Remove Crypto1CoinBlocker Ransomware Virus And Decrypt Files

Crypto1CoinBlocker is a mix of another ransomware viruses called Xorist, CryptoLocker and others. It is usually distributed through spam emails as an attachment. When opened it infects your computer and immediately starts encrypting your files. The original files are deleted while the encrypted ones are changed to have a bitcoin address as their extension (.1AcTiv7HDn82LmJHaUfqx9KGG55P9jCMyy). It then requires to pay a ransom in order to get decryption key and program and retrieve your files. However, paying the ransom does not guarantee that you will receive your files back.

The only reliable way to protect your PC against this threat is to completely remove it and secure your computer with a proper antivirus software. Below we have a tool that will automatically detect and remove the ransomware virus and protect your computer from future attacks. You can also follow our manual removal guide if you feel confident in editing Windows system files and settings.


Recommended Method: Download Crypto1CoinBlocker Virus Removal Tool

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is Crypto1CoinBlocker virus?

Crypto1CoinBlocker virus is usually distributed through spam emails. It tries to trick users into opening the attached file (“Please find the attachment”, “I am sending you the documents”, “Invoice_pdf.pif”) and infects the computer immediately. It then employs a complicated RSA-2048 encryption algorithm and starts enciphering all files that are stored on the infected machine. The virus works in the background until all files are encrypted.

Refrain from opening any suspicious mail attachments. Double check the attachments with antivirus scanners like virustotal.com even if you expect a file to be sent by somebody as their computer might be already infected. We also recommend having a full backup of all your important files stored separately.

IMPORTANT: If you think that you have just been infected by this or any other ransomware, check your CPU, RAM and hard disk space usage. If it is above normal or if the computer feels sluggish, chances are that the virus is currently using your resources to encrypt the files. In such case, turn off your computer immediately to prevent further damage and use our automatic removal tool or follow manual removal instructions. You can resume using your PC normally only after you remove the threat completely!

After the virus finishes encrypting your files it deletes the original ones and adds .1AcTiv7HDn82LmJHaUfqx9KGG55P9jCMyy endings to the ransomed files. The file extension might differ but it is always a 26-35 alphanumeric characters long BitCoin address. The virus then displays a popup with information on how to recover your files and a list of encrypted files. It also creates a ransom note called HOW TO DECRYPT FILES.txt and places it on your desktop. The virus asks to pay a ransom of 1 to 5 BitCoins.

Here are the contents of the ransom note popup:

Your personal files are encrypted!
Your important files encryption produced on this computer: photos, videos, document, etc. 
Here is a complete list of encrypted files, and you can personally verify this. 
Encryption was produced using a unique public key RSA-2048 generated for this computer. 
To decrypt files you need to obtain the private key. 
The single copy of the private key, which will allow you to decrypt the files, 
located on a setter server on the Internet: the server will destroy the key after a time 
specified on this window. After that, nobody and never will be able to restore files… 
Payment required. Server accepts payment in Bitcoin (BTC) only. 
1. Pay amount 1 BTC. to access 1AcTiv7HDn82LmJHaUfqx9KGG55P9jCMyy 
2. Transaction will take about 15-20 minutes to confirm. 
Decryption will start automatically. 
Do not: power off computer, run antivirus program, disable Internet connection. 
Failures during key recovery and file decryption may lead to accidental damage of files. 
These instructions are also saved to file named DecryptAllFiles.txt in Documents folder. 
You can open it and use copy-paste for address and key.

The contents of ransom note text file:

Your Documents, Photos, database And other important Files Encrypted Crypto1CoinBlocker 2017 Variant, 
The only one way You can recover Your Files is BUY A decryption Key, 
Payment Method BTC Via Get Bitcoins in Minutes www.localbitcoins.com, coincafe.com, libertyx.com, 
coinatmradar.com, paxful.com, coinjar.com, coinify.com, xcoins.io, bitquick.co, expresscoin.com, 
p.s if you pay after 5 day? Ok price 5 bitcoin final, Contact ME after Pay>activation2017@mail-on.us, 
Sent 1 To Address 1AcTiv7HDn82LmJHaUfqx9KGG55P9jCMyy

The virus also displays fake error with the following text:

