There Are No Hopeless Situations: Defeating a Windows Blocker Virus Through Accessibility Features
A creative story of defeating a Windows-blocking SMS ransomware virus using nothing but the Sticky Keys accessibility dialog, printer settings, and the built-in help system to reach Windows Explorer.
Not long ago, user ilzarka wrote on his blog about an interesting virus that blocks Windows.
Let me remind you: the virus displays a window on screen offering to send an SMS to a certain number to unlock Windows. Ctrl + Alt + Del, Alt + Tab, and all other key combinations that should minimize/close/switch to another program are naturally blocked. Rebooting — even in Safe Mode — ends with the same window appearing.
I encountered this virus myself (I admit, I was running without antivirus). My first thought was to boot from a Live CD. But I didn't have one (I admit again — you should always have a Live CD handy). After meditating for five minutes in front of my computer, I was starting to think the situation was hopeless. But...
What to Do?
I tried every key combination I knew to get rid of this window sitting on top of everything — everything was blocked. I had almost given up completely, but then I remembered that annoying Windows feature that used to drive me crazy when I played Counter-Strike. If you hold Shift for 8 seconds, this window appears:

I tried it — it works! At least some variety. I didn't have much hope it would be useful, but I clicked the "Settings" button and started examining all the tabs:

I didn't find anything that could help, and I fell into despair again. I was already reaching for the red X to close the window, but then I noticed a button with a question mark next to it. I clicked it and hovered over one of the buttons in the settings window — a help tooltip popped up:

Right-clicking on that yellow square unexpectedly showed a context menu. I didn't even know that existed:

I didn't need to copy anything, but I clicked "Print Topic." Bingo! A new window:

Print settings! I wonder how many people have ever used this Windows feature? At that moment, I was incredibly grateful to Microsoft for stuffing their operating system with so much questionable functionality. I wasn't going to print the help file, of course, but I began thoroughly examining the new window. I felt like Sherlock Holmes. After a brief investigation, I clicked the "Settings" button and saw the familiar printer settings dialog with a bunch of tabs:

Sherlock carefully examined every item and again started falling into despair. What saved me this time? Help again! Clicking the Help button, I moved one step closer to victory over the virus:

I didn't bother reading the fascinating texts — what immediately caught my eye was the standard Windows menu bar: File, Edit, etc.
Holding my breath, I clicked File → Open, and there it was — a basic, but still functional, file browser:

I wanted to find my beloved firefox.exe to read about this virus on the internet, but another setback: this browser only showed help files, and the "File type" dropdown didn't offer any other alternatives. Windows came to the rescue once again. In the right-click context menu for any folder, there was an "Explorer" option that opened the standard Windows Explorer. Bingo!

Using the standard Explorer, I easily found a browser and googled information about the virus: it turns out you just need to delete the files blocker.exe and blocker.bin. After deleting them with the same Explorer, I rebooted and logged into Windows normally.
The Moral of This Story
- Don't neglect antivirus software — splurge on a license, it's not that expensive for home computers.
- Keep a Live CD handy, and don't wait until thunder strikes (like I did).
- Obviously, never send any SMS messages to those numbers.
- Never give up — there's always a way out. :-)