Remove Torrentlocker Ransomware


If you are seeing the “warning-we have encrypted your files with cryptolocker virus” message, you are infected with Torrentlocker Ransomware!

Torrentlocker can easily be classified as a ransomware infection because it behaves exactly like one. Once it enters your PC, the infection will encrypt all the files on it and display a full-screen message saying that you need to pay a certain amount of money to obtain a private key for decrypting your files. To put even more pressure on you, you will be given a time limit and warned that the key will be destroyed unless you make the payment in time. This makes the whole situation rather stressful, so it is in your best interests to take measures against Torrentlocker immediately.

How did I get infected?

What all infections have in common is that some activity by the user is necessary for them to spread. This means that if everyone is careful when they are on the web, they will not have to deal with malware. Of course, it also matters how well the system is maintained. So, a properly maintained PC together with safe browsing habits is the winning combination for an infection-free system. Torrentlocker is most often spread through ads promoting system optimizers, program updates, and other software. Hence, clicking such ads may lead to infecting your system with Torrentlocker. It is also possible that the infection is distributed as an attachment to spam emails, with which you should also be careful.

Why is this Dangerous?

The consequences of having the Torrentlocker infection on your computer may vary according to the files you store on it. For example, if you keep important documents, account details and passwords, you will suffer a great loss because the encrypted files cannot be restored unless you have backed them up. Even the offered private key will not help you because it is most likely to be fake. What is more, all this important information can be misused if it falls into the wrong hands. If your PC has been infected with Torrentlocker, you have to make sure you remove the virus as quickly as possible, and remember to do regular system back-ups to prevent data loss in the future.

How to Remove Torrentlocker?

From Windows 7 (Win 8 instructions are further below)

  • Make sure you do not have any floppy disks, CDs, or DVDs inserted in your infected computer.
  • Restart the computer.
  • When you see a table, start tapping the F8 key every second until you enter the Advanced Boot Options.
  • In the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER.
  • Once the operating system loads, press the Windows Logo Button and the R key simultaneously.
  • A dialog box should open. Type iexplore www.virusresearch.org/download-en
  • Internet Explorer will open and a professional scanner will start downloading.
  • Follow the instructions and use the professional malware removal tool to detect the files of the virus.
  • After performing a full scan you will be asked to register the software. You can do that or perform a manual removal as shown in step 2.

From Windows 8

Start Your Computer into Safe Mode with Networking

  • Make sure you do not have any floppy disks, CDs, or DVDs inserted in your computer.
  • Move the mouse to the upper right corner until the Windows 8 charm menu appears.
  • Click on the magnifying glass.
  • Select Settings.
  • In the search box type Advanced.
  • On the left, Advanced Startup Options should appear.
  • Click on Advanced Startup Options.
  • Scroll down a little bit and click on Restart Now.
  • Click on Troubleshoot.
  • Then Advanced options.
  • Then Startup settings.
  • Then Restart.
  • When you see the Startup Settings screen, press F5 – Enable Safe Mode with Networking.
  • Once the operating system loads, press the Windows Logo Button and the R key simultaneously.
  • A dialog box should open. Type iexplore www.virusresearch.org/download-en
  • Internet Explorer will open and a professional scanner will start downloading.
  • Follow the instructions and use the professional malware removal tool to detect the files of the virus.
  • After performing a full scan you will be asked to register the software. You can do that or perform a manual removal.
  • To perform manual removal you need to follow the steps below.

STEP 2: Locate the virus start-up point

While in Safe Mode, simultaneously press the Windows Logo Button and “R” to open the Run command.

Type “services.msc”, carefully review all services, and disable any that look suspicious.

Open your Windows Registry Editor.

Navigate to the following registry keys and delete the listed entries:

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ksdqnxis, C:\ProgramData\lsjfneds.exe

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ksdqnxis, C:\ProgramData\lsjfneds.exe

Or, if you are using a 64-bit operating system, the registry keys will be:

HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ksdqnxis, C:\ProgramData\lsjfneds.exe

HKCU\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ksdqnxis, C:\ProgramData\lsjfneds.exe

Please note that the file names are random and yours might be different.

Restart Windows.
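
Because the entry and file names are random, it helps to list everything in the four Run keys above instead of searching for one name. The following PowerShell script is an added example, not part of the original guide; the function name Get-RunEntry and the "executable directly in C:\ProgramData" heuristic are assumptions based on the sample entry shown in this step.

```powershell
# Added example: read-only audit of the Run keys listed in STEP 2.
# It deletes nothing; confirm each flagged entry by hand before removing it.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunEntry {   # hypothetical helper name
    param([string[]]$KeyPath)
    foreach ($key in $KeyPath) {
        if (-not (Test-Path -LiteralPath $key)) { continue }  # key absent on this system
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # Pull the executable path out of the stored command line.
            if     ($data -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
            elseif ($data -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
            else                                   { $exe = $data.Trim() }

            $dir = $null; $sig = 'file not found'
            try {
                $dir = [IO.Path]::GetDirectoryName($exe)
                if (Test-Path -LiteralPath $exe -PathType Leaf) {
                    $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
                }
            } catch { }   # malformed path: keep the defaults

            # Assumed heuristic: an .exe sitting directly in C:\ProgramData,
            # as in the guide's lsjfneds.exe example, deserves a closer look.
            $flag = [bool]($dir -and ($dir.TrimEnd('\') -eq $env:ProgramData.TrimEnd('\')))

            New-Object PSObject -Property @{
                Key = $key; Name = $name; Command = $data
                Signature = $sig; InProgramDataRoot = $flag
            }
        }
    }
}

Get-RunEntry -KeyPath $runKeys |
    Sort-Object InProgramDataRoot -Descending |
    Format-Table InProgramDataRoot, Signature, Name, Command, Key -AutoSize -Wrap
```

Entries flagged True with a Signature of NotSigned are the ones to compare against the pattern shown above; a flag alone does not prove an entry is malicious.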

STEP 3: Restore Encrypted Files

There are several methods you can use; however, nothing is guaranteed.

Method 1 – recover the encrypted files by hand:

You can try to use the built-in Windows feature called System Restore. By default the System Restore feature is automatically turned on. Windows creates shadow copy snapshots that contain older copies since the system restore was performed. These snapshots will let you recover a previous version of your file; although it will not be the latest one, you can still recover some important information. Please note that Shadow Volume Copies are only available with Windows XP SP2, Vista, Windows 7 and Windows 8.

Method 2 – partially restore the encrypted files by using Microsoft Office junk files:

Basically you need to show your hidden files. The fastest way to do that is:

  1. Open Folder Options by clicking the Start button.
  2. In the search box type “FOLDER OPTIONS”.
  3. Select the View tab.
  4. Under Advanced settings, find Show hidden files and folders, select it, and then click OK.

In the picture above I marked two hidden files. You are interested in every file that looks like ~WRL382.tmp. This is actually a Microsoft Office junk file that contains the previous version of the Word document itself. The Cryptowall parasite will not encrypt these files. The name of the file will be unknown, but you can recover a lot of lost documents using this method. This can be utilized for Microsoft Word and Microsoft Excel. In addition, you can try to match the file sizes in order to figure out what is what, and eventually you can restore a slightly older original document.

The picture on the left shows another way to locate the files in question. All you have to do is hit the Start button and type *.tmp. You will be presented with a list of all the temp files located on your computer. The next thing is to open them one by one with Microsoft Word/Excel and recover the lost information by saving it to another place. You can do that by opening a new instance of MS Word/Excel, selecting Open through the File menu, and then navigating to the location of the TMP file.
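
The search described in Method 2 can also be done in one pass with PowerShell. This is an added example, not part of the original guide; it goes slightly beyond the text by reading the first bytes of each file to tell whether it is an Office document container, and the function name Get-OfficeTempCandidate and the default search root (the user profile) are assumptions.

```powershell
# Added example: list hidden Office temp files (~*.tmp) with size and date,
# and mark the ones whose header matches a Word/Excel container. Read-only.
function Get-OfficeTempCandidate {   # hypothetical helper name
    param([string]$Root = $env:USERPROFILE)   # assumed search root
    Get-ChildItem -Path $Root -Filter '~*.tmp' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Length -ge 8 } |
        ForEach-Object {
            $f = $_
            $kind = 'unknown'
            try {
                # Open shared so a file still held by Word/Excel can be read.
                $fs = [IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite')
                try {
                    $buf = New-Object byte[] 8
                    [void]$fs.Read($buf, 0, 8)
                } finally { $fs.Close() }
                $hex = [BitConverter]::ToString($buf)
                # OLE2 compound file = legacy .doc/.xls; ZIP = .docx/.xlsx
                if     ($hex -eq 'D0-CF-11-E0-A1-B1-1A-E1') { $kind = 'OLE2 (.doc/.xls)' }
                elseif ($hex.StartsWith('50-4B-03-04'))      { $kind = 'ZIP (.docx/.xlsx)' }
            } catch { $kind = 'unreadable' }

            New-Object PSObject -Property @{
                Kind = $kind; SizeKB = [math]::Round($f.Length / 1KB, 1)
                LastWriteTime = $f.LastWriteTime; Path = $f.FullName
            }
        }
}

Get-OfficeTempCandidate |
    Sort-Object LastWriteTime -Descending |
    Format-Table Kind, SizeKB, LastWriteTime, Path -AutoSize -Wrap
```

Copy a candidate to another drive before opening it in Word or Excel, so the original temp file stays untouched while you compare sizes and dates.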

Method 3 – Decrypt Encrypted Files

Unfortunately, there is currently no way to decrypt files encrypted by Torrentlocker unless you pay the ransom. Please consider this the very last option, because you might be funding further criminal activities.
