CryptoLocker Virus – Removal and Decryption Guide


CryptoLocker Virus – Removal and Decryption Information


The latest encrypting rogue infection is called the CryptoLocker Virus. This infection is spreading at an alarming rate, with thousands of victims around the world already. The goal of this infection is to hold your computer ransom and encrypt your files until you pay the fee to have it removed and the files decrypted.

After the system becomes infected, the CryptoLocker Virus will immediately start popping up on the computer. If this happens, the best course of action is to remove it immediately. The longer it stays on the system, the more difficult it becomes to remove and the more damage it can do to the system.

We can be reached at 800.530.8514 if you need a malware removal specialist to assist.


What exactly is Ransomware CryptoLocker Virus?

CryptoLocker attacks the computer by placing a trojan or other hijacker to gain access to vulnerable parts of the computer. This is all done in the background and is hidden. You can typically get this infection by visiting hijacked sites or malicious sites, through emails, and through downloads that trick you into installing the infection.

Once the computer is fully infected you will begin to see a bogus prompt that reads "Your personal Files are Encrypted", and with the prompt comes the inability to navigate properly through Windows. Once the virus is fully installed on the machine, it has access to system files, the registry and other important features of Windows. This lets the virus run in front of Windows with complete control, while blocking your input.

The prompt on the screen will also say that your files are encrypted. This includes photos, videos, documents, shortcuts and other types of files. To decrypt these files the infection states you must pay 100 dollars (or a similar amount in another currency) to buy a key to begin decrypting the files. DO NOT ever pay this or any virus. You cannot know for certain that they will decrypt your files, and by paying them you open yourself to even more attacks in the future, even identity theft.

ALERT:
All accusations made by any virus are UNTRUE, and paying these cyber criminals can cause further problems and issues.


How to remove CryptoLocker

Depending on the severity of the CryptoLocker Virus infection and how long the computer has been infected, users will require different removal steps. Listed here are the options to remove the ransomware at all stages of progression and for all types.

  1. CryptoLocker Removal Applications – Automatically clear out all infections and Ransomware CryptoLocker Virus.

  2. Manual CryptoLocker Removal- Remove associated CryptoLocker Virus files. (ADVANCED)

  3. System Restore – Restore your computer to a time and date before the Ransomware CryptoLocker Virus.

  4. Safe Mode With Networking – Manual infection removal and automated infection scan for the CryptoLocker Virus.

  5. Flash Drive Option – Load antivirus (or anti-malware) software onto a flash drive, then scan for and remove the CryptoLocker Virus.

Option 1 – Ransomware CryptoLocker Virus Removal Applications:

Easily remove the Ransomware CryptoLocker Virus using Malwarebytes Anti-Malware Software.


1. Before we begin the steps we need to boot into Safe Mode with Networking, as there is a good chance that if you have ransomware you cannot get into normal mode. So please shut down your computer if you haven't done so already, by holding down the power button on your computer's tower for 10 seconds or until you hear it turn off.




2. When the computer is off, push the power button once to turn it back on. As soon as you see anything on your computer screen, continuously tap "F8" (Windows 8 is Shift-F8) repeatedly until you see the "Advanced Boot Options" screen.





3. Select "Safe Mode with Networking" here and allow it to boot up into your desktop. If you immediately see the virus at boot, please attempt another option, or give us a call.




4. Open your web browser and download Malwarebytes at malwarebytes.org. When at the site click "Free Download". It will redirect you to "Download.com". Once there, click the big green "Download Now" button.






5. Once you have downloaded and installed Malwarebytes, open it and run a full system scan by selecting "Perform full scan" and then clicking the Scan button located at the lower part of the page.



6. Once the scan is done, Malwarebytes will display the results, showing the malware and possibly the CryptoLocker Virus that was found. Now you need to select all of the malicious files and click the Remove Selected button on the lower left side of the page.




Note

If Malwarebytes didn’t work, here are some other popular Ransomware CryptoLocker Virus Removal tools:


Super Anti-Spyware, Hitman Pro, AVG Antivirus, Kaspersky, Microsoft Defender, and Microsoft Security Essentials.

REMEMBER!
If you have any issues or problems with removing the infection on your computer, we can help! We are open 24/7 and will be more than happy to help you remove the infection with ease. We can be reached at 800.530.8514.


Decrypting Your Files
Remember that this guide is only for removing the infection! Decrypting the files on your computer can only be handled by a Microsoft Certified Technician. This is a time consuming and very delicate process and must be handled with care. Please call us at 800.530.8514 for help with decrypting your files.

Option 2 – Manual CryptoLocker Virus Removal (advanced):

Alert
This option is very advanced and should be handled by a technician; please call us at 800.530.8514 with any questions. Some of the files described in this sample solution may not be found in your ransomware, because there are so many different types and they can be named randomly. So do not be alarmed if you cannot find "Ctfmon" (a file in the steps below), as it may not be there, and may be named something else in a different location.

1. Turn off the infected computer completely by holding in the power button of the computer for 10 seconds or until the computer shuts completely off. (If the computer is already off skip this step)




2. Turn on the computer by pressing the power button and immediately begin to tap the “F8” (Windows 8 is Shift-F8) button over and over until you see the “Advanced Boot Options” screen which looks like this:




3. Please select "Safe Mode with Command Prompt". After selecting this you will see a large amount of text on the screen, and when it is done you will see a black box labeled "Command Prompt" with a blinking white cursor where you can begin typing.




4. Please type “Explorer.exe” in the black box with blinking cursor and hit the “Enter” key. If done correctly you will see your “Start Menu” and desktop icons come back onto your computer.




5. Now we need to show hidden files. Double click on any folder on your computer to open it.
(e.g. "My Computer", "My Documents", or any personal folder)

While the folder is open, hold down the "Alt" key and press "T". This will bring up a drop-down menu on which you need to click "Folder Options". When you first get into the "Folder Options" page, click on the "View" tab at the top of the page; there will be a list on this page.

About 7 to 8 check boxes down there will be an entry named "Hidden files and folders" with 2 round (radio) buttons under it; it is the only option with round buttons. Under "Hidden files and folders", click the option that says "Show hidden files and folders", then click "Apply" and "OK". This will display hidden files.



6. This step is the most important: removing the CryptoLocker Virus and other infected files. Below is the location of the infection:


Infected File Location: %Appdata%

Infected File Names: zesatwsw.Dat, [Random].Dat

Note
Be aware that a lot of the time the name is random, or is even a random set of numbers or letters (e.g. TES20893.dat or Snxtvfntrm.dat). Confused about which file is the infected file? Call us! 800.530.8514

Now that you know the common location and file names, we are going to start the removal process and show where to type them. You need to go to the above location and look for any files that are in the list, or any that seem out of place.

A. Luckily the location "%appdata%" will work on any version of Windows. The CryptoLocker Virus will be in this folder most of the time, compared to the other locations. So if you find a random or suspicious file here, chances are this is your virus.


    Below is an example of a user that has the "CryptoLocker" infection. Notice the "Zesatwsw.dat" in the "%appdata%" location. This is simply an example picture to show you how the infection could look when you find it.

    [screenshot of a random-named .dat file in the %appdata% folder]

B. Bring up the "Run Box" by holding down the "Windows" key and tapping the letter "R".

    Note
    This will bring up a run box with a field for you to type a location into. This run box can take you to the location written above. It will be your key to finding the infection on your computer.


C. When the “Run Box” is displayed please type “%APPDATA%” (Without the Quotes) in the text field on the “Run Box” and press “OK” or hit the “Enter” key.




D. This will display your "Application Data" folder. 9 out of 10 times, the virus will be in this location. This location should have quite a few folders in it that help your applications, like Microsoft Office, Internet Explorer, and Firefox, run according to your preferences. There will never be a file in this location that, if you deleted it, would stop your system from running.


    Note

    This doesn't mean you should delete items that look legitimate, but it should help ease your mind about what you are removing. So please look in this location for any file in the list above, or any file that seems out of place or random. There is a very high chance that any file that ends in .EXE or .DAT, or simply has no extension, can be removed from this location. If you need any help with this step please contact us at 800.530.8514!


E. Once you have found the infected file(s), write down the name of the file, then delete it, and then empty the Recycle Bin on the desktop by right clicking it and selecting "Empty".

Note

Writing down the name of the infected file is very important as it is used in a later step!




F. If you did not find a suspicious file(s) in this location it may be hidden in another location, please continue the guide to remove other parts of the infection to make finding the file easier.


G. Even after deleting the virus files, there could still be some hiding in your %Temp% directory. Also, if you didn't find any files that matched the description of a virus file in the previous steps, they could be hiding in the %temp% directory. This step is quite easy though, as nothing in this location is needed. Just like steps 6-B and 6-C, bring up the run box by holding down the "Windows" key and tapping "R".



• When it is displayed type “%temp%” (without the quotes) in the “Run box” text field.



• This will display your Temporary folder. There may be a lot of folders and files in here, or very few. Either way they are not needed. Hold down the left "Ctrl" key and press "A" to select all the items in the folder, or click the first item in the folder, scroll all the way down to the bottom, hold down the "Shift" key and, while holding it down, click on the last item in the folder; this will also highlight all the items in the folder.




With all the items highlighted, press the "DEL" key on your keyboard, or right click and click "Delete", then click "Yes" to confirm you want to delete the items. Some of the items may be in use and Windows will ask you to skip them because they can't be deleted; simply skip those files and let it delete the rest. When you are done you should have no files, or a very small number, left in this folder.
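The hunt through %APPDATA% and %TEMP% in steps 6 A to G can be done from a PowerShell prompt instead of by eye. The script below is an added example, not code from the original guide: it lists the loose files in those two folders that carry the extensions the guide singles out, marks names that look random by the same pattern as the guide's samples, and records size, creation time, Authenticode status and a SHA-256 hash so a suspect can be checked with an antivirus vendor before anything is removed. Run it with -Quarantine and it moves the flagged files into a folder on the desktop instead of deleting them, which keeps a copy for analysis while making sure the file cannot start again. The extension list, the random-name heuristic and the quarantine folder are this example's own choices and are not stated on the page.

```powershell
# Added example, not from the original guide: triage %APPDATA% and %TEMP% for
# loose files that look like the random-named droppers the guide describes
# (step 6 A-G), and optionally quarantine them instead of deleting them.
# Assumptions (this example's, not the page's): the extension list, the
# "random name" heuristic and the quarantine folder are all choices made here.
# Needs Windows PowerShell 3 or later; run it from Safe Mode as the guide says.
param(
    [switch]$Quarantine,
    [string]$QuarantineDir = (Join-Path $env:USERPROFILE 'Desktop\quarantine')
)

$folders    = @($env:APPDATA, $env:TEMP)
$suspectExt = @('.exe', '.dat', '')   # the guide singles out .EXE, .DAT and no extension

function Test-RandomName {
    param([string]$Name)
    # Heuristic only: the guide's samples (zesatwsw, TES20893, Snxtvfntrm) are
    # short alphanumeric runs that mix letters and digits or have few vowels.
    if ($Name -notmatch '^[A-Za-z0-9]{6,16}$') { return $false }
    $letters = $Name -replace '[^A-Za-z]', ''
    $digits  = $Name -replace '[^0-9]', ''
    if ($letters.Length -gt 0 -and $digits.Length -gt 0) { return $true }
    $vowels = ($letters -replace '[^AEIOUaeiou]', '').Length
    return ($letters.Length -gt 0 -and ($vowels / $letters.Length) -le 0.3)
}

function Get-Sha256 {
    param([string]$Path)
    # Hash through .NET so it also works where Get-FileHash (PowerShell 4+) is absent.
    try {
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($Path)
        try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $stream.Close() }
    } catch { 'locked-or-unreadable' }
}

$findings = foreach ($dir in $folders) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $suspectExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            $status = if ($sig) { $sig.Status } else { 'n/a' }
            [pscustomobject]@{
                Path        = $_.FullName
                SizeKB      = [math]::Round($_.Length / 1KB, 1)
                Created     = $_.CreationTime
                LooksRandom = Test-RandomName $_.BaseName
                Signature   = $status
                SHA256      = Get-Sha256 $_.FullName
            }
        }
}

# Report first; the hash lets you check a sample with your AV vendor before acting.
$findings | Sort-Object Created -Descending |
    Format-Table Path, SizeKB, Created, LooksRandom, Signature -AutoSize
$findings | Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\triage.csv') -NoTypeInformation

if ($Quarantine) {
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    foreach ($f in ($findings | Where-Object { $_.LooksRandom })) {
        # Moving and renaming breaks the path any autorun entry (step H) points at
        # and stops a double-click launch, but keeps the sample for later analysis.
        $dest = Join-Path $QuarantineDir ((Split-Path $f.Path -Leaf) + '.quarantined')
        Move-Item -LiteralPath $f.Path -Destination $dest -Force
        Write-Host "Quarantined $($f.Path) -> $dest"
    }
}
```

Save it as triage.ps1 and run `.\triage.ps1` first, read triage.csv, then `.\triage.ps1 -Quarantine` only for the names you have checked. Quarantining rather than deleting means step G's advice to wipe %temp% loses nothing of value while the evidence of what ran survives, and a file that turns out to be legitimate can be moved back.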




H. Now that the CryptoLocker Virus files are gone, you must remove the registry keys that were attached to these infected files, or it could cause errors when starting up your computer in the future.

  Alert:
    Entering the Registry with no knowledge of how to use it could completely render your computer incapable of starting again. Please proceed with extreme caution, or get the help of a technician by calling us! 800.530.8514


    Open the run box (refer to steps 6-B and 6-C), type "Regedit" and press "OK" or "Enter".


    • This will open the Windows Registry Editor. Take the name of the infected file you deleted; you can search for it in the registry by holding down "Ctrl" and pressing "F".




    If you do not know the name of the file, or did not find any infected files, you will have to go through the registry manually to this location:

    [screenshot of the registry startup location]


    • Once there, delete any suspicious-looking startup items, like the one shown below.

    [screenshot of a suspicious startup item]
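Step H is easier to do safely when the startup entries are listed in one place and backed up before anything is deleted. The script below is an added example and not part of the original guide: it reads the common Run and RunOnce keys, flags any entry whose command points into %APPDATA%, %LOCALAPPDATA% or %TEMP%, marks entries that mention the file name written down in step E, and exports each key to a .reg file on the desktop so a wrong deletion in regedit can be undone by double-clicking the backup. It only reports; removing the entry is still done by hand, as the guide describes. The set of keys is this example's starting point and not a complete list of autorun locations.

```powershell
# Added example, not from the original guide: list the autorun entries that
# step H has you inspect, flag any that launch something from %APPDATA%,
# %LOCALAPPDATA% or %TEMP%, and mark those that mention the file name you
# wrote down in step E. Read-only: it reports and backs up, it does not delete.
# Assumption (this example's, not the page's): these Run keys are a common
# starting point, not every autorun location Windows has.
param([string]$FileName = '')

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd      = [string]$item.GetValue($name)
            $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
            # Anything launched from a per-user writable folder deserves a look;
            # legitimate updaters live there too, so this is a flag, not a verdict.
            $inUserDir = $false
            foreach ($d in $userDirs) { if ($expanded -like "*$d*") { $inUserDir = $true } }
            [pscustomobject]@{
                Key         = $key
                Name        = $name
                Command     = $cmd
                InUserDir   = $inUserDir
                MatchesName = ($FileName -ne '' -and $expanded -like "*$FileName*")
            }
        }
    }
}

# Snapshot the keys before anyone edits them in regedit; a mistake is then undone
# by double-clicking the matching .reg file.
$backup = Join-Path $env:USERPROFILE 'Desktop\run-keys-backup'
New-Item -ItemType Directory -Path $backup -Force | Out-Null
$i = 0
foreach ($key in $runKeys) {
    $i++
    if (-not (Test-Path $key)) { continue }
    $native = $key -replace '^HKCU:', 'HKEY_CURRENT_USER' -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
    & reg.exe export $native (Join-Path $backup "run$i.reg") /y | Out-Null
}

Get-AutorunEntries | Sort-Object InUserDir, MatchesName -Descending |
    Format-Table Key, Name, Command, InUserDir, MatchesName -AutoSize -Wrap
```

Run it as `.\autoruns.ps1 -FileName zesatwsw.dat` (or whatever name you wrote down) from an elevated prompt so the HKLM keys export too. Rows with InUserDir set to True are the ones to read closely; the Command column shows exactly what would be launched at the next logon, which is the information regedit's Ctrl+F search gives you one hit at a time.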





Option 3 – Restore-Recover Computer:


There are three different ways to restore and recover your system.


Option 1: Start Menu Restore:


A. Open Windows Start Menu and select All Programs.


B. Select the Accessories folder.



C. Select System tools then select "System Restore". You may be asked for confirmation.



D. Follow the instructions given to restore your computer back to a previous date before the virus was on your computer.


Option 2: Windows run box Rstrui.exe Restore:


A. Open the Windows run box by holding down the "Windows" key and pressing the "R" key; in the run box type "rstrui.exe" and press Enter.
(On Windows XP type "C:\windows\system32\restore\rstrui.exe")



B. Follow the instructions given in the Windows Restore Wizard to restore your computer back to a time and date before you were infected by the ransomware.





Option 3: Safe Mode With Command Prompt Restore:


This step is suggested if you are unable to access the Windows desktop.

Note

If Windows is having trouble starting into Safe Mode and comes up with a black screen and the words "Safe Mode" in all four corners of the screen, move your cursor to the lower left corner, over the area where the Windows Start Menu search box would be located, and it will come up. If Safe Mode won't boot up, please call us at 800.530.8514.


A. Reboot your computer, if you are having problems restarting it, simply unplug it.



B. To enter safe mode press "F8" repeatedly as your computer restarts, if done properly you will see the Windows Advanced Options Menu with three safe mode options. Select the option "Safe Mode with Command Prompt" using your arrow keys on your keyboard and press enter.



C. Type "explorer" when the Command Prompt opens and press enter. When your desktop is back and displayed hold down the "Windows key" (located at the bottom left of your keyboard) and tap "R", this will open the run box.



D. Once the run box shows up, browse to:

Win XP: C:\windows\system32\restore\rstrui.exe and press "Enter"
Win Vista/Seven: C:\windows\system32\rstrui.exe and press "Enter"



E. Now just follow the steps given to restore or recover your computer back to a time before the virus was on your computer, called a restore point.





Option 4 – Safe mode with Networking:


This option is for users who need additional files off the internet, or have applications that are malfunctioning because of the virus. The idea of this step is to get connected to the internet and get an application to remove the ransomware.


1. Turn off your computer by holding in the power button for ten seconds or until you hear/see it turn off, unplug your computer if needed, press the power button to turn the computer back on.


2. As soon as you turn the computer back on continuously press "F8" until "Windows Advanced Options" Menu comes up. Use the arrows on your keyboard to scroll down to "Safe Mode with Networking" and press "Enter".


Note

If Windows is having trouble starting into Safe Mode and comes up with a black screen and the words "Safe Mode" in all four corners of the screen, move your cursor to the lower left corner, over the area where the Windows Start Menu search box would be located, and it will come up.


3. There are 2 options to choose from here:

• Follow steps 6 A-H to perform a manual removal from this point.

• Download Malwarebytes to remove the malicious files on your computer:

A. Download the free or paid version of Malwarebytes from Malwarebytes.org.



B. Once you have downloaded Malwarebytes, open it and run a scan by selecting "Perform quick scan" and then clicking the Scan button located at the bottom of the page.

C. Once the scan is complete, Malwarebytes will display the results, showing the malware that was detected. Now you need to select all of the malicious files and click the Remove Selected button on the lower left side of the page.







Option 5 – USB trick:


Useful for users who can get into safe mode with command prompt but cannot find the virus.


1. On a different, uninfected computer, download Malwarebytes or a different antivirus you trust and save the setup.exe file to the USB flash drive.


2. Turn off the infected computer completely by holding in the power button of the computer for 10 seconds or until the computer shuts completely off. (If the computer is already off, skip this step.)


3. Turn on the computer by pressing the power button and immediately begin to tap the "F8" (Windows 8 is Shift-F8) button over and over until you see the "Advanced Boot Options" screen. Please select "Safe Mode with Command Prompt".


5. Please type “Explorer.exe” in the black box with blinking cursor and hit the “Enter” key. If done correctly you will see your “Start Menu” and desktop icons come back onto your computer.



6. Remove the USB flash drive from the uninfected computer and plug it into the infected computer, then start installing Malwarebytes (or your trusted antivirus) using the setup.exe file located on the USB flash drive.


7. Run a full system scan, and remove any found infections.



8. Restart your machine.



Nate - Admin

Growing up i always had a passion for computers and programming. My goal now is to take that knowledge and help others who do not have it. With the rapid growing rate that infections are released everyday, its hard for everyone to keep on top of it. That's what this site was made for. I'm currently a Computer Programmer at a Tech Support company, but have always been a Technician at heart. I spend my free time Reverse engineering viruses to develop cures, and learn how they work. This makes helping people who have been infected with any kind of virus a easy and fun task for me. Need help? Leave a comment on any page, or use the "Contact Us" Page and i will respond as soon as i can!


58 comments on "CryptoLocker Virus – Removal and Decryption Guide"

  1. Microsoft can’t decrypt your files for you – they don’t have the private key. The title of this article is misleading. Cleanup process is good, but the only way to get your encrypted files back is to restore from backup or Shadow Copies (Previous Versions). Please update your article accordingly.

    • Hi Rob,
      Thanks for responding! Cryptolocker and other cryptic infections can be a tricky thing to recover from, and I understand what you are saying. But at FreeTechSupport, we can decrypt a lot of the currently popular infections that encrypt your files, and even if we can't, we have very in-depth ways of performing disaster recovery. This method proves very successful in areas where decryption isn't possible, as the infection will delete the original file after replacing it with an encrypted copy.

      You see when a file is deleted on Windows, it isn’t completely gone. In a way Windows simply unattaches the file from the partition. To a regular Windows user this looks and seems like the file is completely gone, but in actuality, the file is still there! Pulling these files back though can be a long and difficult process, and can require a skilled person to accomplish it. So we have trained technicians in disaster recovery for these situations to pull back precious files deleted from these nasty viruses.

      So if you do have this infection and your files are encrypted, Please STOP all use of the infected computer and turn it off, as using the computer after the original files are deleted can make the recovery harder for any technician performing the disaster recovery.

      Thanks,
      Nate

  2. Of course, this is all moot, since CryptoLocker also irreparably destroys networking (in Windows 7 at least), and no post anywhere gives the procedure for restoring it! It’s re-build time!!!

    • Hello Bob,
      I do not understand what you are referring to. Cryptolocker has never had any reports of "Destroying" networking on any version of Windows. Also in my personal experience of dealing with Cryptolocker, which has been more times than I care to know, Cryptolocker will enter a computer through a dropper (Email, Web, RDP, false download, Hijacked site, etc.) and infect the computer. When all of Cryptolocker's malicious files have been properly placed, and the encryption of your files has started, it will display a splash screen that your computer is locked and has a timer. After this timer expires, the screen will go away but all your files will remain encrypted, and also the malicious files are left. This is all the Cryptolocker does. Of course I can go into more detail of what happens on the back end, but this is a small summary.

      Now if you are referring to a "Networking Drive" then yes, Cryptolocker can encrypt files on a network drive mapped out to your infected computer. Is this what you were referring to?

  3. Jagadeesan said:

    Hi, I have this problem (Crypto locker). I removed the virus, but my files are encrypted. Can you help? I am in Chennai, India.

    • Hello Jagadeesan,
      Getting your personal files back from Cryptolocker can be tricky. You may be able to though by either looking through your shadow copies / previous versions to bring back the original file, or have a technician do a Disaster Recovery on your computer. If you need help at all with this process please give us a call, we will do everything we can to bring back your personal files with our Disaster Recovery Software. We can also assist you on making sure the virus is gone, and stays gone.

  4. monsterpcsolutions@live.com said:

    To Bob….the malware changes your IP address in your networking adapters’ properties

    • Hello monster,

      Thanks for sharing this information. If you notice that the infected computer has no internet after being remove or the splash screen goes away you can regain it by changing your IP back to what it was before the attack:

      Step 1: Hold down the “Windows” Keys and press “R”. This will display the run box.

      Step 2: type in “ncpa.cpl” (Without quotes). This will display your “Network Connections”

      Step 3: If you use a wire (Ethernet Cable) to connect to the internet, Right click the “Local Area Connection” that is assigned to your network and click “Properties”. If you use a wireless connection to connect to the internet, Right click the “Wireless Network Connection” that is assigned to your network and click “Properties”.

      Step 4: Double Click on “Internet Protocol Version 4 (TCP/IPv4) in the Properties List. (If you use IPv6 Click it instead, though this is quite rare.)

      Step 5: If you have a static IP enter it in the "IP Address" field. Otherwise simply click "Obtain an IP address automatically" and click OK.

      This will bring your internet back to normal.
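The five ncpa.cpl steps in the reply above can also be done from a command prompt, which helps when the desktop is unusable or when the same fix has to be applied to several machines. The snippet below is an added example and is not from the comment's author: it uses netsh, which is present on Windows 7 as well as later versions, to show the adapter's current setting, return both the address and the DNS servers to DHCP (the equivalent of "Obtain ... automatically"), and request a fresh lease. The adapter name is a placeholder; take the real one from the first command's output. If you normally use a static address, enter it through ncpa.cpl as the reply describes instead of running the two "set" lines.

```powershell
# Added example, not part of the original comment thread: the same fix as the
# five ncpa.cpl steps above, done from an elevated PowerShell prompt with netsh.
# Assumption: the adapter name is a placeholder; read the real one from the
# output of the first command before running the rest.
param([string]$Adapter = 'Local Area Connection')   # placeholder adapter name

# 1. Look before changing: a static address or DNS server you never configured
#    is the sign that something rewrote the adapter's properties.
netsh interface ip show config name="$Adapter"

# 2. Put address and DNS back on DHCP ("Obtain ... automatically").
netsh interface ip set address name="$Adapter" source=dhcp
netsh interface ip set dns name="$Adapter" source=dhcp

# 3. Ask the DHCP server for a fresh lease and confirm the result.
ipconfig /release "$Adapter" | Out-Null
ipconfig /renew "$Adapter"
netsh interface ip show config name="$Adapter"
```

Keep the output of the first "show config" call: a DNS server address you do not recognise is worth recording before it is overwritten, since it tells you where the machine's name lookups were being sent.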

  5. BS Spotter said:

    You need to retitle this to removal guide. You do not show, nor is it possible, to decrypt the files or restore to a previous version without a backup not connected to the computer infected. You simply took a very long winded approach to say "Run Malwarebytes; when you're unable to recover your files, call us."

    • Hello,

      It is unfortunate that you feel this way, but you are misinformed. Though with some infections decryption is impossible, there are always ways around it. It makes things harder when you do not have a backup, but to say that it is impossible to get your files back without a previous version or backup is wrong. This kind of situation is exactly what extensive Data Recovery was made for. Getting your most precious files back without a single backup. In a comment above this one I explain the rough edges of how it works. All that you need to do to have a chance at getting your files back through Data Recovery is cease to use the computer after your files are encrypted and run the appropriate software. Thanks for the comment!

  6. Keith Duvall said:

    So you're saying that you can recover files because the Malware deletes the original after creating an encrypted copy. You can recover deleted files from a hard drive because the data still exists, the File Allocation Table just doesn't know about it. The flaw in your logic is that the virus is constantly creating new encrypted files and deleting the originals. This process will overwrite the hard drive platter residual files that you're claiming you can recover. I think you may be able to get a small amount of data, but nothing substantial. The bottom line is this is a very effective virus. It shreds your documents and demands $$ to unshred them. You HAVE to pull from a backup otherwise you're finished. Don't even think about paying them – unless you would like to see what having your identity stolen is like.

    • Hello Keith,

      Thank you for the information you provided! But not all of your statement is true. I agree that you should not pay for this Ransomware to decrypt your files, but "CryptoLocker" does not zero out any files. Nor does it keep going over encrypted files over and over. It creates a list of files to encrypt, then uses a server side RSA key to encrypt them. There are also some lower forms of encryption it uses on top of RSA, but no need to go into that. After encrypting your files the splash screen stays up until the timer has run out, and then the damage is done. Here at FTS we perform at least 1 Data Recovery a day from the CryptoLocker virus, and many have had great results and received all their personal documents back. Others who have used their computer too long after the infection hit them aren't so lucky, but even they get a few documents back.

      Thanks!

  7. I found an easy solution to quickly disable this thing: Use with Option 2, and after locating the bad file(s) right click with Windows Explorer, go to Properties | Security and Edit permissions and click "Deny" for "Full Permission" for all users, including System and Administrators. And then restart in Safemode without networking. Guaranteed it will not execute, because all access to this file will be denied including the run command from the registry. After safely restarting, you will be able to delete this bad file, and run your favorite Malicious code removal software. The reason why I used this method was that deleting the bad keys in the registry did not work, it would appear again after restarting. Also it was nearly impossible to run the Malware scanner while this thing was running in the background.

    • Hello Jas,

      Thanks for all the wonderful information! Though it may not work on some, because if Cryptolocker is attached to a process before "Group Policies" is started, then the file will start regardless. As long as you remove the registry keys, the infected files, and run an Anti-Virus / Malware scan for safe measure, you should be CryptoLocker free! Once again thanks for all the wonderful information, and I hope it helps others that are having a hard time with the above steps!

      Thanks!

  8. One more thing, be sure to return the permissions to the default in order to delete it.

  9. Jackie said:

    The pop up window just showed up today. I’m running the malware scan and it’s taking a while. 4 hours already. Should I wait? Or is there another quicker option?

    • Hello Jackie,

      Do you mean that the CryptoLocker window just showed up today? If so, I would immediately shut down your computer and use either the Hitman Pro Kickstart step or the Kaspersky CD step. The less use of your computer’s Windows OS the better.

  10. Yet another item that may help: a search with regedit for “cryptolocker” came up with a list of the affected files, for example [HKEY_USERS\S-1-5-21-431169243-120942345-1887955387-1001\Software\CryptoLocker\Files]. This will give you some idea which files need attention. While all on the list may be corrupted, a full system restore may be averted and you can just focus on the files on the list that are important to you, saving time and headaches. Hope this helps!

  11. Almost forgot: if you right click on the registry key described in the previous message while in regedit (which lists the affected files), you can script it out separately to a “.reg” file. Then renaming this file to “.txt” will allow you to view and edit it with your favorite text editor. I used Notepad++ (free tool) because I can search and replace and script out a .bat file or similar and automate the cleanup or restore operation. Cheers and kudos to all who have helped to control and disable this malware.
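
Comments 10 and 11 above describe exporting the ...\Software\CryptoLocker\Files key to a .reg file and picking through it in a text editor to see which files need attention. The following Python script is an added example (not code from this page or its author) that automates that triage offline: it parses a regedit export, pulls the value names from any key ending in \Software\CryptoLocker\Files, and groups them by extension so you can build a restore list. The registry path is the one quoted in comment 10; the sample export embedded in the script is constructed (made-up SID and paths), and the assumption that each value name is the affected file's path with backslashes written as "?" is this example's own, not something the page states.

```python
r"""Triage helper for a regedit export of the CryptoLocker\Files key.

Added example, not code from this page. Assumptions (not stated on the page):
  * regedit 5.00 exports are UTF-16LE text with a BOM; read_reg_file handles that.
  * each value name under ...\Software\CryptoLocker\Files is one affected file's
    path with the backslashes written as '?' (so 'C:?Users?x' -> 'C:\Users\x').
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
FILES_KEY_SUFFIX = r'\software\cryptolocker\files'

# Constructed sample export: the SID and every path below are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\CryptoLocker]
"VersionInfo"=hex:01,00,\
  02,00

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\CryptoLocker\Files]
"C:?Users?alice?Documents?budget.xlsx"=dword:00000000
"C:?Users?alice?Pictures?holiday.jpg"=dword:00000000
"Z:?Shared?contracts?lease.docx"=dword:00000000
"C:?Users?alice?Desktop?notes.txt"=dword:00000000
'''


def read_reg_file(path):
    """Read a regedit export from disk (works on the renamed .txt copy too)."""
    with open(path, encoding='utf-16') as fh:
        return fh.read()


def parse_reg_export(text):
    """Parse .reg text into {key_path: [(value_name, raw_data), ...]}.

    Continuation lines of multi-line hex values do not match VALUE_RE and are
    skipped; only the value names matter for this triage.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # undo .reg escaping in the value name (\\ -> \ and \" -> ")
            name = re.sub(r'\\(.)', r'\1', m.group('name'))
            keys[current].append((name, m.group('data')))
    return keys


def affected_files(text):
    """Return the file paths recorded under any key ending in Software\\CryptoLocker\\Files."""
    paths = []
    for key, values in parse_reg_export(text).items():
        if key.lower().endswith(FILES_KEY_SUFFIX):
            # assumption: '?' stands in for the path separator in the value name
            paths.extend(name.replace('?', '\\') for name, _ in values)
    return paths


def summarize_by_extension(paths):
    """Count affected files per extension, so you can see what was hit."""
    return Counter(PureWindowsPath(p).suffix.lower() for p in paths)


def files_to_restore(paths, extensions=('.docx', '.xlsx', '.jpg')):
    """Keep only the paths whose extension is on the caller's priority list."""
    wanted = {e.lower() for e in extensions}
    return [p for p in paths if PureWindowsPath(p).suffix.lower() in wanted]


def write_restore_list(paths, out_path):
    """Write one path per line; feed this to your backup or shadow-copy restore."""
    with open(out_path, 'w', encoding='utf-8') as fh:
        fh.write('\n'.join(paths) + '\n')
    return len(paths)


if __name__ == '__main__':
    hit = affected_files(SAMPLE_REG)
    for ext, n in summarize_by_extension(hit).most_common():
        print(f'{ext or "(none)"}: {n}')
    for p in files_to_restore(hit):
        print('restore:', p)
```

On a real machine, replace SAMPLE_REG with read_reg_file("cryptolocker-files.reg") and pass the result to affected_files(); the extension list in files_to_restore() is the place to put whatever matters to you, and write_restore_list() turns it into a plain text list for the restore step. The script only reads the export; it does not touch the registry or the files.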

  12. Francis on said:

    The worst thing I’ve encountered in this virus is that all my drivers and services are disabled. Thanks to Malwarebytes, I’ve gotten rid of the virus, but the files are still encrypted. Is there any other process aside from Shadow Explorer and Panda Unransom??? Please send me a reply or add me on my Facebook, –Removed Email to protect user from Spam–

    • Hello Francis,

      Thanks for the comment! Unfortunately there is no other way besides backups, Previous Versions, shadow copies, and advanced Data Recovery. Also, in this case Panda Unransom will not help. Please contact us for more information!

      Thanks!

  13. gazpefoc on said:

    The safest way is to unplug the computer from the wall plug immediately after the pop-up shows up and not start it again. Then remove the HDD, put it in another computer that is clean and has an antivirus that detects this virus, and run software to recover deleted files.

    • Hello gazpefoc,

      You are entirely right! Your best bet to make it through this infection with your personal files intact is to immediately turn off your machine and use either a live disk or another computer to remove the infection and perform Data Recovery. If you ever need any help with this, please call us at (800) 530-8514.

  14. RAWINFO on said:

    What about if all of your files are already encrypted? Will this ransomware still be able to unencrypt and then re-encrypt your files using their key?

    • Hello RAWINFO,

      Thanks for the comment! But I am unsure of what you are asking. If you’re asking whether, if you encrypted your files yourself and then you get the virus, it will still encrypt them, then yes it will. It uses RSA encryption and will simply encrypt over your own. I hope this answers your question, and if not please post back!

      Thanks!

  15. RAWINFO on said:

    Thanks for your answer to my previous question. It did tell me what I wanted to know. A follow-up question. It says that it will also encrypt files on mapped drives on the infected computer. If the infected computer (client) is shut off will it continue to encrypt files on the mapped drive (server) or will it stop once the infected machine is shut down?

    • Hello rawinfo,

      I’m glad my previous answer helped! As for your follow-up question: if you shut down the infected computer, it will stop the encryption if the infection is not also on the server. But as soon as you start up the infected computer again, it will start right where it left off. If the computer is infected I would suggest turning it off right away, booting into a live disk of some sort (WinPE etc.) and removing the infection and performing data recovery. That way the damage is very minimal. Thanks.

  16. Non Ogm on said:

    Hello, a question, please: are computers running under Linux (i.e. UBUNTU) concerned too? Thank you for your reply.

    • Hello Non Ogm,

      Thanks for the comment, and no. Linux-based OSes are not bothered by this infection at all. In fact you can use an Ubuntu disk to remove the infection from your Windows-based computer!

  17. mohamed on said:

    Great

  18. mohamed on said:

    Thanks a lot for your support.
    Can you tell me what is the best data recovery software to use after removing the virus?
    Appreciate your support.

    • Hello mohamed,

      After removing the virus, if you do not have any Data Recovery experience, I would try using “Shadow Explorer”.

      But if you have no system restore points, this step will not work. If you have no system restore points, try “Icare Data Recovery”.
      You can have great success with this software if you did not use your computer a lot after the infection was removed.

  19. dhananjay on said:

    Hello Sir, I got a virus (cryptorbit) from the internet. After that all my data is encrypted. How do I decrypt all the affected documents? Please help me…

    • Hello,
      Dhananjay, I have sent you an email. Please respond if you have the time. But for now, treat this as the same infection as you see above, and take the proper steps to remove it.

  20. So to prevent infection I presume you can do this?: Windows+R, type gpedit.msc, then Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Encrypting File System in the Group Policy Editor. Right-click on Encrypting File System and select Properties. Select Don’t Allow under the category File Encryption using File Encryption System. Then click OK to save the settings. Voilà..

  21. davidt on said:

    Hi Nate, how do you do? I read your page; I just want to say thank you for your favor, for your time that you want to help others. Thank you. Good luck.

  22. How quickly does CryptoLocker capture drive C:/, within minutes, hours or days? Thanks in advance for any reply.

    • durion,

      The infection can happen within minutes.

      • Hi Dear,
        I bought the McAfee Antivirus Total Protection version, installed it and scanned all drives. After it ran for a few hours to finish, I found out all my drives, including the external drives connected to my laptops (which I used to connect via LogMeIn to my office computer, the infected computer), have been encrypted.
        What should I do and how can you help? What would be the cost to decrypt all infected files?
        Please help.

        • Currently the only way to restore files from CryptoLocker is to use a backup, a System Restore point, or try a disaster recovery software. Also the price if you pay the ransom varies as it is in bitcoins. I believe it starts at 400 for the first 3 days, and then jumps to 1000, and then over 2000.

      • I removed CryptoLocker from my computer.
        All Word docs and Excel spreadsheets were on a USB flash drive, and they are encrypted.
        Is there a way to decrypt the flash drive?

        • The only way currently to restore files from CryptoLocker is to restore from a backup or disaster recovery software. You may also try a system restore if the infection did not succeed in removing them.

  23. Pingback: Security Concerns for 2014 | Business Management and Technology

  24. steve on said:

    Hello, I got hit with CryptoLocker on my laptop and, being dumb, I plugged in my external drive and copied a folder to the external drive, then unplugged it. Now after that I found a button on the CryptoLocker screen that said “for a list of infected files click here”, so I did, and all the files on my hard drive showed up and only the one folder on my external drive showed up. Now my question is: if I plug that drive into another computer, will CryptoLocker take that computer over too, or will the files in the affected folder just be unusable? I can live with that because there are other folders on there with files I use that are older, but it will be better than losing all of them.

  25. Harry on said:

    Hi… I work for a charity and we don’t have an IT expert. We’ve come into work and found one of our PCs has been infected with the “cryptolock” virus… which I have now removed. However I cannot open a number of MS Word documents on our shared drive. I just get a garbled message text box. Is there any way I can recover these files?
    thanks in advance
    Harry

  26. I was infected with that CryptoLocker virus recently, but I’m in Colombia. Can you tell me if you can still help me decrypt the files? Can you send me info on my email about this? If you ask for money, how much is it? Thanks

  27. Nick on said:

    Hi,

    I saw all the steps and everything seems logical to me. My only question is: what if you have a server and got the CryptoLocker virus? When I go to restore the previous versions it tells me you don’t have any previous versions. I guess the server doesn’t carry previous versions.
    What should I do in this case?

    Thank you

    • Servers can have restore points, but it all depends on whether you had them turned on or ever made one. If not, the only other option is to restore from a backup or use disaster recovery software (which doesn’t always work).

  28. Hi, my laptop and my external hard drive were infected by the “howdecrypt” virus. I removed the virus, but my files (images, videos, Word and Excel files) are encrypted. Please help me to restore or repair my files.

  29. giangdq on said:

    Hi Admin, my PC has been infected with this. I didn’t know about it and I have ghosted the PC, since all files (.doc, .ppt, .pdf, .xls, …) were encrypted.
    Please, can you send me a file to help me decrypt the encrypted files? Thanks!
    This is 4 files!

  30. surya on said:

    Thanks for your posting about CryptoLocker. Is it the same virus or ransomware as howdecrypt?
