theITbaby

Cryptolocker removal (no video, you’re an IT pro)

Hey, we’ll skip the video, the SEO-enabled article on Cryptolocker, all that jazz, and get right down to it. (I’ll tell you a story after I tell you how to remove this.)

Cryptolocker in its current form seems to have changed from everything I found on the internet. Here’s how I removed it on May 30th, 2014.

This removal method left all the documents encrypted on the host machine but removed the malware, so be aware there’s no recovering those unless you have a good backup or want to pay the ransom.

Step 1 – locate the Cryptolocker task name, kill it

Open Task Manager; you should see two tasks in there you don’t recognize. Ending one task causes the other to respawn it, so you need to kill both tasks at the same time.

To do this open a command window (you might need to open it with administrative rights), then type “taskkill /F /IM Crypt*”. The wildcard makes one taskkill call terminate every process whose image name starts with “Crypt”, which is what kills both copies before either can restart the other. Substitute whatever prefix matches the names you actually see in Task Manager; the current variant does not use a name starting with “Crypt”.

In my tenant’s case it was something like “Tcsmogfcisoqo.exe” – I’m betting your filename will be different though.
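The same step scripted, as an added example that is not from the original post. It finds every running process matching the image names you pass in, records where each binary lives (useful for the cleanup step), and kills all of them with one taskkill call by PID so the two processes cannot respawn each other. “Tcsmogfcisoqo.exe” is only the name the author happened to see; the image names, the three-second wait, and the elevated prompt are assumptions you should adjust to your machine.

```powershell
# Added example (not the original post's code). Kills every process whose image
# name is in $ImageNames in a single taskkill call, so a pair of processes that
# respawn each other both die at once. Run from an elevated PowerShell prompt.
# 'Tcsmogfcisoqo.exe' is a placeholder; substitute what Task Manager shows you.
param(
    [string[]]$ImageNames = @('Tcsmogfcisoqo.exe')
)

function Get-TargetProcesses {
    # Get-Process strips ".exe" from ProcessName, so compare against the file name
    # of the executable path when it is readable, and fall back to ProcessName.
    Get-Process | Where-Object {
        $exePath = try { $_.Path } catch { $null }
        $name = if ($exePath) { Split-Path $exePath -Leaf } else { $_.ProcessName + '.exe' }
        $ImageNames -contains $name
    }
}

$targets = @(Get-TargetProcesses)
if ($targets.Count -eq 0) {
    Write-Warning "No running process matches: $($ImageNames -join ', ')"
    exit 1
}

# Record where each binary lives BEFORE killing it; that path is what you clean up next.
Write-Host 'Processes to kill:'
$targets | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# Build "/PID a /PID b ..." and issue ONE taskkill so neither process can restart the other.
$pidArgs = @()
foreach ($p in $targets) { $pidArgs += '/PID'; $pidArgs += $p.Id }
& taskkill.exe /F $pidArgs

# Give a survivor a moment to respawn its partner, then check that nothing came back.
Start-Sleep -Seconds 3
$survivors = @(Get-TargetProcesses)
if ($survivors.Count -gt 0) {
    $list = ($survivors | ForEach-Object { "$($_.ProcessName) (PID $($_.Id))" }) -join ', '
    Write-Warning "Still running or respawned: $list. Re-check the image names and run again."
    exit 1
}
Write-Host 'All matching processes terminated; proceed to cleanup.'
```

Usage: `.\kill-pair.ps1 -ImageNames 'Tcsmogfcisoqo.exe','Otherrandomname.exe'` from an elevated prompt. Passing several PIDs to one taskkill invocation is the same trick as the “Crypt*” wildcard above, just without needing the names to share a prefix.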

Step 2 – clean up Cryptolocker

You need to get a program called RogueKiller. If you want a direct link to the file and trust me, here’s the x86 link, and here’s the x64 link.

Many sources say that this will terminate the Cryptolocker task and clean it, but I never managed to get it to terminate the task properly, so I had to go with step 1.

Step 3 – restore

Nothing to tell you here. Cryptolocker did a number on your files, so hopefully you have a backup. The 2048-bit key is an RSA key pair whose private half stays on the attackers’ server, so without that key the files cannot be decrypted in any practical amount of time; nothing to be done about it. I’d run a Malwarebytes scan afterward also, just to be sure you’re set.

Should be noted that Malwarebytes did not locate the Cryptolocker malware on the computer I was working on, but it did locate some other stuff. My guess is they changed it to throw off MWB.

Story time, but no need to read further IT pro, you’re done

My story begins with a voicemail left on my work phone from Comcast, in which their security department had called up about some targeted phishing that was coming from our building. Of course they didn’t bother to explain that in the voicemail, and I had to sit on hold for 20+ minutes just to find out what a simple email would have told me.

Turned out it was one of our tenants, and after a little searching I found which one. He had a big image on his desktop and an application that refused to quit that was attempting to extort him for $500 to recover his personal documents.

After looking at many useless videos on YouTube on how to remove this and giving them advertising impressions, I gave up on their methods and tackled it differently. This is my attempt to give you the tools and instructions to remove the malware, but remember it also removes any ability to ever get your documents back.

Also if you’re wondering why theITbaby is writing about this, meh, I do that from time to time… babies, technology, whatever I’m thinking about or working on…

If I helped you out, you can donate to my baby’s food fund (bottom right) or just drop in and say hey.

If I didn’t, the malware has probably morphed and I’d appreciate a nice “this no longer works” comment.

Paul King

Paul King lives in Nashville Tennessee with his wife, two daughters and cats. He writes for Pocketables, theITBaby, and is an IT consultant along with doing tech support for a film production company.