
Free Dr.Web CureIt! utility: first aid after unlocking the computer. Free SMS ransomware unlocker from Dr.Web

Lately, computers have increasingly been infected with the so-called ransomware virus (Trojan.Winlock), which demands a paid SMS to unblock the machine. In this article, you will learn how to get rid of this virus completely free of charge. In situations where antivirus sites do not open, download and run this utility.

Method 1. For the case when Windows boots up and a banner appears on the screen.

The easiest way to get rid of the virus on your desktop is to visit the website of the antivirus software developer Kaspersky Lab and use the form there to obtain the unlock key. A similar operation can be performed on the Doctor Web site. After the banner disappears from the desktop, be sure to check your computer for viruses.

Sequence of actions:
  1. Go to the website of Kaspersky Lab or Doctor Web and use the unlock key.

Method 2 and the following methods are for cases when the unlock key does NOT work.

If a banner appears on the desktop when you turn on your computer, use the free virus-treatment utility CureIt or the Kaspersky Virus Removal Tool. These curing utilities can be run even if another antivirus is already installed on your computer.

Sequence of actions:

Download and run the CureIt utility or the Kaspersky Virus Removal Tool.

Method 3. For the case when Windows does not boot.

If, when you turn on the computer, an offer to part with a couple of hundred rubles appears on the monitor instead of the operating system loading, boot the computer in safe mode. To do this, restart your computer and repeatedly press the "F8" key on your keyboard. After a few seconds, you will be prompted to choose a Windows boot option. Select "Safe Mode with Networking". Next, get rid of the virus using one of the methods described above.

Sequence of actions:
  1. Boot into Safe Mode.
  2. Remove the banner using a key from one of the sites of Kaspersky Lab or Doctor Web.
  3. Restart the computer.
  4. Check your computer for viruses.

Method 4. For the case when Windows does not boot in Safe Mode.

In a situation where you need to remove a banner from the desktop and the operating system does not boot in either normal or safe mode, the best option is a second home computer or a neighbor's computer. If one is available, do everything as in the first or second method. It also helps to have a LiveCD: download a LiveCD from Dr.Web and boot from it to check your computer for viruses. Almost all antivirus software with the latest updates cures the computer of the desktop banner.

Sequence of actions:
  1. Obtain the unlock key using another computer and enter it, or boot from a LiveCD (download the LiveCD from Dr.Web or from Kaspersky Lab).
  2. Check your computer for viruses.

Method 5 to remove a banner.

For Windows 7: after pressing Win + U, click the link "Help with setting options", then "Privacy Statement". Then go to step 5.

  1. After starting your computer, press the keyboard shortcut Win + U (Win is the key with the Windows icon).
  2. Select the on-screen keyboard and click "Run".
  3. Click "Help" - "About"
  4. In the window that appears below, select "Microsoft Web Site"
  5. In the address field, type http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
  6. A save file window will pop up, save to your desktop.
  7. In the browser, click on the top "File" - "Open" - "Browse".
  8. Click on "Desktop" on the left. At the very bottom, "Files of type" - "All files"
  9. Find the downloaded program and run it.
  10. Select full check.

Method 6 to remove a banner.

For the case when the banner appears before the desktop loads and the screen is locked.

  1. Press Ctrl + Shift + Esc and hold until the Task Manager starts blinking.
  2. Without releasing the Ctrl + Shift + Esc keys, click "End task" in the Task Manager with the mouse.
  3. In the Task Manager, click "New task" and enter "regedit".
  4. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  5. Go to the right panel of the Registry Editor and check the two parameters "Shell" and "Userinit". The Shell parameter must be "Explorer.exe". The Userinit parameter must be "C:\WINDOWS\system32\userinit.exe," (no spaces, always a comma at the end)!
  6. If the Shell and Userinit parameters are OK, find the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options section and expand it. If it contains an explorer.exe subsection, delete it (right-click => Delete).
  7. Reboot your computer.
  8. Be sure to check your computer for viruses.

If unsuccessful, repeat this method in safe mode.

If none of the above methods helped you, you can contact our company by

Combating Trojans of the WinLock and MbrLock Families

(Windows blockers)

Relevance of the issue

Trojans that block Windows have been among the most frequently encountered malware since September 2009. For example, in December 2010 more than 40% of detected viruses were Windows blockers. The common name for such malicious programs is Trojan.Winlock.XXX, where XXX is the number assigned to a signature that identifies several (often several hundred) similar viruses. Such programs may also be of the Trojan.Inject or Trojan.Siggen types, but this happens much less frequently.

Outwardly, the Trojan comes in two main types. The first is a full-screen splash screen that hides the desktop; the second is a small window in the center. The second option does not completely cover the screen, but the banner still makes useful work on the PC impossible, since it always stays on top of all other windows.

Here is a classic example of the appearance of the Trojan.Winlock program:

The Trojan's goal is simple: to get more money for virus writers from the victims of a virus attack.

Our task is to learn how to eliminate any banner quickly and without losses, without paying cybercriminals. After fixing the problem, you must file a statement with the police and provide law enforcement officers with all the information you know.

Attention! The texts of many blockers contain various threats ("you have 2 hours left", "10 attempts to enter the code left", "if you reinstall Windows, all data will be destroyed", etc.). Basically, this is nothing more than a bluff.

Algorithm of actions to combat Trojan.Winlock

There are a great many modifications of blockers, but the number of already known samples is also very large. Because of this, treating an infected PC may take several minutes in a mild case, and several hours if the modification is not yet known. But in any situation, the following algorithm should be followed:

1. Selection of the unlock code.

Unlock codes for many Trojans are already known and entered into a special database created by Doctor Web specialists. To use the database, follow the link https://www.drweb.com/xperf/unlocker/ and try to find the code. Instructions for working with the unlock database: http://support.drweb.com/show_faq?qid=46452743&lng=ru

First of all, try to get the unlock code using the form that lets you enter the text of the message and the number to which it is to be sent. Pay attention to the following rules:

    If you are asked to transfer money to an account or telephone number, specify the account or phone number in the Number field and leave the Text field empty.

    If you are asked to transfer money to a phone number, specify the phone number in the Number field in the format 8xxxxxxxxxx, even if the banner shows the number without the leading 8.

    If you are asked to send a message to a short number, specify the number in the Number field and the message text in the Text field.

    If the generated codes do not work, try to determine the name of the virus from the pictures presented. The name of each blocker is indicated under its image. Having found the required banner, remember the name of the virus and select it from the list of known blockers. Specify the name of the virus that infected your PC in the drop-down list and copy the resulting code into the banner's input line.

Please note that, in addition to the code, other information may be displayed:

    Win + D to unlock: press the key combination Windows + D to unlock.

    any 7 symbols: enter any 7 characters.

    Use the generator above or use generator above: use the Number-Text form on the right side of the window to get the unlock code.

    Use the form or Please use the form: use the Number-Text form on the right side of the window to get the unlock code.

If you didn't manage to pick up anything

2. If the system is partially blocked. This step applies to cases when the banner "hangs" in the middle of the screen, without occupying it entirely. If access is completely blocked, go directly to step 3. The Task Manager is blocked in the same way as in the full-screen versions of the Trojan, that is, it is impossible to terminate the malicious process using conventional means.


Using the remaining free space on the screen, do the following:

1) Check your PC with the latest version of the Dr.Web CureIt! utility: http://www.freedrweb.com/cureit/. If the virus is successfully removed, the job can be considered done; if nothing was found, go to step 4.
2) Download the Dr.Web Trojan.Plastix fix recovery utility from the link http://download.geo.drweb.com/pub/drweb/tools/plstfix.exe and run the downloaded file. In the program window, click Continue, and when Plastixfix finishes working, restart your PC.
3) Try to install and run Process Explorer (you can download it from the Microsoft website: http://technet.microsoft.com/ru-ru/sysinternals/bb896653). If it launches successfully, press and hold the button with the crosshair icon in the program window and drag it over the banner. When you release the button, Process Explorer will show the process responsible for the banner.

3. If there is no access at all. Usually blockers cover the whole screen with a banner, which makes it impossible to launch any programs, including Dr.Web CureIt! In this case, you need to boot from Dr.Web LiveCD or Dr.Web LiveUSB http://www.freedrweb.com/livecd/ and check your PC for viruses. After checking, boot the computer from the hard disk and check whether the problem is solved. If not, go to step 4.

4. Manual search for the virus. If you have reached this point, the Trojan that infected the system is a new one, and you will have to search for it manually.

To manually remove the blocker, you need to access the Windows registry by booting from external media.
Typically, a blocker is launched in one of two well-known ways.

    Through autorun in the registry branches
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    By replacing system files (one or more) launched in the branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    or, for example, the taskmgr.exe file.

To do this, we need Dr.Web LiveCD / USB (or other tools for working with an external registry).

To work with Dr.Web LiveCD / USB, boot the PC from the CD or flash drive, then copy the following files to a flash card:

C:\Windows\System32\config\software (the file has no extension)
C:\Documents and Settings\Your_username\ntuser.dat

These files contain the system registry of the infected machine. By processing them in the Regedit program, we can clean the registry of the effects of virus activity and at the same time find suspicious files.

Now transfer these files to a working Windows PC and do the following:

Run Regedit, select the HKEY_LOCAL_MACHINE hive and choose File -> Load Hive.
In the window that opens, specify the path to the software file, give the section a name (for example, today's date) and click OK.

In this hive, you need to check the following branches:
Microsoft\Windows NT\CurrentVersion\Winlogon:
The Shell parameter should be equal to Explorer.exe. If any other files are listed, write down their names and full paths. Then remove everything unnecessary and set the value to Explorer.exe.

The Userinit parameter should be equal to C:\Windows\system32\userinit.exe, (exactly like that, with a comma at the end, where C is the letter of the system disk). If files are specified after the comma, write down their names and delete everything after the first comma.
There are situations when there is a similar branch named Microsoft\WindowsNT\CurrentVersion\winlogon. If this branch exists, it must be deleted.

Microsoft\Windows\CurrentVersion\Run: this branch contains settings for autorun objects.

Be especially careful about objects here that meet the following criteria:

    The names resemble system processes, but the programs run from other folders
    (for example, C:\Documents and Settings\Dima\svchost.exe).

    Names like vip-porno-1923.avi.exe.

    Applications launched from temporary folders.

    Unknown applications launched from system folders (for example, C:\Windows\system32\install.exe).

    Names made up of random combinations of letters and numbers
    (for example, C:\Documents and Settings\Dima\094238387764\094238387764.exe).

If suspicious objects are present, their names and paths must be recorded, and the corresponding entries must be removed from startup.

Microsoft\Windows\CurrentVersion\RunOnce: also an autorun branch; it needs to be analyzed the same way.

After completing the analysis, click on the name of the loaded section (in our case, it is called by date) and execute File -> Unload Hive.
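
The Winlogon, Image File Execution Options and Run / RunOnce checks described above (and in method 6), applied to the text of a .reg export of the loaded software hive. This Python script is an added example, not part of the original article or of any Dr.Web tool. The sample export, the hive name "offline", the list of system process names and the C:\Windows location are assumptions; only string (REG_SZ) values are parsed, and the "unknown application in a system folder" criterion is left to the analyst because it needs a known-good list.

```python
import ntpath
import re

# Assumption: Windows is installed in C:\Windows on the affected machine.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "userinit.exe", "winlogon.exe",
                "csrss.exe", "lsass.exe", "services.exe", "taskmgr.exe"}
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample: hive loaded as "offline", then exported from Regedit.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\offline\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\Dima\\22cc6c32.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Temp\\a.exe"

[HKEY_LOCAL_MACHINE\offline\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svc"="C:\\Documents and Settings\\Dima\\svchost.exe"
"video"="\"C:\\Documents and Settings\\Dima\\clip.avi.exe\" /s"
"upd"="C:\\Documents and Settings\\Dima\\094238387764\\094238387764.exe"

[HKEY_LOCAL_MACHINE\offline\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\Temp\\x.exe"
'''

def parse_reg(text):
    """Return {lower-cased key path: {value name: string}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            # .reg files escape backslashes and quotes with a backslash.
            name, value = (re.sub(r"\\(.)", r"\1", g) for g in match.groups())
            current[name] = value
    return keys

def exe_path(command):
    """Pull the executable path out of a Run-style command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", command, re.I)
    return match.group(1) if match else command

def run_entry_flags(command):
    """Return which of the article's autorun criteria a command line matches."""
    path = exe_path(command).lower()
    name, folder = ntpath.basename(path), ntpath.dirname(path)
    stem = name.rsplit(".", 1)[0]
    flags = []
    if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        flags.append("system process name outside the system folders")
    if re.search(r"\.(avi|mpg|mp3|jpg|gif|doc|pdf|txt)\.(exe|scr|com|pif)$", name):
        flags.append("media or document name with an executable extension")
    if re.search(r"\\(temp|tmp)(\\|$)", folder):
        flags.append("runs from a temporary folder")
    digits = sum(ch.isdigit() for ch in stem)
    if stem.isalnum() and len(stem) >= 8 and digits * 2 >= len(stem):
        flags.append("name looks like random letters and digits")
    return flags

def check_winlogon(values):
    """Compare Shell and Userinit with the values the article expects."""
    values = {k.lower(): v for k, v in values.items()}
    findings = []
    shell = values.get("shell", "")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Shell is {shell!r}, expected 'Explorer.exe'")
    userinit = values.get("userinit", "")
    if userinit.strip().lower() != EXPECTED_USERINIT:
        extra = userinit.partition(",")[2]
        findings.append(f"Userinit is {userinit!r}; after first comma: {extra!r}")
    return findings

def audit(reg_text):
    """Return (location, problem) pairs for the keys the article says to check."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.endswith(r"\windows nt\currentversion\winlogon"):
            findings += [(key, problem) for problem in check_winlogon(values)]
        elif key.endswith(r"\windowsnt\currentversion\winlogon"):
            findings.append((key, "look-alike WindowsNT branch, should not exist"))
        elif key.endswith(r"\image file execution options\explorer.exe"):
            findings.append((key, "explorer.exe subkey under Image File Execution Options"))
        elif key.endswith((r"\currentversion\run", r"\currentversion\runonce")):
            for name, command in values.items():
                findings += [(f"{key}\\{name}", flag) for flag in run_entry_flags(command)]
    return findings

if __name__ == "__main__":
    for location, problem in audit(SAMPLE_REG):
        print(f"{problem}: {location}")
```

The script only reports; the paths it prints are the ones to write down before editing the hive in Regedit as described.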

Now it is necessary to analyze the second file, NTUSER.DAT. Run Regedit, select the HKEY_LOCAL_MACHINE hive and choose File -> Load Hive. In the window that opens, specify the path to the NTUSER.DAT file, give the section a name and click OK.

The branches of interest here are Software\Microsoft\Windows\CurrentVersion\Run and Software\Microsoft\Windows\CurrentVersion\RunOnce, which define startup objects.

Analyze them for the presence of suspicious objects, as described above.

Also pay attention to the Shell parameter in the branch Software\Microsoft\Windows NT\CurrentVersion\Winlogon. It must have the value Explorer.exe. At the same time, if there is no such branch at all, everything is in order.
After completing the analysis, click on the name of the loaded section (in our case, it is called by date) and execute File -> Unload Hive.

Having obtained the corrected registry and the list of suspicious files, you need to do the following:

Save a copy of the affected PC's registry in case something goes wrong.

Transfer the fixed registry files to the corresponding folders on the affected PC using Dr.Web LiveCD / USB (copy and replace the files). Save the files you recorded in the course of the work to a USB flash drive and delete them from the system. Copies of them must be sent to Doctor Web's virus laboratory for analysis.

Try booting the infected machine from the hard drive. If it boots successfully and there is no banner, the problem is solved. If the Trojan is still functional, repeat all of step 4 of this section, but with a more thorough analysis of all vulnerable and frequently used places in the system.

Attention! If after disinfection with Dr.Web LiveCD / USB the computer does not boot (it reboots cyclically or a BSOD occurs), you need to do the following:

Make sure there is only one software file in the config folder. The problem can arise because on Unix systems file names are case-sensitive (i.e. Software and software are different names, and both files can be in the same folder), so the corrected software file can be added to the folder without overwriting the old one. When Windows boots, where letter case does not matter, a conflict occurs and the OS does not boot. If there are two files, delete the older one.

If there is only one software file and the system still does not boot, there is a high probability that the system has been hit by a "special" modification of Winlock. It writes itself to the branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, in the Shell parameter, and overwrites the file userinit.exe. The original userinit.exe is stored in the same folder, but under a different name (most often 03014d3f.exe). Remove the infected userinit.exe and rename 03014d3f.exe accordingly (the name may be different, but it is easy to find).
These steps must be performed after booting from the Dr.Web LiveCD / USB; then try to boot from the hard disk.

At whatever stage the battle with the Trojan ends, you need to protect yourself from similar troubles in the future. Install the Dr.Web anti-virus package and regularly update the virus databases.

Instructions

To unlock the banner, you need to download the Dr.Web LiveCD and burn it to a CD. From an uninfected computer, go to the website of the Dr.Web anti-virus software developer and click the Download link in the top panel. In the "Utilities" section on the left side of the page, select Dr.Web LiveCD. Click "Download Dr.Web LiveCD" and accept the terms of the license agreement.

Download the UltraISO app from the developer's official website. This program allows you to burn disk images and create boot disks. Install the program following the instructions of the installer. Double-click the downloaded Doctor Web file.

Insert a blank CD into your computer's drive and go to the UltraISO window. In the screen that opens, go to the "Tools" - "Burn CD image" tab. Press the "Save" button and wait for the end of the procedure.

Insert the burned disc into the drive of the infected computer, then reboot the system. After starting from the CD, select the complete anti-virus scan option in the menu that opens. Remove all infected files following the instructions on the screen.

You can also download the LiveUSB image from the site; to download it, use the corresponding menu item on the developer's site. Run the downloaded file and open it in the same way with UltraISO. In the menu, select the "Boot" - "Burn hard disk image" item. Clear the data using the "Format" button. Then click "Save" and wait until the end of the procedure.

Insert the media into a USB port of the infected computer and reboot. If booting from the flash drive does not start, you need to configure the BIOS to start from a removable disk. To do this, hold down the F10 key while the PC is starting. If the settings menu does not open, try another key. Its name is usually shown at the bottom of the screen.

In the Boot Settings section, select USB-HDD for First Boot Device. Save the changes and boot again.


Useful advice

Download antivirus software files only from the developer sites.

You will need

  • Internet access;
  • Dr.Web CureIt.

Instructions

Start the operating system in safe mode. To do this, restart your computer by pressing the Reset button. Wait a while for the menu of additional boot options to open.

Press F8 and select Windows Safe Mode. Open Control Panel and go to the Add or Remove Programs menu. Find all utilities related to flash and java applications. Delete them.

Now open the System32 folder in the Windows directory. Turn on sorting "By Type". Go to the list of dll files and remove those whose names include the combination lib, for example xqslib.dll.

Restart your computer in the normal operating system mode. If the banner does not go away after performing the above operations, try to find the required code. Visit the following sites: www.drweb.com/xperf/unlocker, http://www.esetnod32.ru/.support/winlock, and http://sms.kaspersky.com.

If this method didn't work, download Dr.Web CureIt. Run it in normal Windows mode and wait for the computer scan to complete. Delete the virus files and restart your PC.


Advice 3: How to remove the system-blocking banner using a Live CD

If a full-screen banner appears when the operating system boots and it cannot be closed, or you are prompted for a code to unlock it, this virus can be eliminated with a Live CD.

Instructions

The image of this disk is available for download on many Internet resources. To combat the system-blocking banner, you can use MultiBoot_2k10, the image of which can be written to a DVD or a USB flash drive.

After that, in the "Start" menu, select Program_2k10 - System utilities - ERD 2005 - Computer Management. In the window that opens, find the system installed on the computer and click "OK".

If the antivirus is password protected, then when you try to change the settings or disable protection, a window will appear with the text "Enter password" or "To make changes, you need administrator rights":

If the entered password is incorrect, the window will close and you can try to enter the password again. If you do not remember the password you set, then to disable it you need to remove the antivirus and reset its settings.

To do this, click the "Start" button, open "Control Panel" and select "Remove programs" or "Programs and Features". In the list of installed programs, select "Dr.Web" and click "Delete". In the removal window, uncheck the "Dr.Web settings" item and press "Next":

Then, enter the numbers in the special field and press "Remove a program":

Wait for the uninstallation to complete and confirm the computer restart:

After rebooting, you need to download and run, since some versions of the antivirus, for example the 11th, after uninstallation, leave information about the set password in the system.

After these steps, you can install Dr.Web anti-virus and, if necessary, set a new password.

To set a password in antivirus products Dr.Web versions 10 and 11, click on the Dr.Web icon in the system tray, unlock the "lock" and click on the "gears" icon:

In the settings window, enable the "Password protect Dr.Web settings" switch:

Then, enter the new password twice:

To set a password in Dr.Web versions 7 - 9, right-click the Dr.Web icon in the system tray, and in the "Tools" menu, click the "Settings" item:

On the "Self-defense" tab, check the "Password protect Dr.Web settings" item, enter the new password twice and click "OK":

I made a purchase of a license through Google Play, but the activation did not happen. What to do?

IMPORTANT! If during the activation process the program displays error messages, contact the technical support service. Attach to your request the exact text or a screenshot of the error, the Google Play order number (GPA-...) and the address of the Google account (@gmail.com) through which the purchase was made.

How to create a request to the technical support service through My Dr.Web Personal Account?

  • To enter your account from a mobile device, install Dr.Web, select the "About" item in the menu and click the "My Dr.Web" link.

    Go to the Support tab - Ask a question.

  • To enter your account from a PC or Mac, use the special service on the Doctor Web website. Once in your account, go to the Support tab - Ask a question.

Use the My Dr.Web Personal Account: your personal assistant and guide to services. In particular, from here you can contact the user support service. For your convenience, the history of all requests is saved in the Personal Account.

How can a user of the free version of Dr.Web for Android get Doctor Web technical support?

  • If you need help purchasing the paid version: on the support request page on the Doctor Web website, select the option "I am not the owner of the commercial Dr.Web license" and ask your question.
  • If you need help with the program: this type of support is not provided for users of free versions of this product. Try to find answers to your questions in Frequently Asked Questions or get advice from other users at the Dr.Web Forum.

I am a user of the paid version of Dr.Web for Android (not a lifetime license). What information do I need to provide to Doctor Web technical support to get help?

If you contact technical support:

  • from the Dr.Web program page on Google Play, through your My Dr.Web account or through the support form on the Doctor Web website: provide either your serial number or your Google Play order number and your Gmail address. If you do not have an order number, then most likely you did not purchase your Dr.Web license through this site. In this case, you will need to provide your serial number. You can find out your serial number by going to the My Dr.Web Personal Account.
  • via the link in the receipt: follow the link, select the topic of your request in the support request form on the Google Play website and ask your question. We will receive all the necessary data about you automatically from Google Play.

Lost receipt of purchase. How can I find out my order number (for example, to contact Doctor Web support)?

Where can I find my Dr.Web serial number?

Only users of the shareware version of Dr.Web for Android (comprehensive protection) have a serial number. It becomes available to them after paying for the license, in the license data area of the My Dr.Web Personal Account.

How do I know which version of the program I have - paid or free?

In the Dr.Web main menu, select "About". If the word Light is present, the program is free. The main menu also differs in its set of protection components: the paid version has many more of them.

What confirmation of purchase will I receive after paying for a license on Google Play?

You will receive an email with a receipt confirming your purchase. The letter contains your order number and order details, and a link for contacting Doctor Web support about purchases, payments and refunds. If you have not received such a letter, please contact the Google Play support service: until the payment arrives, Doctor Web support will not be able to help you.

You can find a list of the purchases you've paid for in Google Wallet. Applications for which payments have been made and which you are entitled to use, you can find in your Google account in the "My Applications" section.

I paid for the license, but the program reports that "demo in use / license not found".

In the main window of the program, go to the menu, select the "About" item, click on the "Update license" button and select the "Buy / Download" option. To activate a license, you must have Internet access and use the same Google account through which the purchase was made. The Dr.Web key file will be loaded automatically.

How long after paying for the purchase can I apply for a refund to Doctor Web?

According to the Google Play refund policy under the Agreement between Doctor Web and Google, you can apply for a refund no later than 48 hours after the purchase has been paid.

How to get a refund for a paid license?

  • If you have an email from Google Play with a purchase receipt: open it and click the link in the phrase "Have questions? Contact your vendor Doctor Web, Ltd.". A support request form via Google Play will open. On the request page, select the topic "I want to receive a refund / return an item" and submit a refund request. A Doctor Web employee will take the necessary actions when processing your request, and the funds will be refunded.
  • If your purchase receipt is lost: apply for a refund via the support request form on the Doctor Web website or in the My Dr.Web Account. Enter your order number and Gmail address.

In both cases, you will receive confirmation of the refund on behalf of Google Play.

Attention! Refund time depends only on your bank! If the funds are not returned to your account within 2-3 days after receiving confirmation from Google Play, contact your bank. Doctor Web cannot influence banks' policies or expedite refunds. Our obligation to users for refunds ends when a refund confirmation is sent on behalf of Google Play.

My order was canceled, but the money was debited anyway.

Most likely, the funds were not debited but temporarily blocked by the bank that issued your credit card. Doctor Web cannot influence banks' policies. After the blocking period expires, the funds will be returned to your account. If the money is not returned to your account within 2-3 days after you receive confirmation of the refund from Google Play, contact your bank.

I have purchased a new smartphone. How to transfer a Dr.Web license to it from an old smartphone?

  • If your license has expired, you cannot transfer it to another device. Purchase a new license.
  • If your license is still valid: log in from your new device to the Google account through which you purchased it. In the "My Applications" section, select Dr.Web and click the "Install" button. An unexpired license will be recognized automatically.

How do I reinstall Dr.Web for Android?

  • If Dr.Web is not yet installed on your device: log in from your device to the Google account through which you purchased it. In the "My Applications" section, select Dr.Web and click the "Install" button. An unexpired license will be recognized automatically.
  • If Dr.Web is already installed on your device:
    1. Start Dr.Web.
    2. In the main window of Dr.Web, select the "About" item from the menu.
    3. Click on the "Update License" button and select the "Buy / Download" option.

General issues

Are there viruses for mobile devices?

Viruses for mobile operating systems are the fastest growing segment. Along with the growing popularity of a particular OS among users, the interest in it on the part of cybercriminals, whose main goal is money, is also growing. The number of threats for such a popular mobile platform like Android.

Why is it necessary to protect not only corporate computers, but also personal mobile devices of employees, especially if these employees work with finances (for example, accountants)?

Outside the office, employees are not protected from hacker attacks, the applications they use may have vulnerabilities, and their computers and mobile devices may have viruses and Trojans that can steal passwords, data for access to banking and payment systems, and funds from bank accounts.

At the same time, employees regularly log into the company's local network from their devices, which means they endanger confidential data and, of course, money - not only personal, but also corporate. Up to 70% of infections in local networks occur from personal devices, including mobile devices.

In addition, one of the security measures when working with funds is SMS confirmation from the bank. At the moment, there is malware designed to modify SMS confirmations. The use of an antivirus guarantees that the fact of theft of funds cannot be concealed.

I do not install malware! How can I infect my device?

You don't need to install anything to get infected: it is enough to visit a site that has been hacked. And it will not necessarily be a site with questionable content: hacking news sites is much more profitable from the point of view of cybercriminals. News sites are among the most visited Internet resources. As a rule, they do not arouse suspicion either among users or among the system administrators of companies, who do not block access to these sites. That is why news portals are a very attractive "field of activity" for intruders. By spreading malware through them, they can cause damage to a huge number of users and companies.

What does Dr.Web for Android protect against?

The free version, Dr.Web for Android Light, has only one module, "Antivirus", and protects only against malicious programs.

The full version of Dr.Web for Android contains the following modules:

  • Antivirus - protection against malicious programs;
  • Antispam - filtering SMS spam and unwanted calls;
  • Anti-theft - will help you find a lost device or destroy all user data on it remotely;
  • URL filter - protects from malicious and unwanted sites;
  • Security Auditor - helps detect and fix Android vulnerabilities;
  • Firewall (for Android 4.0 and higher) - flexible configuration of application access to networks and protection against overuse of mobile Internet.

Dr.Web for Android can only protect mobile devices, since the virus databases for the mobile antivirus differ from the anti-virus databases for desktop computers. To protect conventional computers, use the appropriate Doctor Web products.

Does antivirus affect the performance of my device?

Dr.Web anti-virus occupies about 1 MB in the memory of the mobile device. Only the file monitor that watches the system stays resident in RAM. The monitor requires a certain amount of resources, but does not have a noticeable effect on performance.

How can I find out the name of my Dr.Web for Android?

About the program.

The name and version of the Dr.Web solution you use to protect your device will be written on the page that opens.

How can I find out the validity period of a Dr.Web license?

On the main screen of the application, tap the menu icon in the upper right corner and select the License item.

On the page that opens, you can find out the owner of the license, as well as the expiration date.

The antivirus found threats and removed them, but they reappeared. What to do?

For mobile devices, the most dangerous threats are those that get into the firmware and system partitions. The main signs of malware in the system area:

  1. Repeated appearance of the same threats in the same places, even after removing them with an antivirus. Threats usually appear again after the device is rebooted.
  2. Warnings in Dr.Web Security Auditor.

In such situations, due to the peculiarities of the Android OS implementation, it is impossible to get rid of the Trojan using the standard means of ANY antivirus, because on a non-rooted device the antivirus, like any other application, does not have administrative rights: Dr.Web can detect malicious programs that have got into the system area, but does not have the right to delete them.

To eliminate such firmware vulnerabilities and threats in /system, you can do the following:

  1. Disable (if possible) these applications. This will not eliminate the threat completely, but will neutralize it until it can be removed completely.
  2. If your device has root access (superuser rights that allow you to make any changes, including to the firmware), you can try to remove malicious applications using special third-party utilities.

    In some cases, setting up root access may lead the manufacturer to refuse warranty service for the device.

    Back up all user data, then perform a factory reset and install new firmware obtained from the device manufacturer, from which the manufacturer has removed the Trojan. You may have to wait for the update, depending on the manufacturer's level of support.

    If no firmware is provided, the best solution is to return the purchased device to the seller. Do NOT use this device.
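An added example (not part of the original FAQ or of Dr.Web's tooling) of checking whether a repeatedly detected package sits in firmware, where a non-rooted antivirus cannot delete it. It parses the output of `pm list packages -f`; the sample listing, the package names and the read-only partitions other than /system are assumptions made for illustration.

```shell
#!/bin/sh
# Decide whether a flagged package's APK lives in firmware (a read-only
# partition) or in user-installed storage, from `pm list packages -f` output.
# Each line of that output looks like: package:<apk path>=<package name>

# Constructed sample output; package names and paths are made up.
SAMPLE_PM_OUTPUT='package:/system/priv-app/Updater/Updater.apk=com.example.fwupdater
package:/data/app/~~Zm9vYmFy==/com.example.game-QUJD==/base.apk=com.example.game
package:/product/app/Weather/Weather.apk=com.example.weather'

CR=$(printf '\r')

# Usage: <pm output on stdin> | classify_pkg_location <package name>
# Prints "system", "user" or "not-found".
classify_pkg_location() {
    target=$1
    result="not-found"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$CR"}        # older adb versions append a carriage return
        line=${line#package:}
        pkg=${line##*=}           # name follows the LAST '=' ...
        path=${line%=*}           # ... because newer /data/app paths contain '='
        [ "$pkg" = "$target" ] || continue
        case $path in
            # /system is the partition the FAQ names; the others are further
            # read-only firmware partitions (assumption for newer devices).
            /system/*|/system_ext/*|/product/*|/vendor/*|/odm/*) result="system" ;;
            *) result="user" ;;
        esac
        break
    done
    printf '%s\n' "$result"
}

# Map the location to the options the FAQ lists.
remediation_hint() {
    case $1 in
        system) echo "firmware: disable the app; removal needs root or clean manufacturer firmware" ;;
        user)   echo "user-installed: the antivirus or a normal uninstall can remove it" ;;
        *)      echo "package not present in the listing" ;;
    esac
}

# Demo on the constructed sample.
for p in com.example.fwupdater com.example.game; do
    loc=$(printf '%s\n' "$SAMPLE_PM_OUTPUT" | classify_pkg_location "$p")
    printf '%s: %s\n' "$p" "$(remediation_hint "$loc")"
done

# On a real device with USB debugging enabled:
#   adb shell pm list packages -f | classify_pkg_location <package name>
```

A preinstalled application that has received an update reports a /data path even though its original copy remains in firmware; `pm list packages -s` lists the packages Android itself treats as system ones.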

We also recommend that you familiarize yourself with the dedicated issue "Fish rots from the head ..." of the "Antivirus Truth!" Project. The reasons for the Trojans getting into the firmware are described in the Sewn-Hidden issue.

Are there any dangerous malware for Android?

There are, and their number continues to grow.

Blocker Trojans, which have recently become widespread (for example, Android.Locker.71.origin), encrypt files, block infected mobile devices and demand a ransom from affected users.

Backdoor Trojans (for example, Android.BackDoor.20), malicious programs that allow attackers to perform various actions on infected mobile devices, are becoming more widespread.

Trojans of the Android.SmsSend family, which appeared back in 2010, are a widespread and massive threat to this mobile platform. They are designed to send expensive SMS messages and subscribe to various content services.

A huge threat is posed by mobile banking Trojans designed to intercept SMS messages, steal mTAN codes and transmit them to cybercriminals who perform various financial operations with electronic invoices of unsuspecting victims (for example, making online purchases). A known banking Trojan for the Android platform is Android.SpyEye.1.

Malware such as Android.MailSteal.1.origin, Android.Maxbet.1.origin, Android.Loozfon.origin, and Android.EmailSpy.origin collects email addresses from the contact book of the mobile device and sends them to a remote server, which later allows attackers to set up mass spam mailings.

How to test Dr.Web for Android before purchasing?

How do I know if the antivirus is working?

Launch the Dr.Web for Android application. In the window that opens, pay attention to the SpIDer Guard section: the message "Monitor is on and protects the system" means that everything is in order. If it says "Monitor is off", the antivirus monitor is not active. To enable it, click on the SpIDer Guard indicator.

How can I check my device for viruses?

To scan a mobile device for viruses, launch Dr.Web for Android and press the Scanner button. In the window that opens, specify the scan mode.

  • Quick check. Only installed applications are scanned. The fewer there are, the faster the check will complete.
  • Full check. All files on the mobile device are checked.
  • Custom scan. Allows you to scan only a specific file or folder for viruses. To start a custom scan, select the required objects with green check boxes and click the Check button.

You can interrupt scanning at any time by pressing the Abort button.

How can I view the statistics of antivirus operation?

Launch the Dr.Web for Android application, press the menu button and select "Statistics". The statistics window displays the number of processed files and all actions performed by the anti-virus components. It is possible to reset statistics ("Menu" → "Clear statistics") or save the log to a file ("Menu" → "Save log").

A warning about a detected virus has appeared. What to do?

Open the notification panel and click the Dr.Web icon. In the window that opens, you will see all the information about the threat. Click on this message and then select the required action: delete the file, move it to quarantine, or ignore the warning.

Attention! Choosing the Skip option is not recommended! If you think that the antivirus has triggered by mistake, first click Quarantine, and then send the suspicious file to us for a detailed analysis.

What functions does SpIDer Guard perform?

SpIDer Guard is designed for continuous protection of the mobile device from viruses and other threats. It is loaded into memory when Android starts up and scans the files accessed by the user or the system on the fly.

Installation / Removal / Activation

What are the ways to install antivirus?

There are several ways to install Dr.Web.

  1. The easiest and fastest way is through the Play Market service:
    • Open the Play Market application on your device, use the search to find the Dr.Web Security Space application and click the Install button;
    • After the app has finished installing, tap Open. Read the license agreement and press Accept.
    • In the window that appears, click Allow to give the app the permissions it needs to run. After installation, you need to activate a commercial or demo license.
  2. Other installation methods:
    • Downloading the installer from Doctor Web's website - from the Download Wizard (a serial number is required) or from the product page. The downloaded apk file must be installed manually.
    • Installation using a computer synchronization program (almost never used).

Activating a license using a serial number

Open the Dr.Web application, go to the Menu (three dots in the upper right corner of the screen) → License → Enter new serial number. Enter your serial number and click Activate.

No other additional steps, including reinstallation, are required. The same method is suitable for activating a serial number received as a gift with the purchase or renewal of Security Space with the mobile version.

Activation error

License activation using a PC key file

Activation via a key file works only for the application downloaded directly from the Doctor Web site (this method is not suitable for an application installed via the Play Market!).

    Copy the key file to any folder in the device's internal memory or on its memory card.

    You can unpack the archive and copy only the file with the *.key extension, or transfer the entire ZIP archive to the device.

  1. Open the Menu (three dots in the upper right corner of the screen), select the License section, the item I already have a license, and the option Use key file;
  2. Open the folder where the key file or ZIP archive was saved and select it.

The key file will be installed into the system, and a message will appear on the screen.

Activation error

If you get any error messages, try activating your license using a different network connection.

If the problem persists, detailed diagnostics are needed. Please contact technical support in writing. Attach a screenshot of the error to your request, include your serial number.

License activation via Google Play

Select Menu (three dots in the upper right corner of the application window) → License → I already have a license:

Then press Restore a purchase on Google Play.

Please include the email address you used to purchase this license and your personal information.

Activation error

If you get any error messages, try activating your license using a different network connection.

If the problem persists, detailed diagnostics are needed. Please contact technical support in writing. Attach a screenshot of the error to your request, and indicate the Google Play order number (GPA -...) and the address of the Google account with which the purchase was made.

How do I temporarily disable my antivirus?

Launch the Dr.Web for Android application. To temporarily pause the file monitor, press the green ON indicator opposite the SpIDer Guard title. The system will immediately inform you that the monitor is turned off and that the mobile device may be exposed to threats.

With the anti-virus turned off, your mobile device becomes vulnerable, so do not forget to reactivate Dr.Web as soon as possible.

How do I uninstall the antivirus?

In the Settings menu of your mobile device, enter the Applications section and select the Application management item. In the Third party tab, click on the icon ... In the window that appears with information about the program, click the Delete button. To complete the removal of the antivirus, click OK in the delete confirmation request.

Another way to uninstall: press the antivirus icon on the desktop of your device and hold it for a few seconds. A trash can icon labeled Delete appears at the top of the screen. Drag the app icon to the trash can and confirm the deletion.

Renewal

How to renew your license through Google Play

In Dr.Web for Android, click Menu (three dots in the upper right corner of the screen) → License → Renew your license through Google Play. Follow the link and pay for the license. If the license was not purchased through Google Play, the application will display a corresponding error message when you try to renew, and you can choose another renewal method.

Possible problems with renewal

  • There is no access to the serial number, but there is access to the registration e-mail:

    You can restore the serial number in the form on the website at.

  • There is no access to the mail for which the license was registered, the serial number is known:

    If the old e-mail address is known, you can replace the old address with a new one in the form on the website at the antivirus dot eh ef slash number.

  • No serial number, no mail access:

    Contact support at antivirus dot e r e f slash support. In the request, you will need to provide copies of the following documents.

Updates

How to update virus databases in Dr.Web for Android manually?

By default, virus database updates are downloaded automatically in the background. To update the databases manually, on the main screen of the application, press Menu (three dots in the upper right corner of the screen), select Virus databases, and then Refresh.

How to update databases by downloading them from your site?

At the moment, it is impossible to update the antivirus using the virus databases recorded on the mobile device. To update the databases, use the built-in update module.

Note: a configured Internet connection is required for a successful update.

How to enable or disable the use of mobile networks (LTE, 3G, EDGE, GPRS) when downloading updates?

  1. From the main screen of the application, press Menu (three dots in the upper right corner of the screen) and select Settings, then the section Updating virus databases;
  2. Check the Wi-Fi update box; mobile networks will then not be used for updates by default. However, if no active Wi-Fi networks are detected, you will be prompted to use the mobile Internet to update.

Settings

How to enable the Ukrainian language?

The interface language of Dr.Web for Android corresponds to the current language of the operating system. Select Ukrainian as the Android interface language, and the antivirus will switch to the Ukrainian interface automatically.

Note: To change the OS language, open Menu → Settings. Go to the Language & Keyboard section, click Select language and set the desired language in the menu that opens.

Account

How to create a Dr.Web account on an Android device?

In Dr.Web Security Space for Android version 12, you can now protect your Dr.Web account, as well as configure password protection for some components. Setting a password for the Dr.Web account guarantees that important antivirus and system settings cannot be changed.

If you are already a Dr.Web user, when you upgrade the application to version 12, an account is created automatically if you have enabled and configured Dr.Web Anti-theft.

If you have downloaded Dr.Web version 12 for the first time, create an account to set a password for accessing Dr.Web settings.

Select the Account item.

Enter a valid email address. Click the Continue button.

Enter your account password. It must be at least 4 characters long.

Passwords shorter than 8 characters are cracked by hackers almost instantly.

Repeat the password and press Continue.

You will see confirmation of the account creation. Click on Continue.

The same password will be used to protect the settings of some Dr.Web components, as well as to access other applications installed on the device, if access to them is closed by Parental Control.

How to recover password for Dr.Web for Android account via SMS

Ask a friend from the list of friends specified when configuring Dr.Web Anti-theft to send an SMS with the text #RESETPASSWORD# to your phone.

When the phone receives an SMS with this command, the password is reset automatically. If the phone has not been locked, the Change Password screen will appear, where you can set a new password.

If the device has been locked, it will be unlocked.

All SMS commands for remote control of Dr.Web Anti-theft

How to recover password for Dr.Web for Android account via mail

Click on Forgot your password? on any screen where a password is requested. Read the instructions.

Open the Dr.Web account web page https://acs.dataprotection.com.ua and enter the key and email address shown in the Forgot your password? window.

If the code is entered correctly, such a window will open.

Check your mail - you will receive an email with a confirmation code.

Enter this code in the window Forgot your password? and press Continue.

Come up with a new password and remember it.

If you have not received the letter, click on the line Did not get the email?, and you will be automatically redirected to the Doctor Web technical support page.

How to recover password for Dr.Web for Android account via support?

If you were unable to unblock the anti-theft on your own through the unblocking service or SMS commands, create a written request for support.

The support service does NOT provide the unlocking service by phone.

Due to the specifics of Anti-Theft, whose task is to prevent outsiders from gaining unauthorized access to device management, the unlocking service is provided only to the owners of the device. When contacting support, you will need to prove that you are the owner of the device.

In the support request:

  1. Specify the IMEI of the device (the unique identifier of your device; usually it is a 15-digit decimal number; to find it out, dial *#06# on your phone).
  2. Attach to your request:

    • the receipt for the purchase of the device and a photo of the completed warranty card (if you still have the box / packaging of the device with a readable IMEI, attach a photo of the box to your request);
    • documents confirming your payment for the Dr.Web license (letter from the online store, scanned copy of the payment document, etc.). If you won a license in the Dr.Web auction, provide the login of your account on the Doctor Web website. If you are a demo user, please ignore this subclause.
    • a photo of the lock screen (indicating the e-mail or google-account to which the anti-theft was registered) with the code displayed when you click on the "forgot password".

How to delete Dr.Web account on Android device?

If you no longer have access to the mail to which the account is registered, in such a situation you will need to delete the old account and create a new one.

From the main screen of the application, click on the menu icon in the upper right corner.

Select the Account item.

Select the Delete your account item.

Enter your password and select Delete your account.

When you delete your account, the Anti-Theft and Parental Control settings will be reset - you will need to reconfigure them.

Parental control

How do I enable Parental Controls on my Android device?

Dr.Web Parental Control protects applications from unauthorized access, and anti-virus settings from unwanted changes by strangers or children. But first, you need to enable Dr.Web Parental Control.

In the main menu of the program, select Parental control.

Click the Turn on button or tap the switch in the upper right corner of the window.

Give Parental Control access to Android accessibility features by pressing the Grant access button.

In the Accessibility settings window, tap Dr.Web Security Space.

Use the switch to enable the use of Android accessibility features.

Close the accessibility settings.

Go to the Applications tab and check the Settings app; this will prohibit unauthorized access to system settings.

On the Components tab, check all the boxes; after that, access to these Dr.Web protection components will be possible only with a password.

How to protect your Android device from unauthorized downloading and using other programs?

Dr.Web Security Space for Android can protect both from downloading new and using already installed applications.

To make sure that no one (your child, another family member, or a stranger) can download anything to your device or use already downloaded programs that you consider harmful to them, block these capabilities using the special Parental Control function.

In Dr.Web Parental Control, open the Applications tab. You will see a list of all applications installed on the device. Select the applications to which access will be denied.

This is only enough to ensure that no one who does not know the Dr.Web account password can use already installed applications. In addition, you need to prohibit downloading new applications to the device.

Go to the Components tab of Parental Control. Check the Dr.Web settings box.

In the Components tab of Parental Control, check Play Market.

And then, when trying to download a new application, the user will see a window like this:

URL filter

How to configure Dr.Web URL filter on an Android device?

By default, the URL filter is disabled in Dr.Web Security Space for Android 12. We recommend that you configure it immediately after installing Dr.Web and protect access to it using Dr.Web Parental Control with a password - this will protect your loved ones from getting to malicious and fraudulent sites.

Additionally, the user can independently configure black and white lists of sites or deny access to sites by thematic groups.

Only then will your children (or anyone else with access to your device) be unable to visit Internet pages that you consider unwanted by disabling blocking in the URL filter, and they will be protected from scammers luring them to dangerous sites.

To prevent anyone from changing the URL filter settings you specified:

In Parental Control, on the Components tab, check the box next to URL Filter.

When trying to open a site from the list of prohibited, the user will see such a window.

You can learn more about the URL filter settings in the tutorial video.

Dr.Web Anti-theft

How to get the coordinates of a stolen or lost device

This is possible if Dr.Web is installed on the device and the Anti-Theft function is enabled.

  1. If the friends list was not used:

    • Send an SMS from any number to the number of the SIM card installed in the phone with the command #locate#password# (where password is your password specified when setting up the anti-theft).
  2. If a friend list was used:

    • Send an SMS with the command #locate# to the number of the SIM card installed in the phone.

      The SMS must be sent from a "friend" number specified when setting up Anti-Theft, and only works if such numbers were allowed in the settings to send command SMS without a password.

      If the lost phone runs Android 4.4 or higher, it is recommended to send SMS from trusted numbers (friends' numbers), because on some devices the OS displays the SMS content in the notification and the password can be read by a third party (this is a feature of the Android OS of the specified versions).

  3. If your SIM card has been removed from the device, the only available option is to send a command to the number of another SIM card.

    This is possible if:

    1. The person who found your device installs another SIM card in it;
    2. When configuring Anti-Theft, you specified your friends' numbers and set the option Notify about SIM card change.

      In this case, when the SIM card is replaced, an SMS notifying of this event will be sent to the trusted numbers (it will also report the new number, to which further commands will need to be sent).

    Please note that if the trusted numbers were not specified, this greatly reduces the chances of finding the device using the Anti-Theft function.

How to unlock my phone if I forgot my Anti-Theft password?

The Forgot your password? tab in the application looks like this:

There are several ways to reset your password.

  1. Through the form on the website:

    • Open the password reset form.
    • In the form fields, enter the key (letter sequence), your email address (also visible in the screenshot), and click Get Code.
    • A password reset code will be sent to the specified e-mail address. Enter it in the confirmation code field and click Continue.

    If the message is not received within 10 minutes, check the Spam folder of your mailbox, or send a written request to support asking for an unlock. Please provide the following information and documents in your request.

  2. If the list of friends was filled on the device:

    Ask one of your acquaintances whose numbers are stored in your Dr.Web friends list to send the SMS command #RESETPASSWORD# to your number. The list can be found in the Forgot your password? tab in the application.

    When you receive an SMS on your device, the Change password window will automatically open. If the device has been locked, the lock will be removed.

Scanner

How do I view the scan report?

Statistics... The statistics window displays the number of processed files and all actions performed by the anti-virus components. It is possible to reset statistics (Menu -> Clear Statistics) or save the log to a file (Menu -> Save Log).

How do I send you a scan report?

Launch the Dr.Web for Android application and select the Statistics item. Click the Menu button and select Save log in the pop-up window. The DrWeb_Log.txt report file will be saved to the /Android/data/com.drweb/files/ folder, and you will be notified accordingly. If you submit a request to the technical support service, use the form on our website https://support.dataprotection.com.ua/support_wizard/ to send it. To attach a file to the request, click the Overview button, select the desired file in the window that appears, and press Open. To send the request, use the Send button.

Firewall

How to avoid downloading a large amount of data to your Android device using the mobile Internet?

To avoid downloading large amounts of data using the mobile Internet, you can temporarily disable it for the application. To do this:

  • start Dr.Web;
  • select the application you are interested in from the list;
  • in the section "Access to data transmission", click on the "Mobile Internet" icon to make it inactive.

Once the large update has been downloaded, for example over free or home Wi-Fi, allow the application to use the mobile connection to access the Internet again in the same way.

How can I see applications whose network access parameters have been set in Dr.Web Firewall?

To see applications whose network access parameters have been set in the Firewall:

  • start Dr.Web;
  • open the Firewall component;
  • go to the "Applications" tab;
  • Look out for apps marked with a red gear.

The presence of such an icon indicates that the application settings in the Firewall have been changed or an active rule has been set for it.

How to enable display of floating window in Dr.Web for Android?

The floating window with information about traffic usage is disabled by default, as it takes up space on the screen, which may affect the usability of the mobile device. When there is no urgent need to control traffic, you can leave it off, but when volumes and sources are important, it is better to have this data in plain sight.

To enable the display of a floating window:

  • start Dr.Web;
  • open the Firewall component;
  • go to the "Restriction" tab;
  • check the box "Information about current traffic";
  • position the floating window on the screen so that it does not interfere with using your mobile device.

Immediately after checking the box, a floating window with traffic information will appear on the screen, which will then be displayed on top of other windows.

How to get complete information about the network activity of applications on an Android device while Dr.Web Firewall is active?

For the convenience of the user, information on the use of network traffic is displayed in two ways.

To obtain full information about the network activity of applications while the Firewall is active:

  • start Dr.Web;
  • open the Firewall component;
  • go to the "Applications" tab.

To view data on the application you are interested in, select it from the list - the settings window will open, where all the information is located.

Also, this information can be controlled through a floating window - we have described how to enable it.

How to prohibit access to Internet resources on an Android device using Dr.Web Firewall?

If there is a need to deny access to an Internet resource, this can be done on the "Traffic" tab of Dr.Web Firewall:

  • start Dr.Web;
  • open the Firewall component;
  • go to the "Traffic" tab;
  • select the application whose access to the resource should be denied;
  • in the drop-down list of connections used by the application, specify the one you want to block;
  • a pop-up menu will appear allowing you to add an Allow or Deny rule. Click Add Deny Rule.

Now access to this resource will be automatically blocked by the Firewall.
