CryptoLocker Virus – Removal and Decryption Guide

Note: CryptoWall information

CryptoWall uses very similar techniques and ransom mechanics to CryptoLocker, so the two are often confused. If the infection left files or notes named "DECRYPT_INSTRUCTIONS", if anything on screen names CryptoWall, or if the ransom notes have a light blue background, you most likely have CryptoWall. For removal and recovery information see
Cryptowall virus – Removal Guide and Decryption



CryptoLocker Virus – Removal and Decryption Information


The latest file-encrypting ransomware is called the CryptoLocker Virus. It is spreading at an alarming rate, with thousands of victims around the world already. The goal of the infection is to hold your files for ransom: it encrypts them and demands a fee for the key that would decrypt them.

CryptoLocker gets onto the computer through a dropper, most often an e-mail attachment disguised as a document, but also hijacked or malicious web sites and downloads that trick you into running them. Once it runs it installs itself in the background, hidden from view. The encryption uses a public key generated for your machine; the matching private key only ever exists on the attackers' server. That is the point to keep in mind for everything on this page: removing the malware stops further damage, but it does not decrypt anything that has already been encrypted. Files come back only from backups, from shadow copies (Previous Versions) that the malware failed to delete, or from file recovery.

Once the computer is fully infected you will see a prompt that reads "Your personal files are encrypted", with a countdown timer, and you lose the ability to navigate Windows normally. At that point the malware has written itself to disk, added registry entries so that it starts with Windows, and is running in front of the desktop, blocking your input.

The prompt states that your files have been encrypted. This covers photos, videos, documents and other personal files, including files on any mapped network drive the infected account can write to. To decrypt them, the note demands a ransom of a few hundred dollars (or the equivalent in another currency or in bitcoin) for a key. DO NOT pay this or any other ransomware. You have no guarantee that they will decrypt your files, and paying marks you as a target for further attacks, even identity theft.

As soon as a system is infected, CryptoLocker makes itself known in some way (messages, popups, sites or applications behaving oddly). If this happens, the best course of action is to disconnect the computer from the network immediately (unplug the cable or turn off Wi-Fi, so that it cannot reach mapped drives and shares) and then remove it. The longer it runs, the more files it encrypts and the more damage it does.

Because so many rootkits and infections cause popups and adware, it can be hard to pin down which software is responsible and difficult to remove it. Luckily, if you follow the instructions below you will be infection free.

We can be reached at 800.530.8514 if you need a malware removal specialist to assist.

 


What exactly is Ransomware, like CryptoLocker Virus?




Most of these infections are called hostage infections because they stop users from performing simple functions: running programs, browsing the web, checking e-mail, printing documents. You may notice that you cannot do some of these things with the CryptoLocker Virus. The worst part comes last: many ransomware families now encrypt or lock your personal files so that you cannot use them unless a payment is made, and leave a note with instructions on how to pay. Avoid paying by all means; restore from a backup, a restore point or Previous Versions instead. Users get infected by visiting compromised web sites, opening e-mail attachments that carry the infection, or downloading free software, games or music with the infection bundled in. Stay away from unknown download sites and peer-to-peer networks, as these attract infected traffic.

With an up-to-date antivirus and Microsoft's security updates applied, a user stands a good chance of stopping most of these infections before they run. Since CryptoLocker usually arrives as an e-mail attachment that the user has to open, not running unexpected attachments matters just as much. Once a system is infected, removal becomes harder: the malware puts defensive measures in place so that users cannot simply install a tool and remove it. This particular infection often needs a technician, because specific files, folders and registry entries have to be deleted by hand to complete the removal.

Ransomware comes in many shapes and forms. FBI MoneyPak, FBI, MoneyPak, Ukash, yorkshire, UK, Ice, Department of Justice, White screen, jak usunąć, Ransomware Reloaded, WinLock, Reveton, Zeus, Paysafecard, Metropolitan Police Service, Police National E-Crime Unit, Votre ordinateur a ete pour violation de la loi Française, CryptoLocker, CryptoWall, BitCrypt, PoshKoder and CryptoDefense are all names of ransomware that does the same thing: lock you out of your computer or your files.

If the ransomware you have is not the CryptoLocker Virus, I still encourage you to try these removal steps, as many ransomware variants live in the same locations and only differ in name.

To get past these roadblocks, we have put together a set of instructions that should help users remove the CryptoLocker Virus from their computers. Back up all important files before the removal process (keep the encrypted files too; do not delete them), and perform a full system tune-up afterwards. These two things prevent data loss and keep the computer running efficiently. If the following instructions do not work and you cannot get rid of the CryptoLocker Virus with our recommended software, call our virus removal hotline at 800.530.8514; we are open 24 hours a day, 7 days a week.

Click here for more about ransomware.

 




How to remove CryptoLocker Virus

  1. Option 1 – Do-it-yourself removal (ADVANCED; the sections below, in order)
    1. CryptoLocker Virus Removal Applications - 6 Steps
    2. Manual CryptoLocker Virus Removal - 20 Steps
    3. Restore/Recover the computer - 11 Steps (System Restore, Previous Versions and shadow copies: not decryption, but the way to get files back without a backup)
    4. Safe Mode With Networking - 8 Steps
    5. KickStart Flash Drive Option - 6 Steps
    6. Kaspersky Rescue Disk removal - 15 Steps

  2. Option 2 – Automated Removal
    1. Download our recommended Spyhunter4 here.
    2. Install it and let the software scan your PC.
    3. Once the CryptoLocker Virus and any other infections have been found, click "Fix Threats", register, and remove.

  3. Option 3 - Advanced Certified Technician
    1. Our friendly technicians are specially trained to remove the CryptoLocker Virus and are standing by to help you! Call us at 800-530-8514.
    2. Sit back and relax while we remove the CryptoLocker Virus and do any other needed work!


 

Option 1 – CryptoLocker Virus Removal Applications:

Easily remove the CryptoLocker Virus using Malwarebytes Anti-Malware Software.


1. Before we begin we need to boot into Safe Mode with Networking, because there is a good chance that with CryptoLocker you cannot work in normal mode. Shut down your computer if you have not done so already by holding the power button on the tower for 10 seconds, or until you hear it turn off.

2. When the computer is off, press the power button once to turn it back on. As soon as anything appears on the screen, tap "F8" (on Windows 8, Shift-F8) repeatedly until you see the "Advanced Boot Options" screen.

3. Select "Safe Mode with Networking" and let it boot to your desktop. If the ransom screen appears as soon as you log in, try another option or give us a call.

4. Open your web browser and download Malwarebytes from malwarebytes.org: click "Free Download" and, on the download page it sends you to, click the big green "Download Now" button. Download it only from the vendor's own site or the page it redirects you to, never from a link in a popup.



5. Once you have downloaded and installed Malwarebytes, open it and run a full system scan: select "Perform full scan" and click the Scan button at the bottom of the window.

6. When the scan is done, Malwarebytes displays the results, showing the malware found and possibly the CryptoLocker Virus itself. Select all of the malicious items and click the "Remove Selected" button at the lower left.


Note

If Malwarebytes did not work, here are some other popular CryptoLocker Virus removal tools:

Super Anti-Spyware, Hitman Pro, AVG Antivirus, Kaspersky, Microsoft Defender, and Microsoft Security Essentials.




Option 2 – Manual CryptoLocker Virus Removal (advanced):

 

Warning

This option is very advanced and should be handled with extreme care, or by a technician; give us a call if you have any questions or need help. Some of the files described in this sample solution may not exist in your CryptoLocker Virus infection, because there are many variants and the files are often named randomly. Do not be alarmed if you cannot find one of them: it may not be there, may have another name, or may be in a different location.

 

1. Turn the infected computer off completely by holding the power button for 10 seconds or until it shuts off. (If it is already off, skip this step.)

2. Turn the computer on and immediately tap "F8" (on Windows 8, Shift-F8) repeatedly until the "Advanced Boot Options" screen appears.

3. Select "Safe Mode with Command Prompt". A large amount of text scrolls by, and when it is done you see a black window labelled "Command Prompt" with a blinking cursor where you can type.

4. Type "explorer.exe" in that window and press "Enter". If done correctly, your Start Menu and desktop icons come back.


5. Now we need to show hidden files. Double-click any folder on your computer to open it (My Computer, My Documents, any personal folder will do).

With the folder open, hold down "Alt" and press "T". This opens the Tools menu; click "Folder Options". On the "Folder Options" page click the "View" tab at the top; it contains a list of settings.

About 7 or 8 check boxes down there is an entry named "Hidden files and folders" with two round option buttons under it (it is the only option with round buttons). Select "Show hidden files and folders", then click "Apply" and "OK". Hidden files are now displayed. On the same tab it helps to clear "Hide extensions for known file types", so that a dropper named like "invoice.pdf.exe" shows its real extension.

6. This step is the most important: removing the CryptoLocker Virus and its files. Below is a list of locations and file names that you will use to remove the infection.

Main CryptoLocker Virus location:

All Windows versions
%AppData%
    (Windows XP only: C:\Documents and Settings\%username%\Application Data\)
    (Windows Vista-8 only: C:\Users\%username%\AppData\Roaming\)

Less popular but still used locations:

Windows XP only
C:\Documents and Settings\%username%\Local Settings\Application Data\
C:\Documents and Settings\All Users\Application Data\
C:\Documents and Settings\%username%\Start Menu\Programs\Startup
Windows Vista-8 only
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\%username%
C:\Users\%username%\AppData\ (including AppData\Local, which is %LocalAppData%)
%ProgramData%
All Windows versions
%Temp%
%ProgramFiles%

The infection sometimes sits in a subfolder of its own inside one of these, with a random or product-like name.

 

Note

These are the locations where almost every ransomware, CryptoLocker included, lives. Occasionally an infection sits somewhere else, but these locations are the right place to start.

Infected file names

Note

Be aware that the name is often random, or even a random string of letters or numbers (for example TES20893.EXE or Snxtvfntrm.exe). The infection may also put itself in an oddly named folder. Do not judge a file by its icon: the dropper commonly carries a PDF or document icon on an .exe file.

 

Now that you know the common locations and file names, we will start the removal process. You need to go to each of the locations above and look for files that are on the list or that seem out of place.

A. Luckily the first location, the most popular one for CryptoLocker, works on every version of Windows. The CryptoLocker Virus is in this folder most of the time, compared to the other locations. If you find one of the listed files or a random-named file here, chances are that is your virus. Feel free to go through every location to be sure. Another popular location is %ProgramData%.

A typical case is a user with three different infections, all sitting in the %appdata% location; that is how the infection usually looks when you find it.

 

B. Bring up the "Run" box by holding down the "Windows" key and tapping "R".

    Note

    This opens a Run box with a field for a location. It can take you to every location written above and is your key to finding the CryptoLocker Virus on your computer.

C. When the Run box is displayed, type %APPDATA% (without quotes) in the text field and press "OK" or the "Enter" key.

     


D. This opens your Application Data folder. As stated above, 8 times out of 10 the virus is here. Normally this folder contains only subfolders, which hold the settings of applications such as Microsoft Office, Internet Explorer and Firefox; deleting a loose file at this top level will not stop Windows from starting.

    Note

    This does not mean delete items that look legitimate, but it should ease your mind about what you are removing. Look here for any file from the list above, or any file that seems out of place or random. A loose file at the top level of %APPDATA% that ends in .EXE, .DAT, .INI, .BAT or .COM, or has no extension at all, is very likely the infection. Do not go into the subfolders and delete there.

E. Once you have found a file or files that are on the list, or look like the virus, delete them and then empty the Recycle Bin by right-clicking it on the desktop and selecting "Empty Recycle Bin". If you want to keep a sample for a technician or an antivirus vendor, first copy the file to removable media and rename its extension (for example to .bin) so that it cannot be run by accident.

F. If you did not find a suspicious file in this location, it may be in one of the other locations listed earlier. Even if you found and removed a file you believe was the virus, you can check the other locations with the same steps: take the next location in the list, go back to step 6-B, and at step 6-C type that location instead of %APPDATA%.

    Note

    When checking the other locations, determine which version of Windows you have and only type the locations marked for your version plus the ones marked "All Windows versions".

    For example: on Windows XP, type the locations marked "Windows XP only" or "All Windows versions". On Windows Vista, 7 or 8, type the ones marked "Windows Vista-8 only" or "All Windows versions".

    If you are unsure which version you have, try them all. Windows tells you when a location you typed does not exist on your version.

    Remember that %APPDATA% is the only location that normally contains only folders, which makes the search easy. The other locations need a more careful search, because deleting the wrong files there can harm your computer. If you need help with this, give us a call.



G. After going through the locations and deleting the CryptoLocker files (or even if you found none), the next step is important. Even after the files that stop you booting are gone, more could be hiding in your %Temp% directory, and if nothing in the previous steps matched the description of a virus file, %Temp% is where it may be. This step is easy, because nothing in this location is needed. As in steps 6-B and 6-C, bring up the Run box by holding down the "Windows" key and tapping "R".

• When it is displayed, type %temp% (without quotes) in the Run box and press Enter.

• This opens your Temporary folder. There may be many files and folders here or very few; either way they are not needed. Hold down "Ctrl" and press "A" to select everything in the folder, or click the first item, scroll to the bottom, and click the last item while holding "Shift".

With everything selected, press the "Del" key, or right-click and choose "Delete", then click "Yes" to confirm. Some items may be in use and cannot be deleted; skip those and let the rest be deleted. When you are done the folder should be empty or nearly so.


H. Now that the CryptoLocker files are gone, you must remove the registry values that pointed at them, or they cause errors at startup and, if you missed a file, restart the infection.

Warning

Editing the registry without knowing what you are doing can leave your computer unable to start. Proceed with extreme caution or get the help of a technician by calling us!

    Open the Run box (see steps 6-B and 6-C), type regedit and press "OK" or "Enter".

    • This opens the Windows Registry Editor. If you remember the name of the infected file you deleted, search for it by holding "Ctrl" and pressing "F", and delete the value that references it.
    If you do not know the name, or did not find any infected files, look through the standard autostart keys, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce and the same keys under HKEY_LOCAL_MACHINE, for values whose command points into one of the locations listed above. The original CryptoLocker, as documented at the time, started itself from a value named "CryptoLocker" in the HKEY_CURRENT_USER Run key and kept its own data (the public key and the list of files it encrypted) under HKEY_CURRENT_USER\Software\CryptoLocker; delete those once the file they point to is gone.

Infected registry locations
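The search that steps 6-A to 6-G and step H describe by hand can be done in one pass. The script below is an added example, not a tool from this page or from any vendor named on it: it lists recently written executables in the drop locations from the list above, hashes each one so it can be checked against a scanner before it is deleted, and lists the Run/RunOnce values whose command points into one of those locations. It assumes it runs in an elevated PowerShell as the affected user (in Safe Mode with Command Prompt, type powershell at the prompt); the 7-day window and the extension list are heuristics of this example, not facts about CryptoLocker.

```powershell
# Added example, not the page's own tool: enumerate the drop locations from the list
# above for recent executables, and the autorun values that start them, before deleting.
# Assumptions: elevated PowerShell, logged on as the affected user; the 7-day window
# and the extension list are guesses to adjust. PowerShell 2.0 syntax (Windows 7+).

$since = (Get-Date).AddDays(-7)

# Drop locations from the list, expanded for the current user (missing ones are skipped).
$dropDirs = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:TEMP,
    $env:ProgramData,
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-Sha256([string]$Path) {
    # Hash via .NET so the sample can be looked up or sent to a vendor before deletion.
    $sha = [Security.Cryptography.SHA256]::Create()
    $fs = [IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Close() }
}

# 1. Recently written executables in user-writable locations.
$files = foreach ($dir in $dropDirs) {
    Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       $_.Extension -match '^\.(exe|dll|scr|com|bat|cmd)$' -and
                       $_.LastWriteTime -ge $since } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path    = $_.FullName
                Bytes   = $_.Length
                Written = $_.LastWriteTime
                SHA256  = Get-Sha256 $_.FullName
            }
        }
}
'--- Recent executables in drop locations ---'
$files | Sort-Object Written -Descending | Format-Table Written, Bytes, SHA256, Path -AutoSize

# 2. Run/RunOnce values (per-user and machine-wide). A command that resolves into a
#    drop location is the persistence that step H tells you to remove.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$watch = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) | Where-Object { $_ }

$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object {
            $p = $_
            # Expand %AppData%-style variables and drop a leading quote so StartsWith works.
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value).TrimStart('"')
            $suspect = $false
            foreach ($w in $watch) {
                if ($cmd.StartsWith($w, [StringComparison]::OrdinalIgnoreCase)) { $suspect = $true }
            }
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $cmd; Suspect = $suspect }
        }
}
'--- Autorun values (Suspect = command lives in a drop location) ---'
$autoruns | Sort-Object Suspect -Descending | Format-Table Suspect, Name, Command, Key -AutoSize
```

Hits still need judgment: installers legitimately drop executables under %ProgramData% and %LocalAppData%, so use the hash, the timestamp and the random-looking name together, and delete the registry value only after the file it points to is gone.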






Option 3 – Restore-Recover Computer:

CryptoLocker often fails to remove System Restore points and shadow copies, and when it has failed they are your best route to getting files back, since nothing on this page decrypts a file without the attackers' private key. Be clear about what each tool does. System Restore rolls back Windows system files, installed programs and the registry (which also removes the infection's startup entries), but it does not touch your documents, photos or other personal files. Those come back from the same shadow copies through Previous Versions: on Windows Vista to 8, right-click a folder, choose "Restore previous versions", and pick a date from before the files were affected. ShadowExplorer is a free tool that browses the same shadow copies and lets you copy files out of them. Do this before any cleanup that might clear the shadow copies, and copy recovered files to another drive rather than over the encrypted ones. Some CryptoLocker variants delete the shadow copies as they run, so if none are listed, a backup is the remaining option.
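The Previous Versions recovery described above, as an added PowerShell example that is not part of this guide and not ShadowExplorer's code: it mounts the newest shadow copy of C: as a folder and copies out the shadow version of every document whose live copy looks encrypted. It assumes the documents live on C:, uses the placeholder paths D:\recovered and C:\shadow, and treats a byte-entropy reading of 7.5 bits per byte or more as "looks encrypted", which is a heuristic, not a property of CryptoLocker; run it from an elevated PowerShell on Vista or later, after the malware has been stopped.

```powershell
# Added example, not the page's own tool: recover intact copies of encrypted documents
# from the newest Volume Shadow Copy of C:, the data "Previous Versions" reads.
# Assumptions: elevated PowerShell on Vista or later; $UserDocs is on C:; $Recovered
# and $Mount are placeholders; the 7.5 bits/byte threshold is a heuristic.

$UserDocs  = "$env:USERPROFILE\Documents"   # folder whose files were encrypted (on C:)
$Recovered = 'D:\recovered'                 # where recovered files go; never over the originals
$Mount     = 'C:\shadow'                    # junction that will expose the shadow copy

function Get-Entropy([string]$Path) {
    # Shannon entropy (bits per byte) of the first 64 KiB. Ciphertext is close to 8;
    # text and most office files sit well below. Already-compressed formats (zip, jpg,
    # docx) are high either way, which is why the shadow copy is also compared by hash.
    $fs = [IO.File]::OpenRead($Path)
    try { $buf = New-Object byte[] 65536; $n = $fs.Read($buf, 0, $buf.Length) }
    finally { $fs.Close() }
    if ($n -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }
    $h = 0.0
    foreach ($c in $counts) { if ($c -gt 0) { $p = $c / $n; $h -= $p * [Math]::Log($p, 2) } }
    return $h
}

function Get-Sha256([string]$Path) {
    $fs = [IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($fs)) }
    finally { $fs.Close() }
}

# 1. Newest shadow copy of the volume behind C:. InstallDate is a WMI timestamp string
#    (yyyymmddHHMMSS...), so string order is time order.
$cVolume = (Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }).DeviceID
$shadow  = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $cVolume } |
           Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $shadow) { throw 'No shadow copies exist for C:. This recovery route is not available.' }
"Using shadow copy $($shadow.ID) created $($shadow.InstallDate)"

# 2. Expose it as a folder. The trailing backslash on the device path is required.
if (Test-Path -LiteralPath $Mount) { throw "$Mount already exists; pick another mount point." }
cmd /c mklink /d $Mount "$($shadow.DeviceObject)\" | Out-Null
try {
    $relDocs    = $UserDocs -replace '^[A-Za-z]:\\', ''
    $shadowDocs = Join-Path $Mount $relDocs
    Get-ChildItem -LiteralPath $UserDocs -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $rel = $_.FullName.Substring($UserDocs.Length + 1)
            $old = Join-Path $shadowDocs $rel
            if (-not (Test-Path -LiteralPath $old)) { return }   # not in the shadow copy
            $liveH = Get-Entropy $_.FullName
            # 3. Copy the shadow version only when the live file looks like ciphertext
            #    and the shadow version is genuinely different content.
            if ($liveH -ge 7.5 -and (Get-Sha256 $old) -ne (Get-Sha256 $_.FullName)) {
                $dest = Join-Path $Recovered $rel
                New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
                Copy-Item -LiteralPath $old -Destination $dest
                '{0,4:N2} bits/byte  {1}' -f $liveH, $rel
            }
        }
}
finally {
    cmd /c rmdir $Mount | Out-Null    # removes only the junction, not the shadow copy
}
```

If the newest shadow copy was taken after the encryption ran, its files hash the same as the live ones and nothing is copied; pick an older one by changing the Select-Object line. Open a few recovered files by hand before trusting the batch.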

There are three different ways to restore and recover your system


Option 1: Start Menu Restore:


A. Open the Windows Start Menu and select All Programs.

B. Select the Accessories folder.

C. Select System Tools, then "System Restore". You may be asked for confirmation.

D. Follow the instructions to restore your computer to a date before the virus was on it.

 

Option 2: Windows run box Rstrui.exe Restore:


A. Open the Run box by holding the "Windows" key and pressing "R"; type rstrui.exe and press Enter.
(On Windows XP type C:\windows\system32\restore\rstrui.exe.)

B. Follow the instructions in the System Restore wizard to restore your computer to a time and date before it was infected by the CryptoLocker Virus.

 

Option 3: Safe Mode With Command Prompt Restore:


This step is suggested if you are unable to access Window’s desktop.


Note

If Windows has trouble starting Safe Mode and comes up with a black screen with the words "Safe Mode" in all four corners, move your cursor to the lower left corner, where the Start Menu search box would be, and it will appear.

A. Reboot your computer; if you have trouble restarting it, simply unplug it.

B. To enter Safe Mode press "F8" repeatedly as the computer restarts. If done properly you see the Windows Advanced Options menu with three Safe Mode entries. Select "Safe Mode with Command Prompt" with the arrow keys and press Enter.

C. Be ready to type explorer when the Command Prompt opens, and press Enter; you only have a few seconds before the CryptoLocker Virus stops you typing. When your desktop is back, hold down the "Windows" key (bottom left of the keyboard) and tap "R" to open the Run box.

D. In the Run box type:

Windows XP: C:\windows\system32\restore\rstrui.exe and press "Enter"
Windows Vista/7: C:\windows\system32\rstrui.exe and press "Enter"

E. Now follow the steps to restore your computer to a time before the virus was on it, called a restore point.







Option 4 – Safe mode with Networking:

This option is for users who need additional files from the internet, or whose applications are malfunctioning because of the virus. The idea is to get connected to the internet and fetch an application to remove the CryptoLocker Virus.

1. Turn off your computer by holding the power button for ten seconds or until you hear or see it turn off (unplug it if needed), then press the power button to turn it back on.

2. As soon as the computer comes back on, press "F8" repeatedly until the "Windows Advanced Options" menu comes up. Use the arrow keys to scroll to "Safe Mode with Networking" and press "Enter".

3. There are two options from here:

• Follow steps 6 A-H above to perform a manual removal from this point.

OR

• Download Malwarebytes to remove the malicious files (follow the steps directly below).

A. Download the free or paid version of Malwarebytes from malwarebytes.org.

B. Once you have downloaded and installed Malwarebytes, open it and run a scan: select "Perform quick scan" and click the Scan button at the bottom of the window.

C. Once the scan is complete, Malwarebytes displays the results, showing the malware detected. Select all of the malicious items and click the "Remove Selected" button at the lower left.

Note

If Malwarebytes did not work, here are some other popular CryptoLocker Virus removal tools:

Super Anti-Spyware, Hitman Pro, AVG Antivirus, Kaspersky, Microsoft Defender, and Microsoft Security Essentials.





KickStart USB Removal:

With some infections you cannot get into Safe Mode of any kind, which complicates things. Luckily there is a way to remove the infection from outside the Windows environment. In this option we use the HitmanPro.Kickstart application.

This option requires a USB flash drive and a second, clean computer. The flash drive is erased while HitmanPro is written to it, so make sure there are no important files, pictures, music or documents on it!

1. Log on to the clean, uninfected computer and download the HitmanPro.Kickstart setup file. The link below takes you to HitmanPro's download page.

Click here to Download HitmanPro Kickstart

2. Once the HitmanPro setup file is downloaded, plug a USB flash drive into the clean computer; HitmanPro.Kickstart will be installed onto it, so it must be one you can erase. Open the file HitmanPro.exe, the 32-bit or 64-bit edition depending on the clean computer's version of Windows.

The vendor's video "How to use HitmanPro.Kickstart to Delete Ransomeware Infections" shows how to turn the USB drive into a HitmanPro.Kickstart drive.

3. Make sure the infected computer is turned off completely. Plug the HitmanPro.Kickstart USB drive into it and turn it on. As it starts, press F8, F10, F11 or F12 (the key differs by BIOS manufacturer) to enter the BIOS boot menu, and choose the HitmanPro.Kickstart USB drive. The same video shows how to use the drive to delete the infection once it has booted.





Kaspersky Rescue Disk Removal:

If the other steps did not remove the infection, use this one. You need a clean computer that is not infected and has internet access, a blank CD or DVD, and a CD/DVD burner in the clean computer.

1. Download Kaspersky Rescue Disk and burn it to a CD

A. Below is a link to download Kaspersky Rescue Disk:

Click here to Download Kaspersky Rescue Disk

B. Download ImgBurn from the link below; it is needed to create the rescue disk:

Click here to Download ImgBurn

C. Place the blank CD or DVD in the clean computer's disk drive, open ImgBurn and select "Write image file to disc".

D. Click "Browse for a file" in the Source section, go to where you saved the Kaspersky Rescue Disk image (it looks like Kav_rescue_10.iso), and press Write to create the rescue disk.

2. Use the Kaspersky Rescue Disk to cure the infection

A. Place the rescue disk in the infected computer's drive, hold the power button for ten seconds to power it down, and when it is completely off press the power button to turn it back on. Almost immediately a screen asks you to press any key to enter the menu; press a key and the computer continues booting from the rescue disk.

B. Select a language, choose "Kaspersky Rescue Disk. Graphic Mode", and press ENTER. The rescue disk starts.

3. Use the Kaspersky Rescue Disk to scan and remove the infection

A. When it has finished booting you see a desktop similar to a Windows desktop, with Kaspersky Rescue Disk open in the centre of the screen.

B. Go to the "My Update Center" tab and press "Start update". This fetches new definitions and any other information the program can use; it may take some time.

C. When the update is complete, go to the "Objects Scan" tab, choose which drives to scan, and press "Start Objects Scan".

D. Kaspersky alerts you when it finds a virus or trojan. Press "Delete" or "Quarantine" to remove it.

E. Now that removal is complete, reboot the computer. Remove the rescue disk from the drive first, to avoid booting back into it. At the bottom left of the screen, where the Windows Start button would normally be, is the blue Kaspersky start button; click it and choose Restart. The computer starts up into your normal Windows.




Nate - Admin

Growing up I always had a passion for computers and programming. My goal now is to take that knowledge and help others who do not have it. With the rapid rate at which infections are released every day, it is hard for everyone to keep on top of it. That's what this site was made for. I'm currently a computer programmer at a tech support company, but have always been a technician at heart. I spend my free time reverse engineering viruses to develop cures and learn how they work. This makes helping people who have been infected with any kind of virus an easy and fun task for me. Need help? Leave a comment on any page, or use the "Contact Us" page and I will respond as soon as I can!

71 comments on "CryptoLocker Virus – Removal and Decryption Guide"

  1. Microsoft can’t decrypt your files for you – they don’t have the private key. The title of this article is misleading. Cleanup process is good, but the only way to get your encrypted files back is to restore from backup or Shadow Copies (Previous Versions). Please update your article accordingly.

    • Hi Rob,
      Thanks for responding! CryptoLocker and other cryptic infections can be a tricky thing to recover from, and I understand what you are saying. But at FreeTechSupport we can decrypt a lot of the currently popular infections that encrypt your files, and even if we can't, we have very in-depth ways of performing disaster recovery. This method proves very successful where decryption isn't possible, as the infection will delete the original file after replacing it with an encrypted copy.

      You see, when a file is deleted on Windows, it isn't completely gone. In a way Windows simply detaches the file from the partition. To a regular Windows user this looks as if the file is completely gone, but in actuality the file is still there! Pulling these files back, though, can be a long and difficult process, and can require a skilled person to accomplish it. So we have technicians trained in disaster recovery for these situations, to pull back precious files deleted by these nasty viruses.

      So if you do have this infection and your files are encrypted, please STOP all use of the infected computer and turn it off, as using the computer after the original files are deleted can make the recovery harder for any technician performing the disaster recovery.

      Thanks,
      Nate

  2. Of course, this is all moot, since CryptoLocker also irreparably destroys networking (in Windows 7 at least), and no post anywhere gives the procedure for restoring it! It’s re-build time!!!

    • Hello Bob,
      I do not understand what you are referring to. CryptoLocker has never had any reports of “destroying” networking on any version of Windows. Also, in my personal experience of dealing with CryptoLocker, which has been more times than I care to know, CryptoLocker will enter a computer through a dropper (email, web, RDP, false download, hijacked site, etc.) and infect the computer. When all of CryptoLocker's malicious files have been properly placed, and the encryption of your files has started, it will display a splash screen that your computer is locked and has a timer. After this timer expires, the screen will go away but all your files will remain encrypted, and also the malicious files are left. This is all that CryptoLocker does. Of course I can go into more detail of what happens on the back end, but this is a small summary.

      Now if you are referring to a “Network Drive” then yes, CryptoLocker can encrypt files on a network drive mapped to your infected computer. Is this what you were referring to?

  3. Jagadeesan said:

    Hi, I have this problem (CryptoLocker). I removed the virus, but my files are encrypted. Can you help? I am in Chennai, India.

    • Hello Jagadeesan,
      Getting your personal files back from CryptoLocker can be tricky. You may be able to, though, by either looking through your shadow copies / previous versions to bring back the original file, or by having a technician do a Disaster Recovery on your computer. If you need help at all with this process please give us a call; we will do everything we can to bring back your personal files with our Disaster Recovery software. We can also assist you in making sure the virus is gone, and stays gone.

  4. monsterpcsolutions@live.com said:

    To Bob….the malware changes your IP address in your networking adapters’ properties

    • Hello monster,

      Thanks for sharing this information. If you notice that the infected computer has no internet after the infection is removed or the splash screen goes away, you can regain it by changing your IP back to what it was before the attack:

      Step 1: Hold down the “Windows” key and press “R”. This will display the Run box.

      Step 2: Type in “ncpa.cpl” (without quotes). This will display your “Network Connections”.

      Step 3: If you use a wire (Ethernet cable) to connect to the internet, right-click the “Local Area Connection” that is assigned to your network and click “Properties”. If you use a wireless connection to connect to the internet, right-click the “Wireless Network Connection” that is assigned to your network and click “Properties”.

      Step 4: Double-click on “Internet Protocol Version 4 (TCP/IPv4)” in the Properties list. (If you use IPv6 click it instead, though this is quite rare.)

      Step 5: If you have a static IP, enter it in the “IP Address” field. Otherwise simply click “Obtain an IP address automatically” and click OK.

      This will bring your internet back to normal.
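The same check and reset as a script, added here as an example and not part of the commenter's steps. It uses WMI (Win32_NetworkAdapterConfiguration) rather than the newer NetTCPIP cmdlets so it also works on Windows 7, which the thread mentions. Show-IpConfig prints every IP-enabled adapter with its DHCP flag, address, gateway and DNS servers so a tampered static setting stands out; Reset-AdapterToDhcp then puts the named adapter back on DHCP for both address and DNS. The adapter name in $AdapterName is an assumed placeholder; copy the "Description" value printed by Show-IpConfig. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original page): inspect every enabled adapter's
# IP settings and revert one of them to DHCP for address, gateway and DNS.
param(
    # Assumed placeholder; use the Description shown by Show-IpConfig.
    [string]$AdapterName = "Realtek PCIe GBE Family Controller"
)

function Show-IpConfig {
    # Print the current state of each IP-enabled adapter so a static address,
    # gateway or DNS server left behind by malware can be spotted.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        Select-Object Description, DHCPEnabled,
            @{ n = 'IPAddress';  e = { $_.IPAddress -join ',' } },
            @{ n = 'Gateway';    e = { $_.DefaultIPGateway -join ',' } },
            @{ n = 'DNSServers'; e = { $_.DNSServerSearchOrder -join ',' } } |
        Format-Table -AutoSize
}

function Reset-AdapterToDhcp {
    param([Parameter(Mandatory)][string]$Description)

    # WQL string literals use single quotes; double any quote inside the name.
    $escaped = $Description.Replace("'", "''")
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration `
        -Filter "IPEnabled = TRUE AND Description = '$escaped'"
    if (-not $nic) { throw "No IP-enabled adapter named '$Description'" }

    # EnableDHCP() discards a static address and gateway and turns DHCP back on.
    # SetDNSServerSearchOrder() with no list clears statically set DNS servers
    # (a common tampering target) so DHCP-supplied servers are used again.
    # ReturnValue 0 = success, 1 = success but a reboot is required.
    $dhcp = $nic.EnableDHCP()
    $dns  = $nic.SetDNSServerSearchOrder()
    [pscustomobject]@{
        Adapter    = $Description
        EnableDHCP = $dhcp.ReturnValue
        ResetDNS   = $dns.ReturnValue
    }
}

Show-IpConfig
Reset-AdapterToDhcp -Description $AdapterName
ipconfig /release | Out-Null
ipconfig /renew | Out-Null
Show-IpConfig
```

If the second Show-IpConfig still shows DHCPEnabled as False, or a return value of 1, reboot once and check again; if the address was genuinely static before the attack, enter it with the dialog above instead of running the reset.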

  5. BS Spotter said:

    You need to retitle this to removal guide. You do not show, nor is it possible, how to decrypt the files or restore to a previous version without a backup not connected to the infected computer. You simply took a very long-winded approach to say “Run Malwarebytes, and when you're unable to recover your files, call us.”

    • Hello,

      It is unfortunate that you feel this way, but you are misinformed. Though with some infections decryption is impossible, there are always ways around it. It makes things harder when you do not have a backup, but to say that it is impossible to get your files back without a previous version or backup is wrong. This kind of situation is exactly what extensive Data Recovery was made for: getting your most precious files back without a single backup. In a comment above this one I explain the rough edges of how it works. All that you need to do to have a chance at getting your files back through Data Recovery is to cease using the computer after your files are encrypted and run the appropriate software. Thanks for the comment!

  6. Keith Duvall said:

    So you’re saying that you can recover files because the malware deletes the original after creating an encrypted copy. You can recover deleted files from a hard drive because the data still exists; the File Allocation Table just doesn’t know about it. The flaw in your logic is that the virus is constantly creating new encrypted files and deleting the originals. This process will overwrite the hard drive platter residual files that you’re claiming you can recover. I think you may be able to get a small amount of data, but nothing substantial. The bottom line is this is a very effective virus. It shreds your documents and demands $$ to unshred them. You HAVE to pull from a backup, otherwise you’re finished. Don’t even think about paying them – unless you would like to see what having your identity stolen is like.

    • Hello Keith,

      Thank you for the information you provided! But not all of your statement is true. I agree that you should not pay for this ransomware to decrypt your files, but “CryptoLocker” does not zero out any files. Nor does it keep going over encrypted files over and over. It creates a list of files to encrypt, then uses a server-side RSA key to encrypt them. There are also some lower forms of encryption it uses on top of RSA, but no need to go into that. After encrypting your files the splash screen stays up until the timer has run out, and then the damage is done. Here at FTS we perform at least one Data Recovery a day from the CryptoLocker virus, and many have had great results and received all their personal documents back. Others who have used their computer too long after the infection hit them aren't so lucky, but even they get a few documents back.

      Thanks!

  7. I found an easy solution to quickly disable this thing: use Option 2, and after locating the bad file(s) right-click it in Windows Explorer, go to Properties | Security, Edit permissions and click “Deny” for “Full Control” for all users, including System and Administrators. Then restart in Safe Mode without networking. Guaranteed it will not execute, because all access to this file will be denied, including the run command from the registry. After safely restarting, you will be able to delete this bad file and run your favorite malicious code removal software. The reason I used this method was that deleting the bad keys in the registry did not work; they would appear again after restarting. Also it was nearly impossible to run the malware scanner while this thing was running in the background.

    • Hello Jas,

      Thanks for all the wonderful information! Though it may not work on some, because if CryptoLocker is attached to a process before “Group Policies” is started, then the file will start regardless. As long as you remove the registry keys and the infected files, and run an Anti-Virus / Malware scan for good measure, you should be CryptoLocker free! Once again thanks for all the wonderful information, and I hope it helps others that are having a hard time with the above steps!

      Thanks!

  8. One more thing, be sure to return the permissions to the default in order to delete it.
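The deny-then-reboot technique from comments 7 and 8 as a script, added here as an example rather than the commenter's own commands. Phase "Lock" records the file's hash, size, timestamps and any Run/RunOnce value that references it (so the evidence survives deletion), then adds a deny-all ACE for Everyone with icacls and marks the next boot as Safe Mode with bcdedit. Phase "Cleanup", run after that reboot, removes the deny ACE (comment 8's point: the file cannot be deleted while the ACE is in place), deletes the file, and clears the Safe Mode flag. The path in $Suspect is an assumed placeholder for whatever file Option 2 turned up. Run elevated.

```powershell
# Added example (not the commenter's own script): neutralize a suspected
# CryptoLocker executable, reboot into Safe Mode, then delete it.
param(
    [ValidateSet('Lock', 'Cleanup')][string]$Phase = 'Lock',
    # Assumed placeholder; replace with the file located in Option 2.
    [string]$Suspect = (Join-Path $env:APPDATA 'suspect.exe')
)

$Everyone = '*S-1-1-0'   # SID form of Everyone, covers SYSTEM and Administrators too
$RunKeys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-SuspectEvidence {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    # Get-FileHash exists from PowerShell 4; fall back to certutil on Windows 7.
    $hash = if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    } else {
        ((certutil -hashfile $Path SHA256)[1] -replace ' ', '').ToUpper()
    }
    $leaf = Split-Path -Leaf $Path
    $refs = foreach ($k in $RunKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty $k).PSObject.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -like "*$leaf*" } |
                ForEach-Object { "$k : $($_.Name) = $($_.Value)" }
        }
    }
    [pscustomobject]@{
        Path    = $Path
        SHA256  = $hash
        Size    = $item.Length
        Created = $item.CreationTime
        RunRefs = @($refs)
    }
}

function Lock-Suspect {
    param([Parameter(Mandatory)][string]$Path)
    $ev = Get-SuspectEvidence -Path $Path
    $ev | Format-List | Out-String | Set-Content "$env:USERPROFILE\Desktop\suspect-evidence.txt"
    # Deny Full control to Everyone: nothing, including the Run key, can start it.
    icacls $Path /deny "${Everyone}:(F)" | Out-Null
    # Next boot is Safe Mode (no networking); braces must be quoted in PowerShell.
    bcdedit /set '{current}' safeboot minimal | Out-Null
    Write-Host "Locked $Path; reboot, then run with -Phase Cleanup"
}

function Remove-Suspect {
    param([Parameter(Mandatory)][string]$Path)
    # The deny ACE blocks deletion as well, so strip it first.
    icacls $Path /remove:d $Everyone | Out-Null
    Remove-Item -LiteralPath $Path -Force
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    Write-Host "Removed $Path; Safe Mode flag cleared, run a full scan before rebooting normally"
}

if (-not (Test-Path -LiteralPath $Suspect)) { throw "File not found: $Suspect" }
switch ($Phase) {
    'Lock'    { Lock-Suspect   -Path $Suspect }
    'Cleanup' { Remove-Suspect -Path $Suspect }
}
```

Keep the evidence file: the SHA256 lets you confirm later whether an antivirus vendor already knows the sample, and the Run-key references tell you which values to clear once the process can no longer re-create them.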

  9. Jackie said:

    The pop up window just showed up today. I’m running the malware scan and it’s taking a while. 4 hours already. Should I wait? Or is there another quicker option?

    • Hello Jackie,

      Do you mean that the CryptoLocker window just showed up today? If so, I would immediately shut down your computer and use either the Hitman Pro Kickstart step or the Kaspersky CD step. The less you use your computer's Windows OS the better.

  10. Yet another item that may help: a search in regedit for “cryptolocker” came up with a list of the affected files, for example [HKEY_USERS\S-1-5-21-431169243-120942345-1887955387-1001\Software\CryptoLocker\Files]. This will give you some idea which files need attention. While all on the list may be corrupted, a full system restore may be averted and you can just focus on the files on the list that are important to you, saving time and headaches. Hope this helps!

  11. Almost forgot: if you right-click on the registry key described in the previous message while in regedit (which lists the affected files), you can export it separately to a “.reg” file. Then, renaming this file to “.txt” will allow you to view and edit it with your favorite text editor. I used Notepad++ (free tool) because I can search and replace and script out a .bat file or similar to automate the cleanup or restore operation. Cheers and kudos to all who have helped to control and disable this malware.
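A script version of comments 10 and 11, added as an example and not the commenter's own. Get-CryptoLockerFileList reads the value names under HKCU\Software\CryptoLocker\Files either live from the registry or from a .reg export, and ConvertFrom-RegExportNames does the part Notepad++ was used for: .reg files write each value as "name"=data with backslashes and quotes inside the name escaped as \\ and \", and exports are UTF-16 with a BOM. The sample export embedded below is constructed for the example. One normalization is an assumption not stated on this page: the infection is reported elsewhere to record paths with "?" in place of "\", so names in that form are converted; plain paths pass through unchanged.

```powershell
# Added example (not the commenter's script): turn the CryptoLocker "Files"
# registry key, live or exported, into a triage list of encrypted paths.

function ConvertFrom-RegExportNames {
    param([Parameter(Mandatory)][string[]]$Lines)
    # .reg value line: "name"=data. Inside the name, \\ is a backslash and \" a quote.
    foreach ($line in $Lines) {
        if ($line -match '^"((?:[^"\\]|\\.)*)"=') {
            $Matches[1] -replace '\\(["\\])', '$1'
        }
    }
}

function Get-CryptoLockerFileList {
    param([string]$RegExport)
    $key = 'HKCU:\Software\CryptoLocker\Files'
    if ($RegExport) {
        # regedit / "reg export" write UTF-16LE with a BOM.
        $names = ConvertFrom-RegExportNames (Get-Content -LiteralPath $RegExport -Encoding Unicode)
    } elseif (Test-Path $key) {
        $names = (Get-Item $key).GetValueNames()
    } else {
        throw "No export given and $key is absent"
    }
    foreach ($n in $names) {
        # Assumption (not from this page): '?' may stand in for '\' in the stored path.
        $path = if ($n -notmatch '\\' -and $n -match '\?') { $n -replace '\?', '\' } else { $n }
        $drive = if ($path -match '^([A-Za-z]:)') { $Matches[1] } else { 'UNC' }
        # Regex instead of [IO.Path]::GetExtension, which rejects quotes in a path.
        $ext = if ($path -match '(\.[^.\\]+)$') { $Matches[1].ToLower() } else { '' }
        [pscustomobject]@{ Path = $path; Drive = $drive; Extension = $ext }
    }
}

# Constructed sample export for the example; a real export comes from
#   reg export HKCU\Software\CryptoLocker\Files files.reg
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000000
"C:\\Users\\alice\\Pictures\\trip\\IMG_0001.jpg"=dword:00000000
"Z:\\shared\\contracts\\lease \"final\".docx"=dword:00000000
'@
$tmp = Join-Path $env:TEMP 'cryptolocker-files-sample.reg'
Set-Content -LiteralPath $tmp -Value $sample -Encoding Unicode

$list = Get-CryptoLockerFileList -RegExport $tmp
$list | Group-Object Drive     | ForEach-Object { "{0,-4} {1} file(s)" -f $_.Name, $_.Count }
$list | Group-Object Extension | Sort-Object Count -Descending | Select-Object Name, Count
$list | Sort-Object Path | Select-Object -ExpandProperty Path |
    Set-Content -LiteralPath "$env:USERPROFILE\Desktop\encrypted-files.txt"
```

Drop the -RegExport argument to read the live key on the infected machine (from a clean boot, per the advice above), or keep the export so the list can be worked through on another computer. The Z: entries are the ones to check first: a mapped network share means the server's files were hit too.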

  12. Francis said:

    The worst thing I've encountered with this virus is that all my drivers and services are disabled. Thanks to Malwarebytes I've gotten rid of the virus, but the files are still encrypted. Is there any other process aside from Shadow Explorer and Panda Unransom??? Please send me a reply or add me on my Facebook, –Removed Email to protect user from Spam–

    • Hello Francis,

      Thanks for the comment! Unfortunately there is no other way besides backups, previous versions, shadow copies, and advanced Data Recovery. Also in this case, Panda Unransom will not help. Please contact us for more information!

      Thanks!

  13. gazpefoc said:

    Safest way is to unplug the computer from the wall plug immediately after the pop-up shows up and not start it again. Then remove the HDD, put it in another computer that is clean and has an antivirus that detects this virus, and run software to recover deleted files.

    • Hello gazpefoc,

      You are entirely right! Your best bet to make it through this infection with your personal files intact is to immediately turn off your machine and use either a live disk or another computer to remove the infection and perform Data Recovery. If you ever need any help with this, please call us at (800) 530-8514 .

  14. RAWINFO said:

    What about if all of your files are already encrypted? Will this ransomware still be able to unencrypt and then re-encrypt your files using their key?

    • Hello RAWINFO,

      Thanks for the comment! But I am unsure of what you are asking. If you're asking whether, if you encrypted your files yourself and then got the virus, it will still encrypt them, then yes it will. It uses RSA encryption and will simply encrypt over your own. I hope this answers your question, and if not please post back!

      Thanks!

  15. RAWINFO said:

    Thanks for your answer to my previous question. It did tell me what I wanted to know. A follow-up question. It says that it will also encrypt files on mapped drives on the infected computer. If the infected computer (client) is shut off will it continue to encrypt files on the mapped drive (server) or will it stop once the infected machine is shut down?

    • Hello rawinfo,

      I’m glad my previous answer helped! As for your follow-up question, if you shut down the infected computer it will stop the encryption, provided the infection is not also on the server. But as soon as you start up the infected computer again, it will start right where it left off. If the computer is infected I would suggest turning it off right away, booting into a live disk of some sort (WinPE etc.) and removing the infection and performing data recovery. That way the damage is very minimal. Thanks.

  16. Non Ogm said:

    Hello, a question, please: are computers running Linux (i.e. Ubuntu) concerned too? Thank you for your reply.

    • Hello Non Ogm,

      Thanks for the comment, and no. Linux-based OSes are not bothered by this infection at all. In fact you can use an Ubuntu disk to remove the infection from your Windows-based computer!

  17. mohamed said:

    Great

  18. mohamed said:

    Thanks a lot for your support.
    Can you tell me what is the best data recovery software to use after removing the virus?
    Appreciate your Support

    • Hello mohamed,

      After removing the virus, if you do not have any Data Recovery experience, I would try using “Shadow Explorer”.

      But if you have no system restore points, this step will not work. If you have no system restore points try “iCare Data Recovery”.
      You can have great success with this software if you did not use your computer a lot after the infection was removed.

  19. dhananjay said:

    Hello Sir, I got a virus (CryptorBit) from the internet. After that all my data is encrypted. How do I decrypt all affected documents? Please help me…

    • Hello,
      Dhananjay, I have sent you an email. Please respond if you have the time. But for now, treat this as the same infection as you see above, and take the proper steps to remove it.

  20. So to prevent Infection I presume you can do this? : Windows+R type:gpedit.msc Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Encrypting File System in the Group Policy Editor. Right-click on Encrypting File System and select Properties. Select Don’t Allow under the category File Encryption using File Encryption System. Then click OK to save the settings. Voilà..

  21. davidt said:

    Hi Nate, how do you do? I read your page. I just want to say thank you for your favour, for the time you give to help others. Thank you. Good luck.

  22. How quickly does CryptoLocker capture drive C:/, within minutes, hours or days? Thanks in advance for any reply.

    • durion,

      The infection can happen within minutes.

      • Hi Dear,
        I bought the McAfee Antivirus Total Protection version, installed it and scanned all drives. After it ran for a few hours to finish, I found out all my drives, including the external drives connected to my laptops (which I used to connect via LogMeIn to my office computer, the infected computer), have been encrypted.
        What should I do and what can you help? What would be the cost to decrypt all infected files?
        Please help.

        Currently the only way to restore files from CryptoLocker is to use a backup, a System Restore point, or to try a disaster recovery software. Also the price if you pay the ransom varies as it is in bitcoins. I believe it starts at 400 for the first 3 days, and then jumps to 1000, and then over 2000.

      • I removed cryptolocker from my computer.
        All Word docs and Excel spreadsheets were on a USB flash drive, which are encrypted.
        Is there a way to decrypt the flash drive ?

        The only way currently to restore files from CryptoLocker is to restore from a backup or use disaster recovery software. You may also try a System Restore if the infection did not succeed in removing the restore points.

  23. Pingback: Security Concerns for 2014 | Business Management and Technology

  24. steve said:

    Hello, I got hit with CryptoLocker on my laptop and, being dumb, I plugged in my external drive and copied a folder to the external drive, then unplugged it. Now, after that, I found a button on the CryptoLocker screen that said “for a list of infected files click here”, so I did, and all the files on my hard drive showed up and only the one folder on my external drive showed up. Now my question is: if I plug that drive into another computer, will CryptoLocker take that computer over too, or will the files in the affected folder just be unusable? I can live with that because there are other folders on there with files I use that are older, but it will be better than losing all of them.

  25. Harry said:

    Hi… I work for a charity and we don’t have an IT expert. We’ve come into work and found one of our PCs has been infected with the “cryptolock” virus… which I have now removed. However I cannot open a number of MS Word documents on our shared drive. I just get a garbled message text box. Is there any way I can recover these files?
    thanks in advance
    Harry

  26. I was infected with that CryptoLocker virus recently, but I'm in Colombia. Can you tell me if you can still help me decrypt the files? Can you send me info on my email about this? If you ask for money, how much is it? Thanks.

  27. Nick said:

    Hi,

    I saw all the steps and everything seems logical to me. My only question is: what if you have a server and got the CryptoLocker virus? When I go to restore the previous versions it tells me you don’t have any previous versions. I guess the server doesn’t carry previous versions.
    What should I do in this case?

    Thank you

    • Servers can have restore points, but it all depends on whether you had them turned on, or ever made one. If not, the only other option is to restore from a backup or use disaster recovery software (which doesn't always work).

  28. Hi, my laptop and my external hard drive were infected by the “howdecrypt” virus. I removed the virus, but my files (images, videos, Word and Excel files) are encrypted. Please help me to restore or repair my files.

  29. giangdq said:

    Hi Admin, my PC has been infected with this. I didn't know about it and I ghosted the PC; since then all files (.doc, .ppt, .pdf, .xls, …) are encrypted.
    Can you please send me a file to help me decrypt the encrypted files? Thanks!
    Here are 4 files!

  30. surya said:

    Thanks for your posting about CryptoLocker. Is it the same virus or ransomware as howdecrypt?

  31. AJ Ramirez said:

    Hello. I have recently been infected with the CryptoLocker virus. Now I have completely removed the virus, but since my files are all saved on a partitioned drive, and an external drive as a backup, there are no shadow files to recover from. Is there any way or any software that can help me recover or repair such files? Thanks.

  32. Habib said:

    Hi Nate .
    Two days back my computer was infected by a CryptoLocker virus.
    Its “README TO ONLOCK” text is copied below:
    ——————————————————————————————–
    ——————————————————————————————–

    Your files are locked and encrypted with a unique RSA-1024 key!
    To regain access you have to obtain the private key (password).
    ++++++++++++++++++++
    To receive your private key (password):
    Go to http://u5ubeuzamg54x5f3.onion.to and follow the instructions.
    You will receive your private key (password) within 24 hours.
    Your ID# is 28403489

    If you can’t find the page, install the Tor browser (https://www.torproject.org/projects/torbrowser.html.en) and browse to
    http://u5ubeuzamg54x5f3.onion
    ++++++++++++++++++++
    BEWARE – this is NOT a virus.
    The ONLY way to unlock your files/data is to obtain your private key (password) or you may consider all your data lost.
    You have just 5 days before the private key (password) is deleted from our server, leaving your data irrevocably broken.
    ++++++++++++++++++++
    LOCKED ON POSSESSION OF COPYRIGHTED MATERIAL AND SUSPICION OF (CHILD)PORNOGRAPHIC MATERIAL.
    —————————————————————————————————-
    —————————————————————————————————-

    When I came to know that my computer had been infected I reinstalled my Windows 7 and removed the virus with Avast antivirus. As you know, all my files remain locked and I don’t know how I can decrypt my files. I tried to regain my files by using the “previous version” option in Windows to restore or repair my locked files, but it seems that no other versions existed. The problem is that I have no backup of my infected files.
    I would like you to please answer these two questions:
    1: Is there any solution to my problem to regain my locked files?
    2: In case there is no solution, is it a good idea to write all of these locked files to a DVD and keep them, to find a way to recover them in the future, or would that cause more difficulties?

    Thanking You

    • Sadly this infection's site doesn’t even work, so it's hard to do research on it. I would need the dropper of the file that infected you to figure out anything further, and you wiped your computer, so I do not think this is possible :( I apologize.

    • Habib,

      Another user recently gave me a dropper of this infection, and I was able to find a way of decrypting the files. Please message me if you are still around, as I believe I will be able to help you get your files back.

      Any other user reading this: this is not the real CryptoLocker, and this decryption method doesn’t apply to the real CryptoLocker.

  33. Toby Nichols said:

    Fairly sure I have the infected computer offline now, as the encrypting stopped and the owner of the files was the person logged into the machine. We have good backups so we will be able to recover most files. My problem is that I can’t find a trace of the actual virus on what appears to be the culprit machine. Malwarebytes is not showing anything and there is no cryptolock in the registry anywhere.

    Any advice?

    Thanks
    Toby

    • Seeing as you got infected after the FBI seizure of CryptoLocker, are you sure you do not have CryptoWall? That infection will remove itself when done, and only leave a note for you.

  34. Claudiu said:

    Hi, my laptop was infected by the “Win32/Sefnit.AS” trojan. I removed the trojan, but my files (.jpeg, videos, .pdf, Word and Excel files) are encrypted. Please help me to restore or repair my files.

    • CryptoLocker was seized before your infection, and chances are you have CryptoWall. In order to give sound advice we would need to confirm this: do any of the notes left by the infection have a light blue background?

  35. Phil K. said:

    Hi Nate,
    Just wanted to let you know that your advice is sound. I have found the earlier you detect this sort of virus the better the chances are of recovering the lost files. And in the case of the overwritten partition I have had some success in recovering the infected “target” partition and then retrieving the deleted data. But you are right, the longer the system stays up, live and on, the more files the malicious software encrypts. Thanks for a very in-depth explanation of a very successful malicious virus.

    I have been in the field of computer repair in the greater NYC area for over twenty years and this one takes the cake, but anything created by man can be undone, for the key to all data is just “0” and “1”.

    Phil K.

  36. Shaul said:

    Hi, I had this virus a long time ago. I managed to get rid of it, but all my files are encrypted! Every so often I check online if there is some more information on this that would help me get my useless files back. I had no backup or restore point. Do you have any news on this?

    • Sadly, at the moment, if there is no backup or restore point, there isn’t much you can do. CryptoLocker has also been taken down for now, so there may be some possibility in the future of getting your files back. You are doing the correct thing, though, which is to save your files just in case!
