
Wednesday, January 14, 2015

How to Remove CryptoWall 3.0 Virus and Restore Encrypted Files

CryptoWall 3.0 is an updated version of the CryptoWall 2.0 ransomware. Just like the previous version, it encrypts your files and then demands a ransom of $500 USD, 500 EUR or 0.5 Bitcoin in exchange for a decrypter. It really does encrypt your files; it's not a fake warning or a joke. CryptoWall 3.0 uses new TOR-to-Web gateways: torforall.com, torman2.com, torwoman.com, and torroadsters.com. Of course, there are many more gateways, so yours might be completely different. However, they all redirect infected users to the same web page with payment instructions, each with a unique ID used to track payments. What's interesting, though, is that you no longer need to download the TOR browser in order to open the CryptoWall 3.0 decryption web page. The cyber crooks have also extended the deadline from 5 days to one week, so you now have one week to pay the ransom. After a week, they double the price from 500 USD/EUR to 1000 USD/EUR.


Additional files explaining how to pay the ransom and get your files back are created on infected computers as well. HELP_DECRYPT.HTML opens your web browser and displays all the information about the virus, encryption methods and payment options. HELP_DECRYPT.PNG contains more information about the virus. HELP_DECRYPT.TXT shows the same information as the previous file, just in plain text. HELP_DECRYPT.URL loads your default browser and displays the CryptoWall 3.0 Decrypt Service when you log in to Windows. These are the main changes. Everything else is pretty much the same. You don't have to be an academic or a brain surgeon to know that, if you use a computer on a regular basis, this ransom virus poses a very real threat to your online safety and, most importantly, your data. But even if you are aware of this fact, how certain can you be that you're protecting your business or personal data as well as you can?

No two pieces of malicious software are the same, even the ones that fall under the same category, and as technology and anti-malware programs become increasingly advanced, so too do viruses and malware. Malware developers, hackers and shadowy third parties who pay good money for stolen data are often one step ahead and increasingly use some incredibly sophisticated techniques in an attempt to steal your information or your bank details, or even just to cause computer issues for you, just for fun!

How does the CryptoWall 3.0 virus work? Well, once installed, it starts to encrypt your files in the background and sadly most people do not realize this ransomware virus is on their computer until it displays the ransom note and your files have already been encrypted. The ransom note is a simple HTML file with instructions on how to pay the ransom and get your encryption key. It's not a joke, it's a very serious problem. Here's how the HELP_DECRYPT.HTML reads:

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

CryptoWall 3.0 uses the RSA-2048 encryption algorithm to encrypt your files. Cyber crooks don't lie. This has been confirmed by multiple sources. Once your files are encrypted, it deletes the original files, and if you don't have backups there's really not much you can do to get them back. Your last option is to use software that tries to restore files, or parts of files, from Windows shadow copies. For more information, please read the removal guide below.

Its main goal is to attack and encrypt the personal files that are valuable to you. It encrypts various files: not just MS Office documents but also images, audio files and pretty much everything else it finds on your computer. Such viruses are sneaky and stealthy and will install themselves on your computer by pretending to be something that they're really not, i.e. something harmless and useful. They are also distributed via infected websites and fake emails. How ironic is that?

Unfortunately for us, no matter whether you're a home user or you're responsible for safeguarding a company network, the ransomware threat is only growing, both in frequency and in terms of sophistication. The previous versions of this virus encrypted more than 5 billion files. So how do you protect yourself against CryptoWall 3.0?

So what should you do if your files have been encrypted? Easy to say, but try not to panic, and most definitely do not pay any money unless the encrypted files are very important and you can't afford to lose them. If the encrypted files are not very important or you don't have money to pay the ransom, you can try to restore your files (at least some of them) using Shadow Explorer and the specialized tools listed below. Please note that even if you decide to pay the ransom, there's really no guarantee that cyber crooks will recover your files.

If you have any questions, please leave a comment below. Last, but not least, if there's anything you think I should add or correct, please let me know. It might be a pain but the issue needs to be dealt with – and the way to do it is by not giving in, not paying up and not letting the attackers win.

Written by Michael Kaur, http://deletemalware.blogspot.com


Step 1: Removing CryptoWall 3.0 and related malware:


Before restoring your files from shadow copies, make sure CryptoWall 3.0 is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove detected malware.





2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by CryptoWall 3.0 virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.
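
An added example, not part of the original post: a Python script that inventories the HELP_DECRYPT note files named above to show which folders were hit and when the first note appeared, then picks the newest shadow copy date that predates it for step 2 of Method 3. The function names, the one-hour safety margin, and the sample folder tree and snapshot dates are assumptions constructed for illustration.

```python
import os
import sys
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Note file names listed in the article; matched case-insensitively.
NOTE_NAMES = {"help_decrypt.html", "help_decrypt.png",
              "help_decrypt.txt", "help_decrypt.url"}


def find_ransom_notes(root):
    """Map each folder under root that holds a note to its earliest note mtime."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in NOTE_NAMES:
                continue
            try:
                stamp = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # unreadable entry: skip it and keep scanning
            when = datetime.fromtimestamp(stamp)
            if dirpath not in hits or when < hits[dirpath]:
                hits[dirpath] = when
    return hits


def first_seen(hits):
    """Earliest note timestamp overall, or None when no notes were found."""
    return min(hits.values()) if hits else None


def pick_snapshot(snapshots, first_note, margin=timedelta(hours=1)):
    """Newest snapshot taken before (first_note - margin), or None.

    The malware was already running when it wrote its first note, so a
    snapshot taken just before that moment may already hold encrypted
    files. The one-hour margin is an assumption, not a measured value.
    """
    if first_note is None:
        return max(snapshots, default=None)
    cutoff = first_note - margin
    return max((s for s in snapshots if s < cutoff), default=None)


def _touch(path, when):
    """Create an empty file and set its modification time (demo helper)."""
    path.write_bytes(b"")
    os.utime(path, (when.timestamp(), when.timestamp()))


def demo():
    """Run the inventory on a constructed tree with constructed dates."""
    infected_at = datetime(2015, 1, 12, 15, 0, 0)
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "Documents")
        pics = Path(tmp, "Pictures", "2014")
        music = Path(tmp, "Music")
        for folder in (docs, pics, music):
            folder.mkdir(parents=True)
        _touch(docs / "HELP_DECRYPT.TXT", infected_at)
        _touch(docs / "HELP_DECRYPT.HTML", infected_at + timedelta(minutes=1))
        _touch(pics / "help_decrypt.png", infected_at + timedelta(minutes=20))
        _touch(music / "song.mp3", infected_at - timedelta(days=30))
        hits = find_ransom_notes(tmp)
        affected = sorted(Path(d).relative_to(tmp).as_posix() for d in hits)
    first = first_seen(hits)
    # Constructed snapshot dates, as they would be read off the
    # Shadow Explorer drop-down list.
    snapshots = [datetime(2015, 1, 5, 9, 0),
                 datetime(2015, 1, 12, 14, 30),
                 datetime(2015, 1, 13, 9, 0)]
    return affected, first, pick_snapshot(snapshots, first)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = find_ransom_notes(sys.argv[1])
        for folder, when in sorted(found.items(), key=lambda kv: kv[1]):
            print(when.isoformat(sep=" "), folder)
        print("first note:", first_seen(found))
    else:
        print(demo())
```

Run it with a folder path to list the affected folders in the order the notes appeared; with no argument it runs the constructed demo, where the 14:30 snapshot is rejected because it falls inside the margin before the first note.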

86 comments:

Anonymous said...

Thank you so much. Shadow Explorer got me all the Excel files I really needed.
I can't be more thankful.

Greetings from Argentina.

Anonymous said...

I've Windows XP SP3 and shadow explorer does not work on my system, so how can I decrypt files.

Thanks

Anonymous said...

I was hit with CW 3.0 last week and think I've traced it to a download of Java 8. I'm running Windows 7 Pro and have utilized the steps above. Restore points have been seemingly erased and only offer two dates since the system was cleaned of the infection, and Shadow Explorer will only bring up those dates also.

I've even tried the decryption recommendations for 2.0 using Kaspersky.

Is the only option at this point paying for their key? I have data files that I cannot afford to lose.

Thanks,

Anonymous said...

Hi, ..For windows 2000 no tool? or solution? help

Admin said...

Shadow Explorer doesn't work on Windows 2000. If you don't have backups and Windows file restore programs didn't help you then I'm afraid there's nothing much left to do. Of course, you can try to pay the ransom but I don't recommend doing this unless those files are very very important to you.

Anonymous said...

Hi, I tried to download the anti Malware for CW. But my computer showed my security setting does not allow to down load. What do I need to do ?
Thank you.

Anonymous said...

"Anonymous said...
Hi, I tried to download the anti Malware for CW. But my computer showed my security setting does not allow to down load. What do I need to do ?
Thank you. "

Try going to IE. Tools>internet options>Security. make sure it's on Default level. Or, if you've customized your security, make sure "download files" is checked.

Anonymous said...

Is there a software specialized to free those encrypted files, that you or someone else use?

Anonymous said...

I got hit with this 3.0 as well. I tried to use Shadow Explorer but nothing shows up in the windows. No drive letters....just nothing.

Fran said...

Hi! I am not worried about losing the files on my computer. They are all school related, and on an online database. Would it work to just delete all files?

Admin said...

@Fran, yes, but make sure you also remove the virus and all related malicious files from your computer. Or even better format your hard drive and perform a clean Windows installation.

Riwan Fery Fendi said...

Shadow explorer restore only files in C drive. When I run it, any other drive (D, E, ...) did not appear.

Anonymous said...

Hi Admin

Does Shadow Explorer only restore files in C drive?

Admin said...

Shadow Explorer might not detect other drives, only C.

Anonymous said...

can i fix my files after i format my computer?

Anonymous said...

okay...here is something that might help you guys, it helped me. it didnt get rid of the virus, but i was able to recover my files. Right click on the folder your files are in, or the file itself... then click "restore previous versions". Shit worked like jesus...JESUS.

Admin said...

No, you won't be able to fix your files if you format your computer.

Anonymous said...

oh ok..thanks for the information..i have formated my computer..then i must let my files go...

Anonymous said...

I have an encrypted file and the file before it was encrypted. Is there some way to compare the 2 and extract the key?

Arlene Geiger said...

How can I use my computer after this infection? Will it keep encrypting new files I put on the computer? Is there any way to completely remove this malware?

Admin said...

@Arlene Geiger,

Don't put new files on your computer while it's still infected. You need to remove the virus first.

Micheal Pena said...

Can I decrypt photos, videos and music with Shadow Explorer?

Maghi NanZ said...

My infected files are not too important, but there's too much junk this virus created, like Help dec, Help dec.txt and many more.

Can you give me some advice on removing this junk with a tool?
Or do I still have to delete it all manually?

Admin said...

@Maghi NanZ, Try Malwarebytes and Hitman Pro.

Anonymous said...

If your files don't matter, the easiest and most sure way to fix issues caused by a virus is a full factory restore.

Yammii said...

Hi,

We got hit by Crypto 3.0 last Friday and just when I thought all hope was gone - I right clicked on every folder in my network and used the "Restore to Previous Version" command. I RECOVERED EVERYTHING!!! More than 20 years worth of work. We only lost about three days which is minimal compared to the original disaster.

I had tried the "Restore to Previous Version" after the attack but I was clicking on the entire network folder and it wouldn't give me options. Today I decided to try folder by folder and it worked!

I hope this helps... :)

Anonymous said...

We just got hit with this sometime last week too. Same story, no restore points, nothing at all of "restore Previous Versions". I used just about everything I could get my hands on: Previx Rootkit Scanner (which has changed names), TDDSS Killer, Malware Bytes. I just saw in here about someone doing a folder by folder restore and lo and behold! It's restoring to a previous version now!

Matnation said...

Shadow Explorer is blank in the drop down, I can't choose a drive....nothing there....Why? Anyone know?

iybutt said...

i have a different problem. actually when i got that virus..i format the c_drive and install new window.but the my other files e.g jpeg and video are corrupted...how i will restore them. please help me..

my data is quite expensive.

cheers

Loren Lost said...

Hi & tyvm for the informative Blog!!
I am in the process of removing the CW 3.0 I was infected w/ a few hours ago.
lucky for me I have backups, I just need to be sure I've got all of the malware out!! running the ESET scanner now so we'll see how it goes..

Thank you, Loren

Anonymous said...

Help, I have the crypto virus on my computer and it has encrypted my files. However I notice my turbo tax program I can open and all the info is in there. Can I save the file to a disc or flash drive and it would be safe to open once I wipe my computer clean? I hate to start from scratch on taxes. A quick response would be so appreciated because computer is going to be wiped clean tomorrow. If I can save info to a disc and it not infect computer when I open it will be wonderful!

Anonymous said...

My computer is infected with crypto. My turbo tax seems to be untouched. Can I save the file to disc and run it on an uninfected computer without it infecting the computer?

Yammii said...

I would save the file externally but before re-opening, scan it for viruses or scan the external drive.

Sandi O said...

I got zapped last night. I loaded SpyHunter which detected and deleted the virus. My files are still encrypted. I can't right click to previous versions. I don't have any previous entries to restore to. I also (sadly) do not have a recent back up. Any other suggestions?

Admin said...

Sandi O, have you tried Shadow Explorer? Because it's the only program that can restore at least some of your files if you don't have a recent back up.

Yammii said...

Sandi, did you try to click on folder by folder and RESTORE to PREVIOUS VERSION? When I originally tried to restore one entire folder, it did not work. I then opened this folder and went folder by folder and it worked. I restored everything, thank Goodness... We run a Windows 7 Server and the Shadow Explorer did not work for us - either on the server or from the machines... Good luck.

Anonymous said...

I paid and it Did not decrypt anything. I have now lost my job. If you can't restore don't pay its only a 50/50 shot of you getting your stuff back.

dazedandconfused said...

I ran this and it took 24 hrs because my gateway is 10 years old. It finally completed then asked me if I wanted to resolve a few issues on the web and I said yes. After a while it just closed. During the scan it found 358 threats but I never got the screen to fix them. Is there a way to reaccess the results screen? When I reopened the application it just started another scan from the beginning automatically which I aborted.

Admin said...

@dazedandconfused, I'm afraid you will have to run a system scan again.

Anonymous said...

To those who have WinXP or older all I can say is "Are you kidding me?"

Something else to keep in mind, if you have files that you can't afford to lose you should be backing these up on a regular basis to an external source (i.e. thumbdrive or external harddrive).

Thanks for the post and instructions. Would like to see more of this type of thing on this blog.

Yuri

Anonymous said...

Restore file from earlier version worked thank you thank you

dazedandconfused said...

So the malware remove has been running on my old windows xp now for 12 hrs and is 68% completed checking files but I am getting some error messages like drwtsn32.exe.exe - application error message that states the application has failed to initialize properly (0xc000142. click ok to terminate the application. Is that referring to a drwtsn32 application and pressing ok will terminate that application or will pressing ok terminate your malware scan which is now over 70% complete? Thank you.

Admin said...

@dazedandconfused, drwtsn32.exe.exe is a part of a Windows program called Dr. Watson used for debugging. It doesn't belong to the malware removal software. So, it shouldn't stop the scan. But I can't say for sure.

dazedandconfused said...

I am going to just close the boxes without pressing ok to see if that works so I can complete the scan and hopefully get to the screen then lets me click Fix errors. Thanks for your input

Jo said...

Thanks so much for the instruction and helpful comments! Several specialists had already given up on my old computer including all files due to Cryptowall 3.0... 'Restore previous version' was the recipe for folders :) single files didn't have one :( But the main data is saved, thanks to you!

dazedandconfused said...

3rd attempt to complete scan was successful. It took 55 hours and finally displayed the fix threats button, which I selected. Then I was taken into your ransomware and forced to purchase your product which I did. I then went back and selected fix threats again and it forced me to the activate now settings screen which I did and was successful. Now I am just sitting on that activate screen and on the left the registry scan option is yellow highlight but my scan results option is no longer listed. I don't know if it is fixing threats because it stayed on the successful activate now setting screen. If I lose my scan results and am not able to fix threats now or it is not running and you forcing me through those other steps lost my scan results and ability to fix them then I will cancel payment. I submitted problem ticket online thru my new account but it says it will take 24-48 hours for followup. Not impressed and not surprised.

Confused by Linux said...

I encourage everyone to try a Linux distro. Use it as a dual boot to browse the web. While its not malware proof its safer compared to Windows in general. Versions like Lubuntu or LXLE or MINT work on older hardware.

In addition always back up important files to a external hard drive and the cloud. Disconnect your hard drive after backing up and do NOT connect it if you suspect you've been compromised. Rather format your hard drive and reinstall Windows. Run a scan also. Linux can be installed through Windows or better yet by partitioning your hard drive. NTFS for Windows and Ext 4 for Linux.

Jia Rizaira said...

After get infected, I just format my windows. But then, my document still cant open. How to recover it back? Please help me...

Admin said...

@Jia Rizaira, don't format your hard drive because you won't be able to restore your files. Try Shadow Explorer first.

Anonymous said...

I went looking through my files on my external hdd, and interestingly enough, bitmap and .png images were not affected by the virus. Also, .json files for minecraft were not affected either, which could be used as a cheap backup system that is impervious to this type of threat.
However, there is a comment that I have seen, and I agree with it, that one should be able to take an unencrypted file along with its encrypted counterpart to find the encryption keyword.
Also, is there a way to change the attributes of a file? Even though the files are encrypted, Windows does not see them as such, which I think is to keep people from using the Windows encryption software to decrypt it. I would like to see what I could do if I cause my files to have the encrypted attribute.
Thanks for your time.

Anonymous said...

Hi, I see restore to prev. version... Can I on folder, my documents on c: and on user name (user is on network...). Can I try restore full user, full my doc., full content of folder or doc. by doc. ??? Thanks from Croatia.

Jeff Kitchen said...

jbkitchen said...I have tried using Shadow Explorer but after exporting files to my Desktop they don't open correctly. I tried PDFs, Word docs and Excel sheets. I get errors instead. Any advice?

Thanks!

Anonymous said...

How can I change disk from C to other? And I have only files to april 24 ;/

Mathew Pinard said...

http://blogs.cisco.com/security/talos/cryptowall-3-0

Just in case some of you are not aware, this analysis indicates that Cryptowall 3.0 might disable Shadow copy upon install and remove this method of recovering files. So don't rely on Shadow Explorer to save you, and backup any files you cannot afford to lose. And if you don't, it looks like you'll be buying bitcoins in the near future.

Good luck everyone.

Anonymous said...

After googling my little heart out I tried 'TDDSS Killer' and it seemed to have removed the virus that I got from the stupid AFP traffic infringement email. All of my files are still encrypted though, if anyone has any more suggestions PLEASE HELP!! I can not see any 'restore to previous version' anywhere.
Am about to google linux... :(

Anonymous said...

I also got caught by the AFP traffic infringement virus. All jpeg, pdf and doc files on my laptop now have the extension "encrypted" after them. Eg. "doc.encrypted" and can't be accessed. Can't do a system restore as there are no restore points prior to the virus. I have removed the virus, but everything remains encrypted. Has anyone beaten the encryption for the AFP traffic infringement virus, and if so, please advise how? Thanking you!

Marius M said...

Thank you all for the Shadow Explorer suggestion it worked like a charm!!!

Anonymous said...

If I manually remove and replace the infected files - will I still have to re-format the disk?

Admin said...

It would be better to reformat the disk.

Anonymous said...

I got this virus from an email posing as a resume for a position with my company. I felt like an idiot after I opened it and immediately received the message listed above. I found this page, bought the SpyCleaner, and followed all listed suggestions. Nothing worked...UNTIL I read this in the comments section

"okay...here is something that might help you guys, it helped me. it didnt get rid of the virus, but i was able to recover my files. Right click on the folder your files are in, or the file itself... then click "restore previous versions". Shit worked like jesus...JESUS."

Using the right click and hitting restore previous versions WORKED!!!! OMG, now I can breathe. THANK YOU!

Anonymous said...

Okay, I am no longer getting the message about my settings not allowing the download. But unfortunately it's saying that it cannot be downloaded, regardless of the message. All help will be accepted!

Anonymous said...

has Anyone who paid the bitcoins received their data back?

Admin said...

Try to download anti-malware program using a different web browser or restart your computer in safe mode with networking and try again.

Anonymous said...

Help, I've the crypto virus affected all the files on my external hard drive. I can access my files which are on my laptop as they were not encrypted, my laptop is protected by AVG anti-virus. I've done a full scan on my laptop and it seems to be fine..I hope I don't need to be worried about that now. It's all my back up files on my hard drive that need to be decrypted...please help. Appreciate your kind assistance.

Marwen said...

Shadow Explorer didn't offer me any date but today, is this because I don't have any back ups? Thanks for all these comments, but I still look for a miracle

Anonymous said...

As the virus works by making a copy of your files encrypting them, and deleting the originals, you could try software that undeletes files from your hard disk.

I know that some people are working on a way to figure out the private key that is used to encrypt the files, based on the fact that it is your computer that generates the key and sends it to the criminals' server. And your computer cannot generate a truly random key, it will be loosely based on the system clock value at the time you were infected. This means that you could save the earliest versions of the help_decrypt files to know the date and time of infection, and attempt to use software to try all the random numbers around that time as potential keys. However, I haven't found any software that has solved this yet.

I didn't realise that my computer was infected until well after a week had passed, so even paying these crooks isn't an option for me. Lets hope the FBI finds them and puts them away permanently.

siew leng said...

Hi, I just realized that all my files had been encrypted by the cryptowall 3.0 virus. I tried the malwarebyte and hitman. They detected 3000+ viruses in my computer. Unfortunately, it doesn't remove/delete/repair the files. I want to restore my files and remove the virus. I tried to use the spyhunter and it detected 500+ threats..and I need to buy the full version to fix it. I'm a student and have no money :'( I'm in my Final Year Project and need to finish it as soon as possible..All my data and pictures have been infected with the virus..I really 1000000000000000x need your help..please :'( your response is very important to me :'(

Admin said...

@siew leng, Malwarebytes should be able to remove this virus from your computer. As for your files, you basically have three options: restore from previous file versions or use Shadow Explorer and Recuva. These programs are free. They work in a slightly different way, so I suggest you to use both.

Aroma said...

I've Windows XP SP3 and shadow explorer does not work on my system, so how can I decrypt files.

Anonymous said...

I have windows 7 and the data encrypted is on an external hard drive. can someone please suggest how to restore my files

Anonymous said...

I have XP SP3, the free antivirus AVAST cleared the virus in few hours.
I have no problem with the encrypted files, excell and word, i have two external back ups of all my software.

Aging Ophelia said...

Malwarebytes didn't even detect this for me until I had begun finding it everywhere. Then, Malwarebytes and Spybot each found a few pieces-- but to get it off of my computer, I had to literally go into every nook and cranny of every file and delete each one, and its shortcut, separately. It took 2 days+. That, I used Spybot for-- but I'm still stuck with all of my novels, stories, and lyrics & pics encrypted-- it even worked over my kindle books, amazon music downloads, and made it into some backup files and the recovery drive. I don't know if it made it through the partition, but that seems likely!

And it was fast-- one day, I didn't have it, the next, it was everywhere. I have Webroot (paid) and free versions of Malwarebytes and Hijack this, all of the time-- none of them caught it.

Anonymous said...

I just want to say that while our hired out IT was getting ready to pay these crooks, I found this website and followed the instructions. We used Malwarebytes to delete the virus and the shadow program to restore the files. We were infected 3:00 Monday and were back up and running by noon today. My hats off to all of you brilliant people who added their knowledge to this blog!!!

Anonymous said...

My project manager's computer got hit with this virus and I've been attempting to download malwarebytes and a few others as well and every time the download is interrupted and I am unable to download the anti-malware. Any suggestions?

Admin said...

Use another computer to download anti-malware software and then transfer it to the infected one using USB flash drive. Or you can restart your computer in safe mode with networking and try to download anti-malware from there.

Robert Likas said...

Will Avast virus software check and remove all cryptowall virus from folders and files when a deep scan is run?

Admin said...

@Robert Likas, I haven't tried Avast but I'm pretty sure it detects CryptoWall ransomware.

Sanjo said...

Hello,

Restoring previous versions of my encrypted files have failed, it shows no previous versions.
And the encrypted files were not in C:/ ,So as I had guessed, ShadowExplorer did not work as well.
I've read comments of people paying and nothing is recovered. And I can't risk that.

My files are important and sadly still encrypted.
I'm out of ideas.

Is there any harm keeping the encrypted files ? Hoping a solution to fit my problem will ever be released ?

SOS!

Admin said...

Hi Sanjo, There's no harm, encrypted files are not malicious. You can try Recuva data recovery tool which is free and at least in theory should be able to recover some of the files. There are other data recovery tools available as well, use Google to find them.

anonymous said...

My computer got hit yesterday. I brought it to IT store and they are not hopeful. I have not had a chance to try restore method noted above. I will ask IT to try it. Family pictures with no recent backup. Is there any sense in making a copy of all the encrypted files and wait for a solution in the future? Is it possible a few years from now cracking the encryption will be possible?

Admin said...

@anonymous, you can try data recovery software like Recuva (free) or some other applications (mostly paid, google data recovery). Shadow Explorer is an option too but only if the virus leaves shadow copies on your computer. Certain variants of this virus remove shadow copies thus making Shadow Explorer useless. As for encrypted files, sure you can make a copy and wait for a solution. I don't think it can be cracked (unless you have a super computer) but I know two cases when cyber criminals made private decryption keys public (not sure why) and there was also one successful attack against servers controlled by cyber criminals and as a result all decryption keys were leaked. All in all, try data recovery software or just wait for possible data leak.

Ivy Rose Rosales said...

My laptop was infected with this HELP_DECRYPT ransomware but I did not notice it at first. When I saw that almost all my folders have this kind of file, I tried to delete some and then shut down my laptop. Next day when I tried to use it, I cannot continue since my laptop is malfunctioning, switching screens from desktop to blank to the start menu then blank again. Thus I cannot perform anything to stop the malware. Any tips you can recommend to fix this? Thanks!

Anonymous said...

after my laptop was infected by HELP_DECRYPT, I save my files on a hard drive and reformat my pc. is there a possibility that i can still recover my original files?

Admin said...

There's a slight chance that cyber criminals will make encryption keys public just like CryptoLocker authors did last year allowing all victims to decrypt their files.

Angel said...

I got the ransom HELP_DECRYPT on my computer a year ago and haven't needed my photos and videos until now. I did try a few things to get them back, but nothing worked then. There was a program that I downloaded that as I was in the program and clicked on my photos I could see them, but once I got out of it, they were gone. It was weird, almost like they were clouded. I'm attempting to get my stuff back now and have done step 1, but I've since upgraded to the new Windows 10 and Shadow Explorer only goes back a couple months. Now what do I do?

Admin said...

Hi Angel, you can use Recuva and PhotoRec. Both programs are free and may help you to restore at least some of your files. They are designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures. Since the virus encrypted your files you can't just encrypt. Your best bet would be to use these two programs to find previous versions of your files before they were not encrypted and export them.