CryptoJoker Ransomware Removal Guide

If you download and open unfamiliar PDF files, CryptoJoker Ransomware could slither in without you even realizing it. According to our research, the installer of this malicious, clandestine threat is concealed as a PDF file using a PDF icon, and users open it expecting to find a document. Of course, you will see nothing when you launch this file. Instead, a malicious ransomware will be executed, and various malicious processes will be initiated. If you come across an unfamiliar spam email, it is best to delete it as soon as possible. If you realize that you have unleashed malware right away, you might be able to save yourself with the help of an automated malware removal tool or by deleting malicious files manually. Of course, this would take time, which is why we recommend using antimalware software. If executed successfully and completely, you will still be able to delete CryptoJoker Ransomware, but your personal files will be encrypted.

CryptoJoker Ransomware is a file-encrypting infection that affects documents, photos, PowerPoint presentations, and other personal files that many users have no way of restoring. Fortunately, more and more users realize the importance of backing up personal files. Whether you fear the attacks of malicious threats or computer malfunctions, it is wise to back up your most sensitive, valuable files that you do not want to lose. If you have taken care of this prior to the attack of ransomware, you can delete it using the guide below without any fear. Afterward, simply replace the encrypted files with healthy ones. Now, if the files encrypted by the ransomware cannot be replaced, you are in a predicament. The .crjoker extension will be attached to these files (e.g., Text Document.txt.crjoker), and you will not be able to open them. Even if you remove this extension, this will not help you decrypt files. CryptoJoker Ransomware encrypts files using the AES-256 encryption system, which means that a special decryption key stored on a remote server (possibly server6.thcservers.com) needs to be applied.

The types of files that CryptoJoker Ransomware has been found to encrypt: .asp, .aspx, .csv, .db,.doc, .docm, .docx, .ht ml, .java, .jpeg, .jpg, .mdb, .odt, .php, .pdf, .png, .ppt, .pptm, .pptx, .psd, .pptx, .sln, .sql, txt, .xls, .xlsx, .xlsb, .xlsm, .xml.

It was found that the malicious ransomware can encrypt files in different directories. It can even encrypt files in Temp and Windows directories. Besides encrypting files, this infection also creates new files. The .txt files on the Desktop carry the same message that is introduced via a pop-up window message. Whether you open README!!!.txt, GET MY FILES.txt, ПРОЧТИ.txt, or any other file created on the Desktop, you will find the same message in English and Russian explaining how to get the decryption key and decrypt files. Our research also shows that CryptoJoker Ransomware can disable Registry Editor and Task Manager to stop you from deleting malicious registries and terminating malicious files that could alleviate their removal. These utilities are disabled by drvpci.exe, windefrag.exe, and winpnp.exe files that are created in the %Temp% directory along with such files as windrv.exe, crjoker.html, GetYouFiles.txt, imgdesktop.exe, README!!!.txt, new.bat, and a file with a random name. New.bat is a batch file that contains commands that disable Windows startup repair, as well as delete the shadow copies of the files encrypted. Needless to say, all of these files require immediate removal.

When it comes to the removal of CryptoJoker Ransomware, you have two options. You can install an automated malware removal tool, which you can do without any disruption. Alternatively, you can remove the files in the %Temp% and %AppData% directories, as well the registry keys associated with this ransomware. Of course, neither of these options will help you with file decryption. If you pay the ransom requested, your files might be decrypted, but we cannot guarantee this. After all, it is cyber criminals who are making these promises, and trusting them blindly would be naive. We advise researching authentic file decryption tools; however, it is most likely that your files are lost for good. Hopefully, your personal files are backed up. If not, learn from your mistakes, and do not repeat them in the future.

Removal step 1: restart in Safe Mode

Windows 10

1. Click the Windows icon on the Taskbar.
2. Click Power for more options.
3. Hold the Shift key and click Restart.
4. In Troubleshooting click Advanced options.
5. Select Startup Settings and click Restart.
6. Choose F4 to restart in Safe Mode.

Windows 8.1 or Windows 8

1. Click the Power Options icon.
2. Hold the Shift key and click Restart.
3. In Troubleshooting select Advanced options.
4. Move to Startup Settings.
5. Click Restart and tap F4 to restart in Safe Mode.

Windows 7/Windows Vista

1. Restart the computer and wait for BIOS window to load.
2. Start tapping F8 on the keyboard to launch the Advanced Boot Options menu.
3. Using arrow keys on the keyboard select Safe Mode and tap Enter.

Windows XP

1. Restart the PC and wait for the BIOS window to load.
2. Immediately start tapping F8 to access the Windows Advanced Options Menu.
3. Use arrow keys on the keyboard to launch Safe Mode and tap Enter.

Removal step 2: delete malicious components

1. Simultaneously tap Win+R to launch RUN.
2. Type %Temp% and click OK to open the Temp folder.
3. Right-click and Delete all malicious files (see the list below).
4. Launch RUN, type %AppData%, and click OK.
5. Right-click and Delete malicious files (see the list below).
6. Launch RUN, type regedit, and click OK.
7. In the Registry Editor move to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
8. Right-click and Delete these registries: drvpci (Value data C:\Users\user\AppData\Local\Temp\drvpci.exe), windefrag (Value data C:\Users\user\AppData\Local\Temp\windefrag.exe), and winpnp (Value data C:\Users\user\AppData\Local\Temp\winpnp.exe).
9. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
10. Right-click and Delete this registry: random name (e.g., baefefbed) with Value data REG_SZ C:\Users\user\AppData\Roaming\[random file name].

Malicious files in the Temp folder: drvpci.exe, windefrag.exe, winpnp.exe, new.bat, windrv.exe, crjoker.html, GetYouFiles.txt, README!!!.txt, imgdesktop.exe, a file with a random name (e.g., sdajfhdfkj).
Malicious files under %AppData%: README!!!.txt22 and a file with a random name (e.g., baefefbed.exe).