Trojan.Ransomlock.P Description

Trojan.Ransomlock.P is a ransom Trojan that locks the desktop of the affected computer, making the PC unusable. Trojan.Ransomlock.P then asks the PC user to pay a ransom of 100 Euro to unlock the computer. Once executed, Trojan.Ransomlock.P creates several malicious files. Next, it modifies the registry by creating a registry entry so that it runs automatically whenever Windows starts. It also creates and modifies several registry entries in order to disable Registry Editor, Windows Task Manager, and System Configuration.


Then, Trojan.Ransomlock.P contacts a domain, [http://][REMOVED], and downloads an HTML page that includes ransom information. The page gives details about the ransom and offers a way for the PC user to enter an unlock code that can be received after paying the ransom by making an online transaction via Paysafecard or Ukash.


Aliases:
  • Trj/Dtcontx.D [Panda]
  • W32/Injector.ZVR!tr [Fortinet]
  • Win32/LockScreen.AKU [ESET-NOD32]
  • Trojan.Ransomlock.F!rem [PCTools]
  • Artemis!AAC73468E7E5 [McAfee-GW-Edition]
  • Heur.Suspicious [Comodo]
  • Mal/EncPk-AGD [Sophos]
  • UDS:DangerousObject.Multi.Generic [Kaspersky]
  • TROJ_GEN.R47H1DM [TrendMicro-HouseCall]
  • Suspicious_Gen4.DQHSR [Norman]



Technical Details

File System Modifications

Always be sure to back up your PC before making any changes.
  • The following files were created in the system:

    #  Detection Count  File Name
    1  7                %USERPROFILE%\ rundll32.exe
    2  197              decrypted_file.exe
    3  31               file.exe
    4  N/A              %System%\[20 HEXADECIMAL NUMBERS].exe
    5  N/A              %Temp%\[10 RANDOM CHARACTERS].pre
    6  N/A              %Temp%\[10 RANDOM CHARACTERS].pre
    7  N/A              %UserProfile%\Application Data\[10 RANDOM CHARACTERS]\[20 HEXADECIMAL NUMBERS].exe

Registry Modifications

Tip & Warning: Editing and removing the wrong registry keys can severely damage your PC, so remember to back up your Windows Registry!
  • The following registry values are newly created:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegedit" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\[10 RANDOM CHARACTERS]\[20 HEXADECIMAL NUMBERS].exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\"Debugger" = "P9KDMF.EXE"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\"Debugger" = "P9KDMF.EXE"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\"Debugger" = "P9KDMF.EXE"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableRegedit" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "1"
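
A triage sketch for the registry changes listed above, added here as an example and not taken from the original write-up or from any vendor tool: it parses a `.reg` export and flags the policy values, the Image File Execution Options `Debugger` entries and the Run-key path shape that the page lists. The rule names, the sample export and the user, value and folder names in it are constructed assumptions.

```python
import re

# Value names, IFEO targets and Run-path shape are taken from the list above.
POLICY_VALUES = {"disableregedit", "disableregistrytools", "disabletaskmgr"}
IFEO_TARGETS = {"msconfig.exe", "regedit.exe", "taskmgr.exe"}
RUN_PATH = re.compile(r"\\application data\\[^\\]{10}\\[0-9a-f]{20}\.exe$", re.I)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# Constructed .reg export for illustration; not captured from an infected host.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="P9KDMF.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"kqzvtm"="C:\\Documents and Settings\\u\\Application Data\\abcdefghij\\0123456789abcdef0123.exe"
'''

def decode(data):
    """Turn .reg value data (REG_SZ or REG_DWORD) into a plain string."""
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    return data.strip('"').replace("\\\\", "\\")

def scan_reg_export(text):
    """Return (rule, key, value name, data) for entries matching the page's list."""
    findings, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: remember the current key
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data, low = m["name"].lower(), decode(m["data"]), key.lower()
        parent, _, leaf = low.rpartition("\\")
        if low.endswith(r"\policies\system") and name in POLICY_VALUES and data not in ("", "0"):
            findings.append(("tool-disabled", key, m["name"], data))
        elif (parent.endswith(r"\image file execution options")
                and leaf in IFEO_TARGETS and name == "debugger"):
            findings.append(("ifeo-debugger", key, m["name"], data))
        elif low.endswith(r"\currentversion\run") and RUN_PATH.search(data):
            findings.append(("run-persistence", key, m["name"], data))
    return findings
```

Calling `scan_reg_export(SAMPLE)` reports three findings; the zeroed `DisableRegistryTools` value and the ordinary `ctfmon` Run entry are not flagged.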

Additional Information

  • The following messages were detected:
    # Message
    1 'Welcome to Windows Update You have been infected with a Windows Verschlusselungs Trojans. For security reasons your Windows system was blocked. Your visit to pages with pornographic content has led to the ransom Trojan infection. This virus encrypts your hard drive with a 256 bit AES Key and a standardized self-ended decryption is not feasible.'
    2 'Willkommen bei Windows Update Sie haben sich mit einem Windows-Verschlusselungs Trojaner infiziert. Aus Sicherheitsgrunden wurde lhr Windows system blockiert. Das Besuchen von Seiten mit pornografischen und infizierten Inhalten hat dazu gefuhrt, das lhr System von einem Computerverschlusselungstrojaner befallen wurde. Dieses Virus verschlusselt Ihre Festplatte mit einem 256 Bit AES Shlussel und eine selbststandige Entschlusselung ist nicht mehr machbar.'
Posted: May 23, 2012
Threat Metric
Threat Level: 9/10
Detection Count: 7