Andreas Gieryic
asked on
CryptoDefense Software
I am very surprised not able to find anything on Experts Exchange referencing CryptoDefense Software
It appears a folder on the user's Desktop, his networked H-Drive and many folders under his other networked drive are severely infected with CryptoDefense Software. All folders and files have a time stamp 4/2/2014 4:27pm. Every folder has a “decrypt” file. Can’t open anything that has the decrypt files in its folder
http://www.enigmasoftware.com/cryptodefense-removal/
- updated and ran the new Malwarebytes but it found nothing.
- ran a full MSE scan. Found no issues
- attempted to run the Carbonite restore and it failed to open with script errors. Rebooted PC. Carbonite still fails with script errors
- ran a rogue killer program. Found and removed several malicious entries. Required another reboot
- I don’t see the actual QuickBooks files infected but many of its related folders have been infected
I have not yet performed a system restore to an earlier time. I contacted one of my very experienced Windows engineers and he stated that would not help
We could try logging on as the administrator and in safe mode but bottom line is that we need a restore.
From everything I read, we need to perform a restore from before 4/2/2014. Since the Carbonite will not run from the PC, I need to get in touch with the person who has access to the credentials to Carbonite access and restore
Any help would be appreciated
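Two indicators in the question above (a “decrypt” note dropped into every touched folder and one uniform modification time across the encrypted files) are exactly what a defender uses to scope how far the encryption reached before restoring. The following script is an added example for this thread, not code from the original post or any vendor: it walks a tree, lists folders that contain a ransom note (assumed here to be any file whose name contains “decrypt”), and buckets file modification times to find the spike that marks the encryption run. The sample tree it builds is constructed for demonstration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime

NOTE_MARKER = "decrypt"  # assumption: the ransom note's filename contains "decrypt"


def find_note_folders(root):
    """Return every folder under root that holds a ransom-note file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if any(NOTE_MARKER in name.lower() for name in files):
            hits.append(dirpath)
    return sorted(hits)


def mtime_clusters(root, bucket_minutes=5):
    """Count files per modification-time bucket; the tallest bucket is the encryption run."""
    counts = Counter()
    width = bucket_minutes * 60
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ts = os.path.getmtime(os.path.join(dirpath, name))
            counts[datetime.fromtimestamp(int(ts // width) * width)] += 1
    return counts


def triage(root):
    """Summarise scope: affected folders plus the (bucket, file count) spike."""
    clusters = mtime_clusters(root)
    peak = max(clusters.items(), key=lambda kv: kv[1]) if clusters else None
    return {"note_folders": find_note_folders(root), "peak_bucket": peak}


def build_sample_tree():
    """Constructed sample share for demonstration only; not real data."""
    root = tempfile.mkdtemp()
    hit = 1396470420  # constructed epoch value standing in for the encryption time
    for sub in ("Desktop", "H", "Shared/QuickBooks"):
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for name in ("a.docx", "b.xlsx", "HOW_DECRYPT.txt"):  # note name is constructed
            path = os.path.join(folder, name)
            open(path, "w").close()
            os.utime(path, (hit, hit))
    clean = os.path.join(root, "Clean")  # untouched folder keeps the current time
    os.makedirs(clean)
    open(os.path.join(clean, "old.txt"), "w").close()
    return root
```

Folders with a note are the ones to replace wholesale from the pre-incident backup; the size of the peak bucket is a quick sanity check that the restore covers every file written in that window.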
You need to understand what being infected means. If you remove it, you remove the only way to decrypt!
ASKER
If I have a good restore, is there more than just removing the infected folders and replacing them with a backup? If I have a good restore, should I perform a system restore to bring the registry back to before the infection?
There is no defense -- except having a backup image.
Yes, if you have a backup, of course all sorts of cleaning are ok.
I have heard that Comodo antivirus is able to get rid of Cryptolocker and decrypt your files. May be worth a shot.
http://antivirus.comodo.com/
You heard? Where, if I may ask? Comodo cannot decrypt anything. How should it, without the key?
Okay. More than heard as far as protection goes: "CryptoLocker Ransomware Continues to Claim Victims, While Enterprises Remain Safe with Comodo Endpoint Security" at:
< http://www.comodo.com/news/press_releases/2013/11/comodo-endpoint-security-protects-cryptoLocker-ransomware-virus.html >
Comodo says they can stop the CryptoLocker virus from entering your system. They don't mention the ability to remove the encryption.
They are the only company I've seen that "offers customers up to a $5,000 limited warranty against infection."
Have we answered your question?
ASKER
Learned a lot about this Cryptolocker in the past 48 hours.
I got Microsoft involved as well. We were looking for a certificate that may have been left behind, with no luck. Basically there's nothing that can be done to decrypt the folders and files as mentioned above.
Server 2008
- We have a restore to replace all the encrypted folders. However, since the server was compromised, it only makes sense to rebuild. I am currently rebuilding a 2nd server to take its place to limit downtime
Windows 7 PC
- we have replaced the infected folders but will plan to rebuild in the near future.
Going to take the advice to try to secure the new server and network better
Glad we could all help!
ASKER
thanks for everyone's help