Help! Got hit by something called Cryptowall 3.0!

Dear Experts, please help! I just got attacked by a virus called Cryptowall 3.0. There's a browser page showing on my computer saying all my files have been encrypted, and it sure looks like they are... every file I open contains garbage. Can somebody help me please, I am freaking out here!!

Thank You
   Shawn
shawn857Asked:
cwstad2Commented:
Hi take a look at this article this will assist you with decrypting the files.

http://nabzsoftware.com/types-of-threats/cryptowall-3-0
shawn857Author Commented:
thank you cwstad... but I had System Restore turned off! I've basically always had it turned off.

Shawn
cwstad2Commented:
Hi Shawn, try this method

Crypto removal

shawn857Author Commented:
Thanks, but that only discusses how to remove the virus. It doesn't say how/if I can get my files back.

Thanks
    Shawn
cwstad2Commented:
Without the system restore option available, you may need to restore from backup or use a professional data recovery service.
shawn857Author Commented:
Well, thankfully I do have a fairly recent backup. Not everything, but all the important stuff anyway. Do you have any knowledge about whether these crooks really DO give the key to restore the files if you pay them?
cwstad2Commented:
Don't do that mate, there is evidence to suggest that people have paid and haven't had their files recovered.

Personally I would remove the virus then restore.

It may be a good time to turn on the restore option that you disabled also.
shawn857Author Commented:
OK, yeah you are right. There's no honor among thieves, is there.

In that site you recommended:

http://rescueyourcomputer.blogspot.co.uk/2015/01/remove-cryptowall-30-get-rid-of.html

... it gives a manual way to get rid of the virus and an automatic way. Which would you recommend? Do both? Automatic, then go through manually as a double-check?

Thanks
   Shawn
rindiCommented:
You need to check whether your PC is still infected (some versions of Cryptowall remove themselves once they have done their "job"). But in my opinion it is still best to do a clean OS installation. After that run all Windows updates, install a good AV tool like Panda Free AV if this is a privately used PC. Make sure you create an Admin user, and also a standard user account which will be your main account. Never use an Admin account for day to day use.

Once that is done, all you need to do is restore your data from your backups.

If your backups are bad, or you foolishly didn't do any backups, your data is lost. You can't recover encrypted files without the key, and paying for the key is very foolish as that only encourages the crooks to keep on.
cwstad2Commented:
It's down to preference, but to keep it simple use the automatic. You can always double check like you say after the event.
shawn857Author Commented:
Thanks. And thanks Rindi - good advice.

I'm wondering about my EXE programs - apparently they get corrupted too by this. Is it as simple as restoring the clean EXE from my backup and it should run? Or has the Cryptowall corrupted the registry entries for the EXE's as well?
cwstad2Commented:
A restore will overwrite any existing file. You may want to do a system image also as an extra layer of protection.
shawn857Author Commented:
I'm not familiar with system image. What is that exactly?
cwstad2Commented:
It creates an exact copy of the OS and any other drives you specify. If you have Windows Vista or greater then it's built into the OS. You can find this in Control Panel.
shawn857Author Commented:
I have Windows XP.  :-(

My backup is on an external HD and is a complete backup of my laptop's whole C: drive (Windows folder and everything). Should I just copy back everything from there back to my laptop? Or should I be doing it "piecemeal" - folder by folder?

Thanks
   Shawn
cwstad2Commented:
Try it bit by bit, then when you are happy increase the number. You can use this free software to create a system image:

http://www.todo-backup.com/products/home/free-backup-software.htm
shawn857Author Commented:
OK, but how is a "system image" any different than just copying back all the files from my external HD backup, back to my laptop? I don't understand what the difference is.
cwstad2Commented:
The system image could be part of your future backup plan. It won't help you with your current issue.
shawn857Author Commented:
OK, so I need to just copy back folder-by-folder then?

And my EXE's, as I asked a few minutes ago, will copying those back be all I need to do? Or will their registry entries be corrupted as well?
cwstad2Commented:
Yes, but double check. I'm sure you will soon find out if there are any issues.
rindiCommented:
Stop using XP. It has been EOL and without support for over a year now. If you install XP again you'll be hit by malware again in no time.

Upgrade either to Windows 7, which should run fine on most PCs that run XP, or, if you don't want to invest in buying a new OS for your old PC, install Linux.

Contrary to what many people believe, and also what you may get told by some on this site, there are many Linux distros around that are very easy to use, even for Linux rookies. You practically never have to use the command line. I'd recommend the XFCE version of MakuluLinux, which has a very beautiful design, runs very fast, and also works fine on old hardware.

http://makululinux.com/downloads/
shawn857Author Commented:
What do I double check? I don't quite follow you.

Will I need to do something to fix my registry? Has that been corrupted too?
cwstad2Commented:
That you are happy with the restore. Once you run the automatic clean up, the registry should be fine.
shawn857Author Commented:
OK. Would running Malwarebytes after SpyHunter be a good idea also?

Rindi, I have a pretty old IBM Thinkpad laptop with only 30 gigs of HD space, and I already only have about 2 free gigs. I don't think I'd have the room to install Windows 7 on it. I think I have to stick with XP until I can afford to buy a new laptop...  :-(
cwstad2Commented:
Entirely your choice. If it makes you feel at ease then do so.
shawn857Author Commented:
OK thank you guys. I have SpyHunter running right now; so far it hasn't found anything explicitly named "Cryptowall", but it has found a lot of stuff concerning a "PC Cleaner Pro".

The odd thing about this Cryptowall virus was that I was running a program called "Robosoft" at the time - I'm a Windows Delphi software developer and I was using this rather popular program to submit my software to download and shareware sites. I wonder if Robosoft had anything to do with it, as it *does* access some Russian sites to try to submit to them... makes me wonder....
rindiCommented:
Windows 7 fits on a 30GB disk, although you can't add too many programs besides the OS. You could of course also get a larger disk...

MakuluLinux fits nicely to a disk of that size, and you'll have plenty of free space. You can also try the OS by just booting from the LiveDVD. From DVD it will be a bit slow, but once you have seen it you will want to install it anyway. The default installation includes software for most tasks you will ever need. If you do need other software, just start the Synaptic Package manager, which includes thousands of different software titles which can be selected and installed quickly. You practically never need to buy software, or manually download then install it.

Besides that it includes wine and playonlinux, which allows you to even easily install and run a lot of software that has been written for Windows, not Linux.
rindiCommented:
The most common ways of getting infected with ransomware viruses are via email attachments, or links to download something from others' Dropboxes or similar places.
shawn857Author Commented:
cwstad - SpyHunter is not a free program, is it? It completed the scan, found threats, and I clicked the FIX THREATS button, and now it says I have to purchase the program. Is that correct?
shawn857Author Commented:
are you still with me cwstad??
cwstad2Commented:
Most spyware / AV programs that are of any value usually charge.
shawn857Author Commented:
jeez, I wasn't expecting $50
shawn857Author Commented:
this page recommends running Malwarebytes and HitmanPro... both of those are free:

http://malwaretips.com/blogs/remove-cryptowall-3-0-virus/
cwstad2Commented:
Please do so, both are very good.
shawn857Author Commented:
I knew something looked fishy about that page you recommended:

http://rescueyourcomputer.blogspot.co.uk/2015/01/remove-cryptowall-30-get-rid-of.html

It all looked like one big advertisement for that company's SpyHunter software... and it also pushed their RegCure Pro. You didn't notice that?
And the other site:

http://nabzsoftware.com/types-of-threats/cryptowall-3-0

The button to "Cryptowall 3.0 free scanner", is just a direct download link to SpyHunter once again. Scammy looking pages...
cwstad2Commented:
Just trying to help you. There are several sources to indicate that's the best way of removal. You suggested earlier if it was worth paying the ransom.

In my book I'd rather spend a fraction of the cost for a legitimate product that safeguards against such programs.

Just a thought
shawn857Author Commented:
Didn't mean it like that cwstad... but why are those sites so odd looking? I noticed that almost right away... just one big sales pitch for their software. Not the normal pages that offer proper advice. Why does the button at the bottom of the site:

http://nabzsoftware.com/types-of-threats/cryptowall-3-0

"Download Cryptowall Free scanner and remover"

why does it say it's free... then when you get to the end of running it, it's asking you for $50?
shawn857Author Commented:
OK, just wasn't expecting to be hit up with a "Buy" screen after running what appeared all along to be a free download. I hate that kind of a sneaky sales approach. I may buy it, yes.

I am done running Malwarebytes and it's asking me to reboot. Will my computer still reboot successfully even with all those encrypted/corrupted files?
cwstad2Commented:
You'll find that Malwarebytes and Hitman are also chargeable.
shawn857Author Commented:
please don't abandon me guys....
shawn857Author Commented:
cwstad, come on give me a bit of a break here - it's noon here, I've been up the whole night wrestling with this, I'm running on no sleep... nerves are frayed and I'm a little bit on edge here as you can well imagine. Didn't mean to ruffle your feathers with my rather blunt comment...

Shawn
rindiCommented:
I'm not a programmer, but I just checked online, and there seems to be the "Lazarus" project which runs on Linux and is available directly in the MakuluLinux repositories. It seems to be compatible with Delphi.

I really suggest you upgrade your PC to Linux and forget about XP, as I mentioned earlier, with that OS you are at high risk.
shawn857Author Commented:
Thanks Rindi, but I really cannot run Linux - I have to stick with Windows as my programming development is all in Windows Delphi. Lazarus is not 100% compatible with Delphi - a lot of porting of code would be required, it wouldn't be feasible.

Rindi, can I ask you - I just finished running Malwarebytes on the infected computer - it found 9 threats and deleted them and is now asking me to reboot. Will my infected computer reboot successfully even with all the encrypted/corrupted files?

Shawn
rindiCommented:
There is no reason why it should fail to reboot properly.
shawn857Author Commented:
OK, going to try....
cwstad2Commented:
Sorry have been out. Reboot should be ok.
shawn857Author Commented:
rebooted OK, running HitmanPro now...

Thanks
    Shawn
shawn857Author Commented:
cwstad - you're right, HitManPro needs to be registered too. $33 for it as opposed to $48 for SpyHunter. Is either alright, or would SpyHunter be preferable?
cwstad2Commented:
They are all downloadable for free and scan, but when it comes to the crunch you will have to pay something. Hitman is pretty good and so is SpyHunter. It all depends really on your budget, although SpyHunter does get better reviews:

http://www.free-uninstall.org/our-top-5s/top-5-anti-malware-programs/
shawn857Author Commented:
OK, I guess I'll bite the bullet and buy SpyHunter.
Although I noticed during the SpyHunter run, it seemed to be only flagging the HELP_DECRYPT.HTML, PNG and TXT files. Seems to me that deleting just those is not going to really get rid of the virus...
shawn857Author Commented:
See, it's things like this that give me second thoughts about SpyHunter:

http://ccm.net/faq/31535-spyhunter-fake-security-blogs
shawn857Author Commented:
and here:

http://ccm.net/faq/31535-spyhunter-fake-security-blogs

Seems like it's "fakeware".
rindiCommented:
You can probably get a 2nd hand disk that is larger than the current one for less than $20, then install Windows 7. You then don't need to pay for any removal tools and will be more secure.

Or do a clean installation of the current OS, in which case you wouldn't need any removal tools either. But running all the updates will take a long time of course. You really should stop using XP.
shawn857Author Commented:
I think I will look into getting a 2nd hand disk, a bigger disk. It's just that I'm not familiar with changing hard drives in laptops... it's different than changing a hard drive on a desktop.

Anyway Rindi, I just had another question: after I run my malware removal and remove the Cryptowall virus and start restoring my good files from my backup - should I first *delete* the encrypted versions of the files on my laptop and THEN copy the backups over.... or is it okay to just overwrite the encrypted files with the good backup-files ?

Thanks
  Shawn
rindiCommented:
You should delete the files. Overwriting them won't help as the encrypted files have a different extension from the original. So if you just copy over the good files from your backups you'd end up with two sets of files, which is only a waste of space.

On most laptops changing disks is simple. Thinkpads usually have a kind of caddy which, after you remove a cover with some screws, you can just pull out of the case. Your laptop is probably pretty old, so it will most likely take 2.5" IDE disks (not SATA, which is the standard today). You'd have to get those 2nd hand, maybe via eBay or similar, as those old disks are probably hard to get new.
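The restore step rindi describes (delete the encrypted copies, then bring the clean copies back from the backup) is tedious and error-prone by hand across a whole C: drive, and it is the kind of job worth scripting. The following is an added example written for this page, not code from the thread or from any of the tools it names. It walks a live directory tree, compares each file with its counterpart in the backup, and sorts files into intact, edited since the backup, or ciphertext-like (content differs from the backup and the byte entropy is near 8 bits/byte), deliberately without depending on the extension having changed; it also picks out the HELP_DECRYPT.* ransom notes mentioned earlier in the thread. Every path and file below is constructed for the demo, and the 7.5 bits/byte threshold is an assumption, not a figure from the page.

```python
"""Triage a ransomware-hit tree against a known-good backup, then restore.

Added example for this page (not code from the thread or from any tool it
names). Assumes the live tree and the backup tree share the same relative
layout; every path and file below is constructed for the demo.
"""
import filecmp
import math
import os
import shutil
import tempfile
from pathlib import Path

# Ransom-note file names seen in the thread: HELP_DECRYPT.HTML / .PNG / .TXT
RANSOM_NOTE_STEMS = {"HELP_DECRYPT"}
ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte; ciphertext sits near 8.0, text far below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(live_root, backup_root, sample_bytes=65536):
    """Classify every file under live_root by comparing it with the backup.

    Returns a dict of sorted relative paths: 'notes' (ransom notes),
    'encrypted' (differs from backup and looks like ciphertext), 'modified'
    (differs but is not ciphertext-like, i.e. edited since the backup),
    'intact' (identical to backup) and 'no_backup' (nothing to compare with).
    The extension is ignored on purpose: CryptoWall 3.0, per the thread,
    leaves the original file name in place.
    """
    filecmp.clear_cache()  # never reuse a stale verdict from an earlier pass
    live_root, backup_root = Path(live_root), Path(backup_root)
    report = {"notes": [], "encrypted": [], "modified": [], "intact": [], "no_backup": []}
    for path in sorted(p for p in live_root.rglob("*") if p.is_file()):
        rel = path.relative_to(live_root).as_posix()
        if path.stem.upper() in RANSOM_NOTE_STEMS:
            report["notes"].append(rel)
            continue
        backup = backup_root / rel
        if not backup.is_file():
            report["no_backup"].append(rel)
            continue
        if filecmp.cmp(path, backup, shallow=False):
            report["intact"].append(rel)
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        bucket = "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "modified"
        report[bucket].append(rel)
    return report


def restore(live_root, backup_root, report, dry_run=True):
    """Delete ransom notes and encrypted files, then copy clean copies back.

    Deleting first instead of copying over follows the thread's advice and
    also covers variants that do rename files. Returns the action list; with
    dry_run=True nothing on disk is touched.
    """
    live_root, backup_root = Path(live_root), Path(backup_root)
    actions = [("delete", rel) for rel in report["notes"]]
    actions += [("replace", rel) for rel in report["encrypted"]]
    if not dry_run:
        for action, rel in actions:
            (live_root / rel).unlink()
            if action == "replace":
                shutil.copy2(backup_root / rel, live_root / rel)
    return actions


def build_demo_trees(root):
    """Constructed sample data standing in for a victim's C: drive and backup."""
    live, backup = Path(root) / "live", Path(root) / "backup"
    for d in (live / "docs", backup / "docs"):
        d.mkdir(parents=True)
    good = b"Quarterly report, plain text.\n" * 256
    (backup / "docs" / "report.txt").write_bytes(good)
    (live / "docs" / "report.txt").write_bytes(os.urandom(len(good)))  # same name, ciphertext-like
    (backup / "docs" / "notes.txt").write_bytes(b"todo list\n")
    (live / "docs" / "notes.txt").write_bytes(b"todo list\n")  # untouched
    (backup / "docs" / "draft.txt").write_bytes(b"draft v1\n")
    (live / "docs" / "draft.txt").write_bytes(b"draft v1\ndraft v2 edits\n")  # edited after backup
    (live / "docs" / "HELP_DECRYPT.TXT").write_bytes(b"constructed ransom note\n")
    (live / "docs" / "newfile.txt").write_bytes(b"created after the last backup\n")
    return live, backup


def demo():
    """Triage, restore for real inside a temp dir, then re-triage to confirm."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = build_demo_trees(tmp)
        before = triage(live, backup)
        actions = restore(live, backup, before, dry_run=False)
        after = triage(live, backup)
    return before, actions, after


if __name__ == "__main__":
    before, actions, after = demo()
    for bucket, files in before.items():
        print(f"{bucket:>10}: {files}")
    print("actions:", actions)
    print("still encrypted after restore:", after["encrypted"])
```

Run `triage()` first with the real paths and read the 'modified' and 'no_backup' lists before calling `restore()` with `dry_run=False`: those are the files the backup cannot give back, and the entropy check only tells compressed or already-encrypted archives apart from ciphertext if their backup copy exists to compare against.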
shawn857Author Commented:
OK, thanks for advice about the hard drive.

The encrypted files appear to have the very same file extensions as what they originally were...

Thanks
   Shawn
shawn857Author Commented:
are you still there guys?

Rindi - The encrypted files appear to have the very same file extensions as what they originally were...they don't have a different extension.


I see on some free forums that they provide some very detailed assistance with this. For instance:

https://forums.malwarebytes.org/index.php?/topic/164331-please-help-me-remove-cryptowall-30-before-it-corrupts-any-more-files/


Can someone here help me like that?

Shawn
rindiCommented:
Those, as far as I can see, are instructions for the case when the encryption hasn't finished yet and is still being done.

But you already received the ransom note, which means the task has finished. Much ransomware is then also automatically removed from your system. Anyway, once the encryption has finished and you get the message to pay up, all the damage has been done and it's too late to do anything except clean up and restore from backups.
shawn857Author Commented:
Yes, that's what I need instruction on please - getting rid of the virus from my computer completely. I have a backup, so I'm not concerned with trying to "salvage" my files.

Thanks
   Shawn
rindiCommented:
As I mentioned already, a fresh installation is always the best option. Although the Ransomware virus is likely to have removed itself, it is highly probable that there are other viruses and malware on your system. Without a fresh installation you can never be sure everything has really been cleaned, and the viruses / malware / cleanup process will often leave the system in an unstable state, as they change things in many places and those changes often can't be completely reversed.
cwstad2Commented:
As above, the best way to ensure that all has been removed is to reimage the laptop.
hulseboschSystem administratorCommented:
I cannot agree more that still running XP is asking for trouble.
As well, the majority of anti-malware software is more or less bogus.
(Having said that, every kind of software works somehow, but doesn't detect / delete everything.)
One I have good experiences with is Trend Micro's HouseCall. (free)

Here's the only advice I have for your encrypted documents.
Kaspersky has built a decryptor, based on known and successfully decrypted attacks.
(Which doesn't necessarily mean it will work for your attack, but worth a try.)

Ransomware decryptor by Kaspersky

Good luck.
shawn857Author Commented:
Thanks guys.

Hulsebosch, will that Ransomware Decryptor work for the CryptoWall 3.0 virus... or only for the "Coinvault" variation?

Thanks
   Shawn
rindiCommented:
It won't work for that. But anyway, you have backups, so that shouldn't bother you anyway.
hulseboschSystem administratorCommented:
I do believe Rindi to be very short in his answer.
Chances of the decryptor working for you are slim, but present.

The bad guys creating the encryption change the code by default.
Having said so, cases are known where identical encryption has been used,
giving the site I mentioned a reason for existing.

In fact, the site has been helpful for me on two different occasions.
(Against several more where it didn't work out.)

Encryption in both viruses is (kind of) identical.

Just give it a try, it's free after all.
If you won't try, you will never know.
Thomas Zucker-ScharffSolution GuideCommented:
I have said this before but will reiterate: once a machine is hit with ransomware, the ONLY sure way to know the machine is free from malware is to nuke the hard drive with something like DBAN and then reinstall the OS. NEVER pay for the key, it may or may not decrypt your files and it may come with its own payload. I can send you some links to keys that have been taken from some of the crooks.
Thomas Zucker-ScharffSolution GuideCommented:
Sorry for the misspellings - I was answering from my phone on the bus.  Check out Kaspersky's No Ransom site.
btanExec ConsultantCommented:
Really a hassle to go through the recovery; in short, once a machine is confirmed infected with ransomware, your best trusted data is your recent backup and your best work environment is a clean new workstation and new external media that is wiped and rebuilt.

Even your mapped network shares have to be re-examined before you re-map them into your clean device and connect. CryptoLocker only encrypts data stored on network shares if the shared folders are mapped as a drive letter on the infected computer.

BleepingComputer may offer some options aggregated as a whole to guide us (as end users) better, and at least that convinced my internal to a certain extent... even though it did not state v3 or future iterations of such a family... http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

I know it is easier said than done, but not trusting the same machine to recover any more is the safest bet. Also look into preventing such a recurrence, otherwise it wastes all your past "biting the bullet" and hassle to recover and rebuild. http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#cryptoprevent
rindiCommented:
New versions of ransomware can also encrypt data on unmapped shares to which the user has access. So unmapping a drive doesn't necessarily help. More effective is to limit access to certain users if there are more users on a LAN, which reduces the data that can be affected to that data to which the infected user has access. Also, shut down servers when not being used, and also disconnect/power off external disks when they aren't used. Once backups are done, remove the destination. Besides that, backups should be stored away from PCs anyway, in a safe for example.
btanExec ConsultantCommented:
Yep, reinfection can be confirmed, as I will take the risk-averse mindset (pardon me for being "paranoid"). The worst-case perspective is taken for crisis planning since we are no worse off when already infected. We will always (and can) be infected, so (I see) no point keeping up the effort to always rebuild, esp. for critical services. It probably needs to look at maintaining a clean slate on every reboot of the machine or VM, like using Deep Freeze or running a virtual desktop VDI image etc...

Definitely the backup regime has to also be verified as well and not be a "go through the motions" exercise, like assuming those contingency or withdrawal backup plans will work on the day you most need them or can be activated in time when the time bomb starts ticking. Most of the time it can fail us too - and your users significantly, because of the data loss and not the infected machine.

We need to always review in the context of the changing threat landscape...
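btan's point that the backup regime has to be verified rather than assumed, and rindi's advice to disconnect the backup destination once the backup is done, both come down to one question to answer before restoring: is the copy on the external disk still the copy you made? The following is an added example written for this page, not code from the thread or from any tool it names: a SHA-256 manifest is written when the backup is taken and kept off the backup medium, then re-checked before a restore, so a backup that was itself encrypted, lost files, or had ransom notes dropped into it while it sat plugged in shows up as changed, missing or unexpected entries instead of being trusted. File names, contents and the manifest location are constructed for the demo.

```python
"""Write and verify a SHA-256 manifest for a backup set before trusting it.

Added example for this page, not code from the thread. The manifest is
written when the backup is taken and kept off the backup medium; before a
restore it is re-checked, so a backup that was itself encrypted or altered
while plugged in is caught first. Names and contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, read in 1 MiB chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(backup_root, manifest_path):
    """Hash every regular file under backup_root into a JSON manifest."""
    backup_root = Path(backup_root)
    entries = {p.relative_to(backup_root).as_posix(): sha256_file(p)
               for p in sorted(backup_root.rglob("*")) if p.is_file()}
    Path(manifest_path).write_text(json.dumps(entries, indent=1, sort_keys=True))
    return entries


def verify_manifest(backup_root, manifest_path):
    """Compare the backup with its manifest.

    Returns sorted relative paths under 'ok', 'changed' (content differs),
    'missing' (in manifest, not on disk) and 'unexpected' (on disk, not in
    manifest, e.g. a ransom note dropped onto the backup disk).
    """
    backup_root = Path(backup_root)
    expected = json.loads(Path(manifest_path).read_text())
    present = {p.relative_to(backup_root).as_posix()
               for p in backup_root.rglob("*") if p.is_file()}
    report = {"ok": [], "changed": [], "missing": [],
              "unexpected": sorted(present - set(expected))}
    for rel in sorted(expected):
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(backup_root / rel) == expected[rel]:
            report["ok"].append(rel)
        else:
            report["changed"].append(rel)
    return report


def backup_is_trustworthy(report):
    """True only when every manifest entry verifies and nothing extra appeared."""
    return not (report["changed"] or report["missing"] or report["unexpected"])


def demo():
    """Take a backup, verify it clean, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "a.txt").write_bytes(b"alpha\n")
        (backup / "docs" / "b.txt").write_bytes(b"beta\n")
        # In practice keep the manifest on a different medium than the backup.
        manifest = Path(tmp) / "manifest.json"
        write_manifest(backup, manifest)
        clean = verify_manifest(backup, manifest)
        # Simulate the disk having stayed connected during an infection:
        (backup / "docs" / "b.txt").write_bytes(bytes(range(32)))  # content replaced
        (backup / "docs" / "a.txt").unlink()                        # file gone
        (backup / "docs" / "HELP_DECRYPT.TXT").write_bytes(b"constructed note\n")
        tampered = verify_manifest(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup trustworthy:", backup_is_trustworthy(clean))
    print("tampered backup trustworthy:", backup_is_trustworthy(tampered))
    print("tampered report:", tampered)
```

The manifest only proves anything if it was not reachable from the infected machine, which is the same reason rindi gives for unplugging the backup disk: a manifest stored on the backup disk itself can be rewritten along with the files.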
sj77Commented:
Shawn -

I would suggest to use MWBytes and allow it to do its job. Once it removes the threat, then, you can remove all the erroneous file extensions that the crypto software adds. This should bring all your files back.

I agree with the other users that you need to consider upgrading your OS.
shawn857Author Commented:
Thanks guys, I agree that I am still running an old dinosaur with XP and an older laptop. Money is tight for me right now, but when I make a bit I'm getting a nice new laptop with Windows 10. For now though, I have to make the best of what I've got.

I had a good backup of my files, so I should be alright. If there are one or two files that I don't have a backup of, and that I need decrypted, I may well give Hulsebosch's suggestion a try.

Thanks
   Shawn
Thomas Zucker-ScharffSolution GuideCommented:
Okay. Glad you have a good backup. Hope all goes well. Once you have restored, don't forget to use some prevention tools. See this article  (http://www.experts-exchange.com/articles/18086/Ransomware-Prevention-is-the-only-solution.html).
shawn857Author Commented:
Good advice Thomas, thank you.
Thomas Zucker-ScharffSolution GuideCommented:
Anytime