How to Remove "Your Browser Has Been Blocked" Virus
Written by Tomas Meskauskas on
YOUR BROWSER HAS BEEN BLOCKED - how to remove this ransomware virus?
"Your browser has been blocked," "All activities on this computer have been recorded," and "All your files are encrypted" are messages that can appear while browsing the Internet. These messages are not legitimate. Browser blocking pop-ups, demanding payment of $300, 200 GBP, or 200 Euro fines (using Ukash, PaySafeCard, or GreenDot MoneyPak) to unlock computers are not associated with any legitimate authorities.
The messages are created by cybercriminals to steal money from unsuspecting Internet users. Paying fines demanded by these browser-blocking messages is equivalent to sending money directly to cybercriminals.
Internet Explorer, Google Chrome, Mozilla Firefox, and Safari blocking messages are called ransomware viruses. Cybercriminals responsible for creating these scams exploit the names of various authorities worldwide (For example, the FBI, EUROPOL, RCMP, Gendarmerie nationale, etc.) Ransomware viruses rely on fake law violation notifications (copyright and related rights laws, viewing or distributing prohibited pornographic content, neglectful use of PCs, etc.) to scare computer users into paying a bogus fine.
Cybercriminals have created several different variants of ransomware viruses, and this particular one is called "Browlock." It only affects users' Internet browsers by employing Java script, but several other ransomware families block the entire screen and encrypt files.
"Your Browser has been blocked" virus removal:
These Internet browser-blocking messages rely on JavaScript. Each time an Internet user attempts to leave such a page, a warning message appears: "YOUR BROWSER HAS BEEN BLOCKED. ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE IS NOT PAID." After clicking OK, users are presented with another message: "Are you sure you want to leave this page?", after clicking "Leave this page," the cycle of these messages continues.
If your Internet browsers are locked by one of these messages, do not pay any fines. The correct way to deal with this scam is to eliminate it.
To close the window containing the fake message, terminate your Internet browser's process:
Press ctrl+alt+del on your keyboard and select Task Manager. In the opened window, select the processes tab, and end the process associated with your Internet browser.
Internet Explorer process name - iexplore.exe, Google Chrome process name - chrome.exe, Safari process name - Safari.exe, Mozilla Firefox process name firefox.exe
After successfully closing your Internet browser, scan your computer for possible malware infections. Download recommended malware removal software.
Alternative method:
To close the browser's window, users need to temporarily disable Javascript. After successfully closing the ransomware message, do not forget to enable Javascript. Moreover, if your Internet browser has redirected you to a ransomware page, it could be an indication of a severe security infection. To maintain your computer's safety, always keep your software up-to-date and use legitimate antivirus and anti-spyware programs.
Once you have successfully closed the Internet browser's window containing the fake message, scan your computer for possible malware infections.
Scan your computer for possible malware infections
Eliminate the "Your Browser has been locked" virus from Internet Explorer (disable JavaScript in IE):
1. Click on the "gears" icon. Select "Internet Options."
2. Click the "Security" tab, click the "Internet" symbol, click the "Custom Level…" button.
3. In the Settings list, scroll down to the "Scripting" section. Under Active Scripting, click the radio button to the left of "Disable."
4. After temporarily disabling Javascript in Internet Explorer, you will be able to close the fake "Your browser has been locked" message. To ensure that your computer is not infected with malware, scan your computer for possible malware infections. Use recommended malware removal software.
Eliminate the "Your Browser has been locked" virus from Mozilla Firefox (disable JavaScript in Firefox):
1. Click on the Firefox button and select "options."
2. In the top row of icons, click "Content." Click the check box to the left of "Enable JavaScript."
3. After temporarily disabling Javascript in Mozilla Firefox, you will be able to close the fake "Your browser has been locked" message. To ensure that your computer is not infected with malware, scan your computer for possible malware infections. Use recommended malware removal software.
Eliminate the "Your Browser has been locked" virus from Safari (disable JavaScript in Safari):
1. Click on the Safari menu, click on Preferences.
2. Click the Security icon. In the "Web content" section, uncheck the tick next to "Enable JavaScript."
Eliminate the "Your Browser has been locked" virus from Google Chrome (disable JavaScript in Chrome):
1. Click on the "bars" icon. Select "Settings"
2. Scroll down and click on "Show advanced settings…"
3. In the "Privacy" section, click on the "Content settings…" button.
4. In the JavaScript section, select "Do not allow any site to run JavaScript" and click the "Done" button.
5. After temporarily disabling Javascript in Google Chrome, you will be able to close the fake "Your browser has been locked" message. To ensure that your computer is not infected with malware, scan your computer for possible malware infections. Use recommended malware removal software.
Presently, cybercriminals target 27 countries, and computer users are presented with localized variants of browser-blocking messages.
Update 2013.12.31 - Cyber criminals responsible for creating this scam started using CloudFlare services and are masking the real source of their ransomware with these URLs:
- hxxp://alert.police-agent-secure.com
- hxxp://Block.highqualitypolice.net
- hxxp://Block.policeprotector.biz
- hxxp://Cops-help.com
- hxxp://Police-help.com
- hxxp://Error.servepolice.biz
- hxxp://Error.safestep-police.net
- hxxp://Alert.policeprotector.biz
- hxxp://Police-service.net
- hxxp://Error.expresspolicelocation.com
- hxxp://AlmostPolice.co
- hxxp://FormalPolice.org
- hxxp://Nominalpolice.com
- hxxp://PoliceGuardState.org
- hxxp://Police-save.second-shine.com
- hxxp://Police-save.empirehydrogen.org
- hxxp://TrustPolice.biz
Update 2014.09.29 - Cybercriminals have created a new browser locking ransomware called "INTERPOL ASSOCIATION NATIONAL SECURITY AGENCY." It uses Java to block user's Internet browsers (the same as previously discovered browser blocking ransomware).
INTERPOL ASSOCIATION NATIONAL SECURITY AGENCY - Attention! Your browser has been blocked up for safety reasons listed below. All the actions performed on this PC are fixed. All your files are encrypted. Audio and video recording in progress. You are accused of viewing/storage and/or dissemination of banned pornography (child pornography/zoophilia/rape etc). You have violated World Declaration on non-proliferation of child pornography. You are accused of committing the crime envisaged by Article 161 of United States of America criminal law.
New Zealand: hxxp://police.govt.nz.id[random numbers].com
New Zealand Police - All activities of this computer have been recorded. All your files are encrypted.
Poland: hxxp://policja.pl.id[random numbers].com
Polska Policja - Alle Aktivitäten des Computers wurden aufgenommen. Alle Ihre Dateien werden verschlüsselt.
Spain: hxxp://policia.es.id[random numbers].com
Cuerpo Nacional de Policía - "Se han grabado todas las actividades de este ordenador. Todos sus ficheros están cifrados" or "Atención! Su navegador ha sido bloqueado".
Sweden: hxxp://polisen.se.id[random numbers].com
Polisen - "Alla dina filer är krypterade. Försök inte att låsa upp din dator!" or "Viktigt! Din webbläsaren blev blockerad".
Turkey: hxxp://egm.gov.tr.id[random numbers].com
TURKISH NATIONAL POLICE - Alle Aktivitäten des Computers wurden aufgenommen. Alle Ihre Dateien werden verschlüsselt.
Switzerland: hxxp://polizei.id[random numbers].com
Schweizerische Eidgenossenschaft - Alle Aktivitäten des Computers wurden aufgenommen. Alle Ihre Dateien werden verschlüsselt.
Slovakia: hxxp://minv.sk.id[random numbers].com
International Police Association Slovenská sekcia - Alle Aktivitäten des Computers wurden aufgenommen. Alle Ihre Dateien werden verschlüsselt.
Norway: hxxp://politi.no.id[random numbers].com
POLITIET - Alle dine filer er kryptert. Ikke prov a lase opp maskinen!
Luxembourg: hxxp://police.public.lu.id[random numbers].com
POLICE - Achtung!
Latvia: hxxp://vp.gov.lv.id[random numbers].com
Valsts Policija - Alle Aktivitäten des Computers wurden aufgenommen. All Ihre Daten werden verschusselt.
