JimSills

asked on

Remove Cryptowall 3.0 Virus

Our business server was compromised by a workstation with Cryptowall 3.0.  I restored the server files from backup so I don't need to recover the encrypted files.

Question:  How do I clean (remove) the virus from the workstation?  I know I could reinstall the OS from scratch but this is a VERY heavy duty workstation with many applications and I would really like a removal solution rather than having to rebuild from scratch.

Environment:  Windows 7 Enterprise

Thanks much.
ASKER CERTIFIED SOLUTION
Thomas Zucker-Scharff
"If you discover that your computer is infected with CryptoWall you should immediately scan your computer with an anti-virus or anti-malware program" See http://www.bleepingcomputer.com/virus-removal/locker-ransomware-information#clean

That page also covers prevention methods.

A popular scanner is Malwarebytes Anti-Malware
Malwarebytes is able to remove Crypto Wall, though I would agree that the safest bet would be a rebuild.

Just as an fyi, I have generally been able to recover encrypted files by rolling them back to the last stored version.

I was able to use this on a server where the mapped drives were encrypted by an infected workstation to restore the files. I wiped the workstation but this saved me from having to rebuild the server from our backups.
Make sure this is not CryptoFortress or a variant since that can encrypt network shares that are not mapped.
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
There was plenty of good advice given.
The OP has simply not replied to any of it.
I suggest leaving the question here as the replies may be useful to others.
Either divide up the points or assign no points but please don't delete the question.
I would agree that a lot of good information is in this question, please leave it if at all possible.
JimSills

ASKER

To All Respondents:

I apologize if I failed to follow Experts Exchange protocol. I was of the understanding that points are to be awarded for solutions and I did not receive a solution. My question was, “How do I clean (remove) the virus from the workstation?”

No one was able to tell me how to do that successfully with ongoing OS integrity. I received a lot of preventive information, virus removal information that would not work and advice not to pay the ransom, but I didn’t get an answer to my question.

I’ve been doing computer troubleshooting since 1981, before IBM and Bill Gates released the first IBM PC with MS DOS. That’s what I have done for a living for 34 years. My problem workstation and server were at one of my client accounts.

 I considered the Experts Exchange advice I received as good information for rookies but not for me. Out of everything that was written the only two things that I gleaned as helpful information were:
1. akb’s, “Crypto Wall can only get to the server from a work station if the work station has mapped drives to the server. For this reason I recommend you remove mapped drives from all work stations and use URL paths to get to the server.” A good tip, thank you.
and
2. Thomas Zucker-Scharff’s, “Make sure this is not CryptoFortress or a variant since that can encrypt network shares that are not mapped.” A good tip, thank you.

But even though they were good tips, neither of those provided a solution to my question.

Perhaps my question was a ringer, in that, there is no removal solution. Sorry if that’s the case. Maybe the best response to my question would have been, “Sorry, you’re screwed. Zero out the workstation and rebuild it from scratch.”

As Moderator thermoduric stated: “Points are not awarded just for effort.”

If someone would have solved my problem satisfactorily I would have been happy to award points.

I’m all ears. Does anyone have any suggestions how I should deal with this matter and the points? I don't want to be an ass about it.

Thanks
Thanks for the feedback.
If you had replied to some of the experts you may have received more assistance.
Sometimes there is no precise answer to the asked question but we may be able to provide assistance/advice to help you sort out your problem.
I'd suggest you accept your own reply as the answer. No points awarded but the question will stay for others to read.
I'll start things off and say that I agree that you should rebuild.

However, if you insist on removing the ransomware then these are the steps that I would personally take.

1. Since you have all the data backed up I would remove all the profiles that are stored locally. LOTS of malware likes to hide in appdata and users' ntuser.dat files. Also remove all known locations where the encr

2. Do a full scan of the workstation with Kaspersky Rescue Disk. This will scan the computer while all files are inactive and remove the infected ones. Change the setting to do the deepest scan possible. I don't know off hand which setting. **This will take a very long time**

3. Boot into safe mode and do another full scan with Malwarebytes; enable the rootkit scan before the scan.

4. Do a normal boot and scan again with Malwarebytes; Kaspersky Virus Removal Tool is also very effective.

5. After all scans are complete and detect no malware, I would run SFC /SCANNOW from the administrative command prompt. This will repair any damaged system files. Then I would do a chkdsk /f

Hope this helps you out some.

Josef
I would have to say that if it is indeed ransomware, you would have no choice but to restore from backups or do a clean install.
I agree 100%. Although ransomware is not intended to destroy the operating system but rather to get money for your data, as stated above, the computer cannot be trusted anymore. You may spend more time removing the malware than it would take to reinstall the OS and all the programs.
Dear thermoduric:

I will defer to your assessment, and therefore, concur with the award of points as you indicated.  I have been a Member of EE since 2003 but have only asked two questions, this one being the second.

In that regard, I am not familiar with the award process.  Since you have seen fit to intervene, I "assume" that you have awarded the points and that I need not take further action.

If that is incorrect, please so advise.

Thank you,

Jim