Solved

copy the restore image and transplant to a new computer

Posted on 2014-02-20
2
336 Views
Last Modified: 2014-02-20
I am working on a clients computer which has been infected with Cryptolocker. Is there a way to pinpoint where and when this became infected?
I want to try moving the restore image to a new computer to see if the files can be  opened that way. I tried restoring back to before the infection, but the files are still encrypted/corrupted. Can data recovery restore these files? Is moving the image feasible?
0
Comment
Question by:atf3doc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 23

Assisted Solution

by:Thomas Grassi
Thomas Grassi earned 50 total points
ID: 39874041
Have you tried going back to the earliest system restore point
By default it only shows the most current click show more to see all
0
 
LVL 62

Accepted Solution

by:
☠ MASQ ☠ earned 450 total points
ID: 39874092
If they got the red ransom page display then their files are already encrypted. There is no recovery other than paying the ransom.  If you disabled and removed the process before the ransom message then only the files encrypted up to that point will have been lost.

Moving the files to another machine has no advantage.

It's fairly academic about the infection entry point but you can either use the date of the active component of the win32 ransom trojan or usually the date of the infected email attachment dropper as this is almost always a socially engineered email attachment activation that launches the trojan.

See also http://www.experts-exchange.com/Security/Encryption/Q_28295419.html and other Cryptolocker threads on this site.

Afraid a System Restore will have no effect either :(
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
PGP software 3 75
application server backups 2 40
Doing a system restore with a temporary profile. 5 46
DER-Encoded Cert for 2012 Server R2 6 23
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
This guide will walk you through the essential considerations and tech stack for building scalable websites. Know how to grow your business the smart way!
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
Viewers will learn how to use the Hootsuite Dashboard.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question