Remove CryptoLocker Virus

September 9, 2013

CryptoLocker is a Trojan that extorts money from computer users, which places it in the class of malware known as ransomware. Unlike the ransomware that came before it, it does not lock the computer and demand payment for an unlock code. Instead, it encrypts the user's documents and other data files in place and demands payment for the private key needed to decrypt them. What further distinguishes CryptoLocker from other ransom viruses is its time-based destruction of the key: if the ransom is not paid within the period shown in its window, the key is deleted from the criminals' server, and there is then no way to unlock the affected files.

CryptoLocker's ransom window displays the following message:

“Your personal files are encrypted! 

Your important files encryption produces on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files, you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files…

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100 EUR / similar amount in another currency.
Click Next to select the method of payment and the currency.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.”


As the message makes clear, the author of CryptoLocker intends to extort money by holding the files on the infected computer hostage. Whether or not every claim in the window is true, we do not encourage paying for the private key. First remove CryptoLocker from the computer, then recover the affected files from whatever source is available (see Stage 3).
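To see why the private key matters, here is an added example, not code from the original article or from the malware, that models the scheme the ransom note describes in a few lines of Python. The RSA key pair is a deliberately tiny toy built from two Mersenne primes, and the per-file cipher is a SHA-256 keystream rather than AES; the point is the structure, which is what CryptoLocker used: a fresh key per file, wrapped with a public key that lives on the victim's disk, and a private key that never does.

```python
# Added example, not code from the original article: a miniature model of
# the key design CryptoLocker's ransom note describes. Each file gets its
# own random key; that key is wrapped with an RSA public key present on the
# victim machine, while the matching private key stays on the attacker's
# server. Assumptions for this demo: the RSA modulus is built from two small
# Mersenne primes and the per-file cipher is a SHA-256 keystream XOR, both
# toys chosen so the script runs with the standard library only. The real
# malware used RSA-2048 and AES; the structure is the same.
import hashlib
import os

# Toy RSA key pair. 2**61-1 and 2**89-1 are prime; N is just under 150 bits,
# enough to wrap a 16-byte file key plus a 2-byte marker as one integer.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)     # what ends up on the infected computer
PRIVATE_KEY = (N, D)    # what the criminals sell
MARKER = b"FK"          # lets the unwrapper detect a wrong private key


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block offset)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(public_key, plaintext: bytes):
    """Victim side. Needs only the public key; returns (wrapped_key, ciphertext)."""
    n, e = public_key
    file_key = os.urandom(16)
    wrapped = pow(int.from_bytes(MARKER + file_key, "big"), e, n)
    return wrapped, keystream_xor(file_key, plaintext)


def decrypt_file(private_key, wrapped: int, ciphertext: bytes) -> bytes:
    """Attacker side. Unwraps the file key with d, then strips the keystream."""
    n, d = private_key
    raw = pow(wrapped, d, n).to_bytes(19, "big")   # n < 2**152, so 19 bytes fit
    if raw[:1] != b"\x00" or raw[1:3] != MARKER:
        raise ValueError("wrong private key: unwrapped value lacks the marker")
    return keystream_xor(raw[3:], ciphertext)


def can_decrypt(key, wrapped: int, ciphertext: bytes) -> bool:
    """True only if `key` really is the private key for `wrapped`."""
    try:
        decrypt_file(key, wrapped, ciphertext)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    wrapped_key, blob = encrypt_file(PUBLIC_KEY, b"Q3 payroll spreadsheet (constructed sample)")
    # Everything the infected machine holds: public key, wrapped key, ciphertext.
    print("decryptable with only victim-side material:",
          can_decrypt(PUBLIC_KEY, wrapped_key, blob))   # False
    print("decryptable with the attacker's private key:",
          can_decrypt(PRIVATE_KEY, wrapped_key, blob))  # True
```

Run it and note that can_decrypt() returns False for everything the infected machine holds. That is the whole reason a removal tool, however thorough, cannot unlock the files: the only missing piece is a number that was never on the computer.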

Other Detections:

Different anti-virus and anti-malware programs name this threat according to their own naming conventions. One detection name in use is Trojan.Cryptolocker.F.

How to Remove CryptoLocker Ransomware

Stage 1: Scan the Computer with ESET Rogue Application Remover (ERAR)

1. Download the free scanner called ESET Rogue Application Remover.
Download Link for ERAR (this will open a new window)

2. Choose the version that matches your Windows system (32-bit or 64-bit). Save the file to a convenient location, preferably the Desktop.

3. After the download finishes, Windows will prompt that it has completed. Click Run to start the program. Alternatively, browse to the folder where you saved it and double-click the file ERARemover_.exe.

4. On the ESET Rogue Application Remover SOFTWARE LICENSE TERMS screen, click Accept to continue.

5. The tool will start scanning the computer. It will prompt you when it finds CryptoLocker or other malicious entities; follow the prompts to proceed with the removal.

Stage 2: Double-check for CryptoLocker's leftovers with Microsoft's Malicious Software Removal Tool

1. Download the free scanner called Malicious Software Removal Tool.
Malicious Software Removal Tool Download Link (this will open a new window)

2. The tool automatically checks the operating system and suggests the appropriate download. Click the Download button to begin. Save the file to a convenient location, preferably the Desktop.

3. After the download finishes, Windows will prompt that it has completed. Click Run to start scanning for CryptoLocker. Alternatively, browse to the folder where you saved it and double-click the file to run it.

4. The tool will display a Welcome screen; click Next. Note the message “This tool is not a replacement for an antivirus product.” The program is made specifically to find and remove malware, viruses, Trojans and other harmful elements already present on the computer; it was not designed to protect the computer from future infections.

5. Next you will see Scan Type. Choose Full Scan to ensure that all CryptoLocker components and other harmful files left on the computer are found and removed. Advanced users can opt for Customized Scan if there are other drives or folders to include in the scan.

6. A full scan may take a while; wait for Malicious Software Removal Tool to complete. You may cancel the scan at any time by clicking the Cancel button.

7. After scanning, the tool lists all identified threats, which may include threats the first scan failed to detect. Remove all detected items.

8. When removal is complete, close Malicious Software Removal Tool. Before restarting, it is worth confirming that nothing named CryptoLocker remains in the Run key at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, which is where this malware makes itself start with Windows; if such a value is still present, delete it together with the executable it points to. Then restart Windows to proceed with normal operation.

Stage 3: Recovering files encrypted by CryptoLocker

Before you start, understand what recovery can and cannot do. CryptoLocker encrypts each file with a key that is itself protected by the RSA-2048 public key; the matching private key exists only on the criminals' server, so no tool can decrypt the files from the data on the disk alone. Removing the malware stops further damage but does not unlock anything. The realistic recovery options are a backup taken before the infection, or Volume Shadow Copies (the “Previous Versions” tab in Windows Explorer, or a tool such as ShadowExplorer) where System Protection was enabled and the copies survived. Disconnect the infected computer from the network and from any mapped drives before restoring anything, because a still-running CryptoLocker will re-encrypt files as fast as you restore them to a share it can write to. The Panda Ransomware Decrypt tool below was built for other ransomware families and does not have CryptoLocker's private key; try it on a copy of a few files as described, but if it reports that nothing is encrypted or cannot decrypt the test folder, it cannot help with this infection.

1. Download the program Panda Ransomware Decrypt.
pandaunransom.exe Download Link (this will open in a new window)

2. Save the file to your hard drive, Desktop, or any location.
3. Once the download has completed, double-click the file pandaunransom.exe to run it.
4. The Panda Ransomware Decrypt window will open.

5. Next, use Windows Explorer or My Computer to make a folder named “PandaTest” and copy some of the encrypted files into this folder.

6. Go back to the Panda Ransomware Decrypt program and click the Select Folder button. Select the newly created folder PandaTest.

7. Click the START button to begin. The process may take a while; wait until it is completed.

8. If the contents of the PandaTest folder were decrypted, you may run the tool on all the affected files and folders on the computer. If they were not, stop here and restore the files from backup or shadow copies instead.
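Several of the comments below describe a decryptor reporting that “no files are encrypted” while shares full of PDFs would not open, and ask which files on a NAS or file server need restoring. The following added example (not part of the original article or of any of the tools it mentions) is a read-only Python triage script that answers that question by content: CryptoLocker leaves names and extensions intact and overwrites the contents, so a document whose leading bytes no longer match its format, or a file with near-random content where none is expected, is one to restore from backup. The magic-byte table, the entropy threshold and the constructed sample tree are this example's own choices. On the infected host itself, CryptoLocker also records what it encrypted under HKEY_CURRENT_USER\Software\CryptoLocker\Files, but a file server or NAS holds no such record.

```python
# Added example, not code from the original article: a read-only triage
# script for deciding which files on a disk or share CryptoLocker actually
# touched. The malware keeps file names and extensions and encrypts the
# contents in place, so a ".pdf" that no longer starts with "%PDF", or a
# ".docx" that is no longer a ZIP container, is a strong indicator. Files
# whose extension has no fixed header fall back to an entropy check.
# Assumptions for this example: the magic-byte table, the 7.5 bits-per-byte
# entropy threshold and the sample tree built by build_sample_tree().
import math
import os
from collections import Counter
from pathlib import Path

# Leading bytes that the genuine format always carries (assumed table).
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
}
ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted data sits close to 8.0
SAMPLE_BYTES = 4096       # only the head of each file is read
MIN_SAMPLE = 256          # too few bytes for a meaningful entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def classify_bytes(ext: str, head: bytes) -> str:
    """Verdict for one file given its extension and leading bytes:
    'ok' (header matches), 'bad-header' (known type, header gone),
    'high-entropy' (unknown type, looks random) or 'unknown'."""
    ext = ext.lower()
    if ext in MAGIC:
        return "ok" if head.startswith(MAGIC[ext]) else "bad-header"
    if len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "unknown"


def triage(root) -> dict:
    """Walk `root` without modifying anything; group relative paths by verdict."""
    root = Path(root)
    report = {"ok": [], "bad-header": [], "high-entropy": [], "unknown": []}
    for path in sorted((p for p in root.rglob("*") if p.is_file()), key=str):
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        report[classify_bytes(path.suffix, head)].append(path.relative_to(root).as_posix())
    return report


def build_sample_tree(root) -> None:
    """Constructed sample data: two intact documents and two files whose
    contents were replaced with random bytes, as an encrypted file would be."""
    root = Path(root)
    (root / "reports").mkdir(parents=True, exist_ok=True)
    (root / "reports" / "intact.pdf").write_bytes(b"%PDF-1.4\n" + b"obj " * 200)
    (root / "reports" / "intact.docx").write_bytes(b"PK\x03\x04" + bytes(600))
    (root / "reports" / "locked.pdf").write_bytes(os.urandom(2048))
    (root / "notes.txt").write_bytes(os.urandom(2048))


def demo_report() -> dict:
    """Build the sample tree in a temporary folder and triage it."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for verdict, files in demo_report().items():
        print(f"{verdict:12s} {files}")
```

Point triage() at a mounted share from a clean machine to get the list of files to pull from backup; it never writes, so it is safe to run before the infected host has been rebuilt. Compressed formats such as .zip and .docx are checked by header first precisely because their legitimate contents are also high-entropy.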

45 thoughts on “Remove CryptoLocker Virus”

  1. grant

    What is the deal with the key? Your example shows a key; when I run the program no key is present. What are you doing to try and identify the correct key? Or should the program do this on its own?

  2. jeremix

    I have some friends who are currently trying to recover their files from a CryptoLocker virus infection. So far, they are still trying various decryption tools. They have managed to remove CryptoLocker from their computer; however, the files remain encrypted.

    I still don’t know if removing files and registry entries dropped by CryptoLocker will be able to help. So far, here are what I have found:

    CryptoLocker Files:
    C:\WINDOWS\system32\msctfime.ime
    C:\Documents and Settings\User\Application Data\{DAEB88E5-FA8E-E0D1-8FCD-BFC7D2F6ED25}.exe
    C:\DOCUME~1\User\LOCALS~1\Temp\CryptoLocker.exe
    C:\WINDOWS\system32\rsaenh.dll

    CryptoLocker Registry Entries:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
    HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = “CryptoLocker.exe”
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    HKEY_CURRENT_USER\Software\CryptoLocker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced Cryptographic Provider v1.0
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Offload
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\DESHashSessionKeyBackward
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)

  3. James

    Hey,

    We were hit with this on 09/09. It was on 1 PC that happens to be a part of a shared drive for our warehouse, and it encrypted all the docs and apps for the drive and server. Will this work?

  4. MV

    This is not working at all for my client. Same situation: hit one machine, then spread through the network. The decryptor says no files are encrypted, but they were all affected by the CryptoLocker.exe ransomware.

    Please help!!!

  5. Malware Guy

    We have seen this several times this week at our company. You cannot decrypt the files without the private key, which is stored on the hacker’s servers. That Panda tool will not be able to do it. You can use a tool called Shadow Explorer, which may help you as long as you have System Protection turned on.

  6. Sunrise

    Hi, I have this CryptoLocker on my PC that shares files on Dropbox, which it seems we cannot open. Can this program clean the Trojan off the Dropbox? I am in the middle of cleaning with the first phase, ESET Rogue.

  7. Pam

    I have the same problem: hit one PC and the Dropbox server. Panda did not decrypt the files, nor did Shadow Explorer. Can someone please HELP!

  8. LarryB

    Hit our church. I have not found an answer; Panda and shadow copy did not work, and it had disabled my ability to restore to a restore point. This is a beast; any help is appreciated.

  9. George D

    Correct, the Panda tool cannot decrypt the files. Your only hope is to use Shadow Explorer, which definitely works as long as you have system restore points enabled. The key is to remove the virus before you run Shadow Explorer. We have successfully restored files with it.

  10. Neil T

    Yes, shadow copy works. I think I’ll be cleaned up in another hour.
    Thanks for posting all of this.

  11. Helmut Reinhardt

    We have this same CRYPTOLOCKER. It hit us at about 5 am this morning and encrypted 2 network drives, resulting in about 112,000 files being encrypted.

    pandaunransom.exe didn’t do anything; it looks like Panda needs the decryption key.

  12. Sam Rolph

    We have 3 PCs (all Win 7 64-bit, running Trend Micro OfficeScan Client 10.5 AV) infected with CryptoLocker. We managed to remove the virus with Malwarebytes, HijackThis and manual deletion of the virus files, but again all local files were left encrypted. We think this was contracted from opening an email supposedly from FedEx.

    I have asked Trend for advice, but it is not looking hopeful for salvaging the local files. Thankfully the shared drives haven’t been infected (yet).

  13. DanaK

    We were hit on the 25th and it has taken several tries to remove the bulk of this virus.
    Still awaiting the Avast remover; it seems to be working. It has been an extreme hassle, and
    it seems to have come in via only one email, an Intuit spam mail. Again, use your virus blocker
    more often than usual; it helps in keeping the systems up to date on new viruses.
    I’ll post tomorrow how we fare in our offices.

  14. Ric S

    We were hit on 9/28. Has anyone been able to decrypt the files? I don’t have a current backup.

  15. RAW

    I can’t seem to see any difference (files I can’t get to or are corrupt), but I got that nasty message! I have removed CryptoLocker from my computer, what would happen if I used system restore to go back to before this happened?

  16. Guruthesecond

    We were hit two days ago. It only affected one computer, but since she was mapped to all the shares, they are all encrypted. We’ve finally agreed to pay the ransom. I’m just concerned because I read on another thread how payment had been blocked and we may never get our files back.

  17. Dann French

    The best option is to reinstall the OS from an image created before the virus hit your system.
    I have done this on an infected computer and it works great.
    It is very important to back up your system to an offsite drive. I make a new image every week on my systems and delete the older images. This way I will only lose a week’s worth of data.

    This is the only thing that I have found that works reliably every time.

  18. Abhi

    None of these methods are going to be successful; instead everyone is going to be stuck with the same problem. What is the possible way to remove this thing? Please help!

  19. Cherrelyn Joy Moreno

    Thank you very much for this information. Though the decryption process didn’t work, the CryptoLocker virus was gone. Thank you very much... a million thanks to you :-)

    FROM PHILIPPINES

  20. Bud Green

    Guruthesecond,,

    Did paying the fee get you the private key and allow you to decrypt the files again? I have an end-user client whose business files were all encrypted on the network share and who is desperate for a resolution. Before I clean the malware, I want to know if this solution is valid. A ransom, true, but when the client needs the files, a ransom is better than nothing. The infected PC is off the network and isolated right now.

    PEACE

  21. Daniel

    We have been hit with this twice now. Fortunately we have backup processes in place so the loss of data was not a huge problem.

    To remove the software we have used System Restore and Malwarebytes. Be sure you do this without the network cable plugged in, especially if you are on a domain and have access to shares.

    Hopefully someone will find the fix to decrypting the docs, and or finds the culprits and smashes them up.

  22. Gary

    You MAY fix the encrypted files by paying the money; supposedly they will send the decryption key and it does work. It does take a while (I think one site said about 5 GB per hour), but don’t wait too long looking for a solution that doesn’t come. If you don’t have backups and you need these files, once that timer reaches zero, the key is destroyed and your files are pretty much forever encrypted. The best thing to do is kill the drive and start fresh from your backups. System Restore will do nothing for you, as System Restore does nothing to change the files this particular variant is designed to encrypt, only system files and Windows startup files. Your computer will work fine, but you won’t be able to open the extensions mentioned in the above link until they are decrypted or removed and restored from backup. Make sure you remove the virus before restoring from backup; otherwise it would be redundant.

    We had the issue yesterday on one of our user computers. She opened an attachment; that’s all it took. Not only did it encrypt all files on her desktop, any user directory she had connected to on our server where she had write privileges was also encrypted. Spent the better half of the night last night weeding through directories and files, deleting encrypted files and restoring from backups.

    Take note: as long as her computer was on the network and had write access to the server, every time I replaced an encrypted file on the server, it would encrypt the restored file almost simultaneously. Fortunately she just had write access to her own user directory and a community directory that is used to share files, and no access to any system or admin files. Make sure you remove the infected computer totally from the network before trying to resolve and restore. Turning it off and rebooting it or trying to remove it won’t destroy the key; the virus itself is easy to remove, but doing so guarantees your files stay encrypted.

    Nobody wants to pay $300, but it’s the most guaranteed way you get your files back; it’s why it’s called ‘ransomware’. You can try to beat it, but know that in messing with it you could speed up, or just finalize, the process of preventing any way of ever applying the decryption key. This is a fairly new entity and is rarely caught by most AVs, and even many firewalls overlook it, so don’t depend on your security tools alone. I’ve been the system administrator for my company for over 11 years and have secured with quad redundancy on every level, but we still got in... Get your users aware of these threats. You can have the most secure house on the block with the most cutting-edge alarm system, but if someone opens the door to the thief... well, it doesn’t do any good.

    She had files on her desktop. I told her I’d fix it for $300; other than that, the files on her desktop are gone. Backup, backup, backup, awareness, backup, backup, backup...

    Best prevention is user awareness.

  23. Aig

    I have been hit with this nasty piece of work. I completely removed it from my system and just successfully replaced all of the files on the system that had been encrypted, using Shadow Explorer. However, the encryption also affected my NAS, which was on the same network and thus not covered by Windows shadow copy. If anyone knows of a decryption tool that works, please kindly let us know.

  24. seema

    I got hit by this virus early this week. While I have managed to remove the virus, my files are still encrypted. Need help to decrypt the files. Tried Panda but it did not help :( Any suggestions?

  25. Tahir Mansoor

    Thank God it removed the virus for me. Thanks a lot for the useful information.

  26. JOSS

    Hello,

    I have this virus on every computer. In my network we have 2 servers running Windows 2003 and 20 computers running Windows XP.

    I’m very worried because all of our “.pdf” documents are damaged and we can’t open them.

    I don’t know what to do to recover the PDF documents.

    Any update?

  27. Brett Storsved

    Any one have any luck recovering files? Would appreciate any help.

  28. Paul

    Hi all,
    I am sorry to be the bearer of bad news, but my brother-in-law has just told me that there is no way you can recover the encrypted files unless you have the decryption key from CryptoLocker, which definitely does not exist anyway. They are only interested in the unfortunate people who pay the money and then do nothing anyway. My brother-in-law is a super computer geek and he knows his stuff. In short, you won’t get your files back, but you can easily remove the virus using Malwarebytes.

  29. CARL

    I got infected yesterday – not good.
    Unable to open Word files / Excel files on the laptop from prior to the infection.
    I have been able to use files received after the malware was taken off the laptop.
    The good news is that all files stored at my ISP, both sent and received emails, were not affected, and I am able to restore files as I go along. I have not deleted emails in the last 4 years, so I have 7,300 sent and 10,400 received; this should allow me to restore 80%+ of my files so that I can open them / replace the damaged files.

  30. Dr. Ram Reddy

    I got infected on 01 OCT 2013.
    Unable to open Word files / Excel / PDF files on my system.
    I have been able to use files received after the malware was taken off the system.
    Emails not affected, both sent and received.
    I don’t know what to do to recover the documents.

    Any update?

    From Dr Ram Reddy, Hyderabad, India.

  31. Pranay

    Hello,
    I have this virus on every computer. In my network we have 2 servers running Windows 2003 and 20 computers running Windows XP.
    I’m very worried because all of our “.pdf” documents are damaged and we can’t open them.
    I don’t know what to do to recover the PDF documents.
    Any update?

  32. beebioologi

    Thank you so much... CryptoLocker is gone, but now I can’t fix my files... Panda and Shadow Explorer can’t decrypt my files. T.T What can I do? Can someone tell me how to fix it with another program maybe, because those are my important files.

  33. Senior Level Tech

    Hello. I deal with this infection, as well as the FBI one and others, on a daily basis. I can tell you that I am MTP certified and have 7 years in infection removal; in fact I am an infections specialist with my firm. For starters: never listen to anyone that tells you to just pay the $300 because it is the only way your files will get decrypted. In actual fact, you can pay the money but you will NOT get your files back.

    When you first see the CryptoLocker screen, it is best to completely shut your PC down immediately and seek out an infection removal expert.

    I find the best way to remove the infection is manually, without the use of useless scanners. These scanners will only find part of the infection, if any of it at all.

    Here is the most effective and guaranteed removal technique:
    1. Power on the machine.
    2. Boot to Safe Mode with Networking.
    3. Open Explorer and view hidden files and folders. Check every user’s AppData folder under Local and Roaming. You are looking for a very distinct file that usually has a .dat or .exe extension.
    The name of the file will not be a word; instead, it will be a series of numbers and letters, usually about 13-25 characters long. Once found, delete them immediately.

    4. Holding the Windows key down, press R and type in regedit.
    Search local user and local machine/software/Microsoft/windows/windowsNT/Winlogon.
    Check the Powershell as well; it should be set to explorer.exe.
    Be sure it is not named anything else.

    5. Once you have found the infection and completely removed it from your machine, you will still see the CryptoLocker splash page. This is the easy part.

    6. Run msconfig and check for anything out of the norm in Startup; usually it will have a .exe extension. Uncheck it and click Save. DO NOT REBOOT YET!

    On your desktop you will find the image file for the CryptoLocker splash page; delete it and empty the Recycle Bin.

    Now reboot.

    OK, now your docs are encrypted. What do you do now?

    I have the million dollar answer and it has worked 80% of the time. The name of the program is (drum roll...) Icare. Such a sweet name and an overall life saver for a lot of people.

    I really hope that you follow my guidelines step by step. If you do, you will conquer this awful virus and possibly get all of your files back. For free, no less.

    You’re welcome in advance =)

  34. mohammad

    I removed the virus, but it encrypted my files.
    Please help me.

  35. Trumalou

    Had a customer infected with this. Paid the ransom and very quickly got the decrypt private key. Seems as though the hackers will give you the key if you pay up. The customer had a backup from the previous night, but with the time it takes to restore and rebuild the infected laptop, it was quicker and easier to pay up. The laptop had mapped network drives, so it spread to half the docs on the network before the network cable was pulled from the laptop. The encryption is RSA encryption and would take years to crack. Without the key from the hackers, your only option is backups, and hope it doesn’t take long to restore, or shadow copy / previous versions if enabled.

    If you decide to pay and get the key, the program runs, decrypts the files, then gives you an opportunity to retry any skipped files. The customer had taken a USB drive out, so it had to skip those files; then we ran it again when the drive was put back in.

    Once you end the program, it removes itself from the system, so make sure you have run it against all encrypted files. The program remembers exact drive mappings, so if you’ve disconnected drive mappings, you will have to map to the same drive letter as before.

    Then hope no one else opens up attachments without being certain what they are. This really is a case of once you let the crooks in, you’re at their mercy, unless you have a good backup solution. Once the timer counts down, that’s it; you can’t then decide to pay. But if you’ve paid, the counter will suspend while payment is being verified.

    One other thing: had no luck whatsoever trying to pay by the UK option of bitcoins. You can create a wallet, but getting money into that wallet is damn near impossible! Had to get a US contact to pop into a 7-Eleven and buy a MoneyPak card, put money on it using PayPal and then send the MoneyPak card number to put into the program! You can’t use PayPal or a credit card to fund a bitcoin account, so good luck with that!

    Hope the additional info helps, as I spent half a day looking into how to pay!!

  36. Mauricio Delgado Robles

    The CryptoLocker malware was removed using both tools, first the Sophos software and then a check with Malicious Software Removal Tool, but that software just deletes the malware; Panda doesn’t decrypt the files touched by the virus. The only software to fix this was ShadowExplorer; this works very well, quick and effective.

    Regards

    Mauricio

  37. Bully

    Accountants infected; they paid via bitcoin from the UK (£270) (not as easy as it sounds). Over 50,000 encrypted files (xls(x), doc(x), PDFs); decryption took 12 hours. Seems to have worked (can’t test 50,000 files). Backups were 5 days old! Maybe now backups might be more important and double-clicking any attachment might be thought twice about!

  38. Anil Pandey

    Dear Users,,

    I think you should not pay anything to anyone. I have just tried a very simple solution: I just formatted my C drive, then I reinstalled my operating system. After that I deleted my other drives also; then, by using recovery software that is available freely online, EaseUS, I recovered 80-90% of my files, and those files are not encrypted or corrupted.

    I think something is better than nothing. If any of you can recover files by using my technique, then please let me know.

  39. Chris

    Just got hit with the Malware Cryptolocker. What steps do I need to take to get rid of this?

  40. John

    Searched Google for removal of the parasite, but it is very difficult to restore your encrypted files.

  41. Robert

    As prevention you can use BitLocker. Not all Windows editions have it, but whoever has it should turn it on and encrypt their files; it is always better to prevent than to cure.
