How to remove Cryptolocker

Discussion in 'Virus Removal Service (VRS)' started by Bala, Oct 2, 2013.

  1. Bala

    Bala Administrator Staff Member

    CryptoLocker is a new ransomware which is doing the rounds. What it basically does is, once it has infected your computer, it encrypts all of your files and shows a message demanding that you pay up. 

    Detailed information is here

    In this guide we will try to focus on removing this malware. 

    After doing some research of my own I have found out that CryptoLocker uses custom encryption to encrypt files and has a one-time decryption key. It is very difficult to crack or brute-force it due to the complexity of the algorithm and the time it would take.

    Removal can be done easily by using Malwarebytes Anti-Malware in combination with the RKill tool. But this is not the main concern, as even once this virus is removed it is not possible to decrypt your files. 

    Retrieval of files:-
    Retrieving the files will be a bit of a job to tackle. If you have a full working backup it is going to be very easy to do so and get back all the files. 
    This again elucidates the importance of backing up your data. 
    Now, if you do not have a backup you can take one of two options.
    1- System Restore:- Restoring the system to a point in time before the virus intrusion is a good idea and should be done. This can be easily done from safe mode, but it will not decrypt or return most of your files to their original state. 

    2- Shadow copy:- By default, Windows Vista+ OSes keep a copy of a file called a shadow copy. This can be found and restored from the file properties dialog box, but for a multitude of files it is going to be highly difficult. 
    To ease the process we will use a tool called Shadow Explorer to do so. 
    You can download it from here  
    This will enable you to access the shadow cache and get the files out of it. 

    If you are lucky enough you should have shadow-copies of most files and should get the job done. Most guides on the internet are just copies of some thoughts and do not give the shadow defender pathway. 

    Please do not do a restore or refresh before. This may wipe out the shadow files. 

    If none of these work, you have lost it and there is nothing that can be done. If you are stuck in such a situation you may end up having to pay them. 
    It has been confirmed that it does decrypt the files. Please make use of a disposable card to do so and do not give any other of your financial details. I may be the first one urging you to pay, but if your data is very valuable and you have no backups this might be the time to do it and not waste it. 

    Also remember to install proper security software. If possible purchase a good one or use a tight freeware combo. If you had Comodo with Defense+, which is free software of course, this ransom virus would have been thwarted. 
    For detailed instructions and recommendations for security software please make a thread here

    The next step would be to do a complete re-install, formatting all your hard-disk partitions. I would recommend using a Linux live CD for this purpose. 
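The shadow-copy recovery route described in the post above, done from an elevated PowerShell prompt instead of Shadow Explorer. This is an added example, not part of the original post or the Shadow Explorer tool; it reads the same Volume Shadow Copies Shadow Explorer does. The folder, destination and cutoff time are assumed placeholders, and the destination should be a clean drive so nothing from the infected volume is written back over the snapshots.

```powershell
# Added example: copy pre-infection versions of a folder out of a Volume Shadow Copy.
# Assumes Windows Vista or later, an elevated session, and that no restore/refresh
# has wiped the snapshots yet. $Source, $Dest and $Before are assumed placeholders.
param(
    [string]$Source   = 'C:\Users\Alice\Documents',   # folder to recover (assumed)
    [string]$Dest     = 'D:\Recovered',               # clean external/second drive (assumed)
    [datetime]$Before = (Get-Date).AddDays(-1)        # snapshots must predate the infection
)

# 1. Map the source drive letter to its volume GUID path, which is how
#    Win32_ShadowCopy.VolumeName identifies the volume a snapshot belongs to.
$drive  = $Source.Substring(0, 2)
$volume = (Get-CimInstance Win32_Volume -Filter "DriveLetter='$drive'").DeviceID

# 2. List that volume's shadow copies, newest first, so the user can see what exists.
$copies = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume } |
    Sort-Object InstallDate -Descending
$copies | Format-Table InstallDate, DeviceObject -AutoSize

# 3. Choose the most recent snapshot taken before the infection cutoff.
$snap = $copies | Where-Object { $_.InstallDate -lt $Before } | Select-Object -First 1
if (-not $snap) { throw "No shadow copy older than $Before exists; nothing to recover." }

# 4. Expose the read-only snapshot as a directory through a symbolic link.
#    mklink requires the trailing backslash on the GLOBALROOT device path.
$link = Join-Path $env:SystemDrive 'ShadowLink'
cmd /c mklink /d $link "$($snap.DeviceObject)\" | Out-Null

try {
    # 5. Copy the folder out: /E keeps subfolders, /XJ skips junctions to avoid
    #    loops, /R:1 /W:1 keep retries short on files the snapshot cannot read.
    $rel = $Source.Substring(3)                      # path relative to the drive root
    robocopy (Join-Path $link $rel) (Join-Path $Dest $rel) /E /XJ /R:1 /W:1 | Out-Null
    Write-Host "Recovered '$Source' as of $($snap.InstallDate) into '$Dest'"
}
finally {
    # 6. Remove the link; rmdir on a symlink deletes only the link, never the snapshot.
    cmd /c rmdir $link | Out-Null
}
```

Check the recovered files open cleanly before relying on them, since a snapshot taken after encryption started will already contain encrypted copies.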
  3. ahmadkhaje

    ahmadkhaje Senior Member

    A way that you can know whether or not infected computers
    Where you should know that a malware in the system has
  4. Morale

    Morale Initiat3

  5. jasonX

    jasonX Giveaways Moderator Staff Member

    -- Backing up (externally) is really the most sane and effective way for any infection. You can reformat the OS many times over, but losing those files and trying to decrypt them will make you lose your mind.
  6. revC0de

    revC0de MTAC Moderator Staff Member

    The implementation of specific standalone anti-ransomware tools and decryption software is appreciable, but the best and rock-solid prevention is always a good backup plan.
    Keep your data PHYSICALLY outside the ransomware's claws!