
How to remove a virus that extorts money. Do you know how to unlock a computer? Outdated unlocking method

Users often contact us with the following problem:

When you launch the browser, the mvd.ru website opens with a warning about the need to pay a fine:

Ministry of Internal Affairs of the Russian Federation. You broke the law! The Ministry of Internal Affairs of the Russian Federation discovered the use of your electronic device for an illegal purpose, namely viewing and copying materials containing elements of pedophilia, violence and GAY PORN. You have 12 hours to pay the fine.

When you try to open any other site, mvd.ru still opens. In addition, the network connections icon shows a “Connection limited” triangle. The antivirus does not find any viruses or malware on the computer. How do I remove the mvd.ru message from the browser?


This is what the page with the requirement to pay the fine looks like:

Right on the fraudulent page there is a form for transferring money to scammers, supposedly to unlock the computer. In fact, this page has nothing to do with the mvd.ru website. It has been replaced by scammers. If you open this site from a non-infected computer, the real Ministry of Internal Affairs website will open.

There is another type of page with a message:

Internet access is blocked. To unblock, enter your phone number and follow the instructions in the SMS.

Only a phone number input field and the Send and Enter code buttons are displayed on the screen:

Reason for the fraudulent web page

The ransomware page appears because the malware has changed your computer's DNS server address. As a result, whenever you request any website, the name is resolved by the fraudulent DNS server, which substitutes its own answer, and the browser loads a fraudulent web page whose purpose is to extract money.

The real Ministry of Internal Affairs cannot block a computer for viewing prohibited sites. Moreover, the Ministry of Internal Affairs will never demand that a fine be paid to a mobile phone account.

Removing mvd.ru

1 Right-click the network icon in the taskbar.

2 Select Network and Sharing Center:

If you don't see any connections, check to see if you're connected to Wi-Fi or have a cable connected.

4 Click the Properties button:

5 Select Internet Protocol Version 4 from the list.

6 Click the Properties button:

Here we see the third-party DNS server that was specified by the malware:

7 Set the switch to Obtain DNS server address automatically.

8 Click OK:

9 Click Close to apply settings:

Attention! Sometimes malware changes the DNS settings not only on the computer but also on the router, especially if you use the default login and password for the router’s web interface, such as admin/admin. Therefore, we recommend checking that the DNS settings on the router are correct. You can ask your Internet Service Provider what the correct DNS settings are. We also recommend setting your own strong password for the web interface of the router (modem).
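The check from steps 1-9 and the router warning above can also be done from PowerShell. This is an added example, not part of the original article: it reads the manual and DHCP-supplied DNS servers of every adapter from the registry and compares them with an allow-list. The addresses in `$KnownGood` are constructed placeholders and the function names are hypothetical; replace the addresses with the values your provider gives you.

```powershell
# Added example (not from the original article): read-only DNS audit.
# NameServer holds manually entered DNS servers (what the malware changes);
# DhcpNameServer holds the servers handed out by the router or ISP over DHCP.

# Constructed allow-list: replace with the resolvers your ISP told you to use.
$KnownGood = @('192.0.2.53', '192.0.2.54')   # placeholder addresses

$IfRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$NetRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Split-ServerList([string]$Raw) {
    # Manual lists are comma-separated, DHCP lists are space-separated.
    @($Raw -split '[ ,]+' | Where-Object { $_ })
}

function Get-DnsAudit {
    foreach ($key in Get-ChildItem -Path $IfRoot) {
        $guid   = $key.PSChildName
        $props  = Get-ItemProperty -Path $key.PSPath
        $static = @(Split-ServerList $props.NameServer)
        $dhcp   = @(Split-ServerList $props.DhcpNameServer)
        if (($static.Count + $dhcp.Count) -eq 0) { continue }   # adapter not in use

        # Connection name as shown in Network and Sharing Center.
        $conn = Get-ItemProperty -Path "$NetRoot\$guid\Connection" -ErrorAction SilentlyContinue

        # A manual entry overrides whatever DHCP supplies.
        if ($static.Count -gt 0) { $source = 'manual'; $inUse = $static }
        else                     { $source = 'dhcp';   $inUse = $dhcp }

        $unknown = @($inUse | Where-Object { $KnownGood -notcontains $_ })
        if ($unknown.Count -eq 0)     { $verdict = 'ok' }
        elseif ($source -eq 'manual') { $verdict = 'manual DNS server not on the allow-list' }
        else                          { $verdict = 'DHCP-supplied DNS server not on the allow-list, check the router' }

        New-Object PSObject -Property @{
            Connection = $conn.Name
            Source     = $source
            Servers    = ($inUse -join ', ')
            Unknown    = ($unknown -join ', ')
            Verdict    = $verdict
        }
    }
}

Get-DnsAudit | Format-List Connection, Source, Servers, Unknown, Verdict

# To undo a manual entry from the command line (same effect as step 7):
#   netsh interface ip set dns name="<Connection>" source=dhcp
#   ipconfig /flushdns
```

A "dhcp" row with an unknown server means the address came from the router, so resetting the adapter will not help until the router's own DNS setting is corrected.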


If all else fails

If, after completing the above steps, a fraudulent page still opens instead of the desired site, take additional steps.

1. Go to the network card settings again.

  • Click Close in two windows.
  • Launch Command Prompt.
  • Enter:
ipconfig /flushdns
  • Press Enter:

3. Clean up temporary files using CCleaner.

What to do if your iPad or iPhone is blocked by the Ministry of Internal Affairs

If the “pay a fine of 3,000 rubles” ransomware page appears on an Apple device:

1. First try clearing history and cookies

Go to Settings:

Open section Safari.
Tap Clear History and then Clear:

Then click Delete cookies and data and again Clear:

2. If the previous step did not unlock the iPad, the easiest way is to reset the settings (hard reset) using iTunes:

How to remove the Ministry of Internal Affairs (MIA) page from an Android device

1. Try this option first: go to Settings, Application Manager, find your browser (for example Chrome), open the application properties and tap Clear data:

2. If that doesn’t help, there is a more radical method: reset the device.

Enter Recovery on your Android device. Most often this will require:

  • turn off your smartphone/tablet,
  • hold down the center button (home),
  • press the volume up key and the power button,
  • hold until the green robot appears on the display.


Select wipe data/factory reset:

And confirm by selecting YES:

Surely you have heard of, or maybe even found yourself in, a situation where, after downloading a file or visiting a dubious site on the Internet, the PC suddenly became uncontrollable and a banner appeared demanding a code to unlock the computer, a code that can supposedly be obtained by sending an SMS or by topping up the account of a specified phone number by a certain amount.

What to do in this case? Should I submit to the ransomware or is there still a chance to somehow unlock my computer without SMS? Let's look at several options for our actions in order not to become a “cash cow” for scammers.

After all, once you top up the account, they will know your phone number and will most likely be able to log in to your account with your mobile operator. This means that it will not be difficult for them to withdraw money from your phone. But let’s not despair and first try to cope with the problem ourselves. So how?

Trying to unblock from a banner through the task manager

This is one of the simplest methods. Who knows, maybe the scammers are not so literate and are just bluffing? So, we call up the task manager and end the task of our browser. To do this, press the Ctrl+Alt+Del keys simultaneously (of course, we don’t press the plus signs). Then in the window that opens, click “Launch Task Manager”:

This window may look different depending on the operating system, but I hope the essence is clear. Next, the task manager appears. This is where we need to end the task of our browser. Click on the line with the browser and then on the “End task” button:

By the way, this method is applicable both for this and for any other task. To close a frozen program, for example. I must say, it is not always possible to do this on the first try; sometimes the task manager window blinks and disappears again.

In such cases, pressing Ctrl+Alt+Del again sometimes helps, repeatedly, even up to 10 times in a row! More than that probably doesn't make sense. If it worked, good. If not, let's move on.

Trying to unlock a computer through the registry

Now let's try the next option - more complicated. Place the cursor in the code input field, press Ctrl+Alt+Del and carefully look at the banner.

It, of course, will not necessarily be the same as mine, but the offer to send an SMS or top up a number and the line for entering a code or password must be present. If as a result of our actions the cursor disappears, then keyboard focus has switched to the task manager:

Now you can press Tab, and then Enter, and an empty desktop should open in front of you, most likely, even without “Start”. If this happened, now in order to “unblock our prisoner” you need to go to the registry, since viruses are usually registered there.

Press Ctrl+Alt+Del. Then click “Launch Task Manager”. In the new window that appears, choose “File”, then “New task (Run...)” in the drop-down menu:

In the next window, enter the command “regedit” and then click “OK”:

The “Run” command can be called even more easily, if it works, by pressing the Win + R keys on the keyboard. For those who don't know, Win is the key with the Windows logo, usually at the bottom left of the keyboard.

If everything worked out, we will find ourselves in the registry editor. Here, be very careful and attentive. Don't touch anything unnecessary, because wrong actions can lead to unpleasant and sometimes unpredictable consequences in the operation of the computer.

So we need to get here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. I will show you two windows so that you can understand where and what to click.

In the first window, find the line that says “HKEY_LOCAL_MACHINE” and click on the triangle to the left of it:

The list below this line will expand. There you need to find the line “SOFTWARE” and also click on the triangle:

Don’t be alarmed, the lists there are very large, don’t forget about the bottom slider - move it to see the inscriptions in full.

When you reach Winlogon in this way, click not on the triangle on the left, but on the word “Winlogon” itself. Then look at the right panel, where you will need to check two parameters, “Shell” and “Userinit”:

Look at the Shell parameter: its value must be only “explorer.exe”. “Userinit” should look like this: “C:\WINDOWS\system32\userinit.exe,”.

Please note that there is a comma at the end after “exe”! If there are any other values, correct them to the ones indicated above. To do this, right-click “Shell” or “Userinit”, click “Modify”, and write the desired value in the pop-up window.

This, I think, will not cause you any particular difficulties.

Final work and actions in case of failure

In some cases these parameters turn out to be fine. Then we find the following section: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and expand it. If there is a subsection explorer.exe there, delete it without regret. Well, we have done everything to unblock our “prisoner”.

Now you can restart your computer. If the virus is not a more insidious one, everything should return to normal. If so, we can laugh at the hapless SMS extortionists. And of course, after all the work done, be sure to run a full scan with an antivirus program. It also wouldn’t hurt to run a cleaner such as CCleaner before doing this.

If nothing helps or you are hesitant to do the steps described above, contact a specialist. But don’t send an SMS in any case. You can also check out other methods of unlocking from the Winlock Trojan on the VirusStop website or on the Kaspersky website.

That's all. Now you know how to unlock your computer without SMS. But it would be better if you never needed to do this, at least on your computer.

Nowadays, with modern technology and high data transfer rates, users of personal computers, laptops, tablets and smartphones very often catch some kind of virus, even with antivirus protection installed. Programs that infect a device and block access to it with a banner on the desktop are currently very popular among hackers. How do you unlock the computer in this case? How can you regain access to it?

What banners exist?

The most common are the following: Internet access is blocked, Windows is blocked, the rules for using the Internet have been violated, your account has been hacked and now spam is being sent from it, and so on. The computer owner is offered help in solving the problem. For this he is asked to send just one SMS to a short number. By doing this, you will lose at least 250-300 rubles. And in almost all cases the banner does not go anywhere.

Basic ways to solve the problem

What to do? How do you unlock your computer from a virus and continue to use your device? There are various ways out. The main ones:

  1. Restoring the operating system.
  2. Removing the virus program from OS startup.
  3. Using special unlock codes from the Dr.Web and Kaspersky websites.
  4. Using an antivirus.

It must be remembered that there is no universal method for unlocking your computer from a virus. Each of the above is only suitable for a specific situation. Now let's dwell on this a little.

Solving the problem via the Internet

This option is good for someone who has access to the network or has a connection with someone willing to help. The official websites of Kaspersky and Doctor Web have codes that can unlock your device. If they are not there, we go another way.

Removing the banner from startup

How do you unlock your computer this way? This path is very simple. You need to boot your device in safe mode. To do this, press F8 while it is starting. A menu with Windows boot options will appear. Choose the one you need. Then one of two things happens: either the banner has not gone away, or the system boots without the virus. In the latter case, click "Start" and enter msconfig in the command line. Go to the startup tab, uncheck suspicious items there and reboot the PC.

Outdated unlocking method

If the banner has not disappeared, you can try to unlock your computer from the virus using an outdated but sometimes effective method. To do this, reboot in safe mode and set the clock forward about a week. This may help, but most likely not for long, since viruses are also updated regularly. The system time can also be changed in the BIOS. It is also possible to perform a system restore.

Powerful professional way

If none of the above resolves the issue of how to unlock your computer, we will fight the banner using an antivirus. If you can access the desktop in safe mode, use Kaspersky Virus Removal Tool or Dr.Web CureIt!, the best known of all. If this is not possible, we use a LiveCD, a special boot disk that loads the antivirus without any problems and removes the banner. To do this, we write its image onto a flash drive or disc, start the computer from it, and then scan the system for viruses. This option can be difficult for an ordinary user, so it is recommended to turn to professionals. So we figured out how to unlock your computer.

Today it is very easy to catch a virus on your computer. All you have to do is go to a dubious site or open an unknown file, and it’s done. There are a lot of them now, but one of the most insidious viruses is banner ransomware, first of all because it almost completely blocks the operation of the PC. Therefore, you usually cannot do without a second computer or laptop here.

So, the initial data is as follows. I was approached with a request to help deal with a laptop. After it was rebooted, the system suddenly began asking for a password when logging into Windows, although no one had set one (yesterday everything turned on without a password). The user tried all his passwords, but, of course, they did not work.

Actually, this information didn’t tell me much – I thought I’d have to bypass the password. It was useless to try any combinations, so I didn’t enter anything and just pressed Enter. And then - voila, the system booted. Hurray, problem solved? Not at all - what happened next was even better.

You are blocked, pay a fine!

After turning on the laptop, a huge full-screen banner appeared on the desktop. It stated that the Windows system was blocked for watching “interesting films” and all that.

Honestly, I sometimes understand parents. When you read such a banner on your child’s laptop and see the reason for the blocking, the thought immediately appears in your head: “Oh, you’re such and such a prankster.” And the hands themselves reach for the belt. This is probably why children are afraid to report this and do completely unnecessary things - for example, paying a fine to the attacker.

So, from the banner it immediately becomes clear that this is a virus. Actually, you just need to find it and delete it. But there is one problem: the banner blocks the system, and you won’t be able to do anything on the desktop.

First of all, you need to try. If the virus does not allow you to do this, then the only option left is treatment with an antivirus utility launched from a flash drive through the BIOS.

Trying to remove the virus with an antivirus utility

So, to get rid of the virus, you need to burn any anti-virus Live CD utility to a flash drive. It could be Dr. Web, Avast, Kaspersky - whatever.

Since the infected laptop is locked, you will need another PC. With its help, you can find this utility and write it to a flash drive. It’s good that today almost every home has 2-3 computers/laptops :)

The flash drive must be bootable, i.e. it must be written using a special program. For example, you can.

If you do everything correctly, the antivirus utility will start instead of Windows. Next, you just need to run a virus scan and wait for it to finish.

In my case, the check took more than an hour. Or more. Then I got tired of waiting. And the sad look of a person worried about his laptop and the data on it suggested that something needed to be changed. As a result, I canceled this ill-fated check and decided to look for another way.

Removing a banner using AntiSMS

There is one great utility, AntiSMS. It is great for inexperienced users who have encountered a similar problem for the first time.

Its advantage is that it does not scan the entire system for viruses, but immediately removes this annoying banner. You can get rid of it manually, but to do this you need to know how. The AntiSMS utility performs all these actions automatically. As a result, the ransomware banner is removed in literally 10 minutes.

Again: you need to write the utility to a bootable USB flash drive, boot through the BIOS and launch it. Then wait a couple of minutes until you see a message that the virus was successfully removed. Restart your PC or laptop: it should turn on and the banner will no longer appear. Actually, in my case the problem was solved with the help of AntiSMS.

The utility is free and can be found on the official website. Plus, a new program from the same developers has already appeared: SmartFix.

This is how we managed to unlock the computer from the virus. By the way, according to the user, this infection was most likely picked up on an abstracts website. Advertising banners popped up; when he tried to close them, the system froze, then a reboot followed, and voila, Windows was already asking for a password at login. And then, as it turned out, a virus was waiting for us with a threatening message to pay a fine for unlocking the PC.

Of course, you don’t need to pay anyone: this will not make the banner disappear. The only one to benefit will be the attacker: he will understand that this method of “earning money” works and will continue to spread his viruses on all kinds of sites.

For more than five years, Trojans of the Winlock family, known as “Windows blockers,” have been used to extort money from ordinary users. By now, representatives of this class of malware have seriously evolved and become one of the most common problems. Below we offer ways to combat them yourself and provide recommendations for preventing infection.

The appearance of a Trojan on a system usually occurs quickly and unnoticed by the user. A person performs the usual set of actions, browses web pages and does not do anything special. At some point, a full-screen banner simply appears, which cannot be removed in the usual way.

The picture can be openly pornographic or, on the contrary, framed as strictly and menacingly as possible. The result is the same: a message located on top of other windows tells you to transfer the specified amount to such and such a number or to send a paid SMS message. It is often supplemented by threats of criminal prosecution or destruction of all data if the user does not hurry up with payment.

Of course, you shouldn’t pay extortionists. Instead, you can find out which mobile operator the specified number belongs to and report it to the operator's security service. In some cases, they may even tell you the unlock code over the phone, but you shouldn’t really count on it.

Treatment methods are based on understanding the changes that the Trojan makes to the system. All that remains is to identify them and cancel them in any convenient way.

With bare hands

For some Trojans there actually is an unlock code. In rare cases, they even honestly delete themselves completely after the correct code is entered. You can find it in the corresponding sections of the antivirus companies' sites (see examples below).

You can access specialized sections of the websites of Doctor Web, Kaspersky Lab and other anti-virus software developers from another computer or phone.

After unlocking, do not rejoice prematurely and do not turn off the computer. Download any free antivirus and perform a full system scan. To do this, use, for example, Dr.Web CureIt! or Kaspersky Virus Removal Tool.

Simple measures for simple horses

Before using complex methods and special software, try to make do with the available means. Call the task manager using the key combination (CTRL)+(ALT)+(DEL) or (CTRL)+(SHIFT)+(ESC). If it works, then we are dealing with a primitive Trojan, and fighting it will not cause problems. Find it in the list of processes and forcefully terminate it.

A third-party process is given away by a vague name and the lack of a description. If in doubt, simply unload all suspicious ones one by one until the banner disappears.

If the task manager does not open, try using a third-party process manager through the Run command, launched by pressing the (Win) + (R) keys. This is what a suspicious process looks like in System Explorer.

You can download the program from another computer or even from your phone. It only takes up a couple of megabytes. The “check” link searches for information about the process in an online database, but usually everything is clear. After closing the banner, you often need to restart Explorer (the explorer.exe process). In the task manager, click: File -> New task (Run) -> c:\Windows\explorer.exe.

When the Trojan is deactivated for the duration of the session, all that remains is to find its files and delete them. This can be done manually or use a free antivirus.

A typical location for a Trojan is the user, system, and browser temporary files directories. It is still advisable to perform a full scan, since copies can be located anywhere, and trouble does not come alone. The free Autoruns utility will help you view the full list of autorun objects.

Military stratagem

A peculiarity in the behavior of some standard programs will help you deal with the Trojan at the first stage. When you see the banner, try blindly launching Notepad or WordPad. Press (WIN)+(R), type notepad and press (ENTER). A new text document will open under the banner. Type any gibberish and then briefly press the power button on the system unit. All processes, including the Trojan, will begin to terminate, but the computer will not shut down.

Notepad will stop the galloping horse and return access to the admin!

Old school

More advanced versions of Trojans have means to counter attempts to get rid of them. They block the launch of the task manager and replace other system components.

In this case, restart your computer and hold down the (F8) key while Windows boots. A window for selecting a boot method will appear. We need "Safe Mode with Command Prompt". After the console appears, type explorer and press (ENTER): Explorer will start. Next, type regedit, press (ENTER) and you will see the registry editor. Here you can find the entries created by the Trojan and discover the place from which it autoruns.

Most often you will see the full paths to the Trojan files in the Shell and Userinit keys in the branch

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

In “Shell” the Trojan is written instead of explorer.exe, and in “Userinit” it is indicated after a comma. Copy the full name of the Trojan file to the clipboard from the first detected entry. On the command line, type del, add a space and open the context menu with the right mouse button.

In it, select the “Paste” command and press (ENTER). One Trojan file has been deleted; we do the same for the second and subsequent ones.

Removing a Trojan from the console - the file was in a temporary folder.

Then we search the registry by the name of the Trojan file, carefully review all the entries found and delete suspicious ones. We clear all temporary folders and the trash. Even if everything went perfectly, don’t be lazy and then run a full scan with any antivirus.
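The registry checks described in this section (Shell and Userinit under Winlogon) and the Image File Execution Options check described earlier can be read out in one pass instead of clicking through regedit. This is an added example, not part of the original article; it only reports and changes nothing, and the function names are hypothetical.

```powershell
# Added example (not from the original article): read-only check of the
# logon settings the article tells you to inspect in regedit.
$Base     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$Winlogon = "$Base\Winlogon"
$IfeoKey  = "$Base\Image File Execution Options\explorer.exe"

# Expected values as given in the article. The Windows folder is taken from
# the environment rather than assumed to be C:\WINDOWS.
$GoodShell    = 'explorer.exe'
$GoodUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'

function New-Finding($Location, $Found, $Why) {
    New-Object PSObject -Property @{ Location = $Location; Found = $Found; Why = $Why }
}

function Get-LogonHijackFinding {
    $v = Get-ItemProperty -Path $Winlogon

    # Shell must be exactly explorer.exe; anything else runs in its place.
    $shell = ([string]$v.Shell).Trim()
    if ($shell -ine $GoodShell) {
        New-Finding 'Winlogon\Shell' $shell "expected '$GoodShell'"
    }

    # Userinit is a comma-separated list and every entry is started at logon,
    # so a Trojan added after the comma shows up as an extra entry.
    $entries = @(([string]$v.Userinit) -split ',' |
                 ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries -notcontains $GoodUserinit) {
        New-Finding 'Winlogon\Userinit' ([string]$v.Userinit) "'$GoodUserinit,' is missing"
    }
    foreach ($e in $entries) {
        if ($e -ine $GoodUserinit) {
            New-Finding 'Winlogon\Userinit' $e 'extra program in the list'
        }
    }

    # The article's advice: an explorer.exe subkey here should not exist.
    if (Test-Path -Path $IfeoKey) {
        $dbg = (Get-ItemProperty -Path $IfeoKey).Debugger
        New-Finding 'Image File Execution Options\explorer.exe' "Debugger=$dbg" 'subkey should not exist'
    }
}

$findings = @(Get-LogonHijackFinding)
if ($findings.Count -eq 0) {
    'Shell, Userinit and Image File Execution Options match the expected values.'
} else {
    $findings | Format-List Location, Found, Why
}
```

Any file path that appears in the Found column is the one to copy for the del step above and to include in the antivirus scan.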

If network connections stopped working because of the Trojan, try restoring the Windows Sockets API settings with the AVZ utility.

Operation under anesthesia

It is useless to fight a serious infection from within the infected system. It’s more logical to boot into something that is known to be clean and calmly cure the main system. There are dozens of ways to do this, but one of the simplest is to use the free utility Kaspersky WindowsUnlocker, included in Kaspersky Rescue Disk. Like DrWeb LiveCD, it is based on Gentoo Linux. The image file can be written to a blank disc or made into a bootable flash drive using the Kaspersky USB Rescue Disk Maker utility.

Prudent users do this in advance, while others turn to friends or go to the nearest Internet cafe during infection.

When you turn on the infected computer, hold down the key to enter the BIOS. This is usually (DEL) or (F2), and the corresponding prompt appears at the bottom of the screen. Insert the Kaspersky Rescue Disk or bootable flash drive. In the boot settings (Boot options), select the optical drive or the flash drive as the first boot device (sometimes the flash drive may appear in the HDD drop-down list). Save changes (F10) and exit BIOS.

Modern BIOS versions allow you to choose the boot device on the fly, without entering the main settings. To do this, press (F12), (F11) or a key combination; for details, see the message on the screen or the instructions for the motherboard or laptop. After the reboot, Kaspersky Rescue Disk will start.

The Russian language is available, and treatment can be performed automatically or in manual mode; see the step-by-step instructions on the developer's website.

Early struggles

A separate subclass consists of Trojans that attack the master boot record (MBR). They appear before Windows boots, and you will not find them in the startup sections.

The first stage of dealing with them is to restore the original MBR code. In the case of XP, we boot from the Windows installation disk, press the (R) key to call up the recovery console, and type the fixmbr command in it. Confirm it with the (Y) key and reboot. For Windows 7, a similar utility is called BOOTREC.EXE, and the fixmbr command is passed as a parameter:

After these manipulations, the system boots again. You can start searching for copies of the Trojan and its delivery means using any antivirus.

On a crusade with a Phillips screwdriver

On low-power computers and especially on laptops, the fight against Trojans can take a long time, since booting from external devices is difficult and the scan takes a very long time. In such cases, simply remove the infected hard drive and connect it to another computer for treatment. For this it is more convenient to use enclosures with an eSATA or USB 3.0/2.0 interface.

In order not to spread the infection, we first disable autorun from the HDD on the “treating” computer (and it would not hurt to do so for other types of media). The most convenient way to do this is with the free AVZ utility, but it is better to perform the scan itself with something else. Go to the "File" menu and select "Troubleshoot Wizard". Check "System problems" and "All", then click "Start". After that, check the “Allow autorun from HDD” option and click “Fix noted problems”.

Also, before connecting an infected hard drive, you should make sure that resident anti-virus monitoring is running on the computer with adequate settings and there are fresh databases.

If the partitions of the external hard drive are not visible, go to Disk Management. To do this, in the “Start” -> “Run” window, type diskmgmt.msc and then press (ENTER). The external hard drive partitions must be assigned letters. They can be added manually using the “change drive letter...” command. After that, scan the entire external hard drive.

To prevent reinfection, you should install any antivirus with a real-time monitoring component and adhere to general security rules:

  • try to work under an account with limited rights;
  • use alternative browsers: most infections occur through Internet Explorer;
  • disable Java scripts on unknown sites;
  • disable autorun from removable media;
  • install programs, add-ons and updates only from official developer sites;
  • always pay attention to where the proposed link actually leads;
  • block unwanted pop-ups using browser add-ons or standalone programs;
  • promptly install updates to browsers, general and system components;
  • allocate a separate disk partition for the system, and store user files on another.

Following the last recommendation makes it possible to create small images of the system partition (with Symantec Ghost, Acronis True Image, Paragon Backup and Recovery, or at least the standard Windows “Backup and Restore” tool). They will let you restore your computer in a matter of minutes, regardless of what it is infected with and whether antivirus software can detect the Trojan.

The article provides only the basic methods and general information. If you are interested in the topic, visit the GreenFlash project website. On the forum pages you will find many interesting solutions and tips for creating a multiboot flash drive for all occasions.

The distribution of Winlock Trojans is not limited to Russia and neighboring countries. Their modifications exist in almost all languages, including Arabic. In addition to Windows, attempts are being made to infect Mac OS X with similar Trojans. Linux users do not get to experience the joy of victory over an insidious enemy: the architecture of this family of operating systems does not allow anyone to write an effective and universal X-lock. However, you can “play doctor” on a virtual machine with a Windows guest OS.
