The “You shall not pass” message is a computer virus, which will block you from visiting Facebook, Google, Youtube and other websites, and instead it will display a picture of Gandalf saying You shall not pass.
This threat is distributed through several means. Malicious websites, or legitimate websites that have been compromised, may drop this trojan onto a compromised computer. This drive-by-download often happens surreptitiously. Another method used to propagate this type of malware is spam email containing infected attachments or links to malicious websites. The threat may also be downloaded manually by tricking the user into thinking they are installing a useful piece of software.
The “You shall not pass” virus is also prevalent on peer-to-peer file sharing websites and is often packaged with pirated or illegally acquired software.
Once install on a computer, “You shall not pass” virus will drop several malicious files, and it will modify the Windwos HOSTS file to redirect your web browser to their malicious domains. The HOSTS file is like an address book, when you type an address like www.facebook.com into your browser, the Hosts file is consulted to see if you have the IP address, or “telephone number,” for that site. When infected with this trojan, the cyber criminals will add to your Hosts some new lines, which will resolve domain names to their malicious IP addresses.
After your HOSTS file is modified, whenever you’ll try to visit Amazon, Twitter, Bing and other popular websites, you’ll be redirect a to malicious domain which will display a “You shall not pass” notification.
The “You shall not pass” notification is not hard to remove, however in some cases this infection will install a piece of malware known as Backdoor:Win32/Fynloski.A
Backdoor:Win32/Fynloski.A is a trojan that allows unauthorized access and control of an affected computer. It is capable of performing the following functions:
- Capture video from the webcam
- Control the clipboard
- Control the mouse, including the clicks
- Display a message box
- Download and execute files
- Gather system information
- Hide the operating system’s default screens and windows
- Open and close the CD-ROM drive door
- Record sound produced by the computer
- Record the keystrokes
- Set a custom background
- Steal passwords from known applications
- Type text on the screen
If your computer is infected with “You shall not pass” virus, we recommend that you perform our malware removal guide, and because this trojan is installed with additional pieces of malware, we recommend that you change the passwords for your online accounts.
“You shall not pass” Redirect – VIRUS REMOVAL GUIDE
STEP 1: Reset the Windows Hosts file back to its default settings
The “You shall not pass” trojan has modified your Hosts file, so that you’ll be redirected to those survey websites. To reset the Hosts file back to its default settings, we will run Microsoft Fix it 50267. To reset the Hosts file back to its default settings, we will run Microsoft Fix it 50267, however because usually the cyber criminals have changed the permissions for the HOSTS file, we will first need to revert this modification.
- Hosts-perm.bat is a batch file that will reset the permissions for the Windows HOSTS file.
This infection will change the permissions on the HOSTS file so that you are unable to delete it or modify it. Hosts-perm.bat will reset these permissions so that you will once again have full access to it.
You can download Hosts-perm.bat from the below link:
HOSTS-PERM.BAT DOWNLOAD LINK (This link will open a new web page from where you can download Hosts-perm.bat)
Double-click the hosts-perm.bat file and when it is done you will see a message stating “The Permissions on the HOSTS file have been reset.”.Press any key on your keyboard to exit the batch file.
- Download Microsoft Fix it 50267 from the below link.
MICROSOFT FIX IT 50267 DOWNLOAD LINK (This link will automatically download Microsoft Fix it 50267 on your computer)
- Double click on MicrosoftFixit50267, then follow the prompts to reset your Windows Hosts file.
STEP 2: Remove “You shall not pass” malicious files with Malwarebytes Anti-Malware FREE
Malwarebytes Anti-Malware is a powerfull on-demand scanner which will remove “You shall not pass” malicious files from your computer.
- You can download Malwarebytes Anti-Malware Free from the below link, then double click on it to install this program.
MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a download page in a new window from where you can download Malwarebytes Anti-Malware Free)
- When the installation begins, keep following the prompts in order to continue with the setup process. DO NOT make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked,then click on the Finish button.
- On the Scanner tab,select Perform quick scan and then click on the Scan button to start scanning your computer.
- Malwarebytes’ Anti-Malware will now start scanning your computer for “You shall not pass” malicious files as shown below.
- When the Malwarebytes scan will be completed,click on Show Result.
- You will now be presented with a screen showing you the malware infections that Malwarebytes’ Anti-Malware has detected.Please note that the infections found may be different than what is shown in the image.Make sure that everything is Checked (ticked) and click on the Remove Selected button.
- After your computer restarts, open Malwarebytes Anti-Malware and perform a full system scan to verify that there are no remaining threats.
STEP 3: Remove “You shall not pass” rootkit with HitmanPro
In some cases,”You shall not pass” will also install a rootkit on victims computer.To remove this rootkit we will use HitmanPro.
- Download HitmanPro from the below link,then double click on it to start this program.
HITMANPRO DOWNLOAD LINK (This link will open a new web page from where you can download HitmanPro) IF you are experiencing problems while trying to start HitmanPro, you can use the Force Breach mode.To start HitmanPro in Force Breach mode, hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode – Video)
- HitmanPro will start and you’ll need to follow the prompts (by clicking on the Next button) to start a system scan with this program.
- HitmanPro will start scanning your computer for “You shall not pass” malicious files as seen in the image below.
- Once the scan is complete,you’ll see a screen which will display all the infected files that this utility has detected, and you’ll need to click on Next to remove this malicious files.
- Click Activate free license to start the free 30 days trial and remove all the malicious files from your computer.
STEP 4: Double check for any left over infections with Emsisoft Emergency Kit
- You can download Emsisoft Emergency Kit from the below link,then extract it to a folder in a convenient location.
EMSISOFT EMERGENCY KIT DOWNLOAD LINK (This link will open a new web page from where you can download Emsisoft Emergency Kit)
- Open the Emsisoft Emergency Kit folder and double click EmergencyKitScanner.bat, then allow this program to update itself.
- After the Emsisoft Emergency Kit has update has completed,click on the Menu tab,then select Scan PC.
- Select Quick scan and click on the SCAN button to search for “You shall not pass” malicious files.
- When the scan will be completed,you will be presented with a screen reporting which malicious files has Emsisoft detected on your computer, and you’ll need to click on Quarantine selected objects to remove them.
STEP 5: Remove “You shall not pass” from Internet Explorer, Firefox and Chrome with AdwCleaner
- You can download AdwCleaner from the below link.
ADWCLEANER DOWNLOAD LINK (This link will automatically download AdwCleaner on your computer)
- Before starting this utility, close all open programs and internet browsers.
- Double click on adwcleaner.exe to run the tool.
- Click on Delete, then confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- NEXT, double click on adwcleaner.exe to run the tool.
- Click on Uninstall, then confirm with yes to remove this utility from your computer.