Remove Trojan.Ransomlock.G (Complete Removal)



If you are seeing “The peoples republic welcomes your allegiance” message – don’t panic!

Trojan.Ransomlock.G is a severe infection that can be regarded as ransomware because it demonstrates the same behavior. Once it gets installed on your system, this infection will encrypt all the files on your PC and will deny you access to any programs or applications. A full-screen message will appear on your screen saying that you will not be able to regain access to your files unless you purchase a private key with the help of which you will decrypt the files. This private key costs 100 EUR or USD, or whatever the currency in your country is. You are also given a time limit presented by a timer to make the matter even more pressing. Although it is normal to panic in this situation, we would advise you to try to remain calm and not rush into making payments. What needs to be done is to remove Trojan.Ransomlock.G from the PC.

Ransomware infections like Trojan.Ransomlock.G are distributed the same way as potentially unwanted programs, which means that they can enter the system together with compromised downloads, fake program updates, from malicious or infected websites, and so on. However, the most common way Trojan.Ransomlock.G infiltrates a PC is as an attachment to spam emails. When you come across emails from unknown senders in your spam folder containing attachments, you should not open them, let alone download the attached files. Such email messages should be deleted immediately, as they will surely contain some infection, which might well be Trojan.Ransomlock.G. Another thing you should keep in mind is that your system needs to be properly maintained so that potential threats cannot access it.

Without doubt there are many other infections more malicious than Trojan.Ransomlock.G. Still, it can cause quite a lot of damage to your system as well. It is almost certain that you will not be able to decrypt all the files encrypted by Trojan.Ransomlock.G. That is not guaranteed even if you purchase the private key. You can only restore the files if you have backed them up beforehand. In case you have not, you should consider doing that in the future. You already know that it is useless to spend money on the private key, but you should know that it is also dangerous to do that because you will share your credit card details with cyber criminals. In order to be able to use your PC again, you should follow the instructions below this article, as they will help you get rid of Trojan.Ransomlock.G for good.

Trojan.Ransomlock.G Removal Instructions

STEP 1: Start Your Computer into Safe Mode with Networking

  • Make sure you do not have any floppy disks, CDs, and DVDs inserted in your computer
  • Restart the computer
  • When you see a table, start tapping the F8 key every second until you enter the Advanced Boot Options


  • In the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER.


  • Once the operating system loads, press the Windows Logo Button and the R key simultaneously.


  • A dialog box should open. Type iexplore


  • Internet Explorer will open and you will be prompted to download a professional scanner
  • Run the installer
  • Follow the instructions and use the professional malware removal tool to detect the files of the virus.
  • After performing a full scan you will be asked to register the software. You can do that or perform a manual removal.

Remove Trojan.Ransomlock.G Manually

You need to delete the following files and registry keys. These were in our case:

%UserProfile%\Start Menu\Programs\Startup\ctfmon.lnk
%UserProfile%\Application Data\nur-xcp-sabb.pad
%UserProfile%\Application Data\lsass.exe

The Trojan creates the following registry entries, which you need to delete:
HKCU\Software\Microsoft\Internet Explorer\Main\"NoProtectedModeBanner" = "1"

Delete the created registry entries to revert the internet protection of the compromised computer:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"2500" = "3"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" = "3"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"2500" = "3"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"2500" = "3"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"2500" = "3"

The Trojan also modifies the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1609" = "0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1609" = "0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"1609" = "0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"1609" = "0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"1609" = "0"

The Trojan locks the computer and displays a fraudulent message on the screen informing the user that they are in breach of copyright law. You need to locate the picture and delete it.

Alternatively, you can use msconfig to double-check the execution point of the virus. Please keep in mind that the names on your machine might be different, as they might be generated randomly. That is why you run the professional scanner to identify the files.
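A read-only PowerShell check for the files and registry values listed above, added here as an example and not part of the original article. The function name Get-RansomlockGArtifact and the output columns are assumptions of this example; the paths and values are the ones the article lists, which may differ on your machine.

```powershell
# Read-only audit: reports which of the article's listed artifacts are present.
# Nothing is deleted or modified. Get-RansomlockGArtifact is a hypothetical name.
function Get-RansomlockGArtifact {
    # File paths from the article, relative to %UserProfile%.
    $files = @(
        'Start Menu\Programs\Startup\ctfmon.lnk',
        'Application Data\nur-xcp-sabb.pad',
        'Application Data\lsass.exe'
    )
    foreach ($rel in $files) {
        $path = Join-Path $env:USERPROFILE $rel
        [pscustomobject]@{
            Kind     = 'File'
            Location = $path
            Current  = $null
            Matches  = Test-Path -LiteralPath $path
        }
    }

    # Registry values from the article: key, value name, data it reports.
    $zones  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $checks = @([pscustomobject]@{
        Key  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
        Name = 'NoProtectedModeBanner'
        Data = '1'
    })
    foreach ($zone in 0..4) {
        foreach ($pair in @(@('2500', '3'), @('1609', '0'))) {
            $checks += [pscustomobject]@{ Key = "$zones\$zone"; Name = $pair[0]; Data = $pair[1] }
        }
    }
    foreach ($c in $checks) {
        # A missing key or value yields $null instead of an error.
        $item = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $data = if ($item) { [string]$item.($c.Name) } else { $null }
        [pscustomobject]@{
            Kind     = 'Registry'
            Location = "$($c.Key)\$($c.Name)"
            Current  = $data
            Matches  = ($data -eq $c.Data)   # True when data equals the article's value
        }
    }
}

# List only the artifacts that match what the article describes.
Get-RansomlockGArtifact | Where-Object Matches | Format-Table -AutoSize
```

Run it as the affected user, since both %UserProfile% and HKCU are per-user locations.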

It is always a good idea to use a reputable anti-malware program after manual removal, to prevent this from happening again.
