Remove Trojan.Ransomlock

Posted on: April 23rd, 2009


Discovered: April 15, 2009
Updated:

April 15, 2009 4:22:57 PM
Type:

Trojan
Systems Affected:

Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Recommended Action:
In order to remove Remove Trojan.Ransomlock you need to Download
the ‘No Adware’ remover software. Based on our testing this was the best peforming remover of Trojan.Ransomlock..


No Adware Review

Technical Details:

When the Trojan executes, it creates the following file:
%Temp%\don[RANDOM CHARACTERS].tmp

The Trojan modifies the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %Temp%\don[RANDOM CHARACTERS].tmp"

The Trojan then displays a message in Russian, which has been translated into English below:
To unlock you need to send an SMS with the text
[RANDOM NUMBERS]
To the number
3649
Enter the resulting code:
[TEXT BOX]

Any attempt to reinstall the system may lead to loss of important information and computer damage

The Trojan attempts to lock the desktop making the computer unusable.

The threat executes every time the computer is started, even in safe mode
Action Steps:
FREE SCAN: NoAdware can remove Trojan.Ransomlock. Click the link below for your free download & scan your PC now.

MANUAL REMOVAL: Please click here for manual removal instructions.

Posted on Thursday, April 23rd, 2009 at 7:23 am - filed under Blog, Trojan.