Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


CryptoLocker question

  • This topic is locked This topic is locked
1 reply to this topic

#1 JesterJ


  • Members
  • 5 posts
  • Local time:11:13 AM

Posted 22 December 2016 - 12:03 PM

So i was away from my computer, came back and saw this rubbish has taken over my PC. Done some reading about it and have downloaded Malwarebytes anti malware, that didn't get rid of it.

I already had Avira on my PC so even having that didn't stop it coming through. Now using the Kaspersky Internet Security trial to see if that gets rid of it.

Now, i see that a ton of my files have been encrypted, probably all the important ones as usual. 

What do i do from here? Wait for Kaspersky to finish scanning and then remove it, and my files are now useless? So what do i have to do now reinstall Windows and lose all my files?

This is the note, i just deleted the key if that's even necessary:

"Support e-mails: sysgop01@india.com sysgop02@india.com

Your personal files encryption produced on this computer: photos, videos, documents, etc. Encryption was produced using a unique public key (removed) generated for this computer.

To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that nobody and never will be able to restore files.


To obtain the private key for this computer, which will automatically decrypt files, you need pay 1.9 Bitcoin (~1565 USD)

You can easily delete this software, but you must know that without it, you will never be able to get your original files back.

Disable your antivirus to prevent the removal of this software.

For more information on how to buy and send bitcoins, click 'Pay with Bitcoin'. To open a list of encoded files, click 'Show Files'.

Do not delete this list, it will be used for decryption. And do not move your files."

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,070 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:13 AM

Posted 22 December 2016 - 01:54 PM

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus. Disinfection will not help with decryption of any files affected by the ransomware.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes 3.0, HitmanPro and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.

From the ransom notes, it looks like you are dealing with PClock2. Unfortunately, newer PClock variants are not decryptable so the Emsisoft Decrypter created for earlier PClock variants will not work. Fabian explains why in Post #987.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

There are ongoing discussions in these topic where you can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in one of the above support topic discussions...they include experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users