Remove “Windows Defender Prevented Malicious Software” Virus

“Windows Defender prevented an unrecognised and malicious software on your computer” is a tech support scam. It locks your computer’s screen and asks you to enter a 25-character code to “activate Windows”. Your normal Windows license code does not work, so you are pushed to call the fake tech support phone line. The scammers then try to extort money or gain remote access to your machine before unlocking it.

Although the locker screen is designed to look like a legitimate Windows error message, no such error exists and your computer is otherwise fine. The only thing preventing your machine from working normally is the malware. Never call the support number: you may lose money, either because of increased calling rates or because the scammers demand a payment. They may also ask you to allow access to your machine. Never agree to this, since it puts all your personal data in danger as well.

You should remove this threat as soon as possible in order to regain access to your PC. The removal process is relatively easy and we have an automatic tool available to do the job. The tool will also protect you from other threats in the future. We have also prepared a manual removal guide. However, it requires some experience in editing important Windows system files and settings, and it does not guarantee that this or any other threat will not come back unless you secure your computer with a proper antivirus afterwards.


Recommended Method: Download Tech Support Scam Locker Removal Tool

This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP.
File name: mb3-setup.exe (56.5 MB)

What is “Windows Defender Prevented Malicious Software” locker virus?

It is designed to trick users into thinking that malicious software is installed on their computer and that they therefore need to enter a Windows Product Key. In reality this warning is completely fake and is aimed at persuading victims to call the fake support line. The scammers then ask you to either pay or give them access to your machine, which lets them view your personal files and control your settings.

Most versions of the locker cannot be closed with the ALT + F4 combination and block access to your computer completely. Task Manager, Registry Editor and Windows Explorer might be terminated as well. However, a working “Product Key” code has already been discovered, so you can close the warning yourself. You will still need to remove the malware completely if you do not want the fake error to reappear.

Here is a typical text shown on the locker:

Customer Support : 1-877-360-0485

Microsoft Windows

Product Key

Please Enter Product Key

Windows Defender prevented an unrecognized and malicious software on your computer. 
Please enter your Windows Product Key. 
The Product Key should be on a label or the card inside the box that Windows Disk came in 
or in the confirmation email you recieved after buying it. 
if you have upgraded to Windows 10, you have a digital license instead of a key.

A product key is a 25 character code used to active Windows. 
It look like this:
PRODUCT KEY: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Another version states that your system has a corrupted file:

Windows Defender has detected Critically Corrupted File System!
Your PC/Device ran into a problem and needs to be repaired.
The digital Signature for this File couldn’t be verified.
File: \windows\system32\boot\winload.exe
Error code: 0xc0000428
The problem seems to be caused by the following file: atikmdag.sys
You’ll need to use recovery tools. 
Contact your PC administrator or PC/Device manufacturer on these numbers.
Some charges may be applied by local operators for toll-free numbers in certain countries or regions.
Toll free: 1-844-563-0240
Error code: 31058

There are many ways to get infected by this trojan. Sometimes it comes bundled with other programs and you install it unintentionally. In other cases it is attached to downloads from P2P networks, torrent files and other suspicious software.

Associated fake tech support lines:

1-877-360-0485
1-844-459-8882
1-844-208-3526
1-844-563-0240

You should remove this virus as soon as possible in order to restore normal access to your machine. You also need to remove all files belonging to the malware to make sure that the scammers do not have access to your personal data. We have prepared a manual removal guide; however, we recommend the automatic tool listed above as it is both the easiest and the most reliable option. The removal tool will also protect your computer from possible viruses in the future.



Manual Removal Instructions:

NB: Removing the virus manually removes the symptoms only, and this or any other threat might reappear in the future. We recommend using the tool provided at the top of this page in order to not only remove the virus but also secure your computer against possible breaches in the future.

Make sure you bookmark this page as a computer restart will be required.

Step 1:

Start by entering the following code into the product key field (if you are asked for a product key):

THTY4-89LK6-RTI23-XZTOP-05ERY

Click OK.

You can also try pressing ALT + F4 to close the locker.

Another option is to click on the “TeamViewer”, “GoToAssist” or “Supremo” buttons in order to minimize the lock screen.

If the above methods fail, try restarting the system in Safe Mode as described in the next step.

Step 2:

Reboot the system in Safe Mode.

When your computer is infected by a virus, some of its features may be locked or compromised. You can bypass this by rebooting your computer in Safe Mode, which will allow you to remove the virus.

Since Safe Mode loads only the most basic features, do not be alarmed if Windows looks completely different!

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly until the boot options menu appears.
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for Windows to launch.

 

How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode

F8 method (1/4):

Restarting and repeatedly pressing F8 might not work for these versions of Windows, since booting is much faster and the system does not always react to key presses. Try this method first and then proceed to the other methods if it does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly.
    If it does not work, repeat the same procedure, but this time hold the Shift key while pressing F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold the Shift key on your keyboard and, while holding it, click Restart with your mouse.
  3. Click Troubleshoot.
  4. Click Advanced options.
  5. Click Startup Settings.
  6. Click Restart.
  7. Press the F5 key on your keyboard to enable Safe Mode With Networking.

System configuration method (3/4):

  1. Press and hold the Windows key and press R.
  2. Enter msconfig.exe and click OK.
  3. When System Configuration opens, go to the Boot tab.
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails, you can try inserting a System Recovery CD or DVD (works only with Windows 8) or a System Recovery USB memory stick (works with Windows 8 and 8.1). You will be able to choose the Troubleshoot option. The steps are then identical to those of the Shift+Restart method, starting from #3.

Step 3:

If Windows Explorer is still disabled, open it by holding the Windows key and pressing E.

Then clean up Windows temporary files.

Removing all temporary files is completely safe for your computer.

Hold the Windows key and press R.

Enter the following in the field:

%Temp%

Click OK.

Select all files and folders displayed in the temporary files directory by pressing CTRL + A, then delete them permanently by pressing SHIFT + DELETE while the files are selected.

Step 4:

Use Windows search by clicking the Start button and entering the following file name in the search field:

adobe flash player.exe

The usual path to this file is as follows:

C:\Program Files (x86)\adobe flash player.exe

Delete this file permanently by pressing SHIFT + DELETE simultaneously.

Repeat the search with the following files and delete them if found:

Productkeyupdate.exe
black.exe

They are usually located in the same directory.

Step 5:

Delete registry values created by this virus.

Press and hold the Windows key and press R.

Enter the following in the field:

regedit.exe

Click OK.

Use the folder tree on the left to navigate to the following location:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Right-click a value that contains the following and choose Delete:

Adobe Flash Player

Delete any other values associated with the virus if you see them.
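
The file and registry checks from Steps 4 and 5 can also be run as a read-only PowerShell script. This is an added example, not part of the original guide: it only reports matches and deletes nothing. The file names, the usual directory and the Run key value are the ones listed above; also checking the plain Program Files folder is an assumption.

```powershell
# Added example: read-only check for the indicators named in Steps 4 and 5.
# Run it as the affected user, because the Run key below is per-user (HKCU).

# File names and usual directory from Step 4. $env:ProgramFiles is an
# assumption added for 32-bit systems, where "Program Files (x86)" does not exist.
$fileNames  = @('adobe flash player.exe', 'Productkeyupdate.exe', 'black.exe')
$searchDirs = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) |
    Where-Object { $_ } | Select-Object -Unique

# Run key and value text from Step 5.
$runKey        = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valuePatterns = @('Adobe Flash Player') + $fileNames

function Find-LockerFiles {
    param([string[]]$Directories, [string[]]$Names)
    foreach ($dir in $Directories) {
        foreach ($name in $Names) {
            $path = Join-Path -Path $dir -ChildPath $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $item = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
                [pscustomobject]@{
                    Type     = 'File'
                    Location = $item.FullName
                    Detail   = '{0} bytes, created {1:u}' -f $item.Length, $item.CreationTimeUtc
                }
            }
        }
    }
}

function Find-LockerRunValues {
    param([string]$Key, [string[]]$Patterns)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $regKey = Get-Item -LiteralPath $Key
    foreach ($valueName in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($valueName)
        # Match on either the value name or the command line it launches.
        $hit = $Patterns | Where-Object { $valueName -like "*$($_)*" -or $data -like "*$($_)*" }
        if ($hit) {
            [pscustomobject]@{ Type = 'RunValue'; Location = "$Key\$valueName"; Detail = $data }
        }
    }
}

$findings = @(Find-LockerFiles -Directories $searchDirs -Names $fileNames) +
            @(Find-LockerRunValues -Key $runKey -Patterns $valuePatterns)
if ($findings.Count -eq 0) { 'No indicators from this guide were found.' }
else { $findings | Format-List }
```

Review anything it lists before deleting it as described in Steps 4 and 5.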

Step 6:

This is an additional step to make sure you remove all changes this virus made to your system settings.

You need to have a relatively recent restore point in order to restore your settings successfully. If you restore a very old restore point some unwanted settings might come back. Also, make sure the restore point has been created before the infection happened.

Restore the old system settings using System Restore.

Press and hold the Windows key and press R.

Enter the following in the field:

rstrui.exe

Click OK.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the infection happened but is not too old.

It will restore your system settings only and will not affect your files.

If you do not see any restore points, the virus might have removed them or they might never have been created.

After removing the virus

When you have finished removing the virus, make sure to protect your computer by installing a good antivirus suite that can identify threats online and in programs you have downloaded. Also avoid downloading unofficial torrents, illegal cracks or other files from P2P networks.

