Dennis Miller asked:
how to remove CryptoLocker
I have a user who has a CryptoLocker ransom virus on their personal laptop. My son says there is a good fix now to undo the damage? I see many tools in Google, but my question is: is there truly a fix, and where, without getting something as bad or malware, can this fix be had?
ASKER
David, after seeing how some other virus issues I have had to try to fix (and none as bad as this), I would tend to agree. It seems no matter what you clean and how it says it is clean, the laptop ends up coming back to me again. I have yet to really get any laptop cleaned if a virus (not malware) hits. The easiest way is to just re-install, but I would like to at least get this guy's music and pictures off. I will try one of the above and then, after I get the music or whatever he has to have off, I will just re-install the image. Thanks. I will let you guys all know how the fix works.
ASKER
I just talked to one of the techs and he went to Bleeping Computer, which always seems to have a fix, and downloaded rkill and says it did clean the laptop, but I also again agree that a re-image is just the safest way. I will run the rkill tonight and see what happens, and also run the download that shows what has been decrypted; this was off the site David had. It is also nice that I have someone else's laptop to test it on since he thinks it is dead anyway. I love testing on another laptop that is not mine.
You need to make sure it really is CryptoLocker - that particular strain of malware was taken down last year and, while it's been trying to make a comeback, a lot of fake ransomware strains have been making use of the name (without actually encrypting the files). Unfortunately, a strain called CryptoWall has filled in the niche lately and comprises the vast majority of recent crypto ransomware outbreaks. I say "unfortunately", because there are no known means of decrypting CryptoWall infected machines (and the recent payloads also started to include a credential stealing spyware module). See an earlier question about CryptoWall 3.0 ramifications here.
Ransomware, if it is such, can be easily determined. Check a single file by uploading it to the crypto server, and see my article.
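The two replies above turn on one question: are the files actually encrypted, or has a fake strain only renamed them or dropped a ransom note? Before uploading anything anywhere, a quick offline triage is to check whether a file still begins with the header its extension promises and how random its contents look. The script below is an added example written for this thread, not code from any of the posters or from the tools they mention. The magic numbers are the standard, publicly documented ones; the sample "files" are constructed in memory, and the 7.0 bits-per-byte threshold is an assumption chosen for illustration.

```python
import math
import os
import random
from collections import Counter
from typing import Dict, Optional

# Standard leading bytes for a few common user-file types.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".pdf": [b"%PDF"],
    ".mp3": [b"ID3", b"\xff\xfb"],
    ".docx": [b"PK\x03\x04"],
}

# Assumed threshold: ciphertext sits near 8.0 bits/byte, plain text well below.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext: str, data: bytes) -> Optional[bool]:
    """True/False when the extension has a known magic number, None otherwise."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return None
    return any(data.startswith(s) for s in sigs)


def classify(name: str, data: bytes) -> str:
    """Label one file from its name and leading bytes.

    The header check is the reliable signal: JPEG and MP3 bodies are already
    high-entropy because they are compressed, so entropy alone would flag
    intact media.  Entropy is only used once the header has been lost or the
    extension is unknown (a ransom suffix such as .locked gives an unknown extension).
    """
    ext = os.path.splitext(name)[1]
    match = header_matches(ext, data)
    ent = shannon_entropy(data)
    if match is True:
        return "header-ok"              # still opens as the type its name claims
    if match is False and ent >= ENTROPY_THRESHOLD:
        return "suspect-encrypted"      # known type, header gone, body looks like ciphertext
    if match is False:
        return "header-mismatch"        # wrong header but low entropy: corrupt or misnamed
    if ent >= ENTROPY_THRESHOLD:
        return "high-entropy-unknown"   # unknown extension and ciphertext-like body
    return "low-entropy-unknown"


# Constructed sample files (not real user data). Seeded RNG stands in for ciphertext.
_rng = random.Random(1)
_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLES: Dict[str, bytes] = {
    "vacation.jpg": b"\xff\xd8\xff\xe0JFIF" + bytes(4096),  # intact JPEG header
    "vacation_enc.jpg": _CIPHERTEXT,                         # same extension, contents replaced
    "song.mp3.locked": _CIPHERTEXT,                          # ransom-style extra suffix
    "notes.txt": b"meeting notes\n" * 200,                   # plain text, no magic defined
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Classify every sample; a real run would read the first few KB of each file on the drive."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, label in scan().items():
        print(f"{name:20s} {label}")
```

Run against a drive mounted read-only from another machine (the route suggested later in this thread), a high proportion of "suspect-encrypted" and "high-entropy-unknown" results means the data really was encrypted, while "header-ok" across the board with a ransom note present points at a fake strain that only claims to have encrypted the files.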
If the files have been encrypted they are gone, just like a catastrophic disk error: format the disk. If the files are not now encrypted, then add the drive to another machine and copy the files over. The belt-and-suspenders route is to use a different O/S host machine, like Linux, to copy the files.
ASKER
Thanks to all that helped. Bleeping computers had a ton of great info. The virus trashed the MBR so I had to re-format. It had been on there too long. I ended up wiping the drive and re-imaged. His music was not able to be had any longer. Thanks for all the help.
Once the damage is done, the only real recourse is to re-install the operating system (recent backup??) and restore the files from backup. Don't try and cheat by just removing the malware. Why not, you ask? The simple answer is that once a machine is compromised you can never trust that machine again. If I was a malware author, I'd add a scheduled task for sometime in the future to re-acquire and install the malware at a later date.