hackers, resorting to Task Manager or other system components will not help.

Therefore, it's time to move on to heavy artillery, namely safe mode.

Step-by-step instruction:

  1. We restart the computer, and at the time of loading the operating system, hold down the F8 key (sometimes the button is different, it depends on your PC).
  2. In a new window (assuming a choice of boot method), select "Safe Mode + Command Prompt".
  3. After booting, type regedit on the command line and press Enter to launch the registry editor.
  4. In the registry editor, we examine the applications that start with the PC.
    Most likely you will see the full path to the Trojan files in the Shell and Userinit values. In "Shell" the virus is written in place of explorer.exe, and in "Userinit" it is listed after the comma.
  5. Copy the full name of the virus to the clipboard.
  6. We write “del” on the command line, press the spacebar and right-click to call up the context menu.
  7. In the menu window, select the "Paste" command and press Enter.

Voila, the first Trojan file has been successfully destroyed. We carry out a similar operation with the second and subsequent ones (if any).

Well, that's all: I have described the main effective ways to restore access to your data. If all the above actions are difficult for you because of inexperience and fear of making things worse, I recommend that you take the training course "computer genius". It will help you gain courage and understand the basics of using a PC.

I hope I can now be calm about you and the safety of your information. Be sure to share this useful information with your friends on social networks; this material will surely come in handy for them too. Don't forget to subscribe to blog updates and install a reliable antivirus! See you soon!

Sincerely! Abdullin Ruslan

Surely every fourth user of a personal computer has encountered some kind of fraud on the Internet. One type of deception is a banner that blocks Windows and demands that you send an SMS to a paid number or pay in cryptocurrency. Basically, it's just a virus.

To fight a ransomware banner, you need to understand what it is and how it gets onto your computer. The banner usually looks like this:

There may be all sorts of other variations, but the essence is the same: crooks want to make money off you.

How a virus enters a computer

The first variant of "infection" is pirated applications, utilities, games. Of course, Internet users are used to getting most of what they want online “for free”, but when downloading pirated software, games, various activators and other things from suspicious sites, we run the risk of becoming infected with viruses. In this situation, it usually helps.

Windows may be blocked because of a downloaded file with the extension ".exe". This does not mean that you need to refuse to download files with this extension. Just remember that ".exe" applies only to games and programs. If you download a video, song, document or picture, and its name has ".exe" at the end, then the chance of the ransomware banner appearing increases dramatically, to 99.999%!

There is also a tricky move involving the supposed need to update the Flash player or browser. You may be working on the Internet, moving from page to page, and one day you will see a message that "your Flash player is out of date, please update." If you click on this banner and it does not lead you to the official adobe.com website, then it is 100% a virus. Therefore, check before clicking the "Update" button. The best option is to ignore such messages altogether.

Lastly, outdated Windows updates weaken system protection. To keep your computer protected, try to install updates on time. This feature can be configured in "Control Panel -> Windows Update" to automatic mode, so as not to be distracted.

How to unlock Windows 7/8/10

One of the simple options to remove the ransomware banner is to reinstall Windows. It helps 100%, but reinstalling Windows makes sense only when you have no important unsaved data on the C drive. When you reinstall the system, all files will be deleted from the system disk. Therefore, if you do not want to reinstall your software and games, you can use other methods.

After curing and successfully starting the system without the ransomware banner, additional steps must be taken, otherwise the virus may resurface, or there will simply be some problems in the system. All this is at the end of the article. All information is personally verified by me! So, let's begin!

Kaspersky Rescue Disk + WindowsUnlocker will help us!

We will use a specially designed operating system. The whole difficulty is that on a working computer you need to download an image and or (scroll through the articles, there are).

When it's ready, you need. At the time of startup, a small message will appear, such as "Press any key to boot from CD or DVD". Here you need to press any button on the keyboard, otherwise the infected Windows will start.

When loading, press any button, then select the language - "Russian", accept the license agreement using the "1" button and use the launch mode - "Graphic". After starting the Kaspersky operating system, we do not pay attention to the automatically launched scanner, but go to the "Start" menu and launch the "Terminal"


A black window will open where we write the command:

windowsunlocker

A small menu will open:


Select "Unlock Windows" with the "1" button. The program itself will check and fix everything. Now you can close the window and check the entire computer with the already running scanner. In the window, put a tick on the disk with Windows OS and click "Perform object check"


We are waiting for the end of the check (may be a long time) and, finally, we reboot.

If you have a laptop without a mouse, and the touchpad does not work, then I suggest using the text mode of the Kaspersky disk. In this case, after starting the operating system, you must first close the menu that opens with the "F10" button, then enter the same command on the command line: windowsunlocker

Unlock in safe mode, no special images

Today, viruses like Winlocker have grown wiser and block, so most likely you will not succeed, but if there is no image, then try. Viruses are different and everyone can work in different ways, but the principle is the same.

We restart the computer. During boot, you need to press the F8 key until a menu of additional options for starting Windows appears. We need to use the down arrows to select an item from the list, which is called "Safe Mode with Command Line Support".

This is where we need to get to and select the desired line:

Further, if everything goes well, the computer will boot up and we will see the desktop. Excellent! But that doesn't mean everything works now. If you do not remove the virus and just reboot in normal mode, the banner will pop up again!

Treatment with Windows tools

You need to restore the system to a point when there was no blocker banner yet. Read the article carefully and do everything that is written there. There is a video below the article.

If it doesn't help, then press the "Win + R" keys and type the command to open the registry editor in the window:

regedit

If a black command line window is launched instead of the desktop, simply enter the “regedit” command and press “Enter”. We have to check some registry keys for viruses, or, to be more precise, malicious entries. To start, go to this path:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Now, in order, we check the following values:

  • Shell - “explorer.exe” must be written here, there should be no other options
  • Userinit - here the text should be "C:\Windows\system32\userinit.exe,"

If the OS is installed on a drive other than C:, the letter will be different accordingly. To change incorrect values, right-click the line you want to edit and select "Modify":

Then we check:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

There should be no Shell and Userinit values here at all; if there are, delete them.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

And be sure to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If you are not sure whether you need to delete an entry, you can first simply add a “1” to its value. The path will then be invalid, and the program will simply not start. Later you can return it to the way it was.
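
A read-only check of the registry locations listed above, written in PowerShell as an added example (it is not code from the original article). The helper names Get-RegValue and New-Finding are made up for this example, and the Temp/Downloads pattern is an assumption based on the folders this page names as typical locations for the blocker's files.

```powershell
# Added example: read-only audit of the autorun registry locations named in the article.
# Nothing is changed; review each finding before editing it in regedit.

$winlogonHklm = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonHkcu = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Expected values as given in the article. $env:SystemRoot covers a Windows
# installation on a drive other than C:.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
}

# Assumption: entries started from these folders deserve a closer look.
$suspiciousPath = '\\(Temp|Downloads)\\'

function Get-RegValue {
    # Hypothetical helper: returns the value data, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null)
}

function New-Finding {
    # Hypothetical helper: one row of the report.
    param([string]$Key, [string]$Name, [string]$Data, [string]$Status)
    New-Object PSObject -Property @{ Key = $Key; Name = $Name; Data = $Data; Status = $Status }
}

$findings = @()

# 1. HKLM Winlogon: Shell and Userinit must hold exactly the default values
#    (string comparison in PowerShell is case-insensitive).
foreach ($name in 'Shell', 'Userinit') {
    $data = Get-RegValue $winlogonHklm $name
    $status = if ("$data" -eq $expected[$name]) { 'OK' } else { 'CHECK: expected ' + $expected[$name] }
    $findings += New-Finding $winlogonHklm $name $data $status
}

# 2. HKCU Winlogon: neither value should exist at all.
foreach ($name in 'Shell', 'Userinit') {
    $data = Get-RegValue $winlogonHkcu $name
    if ($null -ne $data) {
        $findings += New-Finding $winlogonHkcu $name $data 'CHECK: value should not exist here'
    }
}

# 3. Run / RunOnce: list every entry and mark those started from Temp or Downloads.
foreach ($path in $runKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        $status = if ($data -match $suspiciousPath) { 'CHECK: runs from Temp/Downloads' } else { 'review' }
        $findings += New-Finding $path $name $data $status
    }
}

$findings | Select-Object Status, Key, Name, Data | Format-List
```

Entries marked "review" are not necessarily malicious; they are simply everything that starts with Windows from those keys and still have to be judged one by one.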

Now you need to run the built-in system cleaning utility, we do it in the same way as we launched the registry editor "regedit", but we write:

cleanmgr

Select the disk with the operating system (by default C:) and after scanning, check all the boxes except for "Service Pack Backup Files"

And click "OK". With this step we may have disabled the virus's autorun; next we need to clean up the traces of its presence in the system, which is covered at the end of the article.

AVZ Utility

This method consists of running the well-known antivirus utility AVZ in safe mode. In addition to searching for viruses, the program has a great many functions for fixing system problems. This method repeats the steps for closing the holes left in the system after the virus has done its work, so to get acquainted with it, go to the next section.

Fixing issues after ransomware removal

Congratulations! If you are reading this, then the system started without a banner. Now you need to check the whole system with them. If you used the Kaspersky rescue disk and checked it there, then you can skip this item.

There may also be one more trouble associated with the activities of the villain - the virus can encrypt your files. And even after its complete removal, you simply will not be able to use your files. To decrypt them, you need to use programs from the Kaspersky website: XoristDecryptor and RectorDecryptor. There are also instructions for use.

But that's not all, because Winlocker has most likely made a mess of the system, and various glitches and problems will be observed. For example, the registry editor and task manager will not start. To treat the system, we will use the AVZ program.

When downloading with Google Chrome, there may be a problem, because this browser considers the program to be malicious and does not allow it to be downloaded! This question has already been raised on the official Google forum, and at the time of writing, everything is already OK.

To still download the archive with the program, you need to go to "Downloads" and click "Download malicious file" there 🙂 Yes, I understand that it looks a little silly, but apparently chrome thinks that the program can harm the average user. And this is true, if you poke wherever you hit! Therefore, strictly follow the instructions!

We unpack the archive with the program, write it to external media and run it on the infected computer. Let's go to the menu "File -> System Restore", mark the checkboxes as in the picture and perform the following operations:

Now let's take the following path: "File -> Troubleshooting Wizard", then go to "System problems -> All problems" and click on the "Start" button. The program will scan the system, and then in the window that appears, set all the checkboxes except "Disabling operating system updates in automatic mode" and those that begin with the phrase "Allow autorun from ...".

Click on the "Fix flagged issues" button. After successful completion, go to: "Browser settings and tweaks -> All problems", here we put all the checkboxes and in the same way click on the button "Fix flagged problems".

We do the same with “Privacy”, but here do not check the boxes that are responsible for cleaning bookmarks in browsers and what else you think you need. We finish the check in the sections "Cleaning the system" and "Adware/Toolbar/Browser Hijacker Removal".

At the end, close the window without leaving AVZ. In the program we find "Tools -> Explorer Extensions Editor" and remove the checkmarks from those items that are marked in black. Now let's go to: "Tools -> Internet Explorer Extension Manager" and completely erase all the lines in the window that appears.

I already said above that this section of the article is also one of the ways to cure Windows of a ransomware banner. In this case, you need to download the program on a working computer and then write it to a USB flash drive or to a disk. All actions are carried out in safe mode. But there is another option for running AVZ even if safe mode is not working: start, from the same menu shown when the system boots, in the "Computer Troubleshooting" mode.

If you have it installed, it will be displayed at the very top of the menu. If not there, then try to start Windows until the banner appears and turn off the computer from the outlet. Then turn it on - a new launch mode will probably be offered.

Starting from a Windows installation disc

Another sure way is to boot from any Windows 7-10 installation disk and select not "Install" there, but "System Restore". When the troubleshooter is running:

  • You need to select "Command Prompt"
  • In the black window that appears, type "notepad", i.e. launch regular Notepad. We will use it as a mini file explorer
  • Go to the menu "File -> Open" and select the file type "All files"
  • Next, find the folder with the AVZ program, right-click the executable file “avz.exe” and launch the utility using the “Open” menu item (not the “Select” item!).

If nothing helps

This applies to cases when, for some reason, you cannot boot from a flash drive with a recorded image of Kaspersky or the AVZ program. You just have to take the hard drive out of the computer and connect it as a second drive to a working computer. Then boot from the UNINFECTED hard drive and scan YOUR drive with a Kaspersky scanner.

Never send SMS messages requested by scammers. Whatever the text, do not send messages! Try to avoid suspicious sites and files, but in general read. Follow the instructions and then your computer will be safe. And do not forget about the antivirus and regular updates of the operating system!


Today we are going to introduce you to another computer virus: Windows blocked, also known as Windows Blocked ransomware. This threat is not crypto ransomware and it does not encrypt the victim's files. However, it blocks the computer and asks the victim to pay to regain access to it. By blocking the computer, it prevents the user from using the programs or files stored on it. It also displays a full-screen message stating that the user must pay a ransom in order to start using the computer again.

The Windows blocked virus asks you to buy a top-up card worth 400-600 rubles and enter its code in the field the criminals provide. The cyber criminals promise to unlock the computer immediately after the victim pays the ransom. The virus says that payment must be made within 10 hours, otherwise the computer system will be damaged. However, don't even start looking for your wallet, because it's entirely possible to regain access to your computer without paying. All you have to do is remove the Windows blocked virus from your system.

It is recommended to remove this virus using software, because it is very difficult to detect and remove manually. The virus usually gives its files varying names so that users cannot quickly identify and remove them. All we know is where the virus writes its files. It saves them to the Downloads or Temp folder, but in order to get into these folders, you need to restart your computer and enter safe mode. You can find detailed instructions on how to remove Windows Locked on page 2.

How can Windows blocked malware enter your PC?

Windows blocked virus can be downloaded from the official site or malware site. Cyber criminals prefer to use click attacks and place harmful links in slightly suspicious content, so if you have the slightest suspicion that the ad, link or button you are about to click may lead you to dangerous websites, do not click on it. In order to protect your computer from malware, you must protect it with an anti-spyware tool like .

Malicious files are also distributed via email. The 2-Spyware team strongly advises users to keep an eye out for emails that come from unknown individuals, especially if they offer to open attachments. Fraudsters also tend to send intrusive emails, and if you want to block them, create an email filter instead of clicking the "Unsubscribe" button in the email provided. Criminals tend to inject malicious attachments behind this button.

If the Windows Blocked Trojan has already infiltrated your computer, please follow the Windows Blocked Trojan removal instructions provided on page 2 and eliminate it from your PC as soon as possible.

How to remove Windows blocked virus?

You should not be afraid of the Windows blocked threat, and do not rush to pay, because this virus can be neutralized in a fairly simple way. Since it does not encrypt files but only blocks access to them, it is not dangerous: by removing the virus, you get access to your files back. Please use the Windows blocked instructions below and remove this threat from your computer. To prevent threats that can infect your computer, we recommend that you install a powerful protection tool. For this reason, we recommend installing the SpyHunter antivirus tool. Do not forget to update the software regularly, because only then will it be able to identify and eliminate the latest version of the threat.

Symptoms

Suddenly, unexpectedly, when you turn on the PC, you will see not the desktop that is familiar to the eye, but a full-screen message stating that Windows is now locked. To remove this lock, you are prompted to send an SMS and enter the unlock code. And they warn in advance that reinstalling Windows can cause data corruption, etc. In general, there are many varieties of this infection, and it makes no sense to describe in detail the behavior of each.

A typical window that indicates a PC infection with a virus.

Treatment

1. To begin with, do not send any SMS to any short numbers. You will simply lose money and the system will not be restored.

2. Try to use services from Doctor Web and Nod:

It is possible that you will be able to pick up an unlock code. By the way, for many operations you will need a second computer; if you don't have one, ask a neighbor, friend, sibling, etc.

3. Unlikely, but sometimes it helps. In the BIOS settings (when booting the PC, press the F2 or Del button, depending on the model), try changing the date and time a month or two ahead. Then restart Windows. Next, if the computer boots up, clear everything in startup and scan the PC.

4. Restart your computer in safe mode with command line support. To do this, when you turn on and boot your PC, press the F8 button; the Windows boot menu should appear in front of you.

After booting, enter the word "explorer" on the command line and press the Enter key. Then open the Start menu, select Run and type "msconfig".

If everything is done correctly, a window will open in which you can see the startup programs and, of course, disable some of them. In general, you can disable everything and try to restart the PC. If it works, download the latest version of any antivirus and scan your computer. By the way, a scan with CureIT gives good results.

5. If the previous steps didn't help, it's worth a try. To do this, you may need an installation disk, it would be nice to have it on the shelf in advance, so that if something happens ... By the way, you can read about how to burn a boot disk with Windows.

6. To restore the PC, there are special live cd images, thanks to which you can boot, check your computer for viruses and delete them, copy important data to other media, etc. Such an image can be written to a regular CD (if you have a drive) or to a flash drive ( , ). Next, enable boot from disk / flash drive () in Bios and boot from it.

The most popular are:

Dr.Web® LiveCD - (~260mb) a good image that can quickly check the system for viruses. There is support for several languages, including Russian. Works pretty fast!

LiveCD ESET NOD32 - (~200mb) the image is slightly smaller than the first one, but it loads automatically* (I will explain. On one PC, I tried to restore Windows. As it turned out, the keyboard was connected via USB and refused to work until the OS loaded. That is, when booting the rescue disk, it was impossible to choose the computer check in the menu, and since on many rescue disks Windows is loaded by default, it was loaded instead of the Live CD. This one, by default, loads its mini-OS and starts checking the hard drive. Great!). True, checking with this antivirus takes quite a long time; you can safely go and rest for an hour or two ...

Kaspersky Rescue Disk 10 is a bootable rescue disk from Kaspersky. By the way, I used it not so long ago and there are even a couple of screenshots of its work.

After checking with such a disk, the computer must be restarted, and the disk removed from the tray. If the virus was found and removed by the antivirus program, you will most likely be able to start working normally in Windows.

7. If nothing helps, maybe you should think about. Before this operation, save all the necessary files from your hard drive to other media.

There is also another option: call a specialist, however, you will have to pay ...

Have you turned off your PC or laptop for a while, then turned it on, and found the message “Your Windows is blocked by the Ministry of Internal Affairs of the Russian Federation ...” displayed on your desktop? At the same time, everything is blocked, and the keyboard and mouse do not work? This is a common virus, also known as a ransomware banner.

Literacy among crooks is sometimes lame

Needless to say, these crooks know what they're doing. You read, in strict official language, that the Ministry of Internal Affairs of the Russian Federation (or Ukraine) has blocked the PC for watching bad videos and that you face a fine under article such-and-such. This causes shock and bewilderment. And then comes fear for your data, because below it is written that if you do not pay the fine within N hours, Windows will be deleted.

But below that is a personal phone or wallet number (this is evidence against themselves!), and it is also written that when the time runs out the PC will be liquidated, explode and fly into space. This already causes laughter and the understanding that the message "Windows is blocked" is just a joke. Therefore, nothing will happen to the computer and these crooks do not need to be paid. True, you still have to figure out how to unlock your computer from the ransomware virus.

By the way, anyone can “block” Windows: the Ministry of Internal Affairs of the Russian Federation, the Security Service of Ukraine, Microsoft Security Essentials, etc. The crooks' imagination works well.

Of course, you can pay this alleged "fine" to the specified wallet or phone in the hope of receiving a saving unlock code, but where will the scammer send it? And to whom? And how much do you think he cares? As a result, you will only spend money and will not receive a code. And then you will still have to figure out how to remove the banner of the Ministry of Internal Affairs from the computer.

Why is Windows being blocked?

Because you caught a virus from some dubious site. Perhaps these were cheats for a computer game. Maybe some program or Windows installation. I also had one case when this virus was caught while uploading an abstract.

By the way, very often on third-party sites the message “Your Flash Player is out of date, update it” pops up. If you click on it, you can catch this virus. Ignore such messages, and update only manually and only from the official Adobe website.


Something like this message pops up in browsers (with a virus, of course)

In general, no one is immune from this. And the ransomware banner appears everywhere: on Windows XP, 7, 8 or 10. You can, of course, install an antivirus and not go to dubious sites - this will reduce the likelihood of catching this infection, but there are no guarantees.

Now let's move on to the main part and consider the most effective ways to remove the "Windows is locked" banner.

Since your PC or laptop is not working, and nothing can be done about it, in some cases a second computer will be needed to solve the problem. It is with its help that you can find the necessary programs to remove the banner.

A simple service from Dr.Web

The easiest solution to this problem is to enter the wallet or phone number indicated in the message and see if there is already a code on the Internet to unblock the virus. For this:

  1. Go to the Dr.Web site (link).
  2. Enter the number and click the "Search Codes" button.
  3. See if any unlock codes are found.


If the service found something, try entering this code. Perhaps this will help unlock the computer from the banner. If nothing is found, then move on.

Kaspersky Rescue Disk

The free utility Kaspersky Rescue Disk is one of the most effective options for removing the “Windows is blocked” banner. After all, it can not only unlock the computer from the banner of the Ministry of Internal Affairs, but also scan it for viruses and eliminate the remaining traces of this infection.

First you need to download it on a working PC from the official site (link), and then correctly write it to a USB flash drive using UltraISO, Rufus, etc.

Next, you need to boot from it on the locked computer or laptop. To do this, go into the BIOS or Boot Menu and set the USB flash drive to boot first, and the HDD after it.

After a successful boot, the Kaspersky Rescue Disk utility will start. Further:


Next, the utility will get to work and remove the annoying banner that Windows is blocked. After that, it is recommended to check your computer or laptop with the same program in order to permanently erase the remaining traces of this virus.

If the mouse and touchpad on the laptop do not work, then select the text mode, not the graphic one. After starting the OS, press F10 (to hide the menu), and then write the command windowsunlocker in the command line.

Another great and free utility is . Write to a USB flash drive and boot from it on a locked PC (how to do this is written above).

Thereafter:

  1. Wait for the utility to load.
  2. Accept the license agreement.
  3. Press the "Start" button and select "Start automatically".


The utility will scan and remove the virus.

Instead of a conclusion

That's all. Now you know what to do if Windows is blocked and how to get rid of the ransomware banner. Of course, there are many other ways to unlock your computer from the MVD virus, but these 2 programs are more than enough.

First, they are the most efficient. Secondly, these methods are very simple and understandable even for beginners. And with the help of these utilities, you can remove the banner of the Ministry of Internal Affairs, after which the PC or laptop will work again, as before.