Click here to visit Original posting
Your Windows Hasbeen Banned Screenlocker Removal Guide
- Wed, 14 Dec 2016 11:43:01 EST
- Read 4301 times
The Your Windows hasbeen banned or Your Windows Has Been Banned screen locker is a Trojan that displays a fake security screen stating that the PC has been banned due to unusual activity being detected. It then tells you to contact the nearest Microsoft technician to get a an unlock code to unlock it. Once you enter the correct code, the screen will unlock and another screen will be displayed that contains instructions on how to remove the Trojan.
Thankfully, the unlock code for this scam could be retrieved from the executable and can be entered into the field to terminate the screen locker. The first version, which has the title Windows HasBeen Banned uses a unlock code of 123456. The second version, whose title was fixed to "Windows Has Been Banned" uses a different passcode, which is nvidiagpuareshit.
You can also use the Alt+F4 keyboard combination to shutdown the current variants of this screenlocker, but this may be disabled in the future.
Note: Once the screenlocker is closed, you still need to remove the infection. Most AV programs should detect it at this point.
The text of the screenlocker is:
Your PC has been banned because we detected an unusual activity on your computer. To protect the windows service and its member
your PC maybe has been infected with viruses that do an usual activity like botnet,ddos,etc to grant access back to your computer please pay some fee to trusted Microsoft Technician and the Microsoft Technician will give you a code to unlock to get a code please click button down to below to contact the nearest Microsoft Technician.
Once the correct pass code is entered, the alert that is shown will contain this text:
Thanks for buying the unlock code from me! You are fooled
i am not microsoft
To Remove My Virus Follow the Instructions
1) Enter "123456" as a Unlock Code
2) Open Start Menu
3) Go to Start Up
4) Delete the exe file "AdvancedRansomware1.exe"
How did the Your Windows hasbeen banned screenlocker get on my computer?
It is not currently known how this Trojan is being distributed. It could be distributed using fake software cracks or through free programs you download off of the Internet. As more information becomes available, we will update it here.
As the current unlock code is known and we can use Alt+F4 to terminate the program, removing this infection is fairly easy. If the code does not work or you are unable to terminate the infection, you can use the removal guide below to remove it for free.
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\AdvancedRansomware1.exe %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Agnot Viewer.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AdvancedRansomware1.exe
File Location Notes:
%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.