CryptoLocker is a ransomware Trojan that allegedly encrypts files on an affected system and demands a ransom for recovering the data. It first appeared on the Internet in 2013 and targeted Windows operating systems.
CryptoLocker spreads by way of compromised email attachments or through a botnet. Once downloaded and activated, it looks for certain file types to encrypt using RSA public key cryptography and then sends the private key to some remote servers. It then demands that the system owner pay a ransom in order to decrypt or recover the affected files; failure to do so will result in losing the private key.
These are automated removal instructions for a scenario where everything on your device has been fully encrypted by ransomware, making use of Emsisoft Harasom Decrypter.
This infection makes it difficult to access your documents and programs on your device, because it locks the screen entirely.
In order to bypass this locker, we need to reboot into Safe Mode with Networking. To do this, please perform the steps here.
Windows will now boot into Safe Mode with Networking and prompt you to log in as a user. When you are prompted, please log in as the user that is infected with the ransomware. Now download Emsisoft Harasom Decrypter and copy the file decrypt_harasom.exe to the device.
Double-click on the decrypt_harasom.exe icon to start the program. If Windows SmartScreen issues an alert, please allow the program to run anyway. When the Decrypter starts, you will be shown a screen listing all of the drives detected on your computer, as seen in the image below.
To start the decryption process, please click on the Decrypt button. The Emsisoft Harasom Decrypter will now scan your computer for variants of the Harasom infection and quarantine them. If it detects any encrypted files it will decrypt them and save them in their original location.
When it has finished, please review the results and then close the program. You can now check your data and, if it opens properly, delete the encrypted versions found on your hard drive. As this infection is known to be installed through vulnerabilities in outdated and insecure programs, please make sure the device has updated antivirus software on it.
O4 - HKCU\..\Run: [<Various Names>] %LocalAppData%\<Various Path Names>\<Various Names>.exe
Check these folders: %AppData%\, %AppData%\Video\, %LocalAppData%\, %LocalAppData%\<Various Path Names>\
Check this registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<Various Names>" = "%LocalAppData%\<Various Path Names>\<Various Names>.exe"
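The folder and registry checks listed above can be done in one read-only pass. The following PowerShell is an added example, not part of the original instructions or of any Emsisoft tool; the function names Get-RunEntryPath and Test-UnderProfileData are hypothetical, and it assumes it is run as the affected user so that HKCU and the %AppData% variables resolve to that profile.

```powershell
# Added example: read-only triage of the locations listed above (current user only).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$roots  = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }

function Get-RunEntryPath {            # hypothetical helper
    param([string]$Command)
    # Expand %VAR% references, then isolate the executable path from any arguments.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"')        { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $expanded
}

function Test-UnderProfileData {       # hypothetical helper
    param([string]$Path)
    foreach ($root in $roots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Run values whose target is an .exe under %AppData% or %LocalAppData%.
$runHits = @()
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $target = Get-RunEntryPath ([string]$key.GetValue($name))
        if ($target -like '*.exe' -and (Test-UnderProfileData $target)) {
            $runHits += [pscustomobject]@{
                ValueName = $name
                Target    = $target
                Exists    = Test-Path -LiteralPath $target
            }
        }
    }
}

# 2. Executables directly in the listed folders, plus one level below %LocalAppData%.
$folders  = @($env:APPDATA, (Join-Path $env:APPDATA 'Video'), $env:LOCALAPPDATA)
$fileHits = @(
    Get-ChildItem -LiteralPath $folders -Filter *.exe -File -Force -ErrorAction SilentlyContinue
    Get-ChildItem -LiteralPath $env:LOCALAPPDATA -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Filter *.exe -File -Force -ErrorAction SilentlyContinue }
) | Select-Object FullName, CreationTime, Length

$runHits  | Format-Table -AutoSize
$fileHits | Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

Legitimate software also installs executables and Run entries under %LocalAppData%, so each hit is a candidate to review against what is known to be installed, not a verdict.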