
New PClock CryptoLocker Ransomware discovered


1150 replies to this topic

#31 Kelz Clive

  • Members
  • 17 posts
  • Gender:Male
  • Location:United States

Posted 06 January 2015 - 09:56 PM

I have an interesting one here. I have a customer's computer and it has been encrypted by CTB-Locker. It has changed all the file extensions to ".dxgqqxc". I haven't seen this one before. I will check tomorrow on any replies.
 
Thanks in advance.





#32 juanrra

  • Members
  • 1 posts

Posted 07 January 2015 - 07:05 AM

PClock VB6 Cryptolocker Patcher

 

[Image: vbcl.png]

 

Link: http://download.bleepingcomputer.com/Nathan/CryptolockerVB6_Patcher.exe

 

This patcher was made to help victims of PClock Cryptolocker (VB6 CryptoLocker) get their files back. This patcher works with both versions of the infection. As Fabian said above, this patcher will only work if you still have the infection present and running on the machine. If you no longer have the infection on the machine you can download it again from the URL below:

Hxxp://invisioncorp.com.au/scripts/wl/cl.exe

(THIS LINK DOES CONTAIN AN INFECTION! DO NOT DOWNLOAD UNLESS YOU HAVE ALREADY BEEN INFECTED BY THIS INFECTION AND HAVE REMOVED IT!)

If you do not want to deal with downloading an infection and you have accidentally removed your infection, you can wait for Fabian to come out with a Decrypter for the new version.

 

If you have run Fabian's decrypter, you will need to not only install the infection again, but also rename all backed up encrypted files back to their original names before running my patcher.

 

If you are a victim that just got this infection and it is still on your machine and you have not tried Fabian's decrypter, you may ignore all the above comments.

 

Instructions:

 

1.) Make sure the infection is running and you can see the main screen of the infection (Says 'Your Personal Files Have Been Encrypted').

2.) Download the patcher and place it on your desktop or similar location, and run the application.

3.) You will see an application that looks like the image above; simply click on "Patch!" to begin. (If you get errors at this step, ensure the infection is running and you have the correct permissions.)

4.) A message box will prompt you to wait 5-10 minutes so the patch can work. Make sure to NOT close the application after this. Do not close the application until all files are decrypted.

5.) After a few minutes the virus screen will turn into a Decrypt Screen. Click the Decrypt button and all your files will be decrypted.

6.) Click "Finish!" and enjoy your files.

 

 

REMEMBER!

This infection's code is very unstable and amateur, and sometimes it can put files in the list of encrypted files that are NOT encrypted. This means that when the decryption process is run, it can corrupt files that aren't encrypted. So before decryption you should try and check the list and make sure there aren't files that are OK on the list. Sometimes this is not possible with the volume of files encrypted, and that is understandable; this is simply a warning.

 

Enjoy. 

 

 

The link to download the virus CL.exe does not work! Any other way of getting the virus? My antivirus erased it!   :(



#33 pepalberto

  • Members
  • 5 posts
  • Gender:Male
  • Location:Peru

Posted 07 January 2015 - 10:00 AM

Hello, I have the new variant, the one that encrypts mp3. I used decrypt_pclock; on my laptop I have little space, so I didn't use the backup option in the decrypter. The message finally says "successfull decrypted", but when I tried to open a file, it didn't open.

My antivirus erased the CL.exe.

I tried to download the virus CL.exe; it does not work.

I'm waiting for a new decrypter that fixes my "decrypted" files.

Thank you for your unconditional work, sorry for my English.



#34 Comdark.Bubnix

  • Members
  • 56 posts
  • Gender:Male
  • Location:Indonesia

Posted 07 January 2015 - 10:03 AM

Today, 3 victims reported to me that their PC got hit with this virus. All of them got hit with the second variant. One of them tried using Nathan's tool and said that she had to wait too long (in step number 4, and she said nothing changed on her files). So I think I will tell them to wait for Fabian's new decryptor tool for the second variant. I really hope this new tool won't take months and won't have to run the virus again, because all of them are kind of afraid to run the virus again. Still, always thanks to Nathan and Fabian :thumbup2:



#35 Nathan

    DecrypterFixer

  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 07 January 2015 - 10:19 AM

I just checked the patcher on the latest version and it still works fine. Ensure the infection is running when running the patcher. You do not need to download the infection if you still have it on the machine. I suggest running the patcher first until the newer tool comes out. Also, if you need to download the infection, remember you need to replace Hxxp with http or it won't download.


