How to remove CryptoLocker Ransomware and Restore your files

Cryptolocker (also known as “Troj/Ransom-ACP”, “Trojan.Ransomcrypt.F”) is a Ransomware software that when it infects your computer, it encrypts all the files in it. The bad news with this virus is that, once it infects your computer, your critical files are encrypted with strong encryption and it is practically impossible to decrypt them. 

The Cryptolocker Ransomware demands that you make a payment of 300$ or 300€  in a specific period of time (e.g. 72h or 100h), through a payment service (e.g. MoneyPak, Ukash, PaySafeCard, etc.) in order to unlock your files. otherwise -after that period- nobody can restore or decrypt them.

cryptolocker

 

The Cryptolocker is not a virus, but a malware software and it probably infects your computer when you open an email attachment from a legitimate sender that seems innocent or from your network shares or from an external USB drive that was plugged on your computer.

Once Cryptolocker infects your computer, it starts to encrypt all personal files on your computer and then it sends the decryption key – known as “CryptoLocker ID” – to an online server. When Cryptolocker finishes encrypting your files, then a notification message comes on your screen demanding an immediate payment to unlock them. The message informs you that “Your personal files have been encrypted and you have 72 hours to pay us 300$”.

From our research on several sites, we can inform our readers that in some cases, the files remain encrypted, despite the fact that the user makes the payment. So make this decision (to pay to unlock your files) at your own risk. The other choice is to remove CryptoLocker Ransomware infection from your computer, but in this case, you must realize that your files will remain encrypted, even if you disinfect your computer from this nasty malware. If you take this decision (to disinfect your computer) the only way to restore your files is from shadow copies by using Windows' “Restore previous versions” feature found at the latest operating systems.

ONCE MORE: DO NOT CONTINUE TO REMOVE CRYPTOLOCKER VIRUS UNLESS:

YOU HAVE A CLEAN BACKUP COPY OF YOUR FILES STORED IN A DIFFERENT PLACE (like an unplugged portable hard disk)

or

YOU DON”T NEED THE ENCRYPTED FILES BECAUSE THEY ARE NOT SO IMPORTANT TO YOU.

or

YOU WANT TO GIVE IT A TRY TO RESTORE YOUR FILES USING SHADOW COPIES  FEATURE (Step 5).

So, if you have taken your final decision, then proceed first to remove Cryptolocker Ransomware infection from your computer and then try to restore your files by following the steps bellow:

How to get rid of CryptoLocker RansomWare & Restore Cryptolocker Encrypted files.

CryptoLocker RansomWare Removal Guide

Step 1: Start your computer in “Safe Mode with Networking”

To do this,

1. Shut down your computer.

2. Start up your computer (Power On) and, as your computer is booting up, press the "F8" key before the Windows logo appears.

3. Using your keyboard arrows select the "Safe Mode with Networking" option and press "Enter".

safe-mode-with-networking_thumb1_thu[1]

Step 2. Stop and clean malicious running processes.

1. Download and save "RogueKiller" utility on your computer'* (e.g. your Desktop)

Notice*: Download version x86 or X64 according to your operating system's version. To find your operating system's version, "Right Click" on your computer icon, choose "Properties" and look at "System Type" section

saa_thumb2_thumb_thumb_thumb_thumb1

2. Double Click to run RogueKiller.

3. Let the prescan to complete and then press on "Scan" button to perform a full scan.

Rogue

3. When the full scan is completed, press the "Delete" button to remove all malicious items found.

m4oeejuj_thumb1_thumb_thumb1

4. Close RogueKiller and proceed to the next Step.

 

Step 3. Clean your computer from remaining malicious threats.

Download and install one of the most reliable FREE anti malware programs today to clean your computer from remaining malicious threats. If you want to stay constantly protected from malware threats, existing and future ones, we recommend that you install Malwarebytes Anti-Malware PRO:

Malwarebytes™ Protection
Removes Spyware, Adware & Malware.
Start Your Free Download Now!

1. Run "Malwarebytes Anti-Malware" and allow the program to update to it's latest version and malicious database if needed.

