You have been re-routed to the Ransom:Win32/LockScreen.AO write up because Trojan%3aWin32%2fLockScreen.AO has been renamed to Ransom:Win32/LockScreen.AO


Microsoft security software detects and removes this threat.

Ransom:Win32/LockScreen.AO is a ransomware that locks you out of your desktop. It asks you to pay a ransom fee so that you can regain use of your desktop.

Find out ways that malware can get on your PC.  

What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


Ransom:Win32/LockScreen.AO changes the registry so that it always runs when Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "<malware file name>"


Locks you out of your PC

Ransom:Win32/LockScreen.AO locks your PC and prevents you from using it until you enter a code. You can get a code by sending an SMS to a premium number, which woud cost more than the standard SMS rate.

When installed, Ransom:Win32/LockScreen.AO displays the following message:

Analysis by Jireh Sanico


The following could indicate that you have this threat on your PC:

  • When you start your PC up, you see this instead of your usual start screen:


Alert level: Severe
First detected by definition: 1.95.3606.0
Latest detected by definition: 1.209.1114.0 and higher
First detected on: Jan 10, 2011
This entry was first published on: Mar 15, 2011
This entry was updated on: Jun 11, 2014

This threat is also detected as:
  • Trojan.Winlock.2741 (Dr.Web)
  • PWS-Spyeye.e (McAfee)
  • Mal/Zbot-AV (Sophos)
  • Cryp_Zbot-17 (Trend Micro)