Follow:

You have been re-routed to the Ransom:Win32/LockScreen write up because Trojan%3aWin32%2fLockScreen has been renamed to Ransom:Win32/LockScreen
 

Ransom:Win32/LockScreen


Microsoft security software detects and removes this threat.

The threat locks your screen and prevents you from using your desktop. It shows you a message saying that if you want to regain access to your desktop, you have to pay a fine in the form of an SMS sent to a premium number.

This type of threat is known as ransomware.

Find out ways that malware can get on your PC.



What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Ransom:Win32/LockScreen usually drops a copy of itself in various locations using variable file names, like in the following examples:

It makes a few changes to your registry so that its copy automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "<malware file name>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "install"
With data: "<malware file name>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\usrinit.exe"

Payload

Prevents you from accessing your PC

Ransom:Win32/LockScreen shows a full-screen message preventing you from accessing your desktop. The message tells you to send an SMS to a premium number at a higher cost if you want to regain access to your PC. This type of threat is called ransomware.

Some variants might also show adult content and open websites containing adult content before showing you the ransom message.

Some variants also hide the taskbar window and disable Task Manager.

Analysis by Elda Dimakiling


Symptoms

The following could indicate that you have this threat on your PC:

  • You might be unable to access your desktop, and you see an image on your screen that tells you to send an SMS to a premium number to regain acess

Prevention


Alert level: Severe
First detected by definition: 1.71.2310.0
Latest detected by definition: 1.177.2434.0 and higher
First detected on: Jan 16, 2010
This entry was first published on: Jan 27, 2011
This entry was updated on: Jun 18, 2014

This threat is also detected as:
  • Trojan-Ransom.Win32.PornoBlocker.bho (Kaspersky)
  • W32/Ransom.KB (Norman)
  • Trojan.PornoBlocker!CvjyYihPT7M (VirusBuster)
  • TR/Ransom.PornoBlocker.bho (Avira)
  • Win32/LockScreen.XU (ESET)
  • Trojan-Ransom.Win32.PornoBlocker (Ikarus)
  • TROJ_RANSOM.FP (Trend Micro)