Your Documents, Photos, databases And other important Files Encrypted Crypto1CoinBlocker 2017 Variant, 
The only one way You Can recover Your Files is BUY a decryption Key, Payment Method BTC Via Get bitcoin in Minutes. 
If you pay after 5 say? Ok price 5 bitcoin final, Contact ME After Pay>activation2017@mail-on.us, 
Sent 1 To Address 1AcTiv7HDn82LmJHaUfqx9KGG55P9jCMyy

We strongly discourage you from paying the ransom. The virus seems to be created very offhandedly and inconsistently (for example, another ransomware’s title, CryptoLocker, is left in the title of ransom note popup) and the creator might not even have the means to recover your files. Even if you receive the private key and program there are chances that the attacker will use vulnerabilities left in your PC for further attacks. Moreover, the cybercriminals will see you as a paying victim and might target you in the future.

The only way to really remove the threat and prevent future attacks is to follow our removal instructions.

Here are some screenshots of Crypto1CoinBlocker. You might see a bit different variations of it as ransomware viruses tend to be updated quite regularly.

   


 Manual Removal Instructions:

NB: Even if you successfully remove the virus manually there still are chances of the threat coming back later in the future. Make sure you properly secure your PC with an antivirus to prevent this from happening.

Remember to bookmark this page in order to access it after you restart your computer while working on the removal process!

Step 1:

Restart your computer in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Since Safe Mode only has the most basic features do not be scared that your Windows look completely different!

Click here to show how to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard until you get the following screen:
  3. Use arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for the Windows to launch.

 

Click here to show how to reboot Windows 8, 8.1 or Windows 10 in Safe Mode

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard.
    If it does not work try repeating the same procedure but this time holding Shift key and clicking F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold Windows () key and click R key.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails you can try inserting System Recovery CD or DVD (works only with Windows 8) or System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose Troubleshoot option. The steps are then identical as in Shift + Restart method starting from #3.

Step 2:

Find any processes that might be associated with the virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

Now you will have to check each process manually.

We recommend not skipping any of the processes as viruses sometimes hide in various processes that look like essential Windows components.

Right-click on each of the processes in the list and choose Open File Location.

Go to virustotal.com and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have opened.

Repeat this until you have checked all processes.

Step 3:

Check your hosts file for any suspicious IPs.

Press and hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Notepad will open your “hosts.ini” file. Delete any IPs that are listed in the end of the file and do not have “#” in front of them.

Step 4:

Look for any suspicious programs in your startup config.

Hold Windows () key and click R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab.

Uncheck all suspicious entries. Usually they have “Unknown” listed as Manufacturer. However, sometimes they might have a fake manufacturer.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 5:

Clean up your registry entries.

Hold Windows () key and click R key.

Enter the following in the field:

regedit.exe

Click OK.

Press keyboard buttons CTRL + F and enter:

crypto1

Click Find Next.

If you find any registry entries, delete them by right-clicking on it and choosing Delete.

Be careful not to accidentally delete important registry entries not related to the virus as they might damage the computer file system!

Repeat this search until no results are found anymore. Then repeat this step with the following search queries:

1AcTiv7HDn82LmJHaUfqx9KGG55P9jCMyy
cryptolocker
xorist

Step 6:

Clean up Windows temporary files. Many ransomware viruses are known to operate from temporary files directory so you need to remove them all.

You can remove all temporary files without posing any risk to your computer.

Hold Windows () key and click R key.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them.

Step 7:

Check for any recent changes in all the other important system files.

Hold Windows () key and click R key.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here! Search for any recent changes (by “Date Modified”) in the files first. Only if you see that a file has just been changed scan it with virustotal.com. Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files!

 Decrypting The Files:

Move on to decrypting files only if you have successfully removed the threat. Otherwise the virus might come back and do more harm.

Check for Crypto1CoinBlocker decryptor here: List of currently available decryptors. Currently we have no information that such decryptor is available but it might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. We recommend reading it. The instructions below are just a short version of the simplest methods.

Step 1:

Start by restoring the old system settings using System Restore. The virus might have changed them so you need to revert to the old ones first.

Some variations of the virus might remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 2:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

Step 3:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files and wait for a Crypto1CoinBlocker decryptor to be created. New free decryptors for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.


Share your experience with us by leaving a comment!

Leave a comment to tell us about your experience removing this threat!
We can also help you if you run into any problems during the process, just don't hesitate to ask!

Leave a Reply

Your email address will not be published. Required fields are marked *