The Trojan.Ransom.Gen Trojan is the malware infection responsible for many ransomware variants, including the infamous Ukash Virus family and North American ransomware infections such as the FBI Moneypak ransomware threat. Trojan.Ransom.Gen is distributed via malicious email attachments and social engineering attacks targeting inexperienced computer users. Once it infiltrates a computer, Trojan.Ransom.Gen installs a ransomware component that blocks access to the targeted computer as a way of forcing the victim to pay a large amount of money. If you cannot gain access to your computer because of an obtrusive, full-screen message claiming to come from law enforcement, ESG security researchers strongly advise using a reliable and fully updated anti-malware application to remove Trojan.Ransom.Gen and its associated malware from your computer permanently.
The basic principle behind most ransomware infections is taking the victim's computer hostage in order to demand a ransom from the computer user. Trojan.Ransom.Gen is no exception; this malware infection prevents the PC user from gaining access to the infected machine. To do this, Trojan.Ransom.Gen creates a fake message from a law enforcement agency. This message varies depending on the victim's IP address, which can be used to determine a computer's approximate geographical location. Using this information, Trojan.Ransom.Gen displays a message in the victim's language, purportedly sent by the law enforcement agency of the victim's country (for example, victims in the United States receive a message from the FBI, while victims in the United Kingdom receive a message from the Metropolitan Police or from Scotland Yard). This message will typically allege that the targeted computer was associated with illegal activities, such as copyright infringement or viewing forbidden pornographic material. It will usually threaten the victim with jail time unless a fine is paid using the Ukash or Moneypak money transfer services.
Since Trojan.Ransom.Gen blocks access to the infected computer, it may be difficult to remove this threat without being able to access anti-malware software on the infected machine. Fortunately, Windows allows computer users to bypass Trojan.Ransom.Gen by using Safe Mode to start up the infected computer. This can also be done by starting up the infected computer from an external memory device, such as a CD or a shared drive.
How Can You Detect Trojan.Ransom.Gen?
Trojan.Ransom.Gen Removal Details
Trojan.Ransom.Gen typically has the following processes in memory:
Trojan.Ransom.Gen creates the following files in the system: