This page contains description and removal procedures for CryptoLocker virus. Follow the guide carefully to delete the virus and regain access to your files. You can use "Previous Vesions" feature of Windows to recover files from the PC.
CryptoLocker is a virus or ransomware program that will encrypt files on the infected computer. This malware arrives on the computer through another infection. Trojan or other form of malware may explorer target computer for known weaknesses. This will be use as the channel to drop CryptoLocker on the system. Upon execution, the virus will inject code into the system folder as well as in the registry. This action allows CryptoLocker to run on each Windows bootup.
When running on the computer, CryptoLocker always remind computer user that files were locked. It demands payment for the encryption key costing 100 US or Euro, depending on the location of the victim. CryptoLocker also tries to scare computer users stating that any attempt to remove the virus will lead to immediate destruction of the private key. Thus, file will remain encrypted forever.
In the message, CryptoLocker states the following:
“Your personal files are encrypted!
Your important files encryption produced on this computer: photos, videos, document, etc. Here is a complete list of encrypted files, and you can personally verify this…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100EUR / similar amount in another currency.”
Here is the scary part:
“Any attempt to remove or damage this software will lead to immediate destruction of the private key server.”
Paying for the ransomware like CryptoLocker is likely supporting the online fraud activity. We highly encourage computer users not to pay the private key. You may duplicate the encrypted file on a separate hard drive and run legitimate decryption tools to find the one the works best with CryptoLocker.
September 15, 2013: Ransom goes up from $100 to $300
New version of CryptoLocker demands a ransom of $300. It actually triples the price of the previous version. Attackers behind this malware are now maximizing the full advantage of its ransomware potential. They know that users now have full view that there is no way out other than pay for the demand. Even MS Security Center, who identified this threat as Trojan:Win32/Crilock.A states that complex method are being used in the encryption process.
Nov 09, 2013: Re-infecting and recovering files
Attackers behind this CryptoLocker malware now devices a method to still allow users to request for private key even if the virus has been deleted from the computer and required registry keys are erased by antivirus program. CryptoLocker Decryption Service was launched on November 1, as number or computer users decided to re-infect their computer with the virus to avail of the $300 private key.
With the CryptoLocker Decryption Service, you will have to submit one infected file in order for the server to search for the matching key pair. Once found, you can now order and pay for the key that is required in recovering encrypted files. Be aware that this service can cost you 10 Bitcoins, that is roughly $2,120 at the current rate.
Ways to recover files encrypted by CryptoLocker.
Below, we have procedures in removing CryptoLocker from the computer. Since public and private key combination is needed to decrypt files, it is impossible to recover affected files at this point. We hope to find a workaround with this trouble in the following days. For the meantime, we will maximize whatever we have on hand.
If your PC is running on Windows Vista and Windows 7, there is a feature called ‘Previous Versions’. Although this function only works if restore point was saved prior to CryptoLocker infection or if System Protection is enabled on the computer. Use Previous Versions to recover files without having to pay for the private key.
CryptoLocker Removal Procedures
Systematic procedures to get rid of the threat are presented on this section. Make sure to scan the computer with suggested tools and scanners.
Step 1 : Reboot Windows Into Safe Mode With Networking.
First thing you should do is reboot the computer in Safe Mode with Networking to avoid CryptoLocker from loading at start-up.
NOTE: You will need to PRINT or BOOKMARK this procedure, as we have to restart the computer during the removal process.
1 Remove all media such as Memory Card, cd, dvd, and USB devices. Then, restart the computer.
2 Boot Windows computer into SafeMode with Networking.
Instructions for Windows XP, Windows Vista, and Windows 7 system
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.
Procedures for Windows 8 and Windows 10
a) Before Windows begins to load, press Shift and F8 on your keyboard.
b) On Recovery interface, click on 'See advanced repair options'.
c) Next, click on Troubleshoot option.
d) Then, select Advanced options from the list.
e) Lastly, please choose Windows Startup Settings and click on Restart. When Windows restarts, you will be send to a familiar Advanced Boot Options screen.
f) Select Safe Mode with Networking from the selections menu.
Step 2 : Detect and Remove CryptoLocker with Anti-malware Tool
3 Once the computer boots into Safe Mode with Networking, download the Removal Tool and save it on your Desktop or any location on your PC.
4 When finished downloading, locate and double-click on the file to install the application. Windows' User Account Control will prompt at this point, please click Yes to continue installing the program.
5 Follow the prompts and install with default configuration.
6 Before the installation completes, check prompts that software will run and update on itself.
7 Click Finish. Program will run automatically and you will be prompted to update the program before doing a scan. Please download needed update.
8 When finished updating, the tool will run. Select Perform full scan on main screen to check your computer thoroughly.
9 Scanning may take a while. When done, click on Show Results.
10 Make sure that all detected threats are checked, click on Remove Selected. This will delete all files and registry entries that belongs to CryptoLocker.
11 Finally, restart your computer.
Note: If CryptoLocker prevents mbam-setup.exe from downloading. Download the software from another computer. Renaming it to something like 'anything.exe' can help elude the malware.
Step 3 : Additional Anti-virus and Anti-rootkit Scans
Ensure that no more files of CryptoLocker are left inside the computer
12 Click on the button below to download Norton Power Eraser from official web site. Save it to your desktop or any location of your choice.
13 Once the file is downloaded, navigate its location and double-click on the icon (NPE.exe) to launch the antivirus program.
14 Norton Power Eraser will run. If it prompts for End User License Agreement, please click on Accept.
15 On NPE main window, click on Advanced. We will attempt to remove CryptoLocker components without restarting the computer.
16 On next window, select System Scan and click on Scan now to perform standard scan on your computer.
18 When scan is complete. All detected risks are listed. Remove them and restart Windows if necessary.
Alternative Removal Procedure for CryptoLocker
Use Windows System Restore to return Windows to previous state
During an infection, CryptoLocker drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. With these rigid changes, the best solution is to return Windows to previous working state is through System Restore.
To verify if System Restore is active on your computer, please follow the instructions below to access this feature.
Access System Restore on Windows XP, Windows Vista, and Windows 7
a) Go to Start Menu, then under 'Run' or 'Search Program and Files' field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.
Open System Restore on Windows 8 and Windows 10
a) Hover your mouse cursor to the lower left corner of the screen and wait for the Start icon to appear.
b) Right-click on the icon and select Run from the list. This will open a Run dialog box.
c) Type rstrui on the 'Open' field and click on OK to initiate the command.
If previous restore point is saved, you may proceed with Windows System Restore. Click here to see the full procedure.
Is CryptoLocker Dangerous?
Yes, CryptoLocker can badly affect your computer and slow down its performance and usability.
Can I Remove CryptoLocker from my Computer?
Yes, CryptoLocker can be removed by downloading our recommended antivirus software and scanner.
How Easy is it to Remove CryptoLocker Virus?
Nearly all paid antivirus scanners and removal tools should help remove the CryptoLocker virus from your computer.
Once I remove CryptoLocker do I still need antivirus?
Yes, new viruses such as CryptoLocker are created everyday and the only way to stay 100% protected is to use antivirus on your device.