
Trojan.Ransomlock - Removal

Risk Level 1: Very Low

Discovered: April 15, 2009
Updated: September 22, 2014 12:05:03 PM
Also Known As: Trojan:W32/Agent.AF [F-Secure]
Type: Trojan
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

GENERAL RANSOMLOCK REMEDIATION STEPS (ALL VARIANTS)
Before proceeding further, we advise that you run a full system scan on the compromised computer with the latest antivirus definitions (perform a LiveUpdate). If that does not resolve the problem or your computer is completely inaccessible as a result of ransomware, we suggest that you try the options available below.



FOR NORTON USERS
If you are a Norton product user, we recommend that you try the following resources to completely remove deeply embedded or difficult-to-remove ransomware.


Part 1: Create and reboot the computer using a Norton Bootable Recovery Tool (NBRT) disk
Norton Bootable Recovery Tool will allow you to boot into a completely isolated environment from your Windows operating system and carry out advanced removal scans to remediate your computer. If your computer is completely inaccessible as a result of ransomware, the first and second steps (NBRT disk creation) can be carried out from a separate computer.

Steps
  1. Download the Norton Bootable Recovery Tool installation wizard online at http://security.symantec.com/nbrt/nbrt.aspx and follow the download and installation instructions on the website.

  2. Once the tool is installed and the Norton Bootable Recovery Tool wizard starts, you will be presented with a number of options for how to create a customized NBRT tool. We recommend that you select Create on CD/DVD media and proceed with creating an NBRT bootable CD.



    Figure 1. Norton Bootable Recovery Tool installation wizard

  3. After your NBRT CD/DVD creation is complete, remove it from the computer (if a separate computer is used to create the disk) and insert it into the computer compromised by ransomware. Restart the computer and boot from the disk.
    Note: You may need to enable booting from the CD-ROM drive in your system BIOS settings.

  4. The NBRT disk will load a separate environment isolated from your compromised Windows computer. Once loading has completed, it will ask for a Norton product key. Insert the product key and select Norton Advanced Recovery Scan.


    Figure 2. Norton Bootable Recovery Tool menu


  5. Click Start Scan and an advanced recovery scan will begin.
    Note: All session scan information will be saved to your computer’s hard drive if you need to undo any scan operations.

  6. Once the scan is completed, check to see if any ransomware is detected. Click Continue to fix all security threats that are detected.

After the scan, the status of all security threats should be Resolved. If the status is Repair Failed or the scan does not detect any ransomware infections, then proceed to Part 2. If the status is Resolved, then proceed to Part 3.


Part 2: Force reboot into Norton Power Eraser using Norton Bootable Recovery Tool disk
Please ensure you have followed the preceding steps in Part 1 before proceeding.

Steps
  1. Once again, boot into Norton Bootable Recovery Tool and enter your product key.

  2. Select Norton Power Eraser Recovery Scan from the Norton Bootable Recovery Tool menu.
    Note: If Norton Power Eraser Recovery Scan is not selectable from the main menu, this may be a result of your computer’s network card driver.

  3. Once initialized, Norton Power Eraser will download the latest version of the removal tool along with the latest antivirus definitions. After Norton Power Eraser has initialized, click Scan for Risks.

  4. Choose the appropriate operating system to scan from the list and then the Norton Power Eraser scan will begin.

  5. After the scan completes, click Fix to repair all the detected issues.

  6. Exit the tool and boot into the Windows operating system.

If your system is still locked or the repair fails, please contact Norton Support for further assistance.


Part 3: Scan using installed product post remediation
At this stage, it is important to carry out a full system scan using the latest antivirus definitions to ensure that no threat artifacts remain on the computer and that the computer is fully cleaned.

Steps
  1. Start your Windows operating system as normal.

  2. Go to the Norton product installed on the computer and perform a LiveUpdate to ensure that your computer is protected against the latest variants of the ransomware.

  3. Perform a full system scan on your computer.
Writeup By: John-Paul Power
