Remove Cuzimvirus Lockscreen from Your Computer

“Computer Blocked!!” is what users who have opened the malicious “procleaner.exe” file see after infection with the latest screen locker virus, which many refer to as Cuzimvirus. The malware aims to lock the screen of infected computers, cause panic in users and get them to pay a hefty ransom fee to unlock their blocked computers. In addition to the lockscreen, the virus may also cause other damage to the infected computer, such as stealing files, blocking the user from logging in with administrative privileges and other effects. Anyone whose screen has been locked by Cuzimvirus should know that this virus is removable and should not pay any form of ransom to the cyber-criminals behind this malware. We advise reading this article if you are interested in removing Cuzimvirus completely and unlocking your computer.

The SensorsTechForum team is currently investigating this cyber-threat. We will update this article with more details about Cuzimvirus shortly.

Threat Summary



Type: Lockscreen Ransomware
Short Description: The malware locks the screen of its victims until a ransom is paid.
Symptoms: The user may witness a red lockscreen with a message saying the computer is blocked.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does Cuzimvirus Cause an Infection

Cuzimvirus’s files may be distributed via several different methods. Its payload is believed to be downloaded by third-party malware that causes the infection while remaining undetected. This third-party malware may be malicious JavaScript, an exploit kit, or a Trojan dropper or downloader. Either way, it may arrive in an archive as an e-mail attachment or via malicious web links disguised as fake buttons or similar, like the phishing PayPal web page detected by STF researchers earlier this week.


Cuzimvirus Ransomware – Infection Process

When the user clicks on such a fake URL or opens the malicious file, the possible infection scenarios on his/her computer are the following:

  • A malicious web link may cause a redirect and a drive-by download of malicious files.
  • A file may remotely connect to a shady host and download the payload of Cuzimvirus.
  • The virus may directly begin to modify the Windows Registry entries and lock the screen.

After the infection is complete, Cuzimvirus gets right down to business. The virus immediately locks the screen of the user's PC, denying all access to its functions and the data on it. After this has completed, Cuzimvirus changes the lock screen to a red and black screensaver-like image which says the following:

“Computer Blocked!!
To unlock the Computer follow the 3 easy steps:
Send me a message to this email: and i send you the code
when you written me i send you the code. then paste the code in the textbox and press “unlock”
then press okay and your computer is unlocked”

At the moment it is not entirely clear what type of modifications Cuzimvirus may have performed, but researchers like Karsten Hahn (@struppigel) report that it drops a “procleaner.exe” file in one of the key folders on Windows:

  • %SystemDrive%
  • %AppData%
  • %ProgramFiles%
  • %UserProfile%

After this, the following registry keys are believed to be affected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SD" = "%SystemDrive%\[file with random characters]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"SD" = "%SystemDrive%\[file with random characters]"
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\AuthRoot\Certificates = [file with random characters]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr"
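The indicators above can be checked without changing anything on the system. The following PowerShell sketch is an added example, not part of the original article or any vendor tool; the function name and output layout are hypothetical, and only the "SD" autorun value, the DisableTaskMgr policy and the procleaner.exe file name are taken from the article.

```powershell
# Added example: read-only check for the indicators listed in this article.
# Requires Windows PowerShell 5.0 or later (Get-ChildItem -Depth).
function Get-CuzimvirusIndicators {
    # 1. Autorun values named "SD" under the Run / RunOnce keys from the article.
    $autoruns = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $autoruns) {
        $item = Get-ItemProperty -Path $key -Name 'SD' -ErrorAction SilentlyContinue
        if ($item) {
            # Detail is the command line the value would launch at logon.
            [pscustomobject]@{ Kind = 'Autorun'; Location = $key; Detail = $item.SD }
        }
    }

    # 2. DisableTaskMgr policy value (a value of 1 turns Task Manager off).
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $tm = Get-ItemProperty -Path $policy -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    if ($tm) {
        [pscustomobject]@{ Kind = 'Policy'; Location = $policy
                           Detail = "DisableTaskMgr=$($tm.DisableTaskMgr)" }
    }

    # 3. procleaner.exe in the folders named in the article. Only the top
    #    level and one level below are searched to keep the scan quick.
    $roots = @("$env:SystemDrive\", $env:APPDATA, $env:ProgramFiles, $env:USERPROFILE) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Filter 'procleaner.exe' -File -Force `
                      -Depth 1 -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Hash the file so it can be compared or submitted for analysis.
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                                      -ErrorAction SilentlyContinue).Hash
                [pscustomobject]@{ Kind = 'File'; Location = $_.FullName
                                   Detail = "SHA256=$hash" }
            }
    }
}

# Print one row per finding; no output means none of the indicators were found.
Get-CuzimvirusIndicators | Format-Table -AutoSize -Wrap
```

The AuthRoot\Certificates entry is left out because the article gives no specific value to match against. An empty result does not prove the system is clean, since the article describes the autorun file name as random.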

Remove Cuzimvirus and Unlock Your Computer

In order to get rid of Cuzimvirus, it is strongly recommended to follow our removal instructions below. They will make sure you get past the lockscreen so that you can hunt for the malicious encrypted files either manually or automatically. In case you lack professional experience in removing malware by hand, we advise you to turn to advanced anti-malware software, which according to researchers will perform a heuristic scan and should be able to remove all of the files related to Cuzimvirus, unlock your computer automatically and protect your computer from other threats.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
