Trojan:Win32/Lockscreen.C is a screen-locking trojan that holds your computer hostage by displaying a full-screen alert you can't dismiss. This threat typically masquerades as a law enforcement warning — claiming you've violated copyright laws or visited illegal websites — and demands payment to unlock your system. Unlike ransomware that encrypts files, lockscreen trojans simply block access to your desktop, making the machine appear unusable even though your data remains intact beneath the fake warning screen.
First detected in the early 2010s during the "ransomware" boom, Trojan:Win32/Lockscreen.C belongs to a family of screen-lockers that evolved from simple nuisances into convincing social-engineering attacks. While modern variants are less common than file-encrypting ransomware, they still circulate through malvertising networks and software bundling schemes, particularly targeting home users who may panic at official-looking warnings.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Family | Trojan:Win32/Lockscreen (screen-locker trojan) |
| Common Aliases | Winlocker, FBI Virus, MoneyPak Virus, Police Trojan (historical names for similar variants) |
| Platform | Windows XP through Windows 11 (32-bit and 64-bit) |
| First Observed | 2012–2013 (this specific variant designation; family dates to ~2010) |
| Distribution Methods | Malicious advertisements, software bundles, fake codec installers, exploit kits, phishing emails |
| Persistence Mechanism | Registry Run keys, Windows shell replacement (alternate shell hijack), Winlogon Userinit modification |
| Primary Behavior | Displays full-screen lock window on startup; blocks Task Manager, Safe Mode access in some variants; demands payment via prepaid cards or cryptocurrency |
| File Encryption | None (screen-lock only — files remain accessible once the trojan is removed) |
| Typical Artifacts | Random-named .exe in %APPDATA% or %TEMP%, modified Shell/Userinit registry values, disabled Task Manager group policy settings |
| Network Behavior | May beacon to a C&C server for updated lock-screen images or payment instructions; large-scale data exfiltration is not typical of this family |
| Removal Difficulty | Moderate (often requires Safe Mode boot and registry repair, but no decryption needed) |
| Data Loss Risk | Low (does not destroy or encrypt files; primary risk is user paying the ransom unnecessarily) |
How It Spreads
Trojan:Win32/Lockscreen.C relies heavily on social engineering and deceptive advertising to reach victims. The most common infection pathway involves malicious advertisements (malvertising) placed on legitimate websites — particularly streaming sites, torrent indexes, and free-software portals. When you click an ad or a disguised "Download" button, a drive-by-download chain begins: the ad redirects through several intermediary domains before landing on an exploit kit or fake update page that drops the trojan payload. Many users report encountering this threat after clicking what appeared to be a Flash Player update or codec installer required to view video content.
Software bundling is another major vector. Freeware installers downloaded from third-party hosting sites often include "optional offers" that aren't clearly disclosed. If you speed through the installation wizard using Express or Recommended settings, you may inadvertently agree to install browser toolbars, adware, and potentially unwanted programs — one of which may be a dropper for Lockscreen.C. The trojan can also arrive as a secondary payload dropped by other malware already on the system, creating a chain-infection scenario where removing one threat reveals another.
Less common but still relevant distribution methods include:
- Phishing emails with malicious attachments: ZIP or RAR archives containing executables disguised as invoices, shipping notices, or tax documents
- Compromised websites: Legitimate sites injected with iframes or JavaScript that redirect to exploit kits
- Torrent and peer-to-peer networks: Cracked software, key generators, and game trainers bundled with trojans
- Fake tech support scams: Pop-ups claiming your system is infected and offering a "fix" that's actually the trojan installer
- USB and removable media: Autorun-enabled drives that execute the trojan when connected
What It Does On Your Machine
Once executed, Trojan:Win32/Lockscreen.C establishes persistence by modifying critical Windows registry keys that control the startup process. The most common technique involves changing the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell value from the default explorer.exe to point to the trojan's executable. This means that instead of loading the normal Windows desktop after you log in, the system launches the trojan's lock-screen interface. Some variants also modify the Userinit value in the same registry location, or create entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure the trojan starts even if the shell hijack is repaired.
The lock screen itself is a full-screen window — often configured to stay on top of all other windows and to disable standard escape methods. You'll see what appears to be an official notice from the FBI, Department of Justice, or another law enforcement agency, complete with official-looking logos and seals. The message typically claims your computer has been used for illegal activities: viewing copyrighted content, visiting illegal websites, distributing malware, or other fabricated violations. It demands payment of a "fine" (usually $200–$500) via prepaid MoneyPak cards, Ukash vouchers, or more recently, cryptocurrency like Bitcoin. The screen may display your IP address and approximate location to add legitimacy, creating panic that you're genuinely under investigation.
In reality, no law enforcement agency locks your computer or demands payment through prepaid cards. The entire interface is generated locally by the trojan — it's theater designed to exploit fear and urgency. Behind the scenes, the trojan may also disable Task Manager by setting registry policies, making it difficult to end the process through conventional means. Some variants detect Safe Mode attempts and adjust their behavior to load even in Safe Mode, though this is less common in the Lockscreen.C designation specifically.
Manual Removal — Step by Step
Step 1: Disconnect from the network immediately
Power off the computer if it's currently locked. When you power it back on, do not allow it to connect to the internet — disconnect the Ethernet cable or disable Wi-Fi before Windows fully loads. This prevents the trojan from downloading updated instructions or lock-screen images from its command server.
Step 2: Boot into Safe Mode with Networking
Restart the computer and repeatedly press F8 during the boot sequence (before the Windows logo appears) to access the Advanced Boot Options menu. Select "Safe Mode with Networking" using the arrow keys and press Enter. Safe Mode loads only essential drivers and services, often preventing the trojan from executing its lock-screen interface. If F8 doesn't work on Windows 10/11, you may need to boot from a recovery drive or use the Shift+Restart method from the login screen if accessible.
Step 3: Open Task Manager and identify the trojan process
Once in Safe Mode, press Ctrl+Shift+Esc to open Task Manager (if it's not disabled). Look for suspicious processes with generic names like svchost.exe running from an unusual location (under your user profile rather than System32), or processes with random alphanumeric names. Right-click the suspicious process, select "Open file location," then return to Task Manager and end the process. Note the file path for deletion in the next step.
Step 4: Delete the trojan executable and related files
Navigate to the folder identified in Step 3 (typically something like C:\Users\[YourName]\AppData\Roaming\{random-GUID}\). Delete the entire folder. Also check C:\Users\[YourName]\AppData\Local\Temp\ for any recently created .exe or .tmp files and delete suspicious items. You may need to show hidden files and folders through File Explorer's View options to see the AppData directory.
Step 5: Repair the Shell and Userinit registry values
Press Windows+R, type regedit, and press Enter. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Check the Shell value — it should be explorer.exe with no additional paths or executables. If it points to a suspicious .exe file, double-click Shell and change it back to explorer.exe. Also verify that Userinit is set to C:\Windows\system32\userinit.exe, (note the trailing comma). Correct it if modified. Then navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and delete any suspicious entries pointing to the trojan's executable.
Step 6: Re-enable Task Manager if disabled
In Registry Editor, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System. Look for a DWORD value named DisableTaskMgr. If it exists and is set to 1, either delete the value entirely or change it to 0. This restores access to Task Manager. Also check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System for the same value and correct it if present.
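The checks in steps 3 to 6 (identify the process, find its files, repair Shell and Userinit, re-enable Task Manager) and the persistence locations described under "What It Does On Your Machine" can be audited in a single pass. The PowerShell script below is an added example; it is not part of the original article and not a tool from any vendor named on this page, and the file name Audit-Lockscreen.ps1 is a placeholder. It assumes the default Shell and Userinit values quoted above, additionally checks the per-user Winlogon key (which Windows also honors and which should normally define neither value), and changes nothing unless you pass -Repair.

```powershell
<#
  Added example, not part of the original article or any vendor tool.
  Audits the persistence points the article names (Winlogon Shell/Userinit,
  Run keys, DisableTaskMgr) and lists processes and Temp executables that
  match the article's "suspicious" criteria. Report-only by default;
  pass -Repair to restore the Winlogon defaults and clear DisableTaskMgr.
  Run from an elevated PowerShell prompt while in Safe Mode.
#>
[CmdletBinding()]
param([switch]$Repair)

$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override, normally defines nothing
)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
# Defaults quoted in the article; the trailing comma on Userinit is correct.
$expectedShell    = 'explorer.exe'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
# Matches ...\Users\<name>\AppData\... and any ...\Temp\... path.
$userPathPattern  = '\\Users\\[^\\]+\\AppData\\|\\Temp\\'

# Step 3: running processes whose image lives under a user profile or Temp,
# plus any svchost.exe that is not the one in System32.
Write-Host '== Processes running from user-profile or Temp paths =='
$procs = Get-Process | Where-Object { $_.Path } | Where-Object {
    $_.Path -match $userPathPattern -or
    ($_.ProcessName -ieq 'svchost' -and $_.Path -notlike "$env:SystemRoot\System32\*")
}
$procs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize | Out-Host

# Step 4: recently created executables in Temp (listed, never deleted automatically).
Write-Host '== .exe/.tmp files created in %TEMP% during the last 7 days =='
Get-ChildItem -Path $env:TEMP -Recurse -File -Include *.exe, *.tmp -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-7) } |
    Select-Object CreationTime, Length, FullName | Format-Table -AutoSize | Out-Host

# Step 5: HKLM Shell/Userinit must equal the defaults; HKCU must not define them at all.
Write-Host '== Winlogon Shell / Userinit =='
foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $wl = Get-ItemProperty -Path $key
    foreach ($name in 'Shell', 'Userinit') {
        $current  = [string]$wl.$name
        $expected = if ($name -eq 'Shell') { $expectedShell } else { $expectedUserinit }
        $ok = if ($key -like 'HKLM:*') { $current -eq $expected } else { $current -eq '' }
        Write-Host ("{0}\{1} = '{2}' [{3}]" -f $key, $name, $current, $(if ($ok) { 'ok' } else { 'MODIFIED' }))
        if ($Repair -and -not $ok) {
            if ($key -like 'HKLM:*') { Set-ItemProperty -Path $key -Name $name -Value $expected }
            else { Remove-ItemProperty -Path $key -Name $name }
        }
    }
}

# Step 5 (continued): Run entries that launch something from a user-writable path.
# Reported only: legitimate programs (OneDrive, for example) also start from
# AppData, so each entry needs a human decision before it is removed.
Write-Host '== Run entries launching from user-profile or Temp paths =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        if ([string]$p.Value -match $userPathPattern) {
            Write-Host ("{0}\{1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }
}

# Step 6: DisableTaskMgr = 1 is the policy the article says the trojan sets.
Write-Host '== Task Manager policy =='
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $v = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($v -eq 1) {
        Write-Host "DisableTaskMgr = 1 at $key"
        if ($Repair) { Remove-ItemProperty -Path $key -Name DisableTaskMgr; Write-Host '  removed' }
    }
}
if (-not $Repair) { Write-Host 'Report only. Re-run with -Repair to restore Winlogon defaults and clear DisableTaskMgr.' }
```

Run it once without arguments to get the report, note the process IDs and file paths it lists, end the processes and remove the files by hand as in steps 3 and 4, then run it again with -Repair. Only the Winlogon values and the DisableTaskMgr policy are changed automatically; Run entries and Temp files are deliberately left for a human to judge, because both locations are also used by legitimate software.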
Step 7: Run a full system scan with reputable anti-malware software
Download and install Malwarebytes Free (or update it if already installed) while still in Safe Mode with Networking. Run a full Threat Scan to detect any remnants of the trojan or additional malware that may have been installed alongside it. Quarantine or delete all detected items. Consider running a second-opinion scanner like HitmanPro or Emsisoft Emergency Kit to catch anything the first tool missed.
Step 8: Check browser settings and reset if necessary
Screen-lockers sometimes arrive bundled with browser hijackers or adware. Open each installed browser and check for unfamiliar extensions, changed homepages, or new search engines. Remove suspicious extensions and reset browser settings to defaults if anything looks altered. In Chrome, go to Settings → Reset settings → Restore settings to their original defaults. Similar options exist in Firefox and Edge.
Step 9: Change passwords and monitor for suspicious activity
While Lockscreen.C itself doesn't typically steal credentials, it often arrives with other malware that does. After cleaning the system, change passwords for important accounts — especially banking, email, and any sites where you've saved payment information. Use a different, clean device for these password changes if possible. Monitor your accounts for unauthorized access over the following weeks.
Step 10: Restart normally and verify full system functionality
Exit Safe Mode by restarting the computer normally. Reconnect to the network and watch the startup process carefully. The desktop should load normally without any lock screens or unusual warnings. Open Task Manager and verify that only legitimate Windows processes are running. Test all programs and verify that you can access your files. If the lock screen returns or you experience unusual behavior, the trojan may not be fully removed — bring the machine to our shop for professional cleaning.
Prevention
- Keep Windows and all software updated. Enable automatic updates for Windows and set all installed programs to auto-update when possible. Many trojans exploit known vulnerabilities that patches have already fixed. The Windows Update service should run regularly — check Settings → Update & Security → Windows Update to verify you're current.
- Use reputable antivirus software with real-time protection. Windows Defender (built into Windows 10/11) provides solid baseline protection, but consider supplementing it with Malwarebytes Premium for real-time behavior monitoring. Keep definitions updated and ensure real-time scanning is enabled. Don't disable your antivirus to install software — if a program requires that, it's almost certainly malicious.
- Download software only from official sources. Avoid third-party download sites like Softonic, Download.com, or CNET Downloads. Go directly to the software publisher's website or use the Microsoft Store. Never download software from pop-up ads or search result ads (which often mimic legitimate sites). Torrent sites and key generators are particularly high-risk sources.
- Pay attention during software installation. Always choose "Custom" or "Advanced" installation mode rather than Express. Read each screen carefully and uncheck any boxes offering toolbars, browser extensions, or additional software you didn't explicitly want. Legitimate software doesn't need to bundle unrelated programs — bundling is a red flag.
- Be skeptical of online video players and codec requests. You should never need to download a special player or codec to watch video in 2024 — modern browsers handle all common formats. If a website claims you need to install Flash Player, a video codec, or a special player, it's a scam. Close the page immediately.
- Don't trust law enforcement warnings on your computer. Real law enforcement agencies do not lock computers, display warnings through pop-ups, or demand payment via prepaid cards or cryptocurrency. If you see such a warning, it's malware. Legitimate legal processes involve official letters, phone calls from verified numbers, or in-person visits — never screen-locker messages.
- Enable User Account Control and use a standard user account for daily activities. UAC prompts you before allowing system-wide changes, which blocks many trojans from modifying machine-wide locations such as the Winlogon Shell value; per-user Run keys need no elevation, however, so UAC alone is not a complete defense. For day-to-day use, operate under a standard (non-administrator) account. This limits malware's ability to modify system-wide settings. Create a separate admin account only for installations and maintenance.
- Create regular backups of important data. Even though Lockscreen.C doesn't encrypt files, other threats do — and infections often layer. Maintain automatic backups to an external drive or cloud service. If malware strikes, you can restore from backup rather than paying ransoms or losing data. Disconnect backup drives when not actively backing up to prevent malware from accessing them.
Bring It In
Screen-locker trojans like Trojan:Win32/Lockscreen.C can be deeply unsettling — especially when they display convincing law enforcement warnings. While manual removal is possible following the steps above, the process requires registry editing and careful file deletion that many home users understandably prefer to avoid. If you're not confident in your ability to safely modify the registry, or if the trojan keeps returning after you've attempted removal, professional help is the smart choice. Computer Repair Roswell has handled countless screen-locker infections and can typically restore full access within a few hours, including verification that no secondary malware remains on the system.
We're located in Roswell, Georgia, at 1 Clairmont Road, just minutes from downtown. Our shop is open Monday through Friday, 10 AM to 6 PM, and Saturday 10 AM to 4 PM. Call us at (770) 637-1435 to describe your symptoms — if you're currently locked out, we can often talk you through a basic unlock procedure over the phone, or schedule same-day service if you prefer to bring the machine in. Our flat-rate malware removal service includes complete threat removal, security software installation, system optimization, and that 90-day warranty for your peace of mind. Don't waste time fighting with a fake FBI warning — let us handle it while you get back to what matters.