
CryptoLocker Infection, want to Recover Files

  • This topic is locked
  • 1 reply to this topic

#1 pcpunk



Posted 27 January 2016 - 03:43 PM

Hey guys, I would like to recover some Tax files for my neighbor on his XP machine, HP 6220 Laptop, he has ALS and is disabled.  He has some Tax Files on the machine that I tried to get off but could not.  Don't really need XP as I was going to install Linux on it for him.  He has another pc and I understand XP is no longer Safe to use.
The pc was not very usable until I ran RogueKiller and then Malwarebytes with Rootkits Ticked. I used the directions at this site but stopped at running MBAM.
I can see the CryptoLocker icon Gear on the desktop so I'm only assuming this is what it is. And have the Ransom Note if you need it. I can also see that there are a lot of .ecc File extensions appended to files.
I tried Shadow Copy and Shadow Explorer from bc.com but neither would work. Also looked to see if there was a System Restore for Shadow to use, but none that I could see.
I tried real hard to resolve this before coming here, hope it doesn't make things worse for you.
I also deleted Temp files shown by another Tutorial along with "Show Hidden File" and Un-ticked "Hide extensions for known filetypes".

Thanks a lot guys, I know this work is not easy.

Edited by quietman7, 27 January 2016 - 07:38 PM.




#2 quietman7



Posted 27 January 2016 - 07:39 PM

You are dealing with TeslaCrypt ransomware which includes several known versions with various extensions for encrypted files such as .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .vvv as described here.

A repository of all current knowledge regarding TeslaCrypt, Alpha Crypt and newer variants is provided by Grinler (aka Lawrence Abrams), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

Information for decrypting files with .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, or .vvv extensions can be found here and in this support topic. Instructions on how to recover the key for decryption are also included in TeslaDecoder.zip.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Support for decryption requests can be posted in this topic:

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions, particularly the last if dealing with one of the newer variants. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion... this topic is closed.

I removed your log since I had to move this topic and those logs are not permitted in that forum.