2. When the "Malwarebytes Anti-Malware" main window appears on your screen, choose the "Perform quick scan" option and then press "Scan" button and let the program scan your system for threats.

ahefjplu_thumb2_thumb_thumb

3. When the scanning is completed, press “OK” to close the information message and then press the "Show results" button to view and remove the malicious threats found.

juygdz2u_thumb2_thumb_thumb.

4. At the "Show Results" window check - using your mouse's left button- all the infected objects and then choose the "Remove Selected" option and let the program remove the selected threats.

54j5pumd_thumb2_thumb_thumb

5. When the removal of infected objects process is complete, "Restart your system to remove all active threats properly"

kh15degq_thumb2_thumb_thumb

6. Continue to the next step.

Step 4. Delete Cryptolocker Ransomware hidden files.

Notice: You must enable the hidden files view to perform this  task.

 

1. Navigate to the following paths and delete all Cryptolocker Hidden files:

For Windows XP:

  • C:\Documents and Settings\<YOUR USERNAME>\Application Data\RandomFileName.exe

e.g. {DAEB88E5-FA8E-E0D1-8FCD-BFC7D2F6ED25}.exe

  • C:\WINDOWS\system32\msctfime.ime

For Windows Vista or Windows 7:

  • C:\Users\<YOUR USERNAME>\AppData\Roaming\RandomFileName.exe

e.g. {DAEB88E5-FA8E-E0D1-8FCD-BFC7D2F6ED25}.exe

  • C:\WINDOWS\system32\msctfime.ime

 

2. Finally delete all files and folders under your TEMP folders:

For Windows XP:

  • C:\Documents and Settings\<YOUR USERNAME>\Local Settings\Temp\
  • C:\Windows\Temp\

For Windows Vista or Windows 7:

  • C:\Users\<YOUR USERNAME>\AppData\Local\Temp\
  • C:\Windows\Temp\

 

Restore your files from Shadow Copies.

Step 5. Restore your files after Cryptolocker Infection

After you have disinfected your computer from Cryptolocker virus, then it is time to try to restore your files back to their state prior to the infection. For these methods, we use the Shadow Copy feature which is included in Windows XP and the latest operating systems (Windows 8, 7 & Vista)

Method 1: Restore Cryptolocker encrypted files using Windows “Restore Previous versions” feature.

Method 2: Restore Cryptolocker encrypted files using Shadow Explorer.

Method 1: Restore Cryptolocker encrypted files using Windows “Restore Previous versions” feature.

How to restore CryptoLocker encrypted files using  Windows “Restore Previous versions” feature:

1. Navigate to the folder or the file that you want to restore in a previous state and right-click on it.

2. From the drop-down menu select “Restore Previous Versions”. *

Notice* for Windows XP users: Select “Properties” and then the “Previous Versions” tab.

resore previous versions

3. Then choose a particular version of folder or file and the press the:

  • Open” button to view the contents of that folder/file.
  • Copy” to copy this folder/file to another location on your computer (e.g. you external hard drive).
  • Restore” to restore the folder file to the same location and replace the existing one.

previous folder version

Method 2: Restore Cryptolocker encrypted files using Shadow Explorer.

How to restore CryptoLocker encrypted files using “Shadow Explorer” utility.

ShadowExplorer, is a free replacement for the Previous Versions feature of Microsoft Windows Vista/ 7 / 8. You can restore lost or damaged files from Shadow Copies.

1. Download ShadowExplorer utility from here. (You can either download the ShadowExplorer installer or the Portable version of the program).

2. Run ShadowExplorer utility and then select the date that you want to restore the shadow copy of your folder/files.

ShadowExplorer

3. Now navigate to the folder/file that you want to restore its previous version, right-click on it and select “Export

ShadowExplorer export[5]

4. Finally specify where the shadow copy of your folder/file will be exported/saved (e.g. your Desktop) and press “OK

shadow explorer export location

That’s it.

If this article was useful for you, please consider supporting us by making a donation. Even $1 can a make a huge difference for us in our effort to continue fighting spam while keeping this site free: