"CRITICAL WARNING!" virus removal guide
What is "CRITICAL WARNING!"?
Discovered by Michael Gillespie, "CRITICAL WARNING!" is a fake security warning categorized as a tech-support scam. Its main purpose is to trick people into contacting scammers via the telephone number provided. This scam is displayed in full-screen mode, and thus cannot be closed in the normal way. It can, however, be closed by entering a product key within a text (see below). We strongly recommend that you do not trust this scam or contact the scammers who designed it.
This critical warning purports to be from Windows, however, the operating system has nothing to do with this scam. This is not a legitimate Windows system warning. It states that the operating system license key is revoked and the operating system is blocked. According to this scam, the situation occurred due to suspicious activity with the user's IP address (Windows has detected multiple illegal IPs) and the anti-virus software is no longer responding. To solve this problem, it states that it is necessary to launch a critical update. It also states that it has detected two errors: 0x0803f7001 and 0xc004f074. To close this scam window, users are encouraged to enter a product key and/or to contact scammers via the "888-412-7389" telephone number. In fact, the "CRITICAL WARNING!" window can be closed by entering the "00000-Z0006-000B1-00000-000N0" "key" (unlock code), which has been provided by Michael Gillespie (the person who discovered this scam).
|Name||"CRITICAL WARNING!" scam|
|Threat Type||Screenlocker, tech scam.|
|Scam Message||Full screen window.|
|Scammers Contact||888-412-7389 telephone number|
|Detection Names (CodeBlock Demo - Consumer Application.exe)||CrowdStrike Falcon (win/malicious_confidence_60% (W)), FireEye (Generic.mg.40c0f73c336771da), Qihoo-360 (Trojan.Generic), Rising (Malware.Undefined!8.C (CLOUD)), Full List Of Detections (VirusTotal)|
|Symptoms||Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in Bitcoins) to unlock your files.|
|Distribution methods||Infected email attachments (macros), torrent websites, malicious ads.|
|Damage||All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.|
|Malware Removal (Windows)||
To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Malwarebytes.
This scam is similar to "McAfee Has Blocked Your Windows", "Your Windows Has Been Banned", "ERROR_LOCAL_USER" and other similar scams that should not be trusted. Typically, scammers use these bogus errors to extort money from people. Once contacted, scammers urge users to purchase software, pay for technical services, keys, and other features. These scams are often displayed/opened by potentially unwanted applications (PUAs) installed on the system.
How did ransomware install on my computer?
People generally download and install PUAs unintentionally through clicked intrusive (deceptive) ads or when software developers use the "bundling" method. Bundling allows developers to trick users into downloading/installing PUAs with regular software. Typically, developers do not disclose information about the bundling of PUAs into software set-ups and hide them in "Custom", "Advanced" and other similar settings. Clicked intrusive ads and skipped software download/installation steps generally lead to inadvertent downloads and installations.
How to avoid installation of potentially unwanted applications?
Download/install software and browse the web with care. Download applications from official and trustworthy sources (websites) using direct links. Avoid third party software downloaders, Peer-to-Peer networks (eMule, torrents) or other similar sources. Do not rush software download/installation setups. Check "Custom", "Advanced" and other similar settings or options, and dismiss offers to install/download bundled apps. Only then complete the process. If a browser causes random redirects to untrustworthy websites or ads appear on any visited website, it is likely that they are caused by PUAs on the system. Check the list of installed add-ons, plug-ins, and extensions on your browser and remove any unknown, unwanted entries. Also check unwanted programs installed on your operating system. If your computer is already infected with PUAs, we recommend running a scan with Malwarebytes for Windows to automatically eliminate them.
Text in the "CRITICAL WARNING!" message:
License Key Revoked
Your Windows is Blocked
Due to Suspicious activity on your IP Address, Multiple Illegal IP Traced
Critical Update Required, Antivirus Not responding
Error Code 1. 0x0803f7001
Error Code 2. 0xc004f074
CLICK HERE to Check Your IP Address
Enter your 25 Digits products key below
Connect To Support
Screenshot of the "CRITICAL WARNING!" scam after the correct key/code is entered:
Appearance of "CRITICAL WARNING!" scam (GIF):
Another variant of "CRITICAL WARNING!" screen locker. Although cyber criminals use a different telephone number ("1-844-313-6006"), the unlock key (code) remains the same ("00000-Z0006-000B1-00000-000N0"):
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
- What is "CRITICAL WARNING!"?
- STEP 1. "CRITICAL WARNING!" virus removal using safe mode with networking.
- STEP 2. "CRITICAL WARNING!" virus removal using System Restore.
"CRITICAL WARNING!" virus removal:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer starting process press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced Startup options, in the opened "General PC Settings" window select Advanced Startup. Click on the "Restart now" button. Your computer will now restart into "Advanced Startup options menu". Click on the "Troubleshoot" button, then click on "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into the Startup Settings screen. Press "5" to boot in Safe Mode with Networking Prompt.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Log in to the account infected with the "CRITICAL WARNING!" virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove viruses using "Safe Mode with Command Prompt" and "System Restore":
1. During your computer starting process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt Mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window, click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the "CRITICAL WARNING!" virus infiltrating your PC).
6. In the opened window, click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remnants of the "CRITICAL WARNING!" virus.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some viruses disable Safe Mode making its removal complicated. For this step, you require access to another computer. After removing "CRITICAL WARNING!" virus from your PC, restart your computer and scan it with legitimate anti-spyware software to remove any possible remnants of this security infection.
Other tools known to remove this scam:
Commonly, adware or potentially unwanted applications infiltrate Internet browsers through free software downloads. Note that the safest source for downloading free software is via developers' websites only. To avoid installation of adware, be very attentive when downloading and installing free software. When installing previously-downloaded free programs, choose the custom or advanced installation options – this step will reveal any potentially unwanted applications listed for installation together with your chosen free program.
If you are experiencing problems while trying to remove "critical warning!" scam from your computer, please ask for assistance in our malware support forum.
Post a comment:
If you have additional information on "critical warning!" scam or it's removal please share your knowledge in the comments section below.