Hungary: hxxp://police.hu.id[random numbers].com
Szolgálunk és Védünk - Minden fájl titkosított. Ne próbálja meg kinyitni a számítógépet!
Estonia: hxxp://politsei.ee.id[random numbers].com
Politsei- ja Piirivalveamet - Alle Aktivitäten des Computers wurden aufgenommen. All Ihre Daten werden verschusselt.
Portugal: hxxp://psp.pt.id[random numbers].com
POLICIA PORTUGAL - Todos os arquivos são encriptados. Não tente desbloquear o seu computador!
Finland: hxxp://poliisi.fi.id[random numbers].com
POLIISI - "Alle Aktivitäten des Computers wurden aufgenommen. All Ihre Daten werden verschusselt" or "Huomio! Selaimesi on lukittu".
Australia: hxxp://afp.gov.au.id[random numbers].com
AFP - All activities of this computer have been recorded. All your files are encrypted.
United Kingdom: hxxp://europol.europe.eu.id[random numbers].com
Europol - All activities of this computer have been recorded. All your files are encrypted.
Czech Republic: hxxp://policie.cz.id[random numbers].com
Policie České republiky - Alle Aktivitäten des Computers wurden aufgenommen. All Ihre Daten werden verschusselt.
Canada: hxxp://rcmp.gc.ca.id[random numbers].com
Royal Canadian Mounted Police - All activities of this computer have been recorded. All your files are encrypted.
United States: hxxp://fbi.gov.id[random numbers].com
FBI - All activities of this computer have been recorded. All your files are encrypted. Do not try to unlock your computer! Your browser has been blocked due to at least one of the reasons specified below.
Germany: hxxp://polizei.de.id[random numbers].com
BundesPolizei - "Alle Aktivitäten des Computers wurden aufgenommen. Alle Ihre Dateien werden verschlüsselt" or "Warnung! Zugang von Ihrem Browser wurde vorlaufig".
Italy: hxxp://polizia-penitenziaria.it.id[random numbers].com
Polizia Penitenziaria - "Tutte le attività di questo computer sono state registrate. Tutti i suoi file sono crittografati" or "Attenzione! Il Suo computer personale è stato bloccato".
Netherlands: hxxp://politie.nl.id[random numbers].com
Politie Nederland - "Alle activiteiten van de computer zijn geregistreerd. Al uw bestanden worden versleuteld" or "Attentie! Uw Webbrowser wordt geblokkeerd".
Austria: hxxp://polizei.gv.at.id[random numbers].com
POLIZEI - Alle Aktivitäten des Computers wurde aufgenommen. Alle Ihre Dateien werden verschlüsselt.
Denmark: hxxp://politi.dk.id[random numbers].com
POLITI - Alle dine filer er krypterede. Forsøg ikke at låse op din computer!
France: hxxp://europol.europe.eu.france.id[random numbers].com
Gendarmerie Nationale - "Toutes les activités de cet ordinateur ont été enregistrées. Tous votre fichiers sont cryptés" or "Attention! Votre browser est bloqué".
Mexico: hxxp://sep.gob.mx.id[random numbers].com
SEGOB - Se han grabado todas las actividades de este ordenador.
Ireland: hxxp://garda.ie.id[random numbers].com
An Garda Síochána - All activities of this computer have been recorded. All your files are encrypted.
Fine has been paid. Your case has been closed. You can pay $450 processing fee to delete all criminal records.
Cybercriminals responsible for creating this scam have added one additional payment that supposedly clears all users' criminal records. This fake message is displayed to users who have already paid the fine to unblock their Internet browsers.
FINE HAS BEEN PAID. YOUR CASE HAS BEEN CLOSED.
YOU CAN PAY $450 PROCESSING FEE TO DELETE ALL CRIMINAL RECORDS.To Delete this case from all criminal records and avoid any problems at work and other places where criminal records can be checked, you are obliged to pay a release fee of $450, payable through GreenDot MoneyPak (you have to purchase MoneyPak card, load it with $450 and enter the code). You can buy the code at any shop or gas station. MoneyPak is available at the stores nationwide.
This message is merely an additional scam. It is a fake message, and there are no actual criminal cases opened.
▼ Show Discussion