StalinLocker Screenlocker

Also Known As: StalinLocker virus
Distribution: Low
Damage level: Severe

"StalinLocker" virus removal guide

What is "StalinLocker"?

Discovered by MalwareHunterTeam, StalinLocker is newly-discovered malware that stealthily infiltrates the system and locks the computer screen. StalinLocker then displays a full-screen window whilst simultaneously playing the USSR national anthem. In addition, this malware terminates most processes (including "Explorer.exe" and "taskmgr.exe").

StalinLocker scam

The lock-screen window contains Joseph Stalin's portrait and a short message in Russian stating that users must enter an 'unlock code' within 10 minutes (there is a countdown timer) to restore the system. If the code is not entered, the malware will delete all files stored on the computer. Note that this malware provides no information regarding the code - it is unclear as to the format of the code and how to retrieve it. Fortunately, MalwareHunterTeam analyzed StalinLocker's source code and determined the code's formula: subtract the StalinLocker execution (infection) date by 12/30/1922 (the date when the USSR was founded). Once the code is entered, the malware will immediately terminate and remove itself. Fortunately, most reputable anti-virus suites are capable of detecting StalinLocker and preventing infiltration. Therefore, you are advised to have antivirus software installed and running.

StalinLocker has very similar characteristics to Product Key Has Expired, Your Computer is locked !, and many others. All are designed by different cyber criminals, but have identical behavior - they lock the computer screen and demand a code. Unlike StalinLocker, however, these viruses attempt to trick users into paying for the keys or for help in resolving the issue. In case of such infections, never attempt to contact "tech support" (or other people) via email addresses or telephone numbers provided, and certainly do not pay for anything. This is a scam.

How did potentially unwanted programs install on my computer?

Developers proliferate these viruses in various ways, including spam emails, "bundling" method, third party software download sources, fake software update tools, and trojans. "Bundling" is stealth installation of third party apps with regular software. Developers hide "bundled" programs within "Custom/Advanced" settings (or other sections) of the download/installation processes. Therefore, rushing these processes often leads to inadvertent installation of rogue apps. Spam emails are delivered with malicious attachments (e.g., MS Office documents, JavaScript files, etc.) Once opened, these files execute scripts designed to stealthily download and install malware. Unofficial download sources (P2P networks, freeware download websites, free file hosting websites, and similar) present viruses as legitimate software, thereby tricking users into downloading and installing malware. Fake updaters infect the system by exploiting outdated software bugs/flaws or simply downloading and installing viruses rather than updates. Trojans open "backdoors" for other viruses to infiltrate the system.

How to avoid installation of potentially unwanted applications?

The main reasons for computer infections are poor knowledge and careless behavior. Therefore, pay attention when browsing the Internet and downloading/installing software. Think twice before opening email attachments. If the file(s) seems irrelevant or has been received from a suspicious/unrecognizable email address, delete the email immediately and certainly do not open any attachment. We also strongly recommend that you carefully analyze each step of the download/installation processes and opt-out of all additionally-included programs. Software should be downloaded from official sources only, using direct download links. Third party downloaders/installers are monetized by promoting PUPs, and thus, these tools should not be used. The same applies to updating software. Apps should be kept up-to-date using implemented functions or tools provided by the official developer only. Having a legitimate anti-virus/anti-spyware suite installed and running is also paramount. The key to computer safety is caution.

Quick menu:

"StalinLocker" virus removal:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer starting process press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced Startup options, in the opened "General PC Settings" window select Advanced Startup. Click on the "Restart now" button. Your computer will now restart into "Advanced Startup options menu". Click on the "Troubleshoot" button, then click on "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into the Startup Settings screen. Press "5" to boot in Safe Mode with Networking Prompt.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

windows 10 safe mode with networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the "StalinLocker" virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.


Download remover for StalinLocker virus
1) Download and install   2) Run system scan   3) Enjoy your clean computer!

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Reimage.


If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove viruses using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer starting process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt Mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the "StalinLocker" virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remnants of the "StalinLocker" virus.

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some viruses disable Safe Mode making it's removal complicated. For this step, you require access to another computer. After removing "StalinLocker" virus from your PC, restart your computer and scan it with legitimate anti-spyware software to remove any possible remnants of this security infection.

Other tools known to remove this scam: