How To Remove Fake “This PC Has Been Blocked” Warning Screen

This PC Has Been Blocked is another Trojan which displays a fake Blue Screen of Death. It looks almost identical to Your Windows Has Been Banned scareware and is probably an updated version made by the same creators.

Just like other versions of this lockscreen, this one also blocks your PC and asks you to call a fake support line (for example, 1-844-703-1130). It tries to scare users by stating that “Your pc has been infected with viruses”. The only threat that is dangerous to your machine is the lockscreen itself.

While the scammers pretend to be Microsoft technicians, in reality there is no such error in the Windows system. Instead, the screen is designed only to scare unsuspecting users and extort money. The scammers ask you to pay in order to unlock your computer. Also, the support line number might have increased calling rates and result in even more costs than you expected. Therefore, you should never call the provided line.

Luckily, it is quite easy to remove the threat. While closing with ALT + F4 does not work anymore with the updated version, an unlock code has already been found. We have a manual guide with instructions on how to remove this virus. However, we recommend using the automatic removal and protection tool listed below as it will also prevent any potential infections from entering your system in the future.


Recommended Method: Download “This PC Has Been Blocked” Virus Removal Tool

Version: All
Updated: 2 days ago
Compatible OS: All

This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP.

File name: mb3-setup.exe
Size: 56.5 MB


What is “This PC Has Been Blocked” warning screen virus?

This screenlocker is an imitation of a Windows component called Blue Screen of Death. It is completely fake since there is no real Windows error that would lock your PC due to virus activity and ask to call a support technician. The only dangerous threat actually present on your computer is this locker itself.

Since the design imitates legitimate system components, less experienced users might be scared enough to actually call the provided phone number. This is where the scammers take control of the situation and demand payment before they tell you an unlock code. They can also ask you for personal details or even log in to your computer for “remote assistance” and steal data.

There are many versions of this virus and each new one has slight improvements. However, it is still quite easy to remove because the unlock code is embedded in the virus executable file. This allows security researchers to extract the code and close the warning. Since only one code is used globally, the code can be used by anybody who gets infected by this malware.

Here is the virus text designed to scare users:

Your PC has been blocked because we detected an unsual activity on your computer. 
Your pc has been infected with viruses that do an unusual activity like botnet,ddos etc 
to grant access back to your computer
please contact trusted Microsoft Technician and the Microsoft Technician will give you 
a code to unlock your computer to further remove the virus. 
To get a code please click button down below to contact the nearest Microsoft Technician.

1-844-703-1130

Currently there is no information on how this virus spreads and infects computers. Most likely it uses common methods such as infected free downloads, torrents, files on P2P networks, or exploit kits.

Please keep in mind that although removing this threat is quite easy since the unlock code has already been discovered, you should still perform a proper cleanup afterwards and secure your computer.



Manual Removal Instructions:

NB: Bookmark this page as a computer restart might be required during the process.

If you are not comfortable with editing important Windows files and settings, you can simply use the automatic removal tool after Step 1.

Step 1:

Enter the following unlock code in the “Already have unlock code?” field and click Submit:

XP8BF-F8HPF-PY6BX-K24PJ-RAA00

It should trick the virus into thinking that you have paid the fee. If you still cannot close the locker, proceed to the second step.

If you have successfully closed the locker, you can skip to the third step.

Step 2:

If you cannot close the locker, you will need to restart your Windows machine in Safe Mode.

When your computer is infected by a virus, some of its features may be locked or compromised. You need to bypass this by rebooting your computer in Safe Mode. This will allow you to remove the virus.

Safe Mode loads only the most basic features, so do not be alarmed if Windows looks completely different!

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode:

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, begin repeatedly pressing the F8 key on the keyboard until the boot options menu appears.
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for Windows to launch.

 

How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode:

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since booting is much faster and does not always react to key presses. Try this method first and then proceed to the other methods if it does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, begin repeatedly pressing the F8 key on the keyboard.
    If it does not work, try repeating the same procedure but this time holding the Shift key while pressing F8.
  3. Follow the instructions from Step 5 below.

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold the Shift key on your keyboard and click Restart with your mouse while holding it.
  3. Click Troubleshoot.
  4. Click Advanced options.
  5. Click Startup Settings.
  6. Click Restart.
  7. Now press the F5 key on your keyboard to enable Safe Mode With Networking.

System configuration method (3/4):

  1. Press and hold the Windows key and press the R key.
  2. Enter msconfig.exe and click OK.
  3. When System Configuration opens, go to the Boot tab.
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails, you can try inserting a System Recovery CD or DVD (works only with Windows 8) or a System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose the Troubleshoot option. The steps are then identical to those in the Shift+Restart method starting from #3.

Step 3:

Clean up Windows temporary files as the locker might operate from this folder.

Removing all temporary files is completely safe for your computer.

Hold the Windows key and press the R key.

Enter the following in the field:

%Temp%

Click OK.

Simply select all files and folders displayed in the temporary files directory and delete them permanently by simultaneously pressing CTRL + A and then SHIFT + DELETE.

Step 4:

Use Windows search by clicking the Start button and entering the following file name in the search field:

AdvancedRansomware1.exe

If found, delete this file permanently by pressing SHIFT + DELETE simultaneously.

Repeat the search to make sure there are no more instances of this file left. Then repeat the search and delete process with the following file names associated with the virus:

winban.exe
1.vir.HSvir
13f1494bd756.exe
h57s.exe
1.exe
Install.exe
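The search in Step 4 can also be run as a read-only PowerShell report; this is an added example, not part of the original guide. The search roots are an assumption, and because names such as 1.exe and Install.exe are generic, the report includes the signature status and SHA-256 hash of each hit so it can be checked before anything is deleted.

```powershell
# Added example: report files whose names match the list in Step 4.
# Read-only: it lists candidates and deletes nothing.
$names = @(
    'AdvancedRansomware1.exe', 'winban.exe', '1.vir.HSvir',
    '13f1494bd756.exe', 'h57s.exe', '1.exe', 'Install.exe'
)

# Assumption: profile, ProgramData and Temp are the search roots; add drives as needed.
$roots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

$hits = foreach ($root in $roots) {
    # -Force includes hidden and system files; unreadable folders are skipped.
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name }
}

# Temp usually sits inside the profile, so drop duplicate paths before reporting.
$hits | Sort-Object -Property FullName -Unique | ForEach-Object {
    [pscustomobject]@{
        Path      = $_.FullName
        SizeKB    = [math]::Round($_.Length / 1KB, 1)
        Modified  = $_.LastWriteTime
        Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-List
```

A validly signed Install.exe from a known vendor is most likely a legitimate installer; an unsigned match in a Temp folder deserves a closer look.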

Step 5:

Clear your hosts file from any suspicious IPs.

Press and hold the Windows key and press the R key to open the “Run” window.

Enter the following in the field:

notepad %windir%\system32\drivers\etc\hosts

Click OK.

The hosts file will open in the Notepad text editor. Delete all entries from the bottom of the file that are not marked by “#” in front of them. Leave the 127.0.0.1 localhost in the file.
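To see which lines Step 5 is asking you to review before editing, the following read-only PowerShell snippet lists every active (uncommented) hosts entry other than the loopback-to-localhost mapping. It is an added example, not part of the original guide, and it treats ::1 localhost the same way as 127.0.0.1 localhost, which is an assumption.

```powershell
# Added example: list active hosts-file entries other than "localhost".
# Read-only: the hosts file is not modified.
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
$loopback  = @('127.0.0.1', '::1')   # assumption: IPv6 loopback is treated like 127.0.0.1

$lineNo = 0
$active = foreach ($raw in Get-Content -LiteralPath $hostsPath) {
    $lineNo++
    $line = ($raw -replace '#.*$', '').Trim()   # strip full-line and trailing comments
    if (-not $line) { continue }
    $fields = @($line -split '\s+')
    [pscustomobject]@{
        Line    = $lineNo
        Address = $fields[0]
        Names   = @($fields | Select-Object -Skip 1)
    }
}

# Keep everything except a loopback address that maps only to "localhost".
$review = @($active | Where-Object {
    $entry    = $_
    $nonLocal = @($entry.Names | Where-Object { $_ -ne 'localhost' })
    ($loopback -notcontains $entry.Address) -or
        ($nonLocal.Count -gt 0) -or
        ($entry.Names.Count -eq 0)
})

if ($review.Count -eq 0) {
    'No active entries besides localhost.'
} else {
    $review | ForEach-Object {
        '{0,4}: {1}  {2}' -f $_.Line, $_.Address, ($_.Names -join ' ')
    }
}
```

Entries that point security vendor or update domains at 127.0.0.1 are as suspicious as entries that point known sites at an unfamiliar address.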

Step 6:

Remove suspicious programs from your startup configuration so they do not launch as soon as you boot your computer.

Hold the Windows key and press the R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.
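The checks described in Step 6 (manufacturer and file location of each startup item) can be collected in one read-only PowerShell report; this is an added example, not part of the original guide. It covers only the Run registry keys and the two Startup folders, which is an assumption about where the entry lives, and it reports the file's company name together with its Authenticode signature status.

```powershell
# Added example: list auto-start entries with company name and signature status.
# Read-only: no entry is disabled or removed.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$wsh = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

$entries = @(
    foreach ($key in $runKeys) {
        if (Test-Path -Path $key) {
            $reg = Get-Item -Path $key
            foreach ($name in $reg.GetValueNames()) {
                [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$reg.GetValue($name) }
            }
        }
    }
    foreach ($dir in 'Startup', 'CommonStartup') {   # per-user and all-users Startup folders
        $folder = [Environment]::GetFolderPath($dir)
        if ($folder -and (Test-Path -LiteralPath $folder)) {
            Get-ChildItem -LiteralPath $folder -File -Force |
                Where-Object { $_.Name -ne 'desktop.ini' } |
                ForEach-Object {
                    $cmd = if ($_.Extension -eq '.lnk') { $wsh.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
                    [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $cmd }
                }
        }
    }
)

$entries | ForEach-Object {
    # Pull the executable path out of the command line (quoted or unquoted).
    $exe = $null
    if ($_.Command -match '^\s*"?([^"]+?\.(?:exe|com|scr|bat|cmd))(?=["\s]|$)') {
        $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    $found = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
    [pscustomobject]@{
        Name      = $_.Name
        Source    = $_.Source
        Command   = $_.Command
        Company   = if ($found) { (Get-Item -LiteralPath $exe -Force).VersionInfo.CompanyName } else { '' }
        Signature = if ($found) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'path not resolved' }
    }
} | Format-List
```

An entry with an empty company name, a NotSigned status and a path under a Temp or user profile folder matches the "Unknown" manufacturer pattern described above; a company name alone proves nothing because it is just a string inside the file.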

Step 7:

Restore the old system settings using System Restore.

Press and hold the Windows key and press the R key.

Enter the following in the field:

rstrui.exe

Click OK.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that was created before the infection happened but is not too old.

It will restore your system settings only and will not affect your files.

If you do not see any restore points, the virus might have removed them or they might never have been created.

After removing the virus

When you have finished removing the “This PC Has Been Blocked” virus files and reverting your browser settings, make sure to protect your computer by installing a good antivirus suite that can identify threats online and in programs you have downloaded. Also avoid downloading unofficial torrents, illegal cracks or other files from P2P networks.

