My first and foremost bit of advice is to have good, up-to-date virus protection. Okay, now back to the subject at hand. I had a friend recently whose computer had been encrypted by a virus. The virus is called CryptoWall. It is transmitted through emails as an attachment in a zip file, generally disguised as a PDF. The "PDF" files that come through will be in the form of an invoice, bill, purchase order, complaint or some other kind of fake business transaction. It basically comes back to the saying: if you don't know who it is from or you did not ask for it, DELETE IT and EMPTY THE DELETED FOLDER. I have seen some people save thousands of emails.
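As an added example (not code from the original post), here is a PowerShell check that looks inside a zip attachment for the "invoice.pdf.exe" trick the paragraph describes, without extracting or opening anything. The list of executable extensions and the constructed sample zip are my own assumptions; the function only reports, it does not delete.

```powershell
# Added example, not from the original post: inspect a zip attachment for
# executables disguised as documents before anyone opens it.
# Assumptions (mine): the extension lists below are my choice, and the sample
# zip is constructed in %TEMP% purely for the demonstration.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-SuspiciousAttachment {
    param([Parameter(Mandatory)][string]$ZipPath)

    # Extensions Windows will execute; a genuine invoice never carries these.
    $executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse', '.vbs', '.wsf')
    $documentLike = @('.pdf', '.doc', '.docx', '.xls', '.xlsx')
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            $name = $entry.Name
            if (-not $name) { continue }   # directory entries have an empty Name
            $ext = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
            if ($executable -contains $ext) {
                # "invoice.pdf.exe": a document extension placed before the real one
                $stem  = [System.IO.Path]::GetFileNameWithoutExtension($name)
                $inner = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()
                $reason = if ($documentLike -contains $inner) {
                    "document extension '$inner' used to disguise $ext"
                } else {
                    "executable entry ($ext) inside a mail attachment"
                }
                $findings += [pscustomobject]@{ Entry = $entry.FullName; Reason = $reason }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Constructed sample: a zip holding a fake "invoice.pdf.exe" next to a harmless text file.
$tmp = Join-Path $env:TEMP ("attach-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
Set-Content -Path (Join-Path $tmp 'invoice.pdf.exe') -Value 'not really a pdf'
Set-Content -Path (Join-Path $tmp 'readme.txt') -Value 'harmless text'
$zipPath = Join-Path $env:TEMP 'invoice-demo.zip'
if (Test-Path $zipPath) { Remove-Item $zipPath }
[System.IO.Compression.ZipFile]::CreateFromDirectory($tmp, $zipPath)

# Only invoice.pdf.exe is reported; readme.txt passes.
Test-SuspiciousAttachment -ZipPath $zipPath | Format-Table -AutoSize
```

Note that Windows Explorer hides known extensions by default, which is exactly why "invoice.pdf.exe" shows up as "invoice.pdf" to the person clicking it; the check above reads the real entry name from the zip directory, so it is not fooled by that setting.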
This virus is one of the typical ransomware viruses where they try to get you to send money for the unlock key code. Most of the time you send the money and get nothing in return. What the person did was download a program called Shadow Explorer. It is a removal tool used to export the encrypted files, preferably to an external hard drive. It can be downloaded at http://www.shadowexplorer.com/downloads.html . The best thing to do is use a clean, empty hard drive to move all the folders and files you unencrypt to. You can also download a program called ListCWall. It will check the registry and list all the encrypted files. You should run this before you unencrypt your files. You can download it at http://www.bleepingcomputer.com/download/listcwall/ . After you have determined all the files to unencrypt, run the Shadow Explorer program and follow it through. This can be a long and tedious job, but be patient. I do not know of any AV removal tools yet that just clean and unencrypt the whole computer system.
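Shadow Explorer works by reading Volume Shadow Copies (the snapshots behind System Restore and "Previous Versions") that were taken before the files were encrypted. As an added example, and not code from the original post or from Shadow Explorer itself, the script below does the same job from an elevated PowerShell prompt: list the snapshots of C: with their creation times, expose one as a folder, and copy a directory out of it to a clean drive. The source path `Users\victim\Documents` and the destination `E:\recovered` are my assumptions.

```powershell
# Added example, not code from the original post or from Shadow Explorer: it
# does by script what Shadow Explorer does through its GUI, exporting a folder
# from a Volume Shadow Copy (restore point) of C: to another drive.
# Run from an elevated PowerShell prompt on the affected machine.
# Assumptions (mine): the files to recover sit under Users\victim\Documents on
# C:, and E:\ is the clean external drive the post recommends.

function Get-ShadowCopiesForDrive {
    param([string]$DriveLetter = 'C:')
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the \\?\Volume{GUID}\ form.
    $volumeId = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $DriveLetter).DeviceID
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeId } |
        Sort-Object InstallDate
}

function Export-FromShadowCopy {
    param(
        [Parameter(Mandatory)]$ShadowCopy,                # one object from Get-ShadowCopiesForDrive
        [Parameter(Mandatory)][string]$SourceRelative,    # path below the volume root
        [Parameter(Mandatory)][string]$Destination
    )
    # Expose the snapshot as a directory through a symbolic link. The trailing
    # backslash after the device path is required, otherwise mklink fails.
    $link = 'C:\shadow_export'
    if (Test-Path $link) { cmd /c rmdir $link | Out-Null }
    cmd /c mklink /d $link "$($ShadowCopy.DeviceObject)\" | Out-Null
    try {
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        # /E copies subfolders (including empty ones); /R:1 /W:1 stops robocopy
        # from stalling on a file the snapshot cannot serve. Snapshots are read-only.
        robocopy (Join-Path $link $SourceRelative) $Destination /E /R:1 /W:1
    } finally {
        cmd /c rmdir $link | Out-Null   # removes only the link, never the snapshot
    }
}

# 1. List the snapshots oldest-first so their creation times can be compared
#    with the time the ransom note first appeared.
$shadows = @(Get-ShadowCopiesForDrive -DriveLetter 'C:')
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize
if ($shadows.Count -eq 0) { throw 'No shadow copies found on C:; Shadow Explorer would show nothing either.' }

# 2. The newest snapshot is used here for the demonstration; for a real recovery
#    pick the newest one that predates the encryption.
Export-FromShadowCopy -ShadowCopy $shadows[-1] -SourceRelative 'Users\victim\Documents' -Destination 'E:\recovered'
```

Two practical points follow from how this works: the snapshots live on the infected disk, so anything that deletes them (the malware itself, or turning System Protection off) leaves nothing to export, which is why the export belongs at the very start of the clean-up; and a snapshot taken after the encryption ran holds encrypted copies, so always check the creation time before choosing one.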
Once you have finished unencrypting all the files, you will need to clean all the viruses from the computer. If it is Windows 8.1, do not run the ComboFix program, because it does not run on Windows 8.1 yet. Other than that, run all programs in Safe Mode. I would use ComboFix, TDSSKiller, free Malwarebytes, SuperAntiSpyware Portable, Spybot Portable, ClamWin Portable, ESET Online Scanner, a-squared, Bitdefender Free as a portable scanner, Norton Power Eraser and also free Avast, which can be run as a portable virus cleaner off a USB flash drive. These are all free virus removal tools from the internet. Basically you will be doing a manual virus removal of all infections in the system. When all files have been scanned, I would scan the unencrypted files and then delete the encrypted files. Then you can move the unencrypted files back. Make sure you have the unencrypted files saved before you perform the above virus cleaning. Once all files are back, check and make sure the system is working properly, and open the various files with their associated programs, such as Microsoft Word or Excel. Here is a link to information on all this from bleepingcomputer.com: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information .
Just remember that there are still problems with some of these viruses, like CryptoLocker, which still has no solution. The best thing you can do is back up your data to an external hard drive or to the cloud with Carbonite. It is just a shame what people will do to get your money. So remember to always stay safe and protect your data. Also remember to back up all data to the cloud or an external hard drive, and always have good virus protection.
I would also say that I have seen some occasions when the data could not be unencrypted and gotten back. It depends on how it infected your computer.
Thank You for reading and stay safe.
This is an update on my findings with the CryptoWall virus. Some have said to delete certain DLL files. Next, run System Restore in Windows, or boot off a Windows CD and run System Restore. Usually I find that System Restore either does not function or does not go back far enough. I have also only had one computer function properly after cleaning the system of infections. I have had systems where the CryptoWall virus had been found in system files as well as other Windows files. It is very possible that the System Restore archive may have been infected. Restoring back to a different date may put the virus right back. It may seem okay for a while and then start up again. I had one system where the computer had been in a while ago and the system was clean. It seemed to be functioning properly and then became encrypted again. Either the customer infected the system again or the infection lay dormant and then started up again. It was always found that infections entered the system archive files and also the system information file. System Restore should be turned off and then the system restarted. That way any infection there will be gone. The system information file should be deleted; restart the system and the file is recreated.
In any event, you will be taking a chance restoring the system to an earlier date. I would follow the Shadow Explorer route and export the files to an external hard drive first. Next I would reformat the hard drive or write zeros to it. Then reinstall all software and move the data back in place. This may or may not work, so always save your data. A lot depends on how far the infection went in the system. Just deleting certain files because you believe they are from the infection is foolish. Going by guessing makes you a shotgun technician. I would not go to that company for repair, especially when they use the word GUESS.
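The System Restore steps in the update above (look at the restore points, turn System Restore off, restart, then rebuild) as PowerShell, added here as an example and not taken from the original post. The order matters: turning protection off for a drive discards its restore points, and with them the shadow copies that Shadow Explorer exports from, so this comes after the export, never before. Assumption of mine: C: is the only protected drive.

```powershell
# Added example, not from the original post: the System Restore part of the
# clean-up as PowerShell. Run from an elevated prompt.
# Assumption (mine): C: is the system drive and the only one with protection on.

function Show-RestorePoints {
    # See what restore points exist and when, before touching anything.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, CreationTime, Description |
        Format-Table -AutoSize
}

function Reset-SystemRestore {
    param([string]$Drive = 'C:\')
    # Turning protection off deletes every restore point on the drive. Because
    # those restore points are the shadow copies Shadow Explorer reads, do this
    # only after the files have already been exported to the external drive.
    Disable-ComputerRestore -Drive $Drive
    Write-Host "System Restore disabled on $Drive. Restart, finish the malware scans, then run Enable-CleanBaseline."
}

function Enable-CleanBaseline {
    param([string]$Drive = 'C:\')
    # After the scans come back clean, switch protection back on and take a
    # fresh checkpoint so there is a known-good point to roll back to later.
    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description 'Post-cleanup baseline'
}

Show-RestorePoints
Reset-SystemRestore -Drive 'C:\'
# ... restart and run the scanners from the post, then:
# Enable-CleanBaseline -Drive 'C:\'
```

Rolling back to an old restore point, as the update notes, can bring an infection back with it, which is the reason for discarding the old points and creating a new baseline only once the system has been scanned clean.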
Thank You for reading again.