“Your Windows Has Been Banned” Lock Screen Virus Removal

Your Windows Has Been Banned is a Trojan that locks your computer and displays a fake warning imitating the Blue Screen of Death. It tries to scam people by tricking them into calling a fake support technician number. The virus promises to give you an unlock code after you pay a fee. In addition, the phone numbers might carry increased calling rates, so you are charged while you are talking to the scammers.

There are several variations of this malware. Some are removed quite easily and their unlock codes have already been found. Others seem more aggressive: they threaten to delete your files in 72 hours if you do not pay the required amount, and also require you to tweet a specific text. Despite these claims, your files are most likely safe, since the virus is not as harmful as the majority of other ransomware. In most cases you can also close the warning screens by simply pressing ALT + F4.

Even though this virus does not look as harmful as other ransomware, you still need to remove it completely from your system. The virus keeps evolving, so you might have a more advanced version that is capable of doing more harm than its predecessors. The best way to prevent any further damage is to remove the virus and secure your computer. We have an automatic tool for this listed below. It will not only remove the threat but also secure your computer so you will not get infected in the future. You can also follow the manual removal guide provided on this page, but this does not guarantee that the threat will not come back in the future.


Recommended Method: Download “Your Windows Has Been Banned” Virus Removal Tool

Version: All
Updated: 2 days ago
Compatible OS: All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP.
File name: mb3-setup.exe
Size: 56.5 MB

What is “Your Windows Has Been Banned” virus?

This virus is designed to make users believe that the computer has run into an error and that they need to contact a support technician by calling a phone number. Its design imitates the Windows style and it uses scare tactics to extort money from its victims. The malware focuses on scaring the user instead of actually doing harm to the data and is therefore very simply coded. This simplicity helps the virus infiltrate computers easily, but it also means it can be removed quite easily.

Since the virus has several variations, the titles and texts differ across them. The first ones were made carelessly and include many grammar mistakes, while the later ones are made to look more convincing and have an updated design.

Here are several titles you might see when infected with this screen locker:

Your computer hasbeen banned
Your Windows hasbeen banned
Your Windows has been banned

The text that encourages you to contact the fake support line usually goes as follows:

Your Windows Has Been Banned
This PC has been banned for terms of use violations. 
To Protect the Windows service and its members. Microsoft does not provide details about specific PC bans. 

Your PC has been banned because we detected an unusual activity on your computer. 
To protect the windows service and its members your PC maybe has been infected with viruses 
that do an unusual activity like botnet, dos, etc. 
to grant access back to your computer please pay some fee to trusted Microsoft Technicians 
and the Microsoft Technician will give you a code to unlock 
to get a code please click button down below to contact the nearest Microsoft Technician. 
Nearest Microsoft Technician Found! Contact: +62 081224380320

Sometimes the virus arrives in an alternative form and displays the following message:

Dear Windows User, Your PC have been banned and we are sorry to say that we are now Hijacking 
(legally) to your computer and we are now trying to Encrypt (Lock) your files, 
because of fake Windows. To know more about this kinds of Windows bans, visit:

The virus presents several numbers and emails as their support lines. Here are some of them:

+62 081224380320
1-914-465-0012
microsoftxyber@hackindex.com

A README.txt note is also created and placed on the desktop. It falsely threatens to delete your files if you do not tweet a message but this is just a scare tactic:

Your PC has been infected with Black virus,
this virus will destroy all your files in 72 hours,
to prevent this you just have to send a tweet with this template:
@BlackVirus
You get me,
and my ID is: ruehpyvh.i44
so now libert me.

There are several ways this virus reaches your computer. Although it does not have one distinct method of spreading, you usually get infected when downloading suspicious torrent files, cracks, fake programs or email attachments. It also spreads through corrupted links and advertisements on the web. It has also been reported that this virus presents itself as software called Agnot Viewer, as well as a Windows update.

We have manual removal instructions below. However, we recommend using the free automatic tool listed at the top of this page as you will not need any experience in editing Windows system files and settings for this. The tool will protect you from any future threats as well.



Manual Removal Instructions:

NB: The removal of this particular virus is not as complicated as in most other screen locker cases. However, by removing it manually you remove the symptoms only and this or any other threat might reappear in the future. We recommend using the tool provided at the top of this page in order to not only remove the virus but also secure your computer from any possible breaches in the future.

Step 1:

Start by pressing ALT + F4 keys in order to close the lock screen.

If this does not help, you can try entering one of the following codes that were set by the virus creator:

30264410
123456
6666666666666666
nvidiagpuareshit

It should trick the virus into thinking that you have paid the fee. If you still cannot close the locker proceed to the second step.

If you have successfully closed the locker you can skip to the third step.

Step 2:

If you cannot close the locker you will need to restart your Windows machine in Safe mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Safe Mode loads only the most basic features, so do not be alarmed if Windows looks completely different!

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode:

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, begin pressing the F8 key repeatedly until the Advanced Boot Options menu appears.
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for Windows to launch.

 

How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode:

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, begin pressing the F8 key repeatedly.
    If it does not work, try repeating the same procedure, but this time hold the Shift key while pressing F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold the Shift key on your keyboard and, while holding it, click Restart with your mouse.
  3. Click Troubleshoot.
  4. Click Advanced options.
  5. Click Startup Settings.
  6. Click Restart.
  7. Now press the F5 key on your keyboard to enable Safe Mode With Networking.

System configuration method (3/4):

  1. Press and hold the Windows key and press the R key.
  2. Enter msconfig.exe and click OK.
  3. When System Configuration opens, go to the Boot tab.
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails, you can try inserting a System Recovery CD or DVD (works only with Windows 8) or a System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose the Troubleshoot option. The steps are then identical to those in the Shift+Restart method, starting from #3.

Step 3:

Clean up Windows temporary files as the locker might operate from this folder.

Removing all temporary files is completely safe for your computer.

Hold the Windows key and press the R key.

Enter the following in the field:

%Temp%

Click OK.

Simply select all files and folders displayed in the temporary files directory and delete them permanently by simultaneously pressing CTRL + A and then SHIFT + DELETE.

Step 4:

Use Windows search by clicking the Start button and entering the following file name in the search field:

AdvancedRansomware1.exe

Delete this file permanently by pressing SHIFT + DELETE simultaneously.

Repeat the search to make sure there are no more instances of this file left. Then repeat the search and delete with the following file names associated with the virus:

winban.exe
1.vir.HSvir
13f1494bd756.exe
h57s.exe
1.exe
Install.exe
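
The same search can be run from PowerShell. The script below is an added example, not part of the original guide; the search roots and the function name Find-LockerFiles are assumptions. It only reports matches, with a SHA-256 hash and signature status for a virustotal.com lookup, because names such as 1.exe and Install.exe are generic and can belong to legitimate software.

```powershell
# File names this guide associates with the screen locker (Step 4).
$names = @(
    'AdvancedRansomware1.exe', 'winban.exe', '1.vir.HSvir',
    '13f1494bd756.exe', 'h57s.exe', '1.exe', 'Install.exe'
)

# Assumption: search roots chosen for this example; add other drives as needed.
$roots = @($env:TEMP, $env:USERPROFILE, $env:ProgramData) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Find-LockerFiles {
    param([string[]]$Roots, [string[]]$Names)

    Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |      # -contains ignores case
        Sort-Object FullName -Unique |                   # %TEMP% lies inside the profile
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                        -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Modified  = $_.LastWriteTime
                # A valid signature suggests a legitimate file that shares the name.
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                SHA256    = $hash.Hash
            }
        }
}

# Report only; nothing is deleted. Review each hit before removing it by hand.
Find-LockerFiles -Roots $roots -Names $names | Format-List
```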

Step 5:

Clear your hosts file of any suspicious IPs.

Press and hold the Windows key and press the R key to open the “Run” window.

Enter the following in the field:

notepad %windir%\system32\Drivers\etc\hosts

Click OK.

The hosts file will open in the Notepad text editor. Delete all entries from the bottom of the file that are not marked by “#” in front of them. Leave the 127.0.0.1 localhost entry in the file.
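
To review the file before editing it, the check above can be scripted. This is an added example, not part of the original guide: the function name Get-SuspiciousHostsEntry and the sample entries are constructed for illustration. It lists every active (non-comment) line other than the default localhost mapping and changes nothing.

```powershell
function Get-SuspiciousHostsEntry {
    param([string[]]$Lines)

    $n = 0
    foreach ($line in $Lines) {
        $n++
        # Drop everything after '#': full-line and trailing comments are inactive.
        $active = ($line -split '#', 2)[0].Trim()
        if (-not $active) { continue }

        $fields = $active -split '\s+'
        $ip     = $fields[0]
        $names  = @($fields | Select-Object -Skip 1)

        # The default loopback mapping is the one entry the guide says to keep.
        $otherNames = @($names | Where-Object { $_ -ne 'localhost' })
        $isDefault  = ($ip -in '127.0.0.1', '::1') -and ($otherNames.Count -eq 0)

        if (-not $isDefault) {
            [pscustomobject]@{ Line = $n; Address = $ip; Names = ($names -join ' ') }
        }
    }
}

# Constructed sample (not taken from an infected machine): lines 3 and 4 are reported.
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '203.0.113.10    update.example.com    # constructed entry',
    '0.0.0.0         scanner.example.net'
)
Get-SuspiciousHostsEntry -Lines $sample | Format-Table -AutoSize

# The real file on this machine (read-only check).
if ($env:windir) {
    $hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
    if (Test-Path -LiteralPath $hostsPath) {
        Get-SuspiciousHostsEntry -Lines (Get-Content -LiteralPath $hostsPath) |
            Format-Table -AutoSize
    }
}
```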

Step 6:

Remove suspicious programs from your startup configuration so they do not launch as soon as you boot your computer.

Hold the Windows key and press the R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.
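
The startup review can also be done from PowerShell, which shows the manufacturer and file location for every entry at once. This is an added example, not part of the original guide; the function names Resolve-StartupExe and Get-StartupAudit are assumptions, and it requires PowerShell 3.0 or later. It lists entries only and disables nothing.

```powershell
function Resolve-StartupExe {
    # Extract the executable path from a startup command line.
    param([string]$Command)

    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    # Quoted path: "C:\path with spaces\app.exe" /args
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: C:\Program Files\app.exe /args
    if ($cmd -match '^\s*(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

function Get-StartupAudit {
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $exe     = Resolve-StartupExe $_.Command
        $company = $null
        $sig     = 'NotResolved'      # path could not be located on disk

        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
            $sig     = (Get-AuthenticodeSignature -LiteralPath $exe).Status
        }

        [pscustomobject]@{
            Name         = $_.Name
            Location     = $_.Location       # registry key or Startup folder
            Executable   = $exe
            # msconfig shows "Unknown" when the file carries no company name.
            Manufacturer = if ($company) { $company } else { 'Unknown' }
            Signature    = $sig
        }
    }
}

# Entries with an Unknown manufacturer or a non-Valid signature deserve a closer look.
Get-StartupAudit | Sort-Object Signature, Manufacturer | Format-Table -AutoSize -Wrap
```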

Step 7:

Restore the old system settings using System Restore.

Press and hold the Windows key and press the R key.

Enter the following in the field:

rstrui.exe

Click OK.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the infection happened but is not too old.

It will restore your system settings only and will not affect your files.

If you do not see any restore points, the virus might have removed them or they might never have been created.

After removing the virus

When you have finished removing the virus and reverting your browser settings make sure to protect your computer by installing a good antivirus suite that would identify the threats online and in programs you have downloaded. Also avoid downloading unofficial torrents, illegal cracks or other files from P2P networks.
