CryptoWall 3.1

Doc.AElstein
BronzeLounger
Posts: 1483
Joined: 28 Feb 2015, 13:11
Location: Hof, Bayern, Germany

CryptoWall 3.1

Post by Doc.AElstein »

Hi,
. Sometime between Friday night and Saturday morning CryptoWall 3.1 attacked a small notebook of my wife's (LG X120) running the XP operating system. All files became encrypted and I had "ransom" notifications everywhere with links to pay for the deciphering!
. After Googling a bit I did not get too far and even ended up getting fooled into downloading Spyhunter 4, which ended up being something dodgy as well.
. I have little computer experience with viruses.
. For now I reset the notebook to an earlier start point (after taking some time to find \WINDOWS\system32\Restore\rstrui.exe, which was not easy to find in the normal Windows Control Panel).
. The notebook seems OK. But I think I must accept all files are lost. Even those on a USB stick were affected. Luckily they were not too important.

Questions
. 1) Has anyone else had experience with this virus, and any advice to prevent it happening to me again? I have a few old notebooks with XP and I would like to keep them, but as support has run out from Microsoft I am scared to connect them to the internet now!
. 2) I am particularly scared that something similar may happen to my main Windows 7 (Starter) notebook and old Vista computer.
Can I take it that normal Windows updates will protect me from this?
Thanks
Alan
\ -_- / :heavy: :jollyroger:

Rudi
gamma jay
Posts: 25339
Joined: 17 Mar 2010, 17:33
Location: Cape Town

Re: CryptoWall 3.1

Post by Rudi »

Alan,

Please wait for additional posts to ensure you have all the info you need to resolve this, but based on what I have read up, this infection is irreversible, barring paying the ransom. The encryption on this virus is too complex, based on the following reports on this virus. However, please don't take my word for it, as others might have additional info that I have overlooked or am ignorant about.

I cannot speak on your behalf, but I'd never pay the ransom!! (...esp. since you say the files are not too important).
For future reference, be vigilant in making and keeping a few copies of backups of files you know you cannot lose. I use SyncBack Free to do file backups of all my important files and I store these on two different portable hard drives, as well as on my company network. Backing up files does not take as long as full system images, though I make sure I have a fairly recent image of my system too (which includes the files and folder structure).

I hope you can recover from this infection without too much loss. Good luck.

See:
-- CryptoWall and HELP_DECRYPT Ransomware Information Guide and FAQ
-- CryptoWall Ransomware
Regards,
Rudi

If your absence does not affect them, your presence didn't matter.

Doc.AElstein
BronzeLounger
Posts: 1483
Joined: 28 Feb 2015, 13:11
Location: Hof, Bayern, Germany

Re: CryptoWall 3.1

Post by Doc.AElstein »

Hi Rudi,
. Many thanks Rudi for the quick answer. Much appreciated. Looks like my best option for now is to back up everything quickly on something external. And importantly to remove that if it is a USB stick or similar (hard disc), as all files on a USB stick which was connected to the affected notebook were also corrupted by CryptoWall 3.1.


.. In the meantime I just hit on this video
https://www.youtube.com/watch?v=gPelrlpQIJg
. After watching I followed the steps, restarting the notebook in safe mode, and found
. 1) Still had 4 files to remove, found by ... Start ... All Programs ... Startup.

. 2) Then found again another 4 files to delete by ... Start ... search "%appdata%"

. 3) I then got a bit lost / confused finding the other places suggested in that video.
. But so far I have found groups of 4 files again in various places:
. 3a) Directly on the C: drive
. 3b) Documents and Settings
. 3c) In EVERY user folder (including the All Users folder)
. 3d) In any user's: Common Documents folder; own data folder; Download folder

... In total so far about 20 x 4.
What a nightmare. There are probably more! And I still do not know if the notebook is "safe now".
.. My first real experience with a bad computer virus. Up until now, restarting the system to an earlier start point had always cured any problem...

.. I have restarted the notebook normally. It seems mostly OK... I am still very nervous about getting hit on my main computer. As it is Vista rather than XP, maybe it is protected a bit better than XP through Microsoft updates.

One last couple of questions for anyone

. 3) Can I check to see if I already have it "hidden" somewhere on a computer? That is to say, it is waiting to do its bad deeds sometime? The only thing I can think of that I have downloaded recently was a screenshot tool "SnippingToolPlusv3-4-1-0". So I mention that just in case anyone recently installing that has a similar problem.
. Usually I try to avoid downloading as much as possible. I am trying to tackle an important private project alone and so have no real support when something bad like this happens.

. 4) I am also somewhat nervous of using some "cloud" type company which frequently offer me a (not free!) possibility to continually back up my computer files. I have little experience and again it involves software from the internet having access to my computer, which is the cause of my current problem. Anyone got any views / recommendations on that one?

Thanks again
Alan
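The "groups of 4 files" Alan keeps finding are the ransom notes the malware writes into every folder it encrypted. A quick way to get a complete list instead of hunting folder by folder is to look for file names that recur across many directories, since ordinary documents do not. The script below is an added example, not part of the thread or the linked guide; the sample profile tree and the four note names in it are constructed for illustration (the linked guide's title mentions HELP_DECRYPT, but the detector keys only on repetition, not on any particular name).

```python
import os
import tempfile
from collections import defaultdict
from typing import Dict, Iterable, List

# Added example (not from the thread). Ransom notes are dropped into nearly
# every folder the malware touched, so the same few names recur across many
# directories. Report any name seen in at least `min_dirs` distinct folders.


def find_repeated_names(root: str, min_dirs: int = 5) -> Dict[str, int]:
    """Map each lower-cased file name to the number of distinct directories
    it occurs in under root, keeping only names that recur min_dirs times."""
    dirs_by_name = defaultdict(set)
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            dirs_by_name[name.lower()].add(dirpath)
    return {name: len(d) for name, d in dirs_by_name.items() if len(d) >= min_dirs}


def paths_of(root: str, names: Iterable[str]) -> List[str]:
    """Full paths of every file whose name is in `names`. This is a review
    list for a human to check before anything is deleted."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.lower() in wanted:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample of a Documents and Settings style tree. The four
    note names are an assumption for illustration only."""
    root = tempfile.mkdtemp(prefix="cw_sample_")
    notes = ["HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML",
             "HELP_DECRYPT.PNG", "HELP_DECRYPT.URL"]
    folders = ["Alan/My Documents", "Alan/Downloads", "Alan/Desktop",
               "All Users/Documents", "Wife/My Documents", "Wife/Downloads",
               "Wife/Desktop", "Default User/Desktop"]
    for i, rel in enumerate(folders):
        d = os.path.join(root, rel)
        os.makedirs(d)
        for n in notes:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed ransom note\n")
        # one ordinary document per folder, unique name
        with open(os.path.join(d, "report%d.xlsx" % i), "wb") as fh:
            fh.write(b"constructed document\n")
        # a benign name that repeats a little, but below the threshold
        if i < 3:
            open(os.path.join(d, "desktop.ini"), "wb").close()
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    repeated = find_repeated_names(sample, min_dirs=5)
    for name, count in sorted(repeated.items()):
        print("%-20s in %d folders" % (name, count))
    for p in paths_of(sample, repeated):
        print(p)
```

Run it against a real profile root (for example the Documents and Settings folder on XP) with the threshold raised if the tree is large; the path list is for review, and the files should be quarantined or deleted only after checking that nothing legitimate (desktop.ini, Thumbs.db and similar) slipped in.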

HansV
Administrator
Posts: 72605
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: CryptoWall 3.1

Post by HansV »

The articles mentioned by Rudi provide all the information you need:

In particular, note:
CryptoWall is distributed via emails with ZIP attachments that contain executables that are disguised as PDF files. These PDF files pretend to be invoices, purchase orders, bills, complaints, or other business communications. When you double-click on the fake PDF, it will instead infect your computer with the CryptoWall infection.
In the future, please be very careful with e-mails that you receive. Do NOT open attachments unless you are absolutely sure that they are safe. In case of doubt, scan the attachment with a program such as the free version of Malwarebytes Anti-Malware before opening it.

Your documents are lost irretrievably, unless you want to pay the ransom.
Make sure that you backup all your documents frequently from now on.
Regards,
Hans
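The delivery route Hans quotes (a ZIP attachment holding an executable named to look like a PDF) can be checked for before anyone double-clicks. The Python script below is an added example, not from the thread or the linked guide: it opens a ZIP in memory, looks at each entry's extension chain and first bytes, and flags executable extensions, double extensions such as .pdf.exe (Windows hides the last extension by default, so the name displays as "Invoice.pdf"), and PE content sitting behind a document extension. The sample archive, the extension lists and the magic-byte table are constructed for illustration and are not exhaustive.

```python
import io
import zipfile
from typing import Dict, List

# Added example (not from the thread). Extensions Windows will execute on
# double-click; an assumption for illustration, not a complete list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".wsf", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Leading bytes that identify the real content regardless of the name.
MAGIC = {
    b"MZ": "Windows executable (PE)",
    b"%PDF": "PDF document",
}


def sniff(head: bytes) -> str:
    """Classify a file by its first bytes; 'unknown' if no magic matches."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return "unknown"


def extension_chain(name: str) -> List[str]:
    """'Invoice.pdf.exe' -> ['.pdf', '.exe'] (directory part ignored)."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip(data: bytes) -> List[Dict]:
    """Return one finding per archive entry with the reasons it is suspect."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extension_chain(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                head = fh.read(8)
            kind = sniff(head)
            reasons = []
            if last in EXECUTABLE_EXTS:
                reasons.append("executable extension " + last)
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
                reasons.append("document extension hidden before executable extension")
            if last in DOCUMENT_EXTS and kind == "Windows executable (PE)":
                reasons.append("content is a PE executable despite document extension")
            findings.append({"name": info.filename, "content": kind,
                             "suspicious": bool(reasons), "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: a fake invoice, a real PDF, and a PE renamed .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2015-03.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed sample\n")
        zf.writestr("quote.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        flag = "SUSPECT" if f["suspicious"] else "ok     "
        print(flag, f["name"], "-", f["content"], "; ".join(f["reasons"]))
```

To use it on a real attachment, save the ZIP without opening it and pass its bytes to inspect_zip; anything reported as suspect should go to quarantine rather than be double-clicked, and a clean report is not proof of safety, only the absence of the crude disguises checked here.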

StuartR
Administrator
Posts: 11641
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: CryptoWall 3.1

Post by StuartR »

As Hans says, to prevent this kind of attack the most important thing is that you DON'T open attachments, except if you have discussed them with the sender and you KNOW that they are genuine.

To recover from any future infection you need offline backups. Either on a removable drive or on a cloud service that requires you to enter a password each time you want to access it.

The only way to be absolutely sure that you have removed the infection is to completely reinstall Windows and all your applications. This might seem a bit drastic, but the alternative could be that there is a hidden infection on your computer just waiting to get you again. Do you have everything you need to do this - not only the media but also all the license keys?
StuartR
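Stuart's point about offline backups has a second half that Alan's USB stick illustrates: a backup that was attached during the attack is not a backup any more, so it has to be checked before it is trusted. The Python script below is an added example, not from the thread: it records a SHA-256 manifest of the originals, then compares a backup copy against that manifest and reports files that were modified, went missing, or appeared unexpectedly. The file names, contents and the simulated encryption run are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List

# Added example (not from the thread). A manifest taken while the files are
# known good lets you tell later whether a backup still matches them.


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(manifest: Dict[str, str], backup_root: str) -> Dict[str, List[str]]:
    """Compare a backup copy against the manifest taken from the originals.
    A mass of 'modified' plus a few 'unexpected' files is the signature of
    a backup drive that was attached while ransomware ran."""
    current = build_manifest(backup_root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: manifest the originals, copy them to a backup,
    then simulate an encryption run on the still-attached backup."""
    work = tempfile.mkdtemp(prefix="bk_")
    try:
        src = os.path.join(work, "documents")
        os.makedirs(src)
        for name, body in [("budget.xlsx", b"q1 numbers"),
                           ("letter.docx", b"dear sir"),
                           ("notes.txt", b"todo")]:
            with open(os.path.join(src, name), "wb") as fh:
                fh.write(body)
        manifest = build_manifest(src)
        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)
        # simulated ransomware: one file overwritten, one deleted, a note dropped
        with open(os.path.join(backup, "budget.xlsx"), "wb") as fh:
            fh.write(os.urandom(32))
        os.remove(os.path.join(backup, "notes.txt"))
        with open(os.path.join(backup, "ransom_note.txt"), "wb") as fh:
            fh.write(b"constructed note\n")
        return verify_backup(manifest, backup)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for status, files in demo().items():
        print("%-10s %s" % (status, ", ".join(files) or "-"))
```

In practice the manifest should be stored with the backup but on media that is then disconnected, and re-run after every copy; the verification is worth nothing if the manifest itself sat on the drive that was encrypted.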


Doc.AElstein
BronzeLounger
Posts: 1483
Joined: 28 Feb 2015, 13:11
Location: Hof, Bayern, Germany

Re: CryptoWall 3.1

Post by Doc.AElstein »

Hi HansV,

. Thanks for the reply.

. I read the articles from Rudi. I shall do so again. As I have limited computer experience I appreciate you mentioning the important bit. Strangely I do not remember opening any PDF files on the affected computer. And any attachments were Excel files from my main computer. I do see on another Windows 7 (Starter) notebook some PDF "offer" files that I do not remember. I shall not open those!!! (They are in the default download folder.)

. Thanks for the tip on the software. That is helpful because, as I mentioned, I am nervous of downloading, not knowing what is genuine or likely to give me further problems.
. I have installed that free software on the affected notebook and in addition on my main Vista computer and another Windows 7 (Starter) notebook. I did not immediately see a way to check for problems with email attachments. It did however give me after installation an option to "Scan Now". I am letting that run now on all three computers. It appears to take some time, especially on the notebooks. On my main computer it has just finished after over an hour and has detected 2 "Malicious items" and 284 "Non-malware" items. I shall attempt to review those shortly.

..................................

Hi StuartR

. Thanks for your reply.
. I do not have any media; the computers are as I bought them. On the notebooks (LG X120) there are in addition no disc drives for any installation CDs.
. With my current experience level, I am very reluctant to try reinstalling the system myself. But thanks for the advice. Possibly that will be a future option if I contact a handler.

……………………………………………..

. I guess the best advice then is to back up externally. I have actually got into the habit of storing mostly to a USB stick. I think what I have learnt now is maybe to always remove that frequently, and not leave it in "unattended" as it were for long periods.

. Thanks again, I appreciate the replies.
. Alan
Bavaria
Germany

Doc.AElstein
BronzeLounger
Posts: 1483
Joined: 28 Feb 2015, 13:11
Location: Hof, Bayern, Germany

Re: CryptoWall 3.1

Post by Doc.AElstein »

P.S. StuartR, I believe the original license keys are still underneath on a label. I shall note them should I take the reinstallation suggestion further.

Doc.AElstein
BronzeLounger
Posts: 1483
Joined: 28 Feb 2015, 13:11
Location: Hof, Bayern, Germany

Re: CryptoWall 3.1

Post by Doc.AElstein »

Just some quick further feedback...

The detected items from my main computer

...To mention just a few.

“Non-malware items”
Outbrowse
MySearchDia.A
Snapdo.T
OpenCandy.A
DomaIQ
MyPCBackup.A

Etc. etc.!! Too many to list.

The “Malicious items”
Trojan.Dropper.FJ
Backdor.Bot

. It suggests I "quarantine them". Not sure if I should do that. I will think about it. If anyone has any suggestions on that I would be grateful.

HansV
Administrator
Posts: 72605
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: CryptoWall 3.1

Post by HansV »

I'd quarantine the lot of them; there is no reason to keep any of those.
Regards,
Hans

Doc.AElstein
BronzeLounger
Posts: 1483
Joined: 28 Feb 2015, 13:11
Location: Hof, Bayern, Germany

Re: CryptoWall 3.1

Post by Doc.AElstein »

Thanks Hans,
. I will do that.
Alan