I've read about it but had never seen it in the 'wild'. My normal strategy when I encounter malware/adware is to run Malwarebytes first and then AdwCleaner. Just to be safe I also run Dr.Web CureIt!. However, in this case, because of the severity of the problem, I started with Kaspersky Rescue Disk 10. I created a bootable CD (on a Mac) with the Rescue Disk ISO file. I booted the PC with the CD, and after a full day of scanning the Rescue Disk had only found a few infected files (see image below). After I rebooted the PC into Windows 7, CryptoLocker was still very much alive.
So I decided to return to my regular Malwarebytes/AdwCleaner strategy. Malwarebytes came up with hundreds of infected files but was not able to remove CryptoLocker. Next I tried booting into Windows Safe Mode. Normally this is F8, but somehow the PC didn't respond to that (due to CryptoLocker?). A bit desperate, I interrupted the next boot process. This gave me the option to Launch Startup Repair (from the Error Recovery window). This brought me to the Advanced Boot Options window, and from there I could start Windows Safe Mode with Networking.
Next I ran Malwarebytes (update first) and AdwCleaner. This time Malwarebytes did detect CryptoLocker and could remove it. From then on it was simple to remove the other unwanted programs. With CCleaner I fixed issues, e.g. with the registry. The PC is clean again; however, all documents (jpg, docs etc.) are encrypted. Luckily my friend had a back-up disk of the documents. I scanned it with Malwarebytes and McAfee (which was on his PC).
|CryptoLocker in the wild.|
|Results of Malwarebytes with Windows 7 in Normal Mode: already 326 infections.|
|Malwarebytes in Safe Mode finally nails CryptoLocker.|
|All documents on the PC are encrypted.|