Remove Cryptowall 3.0 Virus

Our business server was compromised by a workstation with Cryptowall 3.0.  I restored the server files from backup so I don't need to recover the encrypted files.

Question:  How do I clean (remove) the virus from the workstation?  I know I could reinstall the OS from scratch but this is a VERY heavy duty workstation with many applications and I would really like a removal solution rather than having to rebuild from scratch.

Environment:  Windows 7 Enterprise

Thanks much.
JimSillsAsked:
Thomas Zucker-ScharffSolution GuideCommented:
Considering what you say there is even more reason to do a complete rebuild. If you don't, first you can't recover the files and second you can't ever trust that computer again.

The only way to recover from a crypto Trojan is if you have been compromised with one of the publicly available decryption keys (public because they have been posted from servers that were taken down by raids). See the comments at the end of my article:

http://www.experts-exchange.com/articles/18086/Ransomware-Prevention-is-the-only-solution.html
1

NVITCommented:
"If you discover that your computer is infected with CryptoWall you should immediately scan your computer with an anti-virus or anti-malware program" See http://www.bleepingcomputer.com/virus-removal/locker-ransomware-information#clean

That page also has prevention methods.

A popular scanner is Malwarebytes Anti-Malware
0
andreasSystem AdminCommented:
After an infection you really do not know if the attacker just placed the Cryptowall malware. It could very well be that the system is also infected with other things your AV scanner might not be able to detect.

Some newer malware does not even need files, it can entirely hide in the registry and ram only.

A forensic analysis of the machine to ensure you have caught everything is far more time consuming than reinstallation of the box.

Such a forensic analysis needs to include:

checksum scan of all files in the system and comparison to known good sums; all unclear files need to be checked manually.
offline scan of the system with at least 3 different AV scanners, and offline and online scans with spyware removal tools.
rootkit scans to find discrepancies between HDD contents and what Windows can see, also for registry keys.
checking of the logs/Event Viewer for any suspicious activity
checking of firewall and IDS logs if available

Furthermore you need to change all passwords for all accounts that have been used on the machine during the infection period.
It also might be that the Cryptowall was the LAST infection and that the attacker put a keylogger in to steal passwords much, much earlier.

Personally, I always prefer a clean reinstall instead of a cleaning, as there is NO way to be 100% sure your system is really clean and all traces of the attack are removed and all holes are plugged.
1
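The checksum comparison in the list above, as an added example (PowerShell, not code from the thread): it builds a SHA-256 baseline of a directory tree on a known-good machine of the same build and patch level, then lists files on the suspect machine that are new, modified or missing against that baseline for manual review. It assumes PowerShell 4.0 or later (for Get-FileHash); $Root and $Baseline are placeholder paths.

```powershell
# Added example, not from the thread. Run with -Build on a clean reference machine,
# then without -Build on the suspect machine against the same baseline file.
param(
    [string]$Root     = 'C:\Windows\System32',          # placeholder tree to audit
    [string]$Baseline = 'C:\ir\system32-baseline.csv',  # placeholder baseline file
    [switch]$Build
)

function Get-TreeHashes {
    param([string]$Path)
    # Walk the tree and hash every regular file; unreadable files are skipped.
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { [pscustomobject]@{ Path = $_.FullName; Hash = $h.Hash } }
        }
}

if ($Build) {
    Get-TreeHashes -Path $Root | Export-Csv -Path $Baseline -NoTypeInformation
    return
}

# Load the known-good hashes into a lookup keyed by full path.
$known = @{}
Import-Csv -Path $Baseline | ForEach-Object { $known[$_.Path] = $_.Hash }

# Compare the suspect machine: anything NEW or MODIFIED is a candidate for manual review.
$seen = @{}
foreach ($f in (Get-TreeHashes -Path $Root)) {
    $seen[$f.Path] = $true
    if (-not $known.ContainsKey($f.Path)) {
        "NEW      $($f.Path)"
    } elseif ($known[$f.Path] -ne $f.Hash) {
        "MODIFIED $($f.Path)"
    }
}
# Files present in the baseline but gone from the suspect machine.
foreach ($p in $known.Keys) {
    if (-not $seen.ContainsKey($p)) { "MISSING  $p" }
}
```

Run it from a boot medium or with the suspect disk mounted on another machine rather than from the suspect OS itself, since a rootkit on the running system can hide files from the very tools doing the scan, which is the point the rootkit item in the list above makes.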
akbCommented:
Crypto Wall does a lot of damage to the PC. If you don't have an image you can restore from then you need to format the HDD and reload the OS. If you don't do this you will have endless problems with the computer. Maybe there is another similar PC you could use as a starting point for a recovery image?

Just a side note - Crypto Wall can only get to the server from a work station if the work station has mapped drives to the server. For this reason I recommend you remove mapped drives from all work stations and use URL paths to get to the server. It is easy to set up shortcuts on user's desktops to the required server shares. You can also add them to the user's favourites so they can get to them easily when opening or saving documents.
0
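The mapped-drive change suggested above, as an added example (PowerShell, not code from the thread): it finds the current user's network drive mappings that point at one file server, creates a desktop shortcut that opens each share by its UNC path, and then removes the drive letter. $Server is a placeholder name; run it as the user whose mappings are being replaced.

```powershell
# Added example, not from the thread. Replaces drive-letter mappings to $Server
# with UNC shortcuts on the desktop, then deletes the mappings.
param([string]$Server = 'FILESERVER')   # placeholder server name

# DriveType 4 = network drive; ProviderName holds the UNC path behind the letter.
$mapped = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 4' |
    Where-Object { $_.ProviderName -like "\\$Server\*" }

$shell   = New-Object -ComObject WScript.Shell
$desktop = [Environment]::GetFolderPath('Desktop')

foreach ($d in $mapped) {
    $unc  = $d.ProviderName                  # e.g. \\FILESERVER\Data
    $name = ($unc -split '\\')[-1]           # share name becomes the shortcut name
    $lnk  = $shell.CreateShortcut((Join-Path $desktop "$name.lnk"))
    $lnk.TargetPath = $unc
    $lnk.Save()
    Write-Output "Created $($lnk.FullName) -> $unc"

    # Drop the drive letter; /y suppresses the "files open" confirmation prompt.
    net use $d.DeviceID /delete /y
}
```

Mappings pushed by a logon script or Group Policy will return at the next logon unless they are removed at the source as well, and as the later comment in this thread notes, a variant that enumerates shares directly rather than drive letters is not stopped by this change.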
Tyler BrooksNetwork and Security ConsultantCommented:
Malwarebytes is able to remove Crypto Wall, though I would agree that the safest bet would be a rebuild.

Just as an FYI, I have generally been able to recover encrypted files by rolling them back to the last stored version.

I was able to use this on a server where the mapped drives were encrypted by an infected workstation to restore the files. I wiped the workstation but this saved me from having to rebuild the server from our backups.
0
Thomas Zucker-ScharffSolution GuideCommented:
Make sure this is not CryptoFortress or a variant since that can encrypt network shares that are not mapped.
0
LeeTutorretiredCommented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
akbCommented:
There was plenty of good advice given.
The OP has simply not replied to any of it.
I suggest leaving the question here as the replies may be useful to others.
Either divide up the points or assign no points but please don't delete the question.
1
Thomas Zucker-ScharffSolution GuideCommented:
I would agree that a lot of good information is in this question, please leave if at all possible.
0
JimSillsAuthor Commented:
To All Respondents:

I apologize if I failed to follow Experts Exchange protocol. I was of the understanding that points are to be awarded for solutions and I did not receive a solution. My question was, “How do I clean (remove) the virus from the workstation?”

No one was able to tell me how to do that successfully with ongoing OS integrity. I received a lot of preventive information, virus removal information that would not work and advice not to pay the ransom, but I didn’t get an answer to my question.

I’ve been doing computer troubleshooting since 1981, before IBM and Bill Gates released the first IBM PC with MS DOS. That’s what I have done for a living for 34 years. My problem workstation and server were at one of my client accounts.

I considered the Experts Exchange advice I received as good information for rookies but not for me. Out of everything that was written the only two things that I gleaned as helpful information were:
1. akb’s, “Crypto Wall can only get to the server from a work station if the work station has mapped drives to the server. For this reason I recommend you remove mapped drives from all work stations and use URL paths to get to the server.” A good tip, thank you.
and
2. Thomas Zucker-Scharff’s, “Make sure this is not CryptoFortress or a variant since that can encrypt network shares that are not mapped.” A good tip, thank you.

But even though they were good tips, neither of those provided a solution to my question.

Perhaps my question was a ringer, in that, there is no removal solution. Sorry if that’s the case. Maybe the best response to my question would have been, “Sorry, you’re screwed. Zero out the workstation and rebuild it from scratch.”

As Moderator thermoduric stated: “Points are not awarded just for effort.”

If someone would have solved my problem satisfactorily I would have been happy to award points.

I’m all ears. Does anyone have any suggestions how I should deal with this matter and the points? I don't want to be an ass about it.

Thanks
0
akbCommented:
Thanks for the feedback.
If you had replied to some of the experts you may have received more assistance.
Sometimes there is no precise answer to the asked question but we may be able to provide assistance /advice to help you sort out your problem.
I'd suggest you accept your own reply as the answer. No points awarded but the question will stay for others to read.
0
Josef Al-ChacarSystems AdministratorCommented:
I'll start things off and say that I agree that you should rebuild.

However, if you insist on removing the ransomware then these are the steps that I would personally take.

1. Since you have all the data backed up I would remove all the profiles that are stored locally. LOTS of malware likes to hide in AppData and users' ntuser.dat files. Also remove all known locations where the encr

2. Do a full scan of the workstation with Kaspersky Rescue Disk. This will scan the computer while all files are inactive and remove the infected ones. Change the setting to do the deepest scan possible. I don't know off hand which setting. **This will take a very long time**

3. Boot into safe mode and do another full scan with Malwarebytes; enable the rootkit scan before the scan.

4. Do a normal boot and scan again with Malwarebytes; Kaspersky Virus Removal Tool is also very effective.

5. After all scans are complete and detect no malware then I would run SFC /SCANNOW from the administrative command prompt. This will repair any damaged system files. Then I would do a chkdsk /f.

Hope this helps you out some.

Josef
0
Thomas Zucker-ScharffSolution GuideCommented:
I would have to say that if it is indeed ransomware, you would have no choice but to restore from backups or do a clean install.
0
Josef Al-ChacarSystems AdministratorCommented:
I agree 100%. Although ransomware is not intended to destroy the operating system, but rather to get money for your data, as stated above, the computer cannot be trusted anymore. You may spend more time removing the malware than it would take to reinstall the OS and all the programs.
0
JimSillsAuthor Commented:
Dear thermoduric:

I will defer to your assessment, and therefore, concur with the award of points as you indicated.  I have been a Member of EE since 2003 but have only asked two questions, this one being the second.

In that regard, I am not familiar with the award process.  Since you have seen fit to intervene, I "assume" that you have awarded the points and that I need not take further action.

If that is incorrect, please so advise.

Thank you,

Jim
0