How To Delete CryptoWall 3.0 and Restore Encrypted Files

CryptoWall 3.0

Complete Explanation on CryptoWall 3.0

In the past few days, a new and improved variant of CryptoWall ransomware virus has been infecting the users PC worldwide. The new CryptoWall 3.0 threat uses the localized ransom message and divert traffic to a website where the victimized users can pay for the decryption tool needed to unlock the files encrypted by this malware through Tor and the I2P anonymous networks. It is a type of file-encrypting ransomware virus which once activated on the infected system encrypts the certain files on it and then demands a fine of 500 US Dollars in order to provide the victim with a decryption tool. The ransom money is to be paid in the form of Bitcoin digital currency within the given time period of first 168 hours.

Lets talk about the new properties of CryptoWall 3.0

New Tor to the Web gateways like,, and are used by the new version of this CryptoWall ransomware virus. Either one of these websites redirects the victim to the same websites that containing the payment instructions. But, the IDs for tracking payments are unique. However, the payment period is extended from almost four days to a whole week and after which the ransom fee is raised to $1000. The con artists have created some additional files containing instructions about the payment method and the retrieving of encrypted data:

  • HELP_DECRYPT.URL: It uses your current Internet browser in order to display the CryptoWall 3.0 Decrypt Service whenever the system gets loaded.

  • HELP_DECRYPT.HTML: This file uses your browser to display further information about this malware, its encryption process and the payment methods.

  • HELP_DECRYPT.TXT: Same as mentioned in previous one, but in the plain text.

  • HELP_DECRYPT.PNG: It also uses your web browser to display CryptoWall 3.0 Decrypt Service when the Windows is loaded.

Important: Once the file encryption process is over, the original system files are deleted. In case, if you don't have a backup copies of your files, then you could use a reliable data recovery software to recover them or part of them from Windows shadow copies. Below in this article, you will find the detailed instructions on how to do so.

How is CryptoWall 3.0 virus dropped onto the computer?

CryptoWall ransomware threat has been around long enough for the malware researchers in order to collect detailed information about its encryption and distribution methods. This virus is distributed primarily through the emails with .ZIP attachments. Those attachments may contain an executable files masked as a PDFs. The files in the question can be any form of social or business communication such as:

  • Complaints
  • Invoices
  • Bills
  • Purchase orders (POs)

Once the malicious PDF is opened, the CryptoWall 3.0 will be installed onto the machine. The harmful files will be located in one of the two system folders %Temp% or %AppData% . Then after, the malware will start scanning the computer's drivers in order to find the files to encrypt. All drive will be scanned, including removal drives, DropBox mapping and network shares. Any drive letter on the infected PC will be checked for the data files.

Here is a list of all locations whereCryptoWall 3.0 ransomware may be situated:

  • %LocalAppData%
  • %Temp%
  • %ProgramData%
  • %AppData%
  • C:\[random]\[random].exe

Free Scan your Windows PC to detect CryptoWall 3.0


Free Scan your Windows PC to detect CryptoWall 3.0

A: How To Remove CryptoWall 3.0 From Your PC

Step: 1 How to Reboot Windows in Safe Mode with Networking.

  • Click on Restart button to restart your computer
  • Press and hold down the F8 key during the restart process.

Step 1 Safe Mode

  • From the boot menu, select Safe Mode with Networking using the arrow keys.

Safe mode

Step: 2 How to Kill CryptoWall 3.0 Related Process From Task Manager

  • Press Ctrl+Alt+Del together on your keyboard

TM 1

  • It will Open Task manager on Windows
  • Go to Process tab, find the CryptoWall 3.0 related Process.


  • Now click on on End Process button to close that task.

Step: 3 Uninstall CryptoWall 3.0 From Windows Control Panel

  • Visit the Start menu to open the Control Panel.

Win 7 CP 1

  • Select Uninstall a Program option from Program category.

Win 7 CP 2

  • Choose and remove all CryptoWall 3.0 related items from list.

Win 7 CP 3

B: How to Restore CryptoWall 3.0 Encrypted Files

Method: 1 By Using ShadowExplorer

After removing CryptoWall 3.0 from PC, it is important that users should restore encrypted files. Since, ransomware encrypts almost all the stored files except the shadow copies, one should attempt to restore original files and folders using shadow copies. This is where ShadowExplorer can prove to be handy.

Download ShadowExplorer Now


  • Once downloaded, install ShadowExplorer in your PC
  • Double Click to open it and now select C: drive from left panel


  • In the date filed, users are recommended to select time frame of atleast a month ago
  • Select and browse to the folder having encrypted data
  • Right Click on the encrypted data and files
  • Choose Export option and select a specific destination for restoring the original files

Method:2 Restore Windows PC to Default Factory Settings

Following the above mentioned steps will help in removing CryptoWall 3.0 from PC. However, if still infection persists, users are advised to restore their Windows PC to its Default Factory Settings.

System Restore in Windows XP

  • Log on to Windows as Administrator.
  • Click Start > All Programs > Accessories.


  • Find System Tools and click System Restore


  • Select Restore my computer to an earlier time and click Next.


  • Choose a restore point when system was not infected and click Next.

System Restore Windows 7/Vista

  • Go to Start menu and find Restore in the Search box.

system restore


  • Now select the System Restore option from search results
  • From the System Restore window, click the Next button.

  • Now select a restore points when your PC was not infected.

  • Click Next and follow the instructions.

System Restore Windows 8

  • Go to the search box and type Control Panel

  • Select Control Panel and open Recovery Option.

  • Now Select Open System Restore option

  • Find out any recent restore point when your PC was not infected.

  • Click Next and follow the instructions.

System Restore Windows 10

  • Right click the Start menu and select Control Panel.

  • Open Control Panel and Find out the Recovery option.

  • Select Recovery > Open System Restore > Next.

  • Choose a restore point before infection Next > Finish.

Method:3 Using Data Recovery Software

Restore your files encrypted by CryptoWall 3.0 with help of Data Recovery Software

We understand how important is data for you. Incase the encrypted data cannot be restored using the above methods, users are advised to restore and recover original data using data recovery software.

Download Data Recovery Software