Have you performed a routine backup today?

#36 evanb

  • Members
  • 5 posts

Posted 07 January 2015 - 10:21 AM

Hello Nathan and Fabian,

 

Well, the cryptolocker did fantastic work on my PC. Over 45,000 files were destroyed (close to 45gb)!

I tried the initial fix (no luck), so I restored all .decbak to originals, but cannot d/l the cl.exe (not found) to see if the second fix will work.

 

Waiting for your new tool and hopefully can recover some of my (recent) files back.  Thanks in advance for your work.

 

Evan (from Greece)



#37 pepalberto

  • Members
  • 5 posts
  • Gender:Male
  • Location:Peru

Posted 07 January 2015 - 10:25 AM

I just checked the patcher on the latest version and it still works fine. Ensure the infection is running when running the patcher. You do not need to download the infection if you already have it still on the machine. I suggest running the patcher first until the newer tool comes out. Also, if you need to download the infection remember you need to replace Hxxp with http or it wont download.

Hi Nathan, I replaced hxxp with http; the page says: "404 not found".

Thank you for your work.



#38 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 744 posts
  • Gender:Male
  • Location:UK

Posted 07 January 2015 - 10:27 AM

Also, if you need to download the infection remember you need to replace Hxxp with http or it wont download.

The owner of the hacked server that the malware author used cleaned his server. So the malware files are no longer available for download at that location.

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#39 royalflush

  • Members
  • 9 posts

Posted 07 January 2015 - 10:30 AM

Hi Nathan, Fabian & team,

The patch works well, I have recovered/decrypted most of my important photos, videos etc.

 

As expected, it didn't decrypt the files that I had previously attempted to decrypt using the original decrypter from Fabian. I will get onto the process of re-infecting the files tomorrow and post back the results.

 

You gave us confidence in recovering our files and promptly provided us the solution. Your work is appreciated! Thank you.



#40 Nathan

    DecrypterFixer

  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 07 January 2015 - 10:31 AM

Sorry, didn't realize I was on a cached page. The only way for the moment, until the next tool is out, is to restore the infection from an AV quarantine if possible.


Have you performed a routine backup today?

#41 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 45,113 posts
  • Gender:Male
  • Location:USA

Posted 07 January 2015 - 10:59 AM

I have an interesting one here. I have a customer's computer and it has been encrypted by CTB-Locker. It has changed all the file extensions to ".dxgqqxc". I haven't seen this one before. I will check tomorrow on any replies.
 
Thanks in advance.


CTB-Locker now uses a random extension. Still no way to decrypt, unfortunately.

#42 Kelz Clive

  • Members
  • 17 posts
  • Gender:Male
  • Location:United States

Posted 07 January 2015 - 02:24 PM

I have an interesting one here. I have a customer's computer and it has been encrypted by CTB-Locker. It has changed all the file extensions to ".dxgqqxc". I haven't seen this one before. I will check tomorrow on any replies.
 
Thanks in advance.


CTB-Locker now uses random extension. Still no way to decrypt unfortunately.

Thanks for the update Grinler.

#43 WernSwan

  • Members
  • 8 posts
  • Gender:Male

Posted 08 January 2015 - 01:53 AM

I have this malware running (latest version). When downloading the patcher, Emsisoft identifies it as malware. Should that be the case?



#44 shroomiin

  • Members
  • 13 posts

Posted 08 January 2015 - 02:01 AM

Can anybody please provide the NEW version of WinCL.exe?

It's been removed from the hacked server at this location: http://invisioncorp.com.au/scripts/

I need to re-infect myself but can't seem to find the file after removing it initially.



#45 kazmier

  • Members
  • 16 posts

Posted 08 January 2015 - 02:09 AM

Is there any update on the Emsisoft Decrypter?





