Lubrican: Blog

Back to Lubrican's Blog

Winlocker viruses and how to avoid them

March 8, 2013
Posted at 11:49 pm
Updated: March 9, 2013 - 10:44 am

If you've been keeping up with the blog, you know I posted a link to a tumblr site in an earlier post, so that interested readers could see an example of the kind of site referenced in all the tumblr stories.

You also know that a reader who went to that link got what is commonly called a "winlocker virus". What that means is that it locks the window and you can't get out of it. There is text there, and images that are supposed to look official. Many of them represent themselves to be from law enforcement agencies, threatening to ruin your life for looking at porn, stealing music, etc if you don't pay "a fine." Others may say if you pay by texting a phone number, you'll be given a code that will unlock your computer.

The first thing you need to know is they aren't from any law enforcement agency, and they won't give you anything that will unlock your computer, even if you pay them. So don't do that.

What follows is what I'll call an article, written mostly by one of my readers who prefers to remain anonymous. I have paraphrased some of what he sent me, and added in some things from other readers and sources and even dropped a few things, for the sake of brevity. He's a funny guy (assuming he's really a guy and not a girl) but this is a serious issue, so I shortened it. This may help you avoid the problem, and help you get rid of it if you don't.



So, it has happened. Your computer has been merrily coughing up your tumblr pictures for you, when suddenly a black (blue, red, green, whatever) screen pops up, telling you, that you have watched too much child/gay/midget/Santa Claus/ PORN. And, unless you send a money to a link on the page you will be arrested, prosecuted and exposed to your boss/wife/girlfriend/midget lover. So pay up or ... no more computer for you, you sick pervert.

Sound familiar? It will to a lot of you, because the bastards who promote this crap are all over the place.
On the other hand, I have never ever seen a Winlocker on my computer in all my life.


Part 1. Prevention is the best protection.

This program is freeware, and it does not exactly take a genius to install it. Download it from its official webpage (, install it through several "Next's" - voila, you're done. Now look at your Desktop, particularly at the "Sandboxed Web Browser" shortcut. In the future, every time you'd like to visit something you are not too sure about, just double-click this icon, and notice the yellowish border surrounding your browser. Now you can download viruses, Trojans, backdoors, rootkits and whatnot - your system just won't be affected. You can also launch suspicious programs in the sandbox - without any harm to your system. Some antivirus companies, such as Kaspersky and Avast, have already started to implement sandbox functions in their products.

{Lubrican comment: I downloaded sandboxie, but because I am computer illiterate, I have yet to figure out how to get it to do what it says it will do. Every time I tell it to go to work, it brings up my html text editor and puts a lovely yellow border around it. So this may be great stuff, but I can't make it work.}

Browser protection

Gone are the good old times, when 90% of threats to your PC could be eliminated by disabling the autorun. Scripts, clickjacking, XSS, exploits, malicious iframes...the list can go on and on. Now, in order to protect yourself (and to finally see some damn porn :)), you need to make your browsing as secure as possible. Luckily, it's also rather simple and depends on what browser you use.

1. Really, REALLY try to start using Firefox or Chrome. If you use Internet Explorer, download Firefox or Chrome. If you're stuck with IE, because you're at work...then why are you reading this at all? Soon enough you'll have all the porn you want. It will mostly be BDSM, you will be a submissive one, and your boss will be a Dom...but you can't have everything! Now...where was I? Ah, right, protection for your browser.

1. First of all, get rid of those ads. For Firefox and Chrome, it's the Adblock Plus extension.

2. Next, let's get rid of the so-called "tracking cookies". Ghostery extension -again, for both browsers - to the rescue!

3. Firefox has a wonderful extension, which blocks all scripts from executing on a webpage. Noscript - the best thing since sliced bread. Chrome has something similar, but it's still in beta version.

{Lubrican comment: I use Firefox, with Adblock and Ghostery. I can see them working. But I also bought PC-Cillin from Trend Micro, back in 2002 and, while it costs me $60 bucks a year, I have never had any kind of virus on my computer. Not any.}

To conclude this section, 99% of danger to your PC can be eliminated by running a browser (Firefox or Chrome) in a sandboxed environment (Sandboxie) without ads (Adblock Plus), tracking cookies (Ghostery) and scripts (Noscript - Firefox).

{Lubrican comment: Several people have recommended Malwarebytes in responses to earlier blog entries. I checked it out and it will not only keep you from getting the virus, it will also clean it off of machines that have the virus. There's a really good You tube video about cleaning a machine with this program. It shows you where the three files are that make up one of these ransom viruses, and how to get rid of them. Just go to You tube and do a search for "winlocker removal" or something similar. The site I went to was a "buy it now" kind of place, but this link gives you a choice between a pared down free version and the deluxe version.}

Part 2 - So you didn't prevent it, and now the virus is holding you hostage. Let The Combat Begin!

Foreword. Whatever you elect to do, send no money. The whole screen is one big lie. They are not from the police, and the police aren't coming for you. Even if you pay them, they can't remove the virus from your machine. You will achieve absolutely nothing and lose money. Oh, and you will probably subscribe to something and have a certain amount of money deducted from your phone on a monthly basis. But you will get no code (99.99…9%).

The virus is located on your desktop, and in two other files on the computer. The way it works is that it autoruns the virus program upon bootup, and fills the window of the account it was acquired in. If you caught it in a guest account, it will be on the guest account desktop, and lock that window. So that means the administrator account still works fine. If you caught it on the administrator account, then your life is more difficult, but it can still be done.

Here are some methods, coming from top downward, the easiest being on top. Ready?

Method One.

Pay someone else to remove it from your machine. Most companies that do this have one specialist just for doing this, because he is kept busy all month. It will cost you about a hundred bucks. But all he's going to do is the same thing you could do.

Method Two.

Use your system restore program to go back to the last save point which (hopefully) does not have the virus on it. All you've lost is the data you saved since that last restore point was generated.

Method Three.

Even if your whole window is blocked by the winlocker, it is relatively easy to launch Notepad/Wordpad/Word. Just press Ctrl+Esc, then up > up > up >Enter. That will give you a command type prompt. Put in something like «winword» (or other word processing program) and press Enter once more.

Type any letter in the invisible new document and press the PC shutdown button. Windows starts to kill the processes. Let that happen, because you have a wordprocessing document open that hasn't been saved. What do we see? The virus process gets killed during the shutdown process (till the next reboot, that is), and the clever document asks: «What do you want to do with the new document? Save, do not save, cancel?» By pressing cancel, we stop the shutdown procedure and get a temporarily unlocked PC. And then? Clean the registry, get a LiveCD antivirus, scan the disk with Malwarebytes Anti-Malware, rescue your stuff and reinstall the system. And think about changing the antivirus - this lazy bastard has let the winlocker in, after all.

{Lubrican comment: If you get to this point, and can use the internet, it's worth buying Malwarebytes, because it will scan the machine and remove the virus right then and there. I don't know how much it costs, but it's probably no worse than what you'd have to pay that computer company to remove it.}

Method Four.

Access these two webpages:" and" (the last one is a page belonging to the Russian antivirus company Kaspersky Labs, so you might want to use Google Translate). They have information on several kinds of winlockers and what codes deactivate them.

These are only a few of the methods that can be used to get rid of a hostage taking bastard. There are others. The main thing to understand is that it doesn't take an expert in computers. You don't have to pay someone else to do this. And if you have a good virus protection program, you won't have the problem in the first place.

So if you're going to spend money, spend it on protection and prevention, instead of repairs.

You might want to print this off and have it in a safe place, should the unthinkable somehow lock your screen.

I hope it has been helpful.