Warcraft II Forum

General => General Discussion => Topic started by: [TD]Medivh on May 18, 2015, 01:01:33 PM

Title: CryptoWall Virus
Post by: [TD]Medivh on May 18, 2015, 01:01:33 PM
Does anyone know anything about that virus?
My father's PC just got infected, and it seems like there's no way to remove it or get back the encrypted files without paying a ransom of like 800 USD through bitcoin to the virus maker.

Actually, I've tried all traditional solutions; ComboFix itself failed.
Looks like 4/5 of Italian people got infected by that virus.

Is there anyone in this community that can tell me what I can do?
Title: Re: CryptoWall Virus
Post by: Rit on May 18, 2015, 01:23:04 PM
1. Boot the computer into safe mode with networking.
2. Download, install, and update Malwarebytes. Run a Threat Scan and remove whatever malware you detect. Reboot into safe mode with networking again.
3. Download Microsoft Safety Scanner and run a Full Scan. Remove threats. Reboot into safe mode with networking again. Link: https://www.microsoft.com/security/scanner/en-us/default.aspx
4. Run a full anti-virus scan. If he isn't using one already, here is a 90-day BitDefender trial: https://www.facebook.com/bitdefender/app_118554158281905
5. I'm sure the computer is probably riddled with adware too, so it probably wouldn't hurt to run AdwCleaner: https://toolslib.net/downloads/viewdownload/1-adwcleaner/
6. Clean the registry with CCleaner (if you start getting registry errors after the removal): https://www.piriform.com/ccleaner - Usually this will take care of any problems, but sometimes the registry entries will need to be deleted manually.

Keep me updated and I'll assist you to the best of my ability.
Title: Re: CryptoWall Virus
Post by: EviL~Ryu on May 18, 2015, 01:30:04 PM

Does anyone know anything about that virus?
My father's PC just got infected, and it seems like there's no way to remove it or get back the encrypted files without paying a ransom of like 800 USD through bitcoin to the virus maker.

Actually, I've tried all traditional solutions; ComboFix itself failed.
Looks like 4/5 of Italian people got infected by that virus.

Is there anyone in this community that can tell me what I can do?

All that porn, huh? Well, that's life.

It would probably be best to back up all your important files and just reinstall the OS... instead of downloading this antivirus and that anti-spyware.


Sent from my Motorola DynaTAC 8000X using Tapatalk
Title: Re: CryptoWall Virus
Post by: Howl on May 18, 2015, 01:32:36 PM
Generic advice from Rit is OK, but it won't bring your files back.
forums.malwarebytes.org/index.php?/topic/150193-removal-instructions-for-cryptowall/

They use public/private key encryption, meaning you are pretty much fucked (unless there is some kind of bug in the malware, but I think trivial bypasses existed only in the early versions of CryptoLocker/cryptical).

Here are some descriptions that look legit (I checked them out only briefly):

scarybearsoftware.com/news/cryptowall/ (version 2)
deletemalware.blogspot.com/2015/01/how-to-remove-cryptowall-30-virus-and.html (version 3)

Thread about it on Stack Exchange: security.stackexchange.com/questions/80861/cryptowall-3-how-to-prevent-and-how-to-decrypt
Title: Re: CryptoWall Virus
Post by: Rit on May 18, 2015, 01:49:17 PM
Generic advice from Rit is OK, but it won't bring your files back.

Indeed. I'm unfamiliar with this virus.
Title: Re: CryptoWall Virus
Post by: Equinox on May 18, 2015, 02:09:17 PM
Terror-Gorefiend said you have to pay them, lol
Title: Re: CryptoWall Virus
Post by: EviL~Ryu on May 18, 2015, 02:12:07 PM
Are you still able to move your files out?


Sent from my Motorola DynaTAC 8000X using Tapatalk
Title: Re: CryptoWall Virus
Post by: Howl on May 18, 2015, 02:20:05 PM
The original files were removed and only encrypted copies are left (useless without the key).

I would strongly advise against moving any files to another computer with important data on it (if you don't know what you're doing), because by accident you may infect the other one as well.
Title: Re: CryptoWall Virus
Post by: EviL~Ryu on May 18, 2015, 02:31:50 PM

The original files were removed and only encrypted copies are left (useless without the key).

I would strongly advise against moving any files to another computer with important data on it (if you don't know what you're doing), because by accident you may infect the other one as well.


The only way to guarantee 100% that you are rid of the virus is to reformat and reinstall the OS... what OS are you currently running?


Sent from my Motorola DynaTAC 8000X using Tapatalk
Title: Re: CryptoWall Virus
Post by: [TD]Medivh on May 19, 2015, 12:12:03 PM
Actually I have Windows 7 installed. I can't move files anywhere, since if I plug in a USB it instantly gets infected; by now all my USB pens are infected, same thing for DVDs and CDs. I've never seen something like this.
I cannot even run the backup program since this virus deleted all old images of the system, shadow images included. I didn't create any restore point with DVDs or anything.
Seems like the only way to get back my files is to pay the fucker; I won't do it though.
Title: Re: CryptoWall Virus
Post by: EviL~Ryu on May 19, 2015, 01:02:04 PM

Actually I have Windows 7 installed. I can't move files anywhere, since if I plug in a USB it instantly gets infected; by now all my USB pens are infected, same thing for DVDs and CDs. I've never seen something like this.
I cannot even run the backup program since this virus deleted all old images of the system, shadow images included. I didn't create any restore point with DVDs or anything.
Seems like the only way to get back my files is to pay the fucker; I won't do it though.

Just reformat.


Sent from my Motorola DynaTAC 8000X using Tapatalk
Title: Re: CryptoWall Virus
Post by: [TD]Medivh on May 19, 2015, 03:06:25 PM
Ya, I think it's the only solution, but what about the files?
Lost forever?
Title: Re: CryptoWall Virus
Post by: I hate naggers on May 19, 2015, 03:40:18 PM
Ya, I think it's the only solution, but what about the files?
Lost forever?

Have you even read Howl's post, dummy?
Title: Re: CryptoWall Virus
Post by: Certified MENSA Genius Brain (smart) on May 19, 2015, 04:58:17 PM
This virus sounds badass.
Title: Re: CryptoWall Virus
Post by: EviL~Ryu on May 19, 2015, 04:59:29 PM

Ya, I think it's the only solution, but what about the files?
Lost forever?

From what you're telling me about the virus behavior, yes, I would say so...


Sent from my Motorola DynaTAC 8000X using Tapatalk
Title: Re: CryptoWall Virus
Post by: EviL~Ryu on May 19, 2015, 05:00:13 PM

This virus sounds badass.

Dimwit


Sent from my Motorola DynaTAC 8000X using Tapatalk
Title: Re: CryptoWall Virus
Post by: Teron-Gorefiend on May 20, 2015, 12:03:36 AM
Terror-Gorefiend said you have to pay them, lol


You are a dimwit fucking faggot. Howl said exactly what had to be said. His files have been encrypted and no amount of antivirus/malware cleanup will clean his shit up. He effectively needs to pay to get his files back.

@Medivh: You effectively need to pay. Nothing you can do about it.
Here are two excellent reads.
"and just as with CryptoWall, this TeslaCrypt variant's encryption scheme has yet to be cracked. Once files are encrypted, the only way to recover them at present is to pay the malware's masters."
http://arstechnica.com/security/2015/03/cryptolocker-look-alike-searches-for-and-encrypts-pc-game-files/
http://arstechnica.com/security/2014/06/we-will-be-paying-no-ransom-vows-town-hit-by-cryptowall-ransom-malware/

To put EQ's advice of running anti-malware software into context, this moron told koorb to install graphics drivers in Windows when Koorb was having a problem detecting his card on POST/boot. (Answer: change the setting in the BIOS so that it detects the card first instead of looking for onboard graphics (PCI-E).)
LOLOLOL. What a stupid 'computer engineer' that faggot is.
Title: Re: CryptoWall Virus
Post by: EviL~Ryu on May 20, 2015, 12:27:36 AM

Terror-Gorefiend said you have to pay them, lol


You are a dimwit fucking faggot. Howl said exactly what had to be said. His files have been encrypted and no amount of antivirus/malware cleanup will clean his shit up. He effectively needs to pay to get his files back.

@Medivh: You effectively need to pay. Nothing you can do about it.
Here are two excellent reads.
"and just as with CryptoWall, this TeslaCrypt variant's encryption scheme has yet to be cracked. Once files are encrypted, the only way to recover them at present is to pay the malware's masters."
http://arstechnica.com/security/2015/03/cryptolocker-look-alike-searches-for-and-encrypts-pc-game-files/
http://arstechnica.com/security/2014/06/we-will-be-paying-no-ransom-vows-town-hit-by-cryptowall-ransom-malware/

To put EQ's advice of running anti-malware software into context, this moron told koorb to install graphics drivers in Windows when Koorb was having a problem detecting his card on POST/boot. (Answer: change the setting in the BIOS so that it detects the card first instead of looking for onboard graphics (PCI-E).)
LOLOLOL. What a stupid 'computer engineer' that faggot is.


EQ is a gambling engineer



Sent from my Motorola DynaTAC 8000X using Tapatalk
Title: Re: CryptoWall Virus
Post by: SmurfKinG on May 20, 2015, 12:47:35 AM
I'm just gonna say this once.

There's not a virus or a computer problem that I couldn't solve in my 20 years of experience by googling.

Google shit up and if it doesn't work, try again tomorrow. I'm 200% sure someone has fucked those virus makers already with a good solution.

Or, I'd fix the thing for you; I'd virus myself if need be to find the solution. I'd charge you $100 PayPal. I have a reputation here, have fixed other people's shit before. 82[is] PayPalled me $60 USD to fix his video card problem about 3 years ago... you can ask :P

But, I can think of something that may work that you can try. I stumbled into an encrypting virus once.

All I had to do was download a Linux distro, boot with it, and all the files were readable and copyable (were in a different folder though).

You could try with a small, short Linux like "Damn Small Linux", which is about 50 megs, but it's somewhat limited and unfriendly.

I recommend WIFIWAY or KALI LINUX.

For making the USB bootable, again... use Google... "kali linux usb" etc.

Or use a program called UNETBOOTIN to make the USB from the images.
Title: Re: CryptoWall Virus
Post by: SmurfKinG on May 20, 2015, 12:54:51 AM

- "Dad, what have you done to the computer? Why is it this slow and full of viruses?"

- "Look son, the important thing is that I won an iPad, we're travelling to the Bahamas and my dick's gonna grow 7""

 8)
Title: Re: CryptoWall Virus
Post by: Teron-Gorefiend on May 20, 2015, 05:17:02 AM
SmurfKing, I'm absolutely positive you can't fix that. Big security companies have tried and failed so far. Go ahead, infect yourself and then try to unencrypt your data...
Title: Re: CryptoWall Virus
Post by: [TD]Medivh on May 20, 2015, 08:16:52 AM
If the encrypted files aren't the original ones, then where are they?
Title: Re: CryptoWall Virus
Post by: [TD]Medivh on May 20, 2015, 08:22:56 AM
OK, I could send you an "infected folder" through email.
100 USD is still better than 800 USD lol
But the question is, do I have to pay you even if you can't solve the problem? haha
Title: Re: CryptoWall Virus
Post by: Certified MENSA Genius Brain (smart) on May 20, 2015, 09:18:44 AM
lol do it, send SmurfKinG your virus and if he fixes it he gets $100. And if he doesn't fix it, well, he probably got infected too lol
Title: Re: CryptoWall Virus
Post by: I hate naggers on May 20, 2015, 09:51:15 AM
If the encrypted files aren't the original ones, then where are they?

You're a fucking retard and an idiot, how many times will you ask for things included in Howl's post

No wonder why you're so bad at war2!
Title: Re: CryptoWall Virus
Post by: EviL~Ryu on May 20, 2015, 10:20:26 AM
Haha


Sent from my Motorola DynaTAC 8000X using Tapatalk
Title: Re: CryptoWall Virus
Post by: [TD]Medivh on May 20, 2015, 11:41:47 AM
Oh lol OK, I didn't see it.

p.s. Claw, you're a scrub!
Title: Re: CryptoWall Virus
Post by: SmurfKinG on May 20, 2015, 01:24:48 PM
K, I'm reading about this cryptocrap.

Msg me in game chat, my aka is "ciosed".

There's something I need to ask....
Title: Re: CryptoWall Virus
Post by: tupac on May 20, 2015, 02:01:50 PM
Dude I will try to fix it for free. Don't waste a penny.
Title: Re: CryptoWall Virus
Post by: SmurfKinG on May 20, 2015, 03:42:21 PM
Yeah, I just gave him some tips and some tools to use.
I googled around and read that basically his only options are:

- recovering the files using file recovery tools
(since what CryptoWall does is make a copy of the files with encryption, then delete the original files).
The factor here is whether CryptoWall did a secure delete or a standard delete. I read that CryptoWall 2.0 and below use standard delete; it's unknown whether 3.0 does secure delete or standard, but even if it's secure delete they are still recoverable, but require a more thorough method. It is more time consuming, and the filenames would be lost: you would be recovering files based on extensions, but recoverable :P
He told me it's a 1 TB hard drive; he told me he downloaded 2 spyware apps onto the hard drive, which may have decreased his chance of recovering, but it has 900 MB free, so its chances of recovering are high in my opinion.

- or recovering from system restore points

He told me system restore points were apparently deleted.
Told him that CryptoWall may have only deleted the registry entries for the system restore points, but the actual system restore points may still be there (maybe those are still there in the System Volume Information folder),
and if they are, that's the best and easier way to go on to recover the files (using Shadow Explorer).

But he didn't have access to the infected computer at the moment.

So, getting access to the System Volume Information folder is about giving permissions; if you get stuck, PM me when you're at the computer, I'll TeamViewer in and enable its readability, no prob.


Title: Re: CryptoWall Virus
Post by: tupac on May 20, 2015, 07:10:15 PM
Dude just link him wtf....
http://deletemalware.blogspot.com/2015/01/how-to-remove-cryptowall-30-virus-and.html?m=1
Title: Re: CryptoWall Virus
Post by: [TD]Medivh on May 21, 2015, 10:25:22 AM
Hey Ciosed, I tried all ways to get back the encrypted files; seems like it's impossible. I ran "R-Studio" in the mini Windows when booted with the program you told me to download.
Unluckily there are no deleted files that can be recovered; also checked for old Windows images from there, or backups.

At the end of all this, he told me he is interested in only 2 folders, like 480 KB, that he would like to get back (infected ofc).
I don't know, but I could send it to you through email if you want; maybe you can examine it and tell me if there's any possibility.
If you're OK with that, give me your email, I will .zip it and instantly send.
Title: Re: CryptoWall Virus
Post by: [TD]Medivh on May 21, 2015, 10:26:16 AM
He doesn't really care about any other folder or file on this infected computer, so I'd just format it after recovering the two folders of interest.
Title: Re: CryptoWall Virus
Post by: EviL~Ryu on May 21, 2015, 10:28:01 AM

Yeah, I just gave him some tips and some tools to use.
I googled around and read that basically his only options are:

- recovering the files using file recovery tools
(since what CryptoWall does is make a copy of the files with encryption, then delete the original files).
The factor here is whether CryptoWall did a secure delete or a standard delete. I read that CryptoWall 2.0 and below use standard delete; it's unknown whether 3.0 does secure delete or standard, but even if it's secure delete they are still recoverable, but require a more thorough method. It is more time consuming, and the filenames would be lost: you would be recovering files based on extensions, but recoverable :P
He told me it's a 1 TB hard drive; he told me he downloaded 2 spyware apps onto the hard drive, which may have decreased his chance of recovering, but it has 900 MB free, so its chances of recovering are high in my opinion.

- or recovering from system restore points

He told me system restore points were apparently deleted.
Told him that CryptoWall may have only deleted the registry entries for the system restore points, but the actual system restore points may still be there (maybe those are still there in the System Volume Information folder),
and if they are, that's the best and easier way to go on to recover the files (using Shadow Explorer).

But he didn't have access to the infected computer at the moment.

So, getting access to the System Volume Information folder is about giving permissions; if you get stuck, PM me when you're at the computer, I'll TeamViewer in and enable its readability, no prob.

And the plague begins


Sent from my Motorola DynaTAC 8000X using Tapatalk
Title: Re: CryptoWall Virus
Post by: SmurfKinG on May 21, 2015, 12:04:02 PM
Cuz that virus probably secure-deleted the files.
There's 2 types of file recovery...

the fast one

and the more thorough one.

Whatever recovery software you're using, you need to look for the most advanced type; all apps have it differently.

For instance, in Recuva you have to go to actions and checkbox everything:
scan for non-deleted files (for recovery from damaged disks),
a deep scan, etc.

Or, try Ontrack EasyRecovery, and do a recovery from formatted media.
Here's a link for it: http://katproxy.com/ontrack-easy-recovery-10-professional-hajrullah-t7899081.html

Note that these scans take roughly 1-3 hours each, or maybe more.

Also, did you check the System Volume Information folder and see how many big files it has?
If it has more than 2 big files, it's most likely the restore points weren't deleted and were just removed from showing in the application.
Title: Re: CryptoWall Virus
Post by: SmurfKinG on May 21, 2015, 12:06:06 PM
Remember not to look just in one folder; you need a thorough search on the whole hard drive.
And the results won't show by location or name; that information is lost.
All you will see in the scan results of a thorough check are files named like

?1908129083.dwg
1283190283.dwg
etc., etc.
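SmurfKinG's two posts above describe the same mechanism from two angles: the originals were deleted, so a thorough scan has to find them by content signature rather than by directory entry, which is why the results come back as extension-only names with no path or original filename. The following Python carver is an added illustration of that mechanism; it is not code from this thread or from Recuva, R-Studio or Ontrack. The file signatures are the standard PNG, JPEG and PDF header/footer markers; the raw image it scans, the stand-in payloads inside it and the offset-based naming scheme are constructed assumptions.

```python
"""Signature-based file carving over a raw image (constructed demo)."""

# Well-known file signatures: extension -> (header bytes, footer bytes).
# The carver never consults file-system metadata, which is exactly why
# its results carry no original name or directory, only an offset and a type.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image, signatures=SIGNATURES, max_size=16 * 1024 * 1024):
    """Scan every byte of `image` for known headers and cut each file out up
    to its footer. Returns a list of (offset, ext, data) sorted by offset.
    A header with no footer within max_size is skipped: that is the same
    limitation a real deep scan hits on fragmented or overwritten data."""
    found = []
    for ext, (header, footer) in signatures.items():
        start = 0
        while True:
            pos = image.find(header, start)
            if pos == -1:
                break
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                start = pos + 1          # header without footer: keep scanning
                continue
            end += len(footer)
            found.append((pos, ext, image[pos:end]))
            start = end                  # resume after the carved file
    found.sort(key=lambda item: item[0])
    return found


def carved_name(offset, ext):
    """Recovery tools label carved files with a number such as the offset
    (the '1283190283.dwg' style seen in scan results) because the original
    name lived in the deleted directory entry, not in the file data.
    This naming scheme is an assumption for the demo."""
    return f"{offset}.{ext}"


def build_sample_image():
    """Constructed raw image: unallocated filler with three small files whose
    directory entries are 'gone'. Payloads are stand-ins, not real files."""
    png = SIGNATURES["png"][0] + b"<png chunks>" + SIGNATURES["png"][1]
    jpg = b"\xff\xd8\xff\xe0" + b"<jfif data>" + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj << >> endobj\n" + b"%%EOF"
    return (b"\x00" * 512 + png + b"\x00" * 300 + jpg
            + b"\x00" * 1024 + pdf + b"\x00" * 256)


if __name__ == "__main__":
    for offset, ext, data in carve(build_sample_image()):
        print(f"{carved_name(offset, ext):>12}  {len(data):4d} bytes at offset {offset}")
```

The skipped-header rule is where the secure-delete question from the earlier post bites: a standard delete only drops the directory entry, so the header and footer are still on disk for a carver to find, whereas an overwrite of the data itself leaves nothing to match, and no amount of extra scan time brings it back.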
Title: CryptoWall Virus
Post by: USA~Archer on May 26, 2015, 12:42:58 AM
Yeah, my girlfriend's laptop got Crypto 2 last October. I've researched it extensively; you're pretty screwed, as you probably know by now. This is a great warning to everyone to have a solid backup solution in place.

As has already been said, there's no "fix"; it's all encrypted and your files are toast.

Interesting suggestion to try to do some forensic file recovery though, I will look into that; it's an interesting possibility, but the virus is so sophisticated, I'm sure the authors would not have left a workaround like that.

One thing I would like to add to this thread though: I am keeping all the encrypted files, stored on an extra hard drive, in the hope that someday law enforcement or another hacker group seizes the server that these hackers are operating from and releases the keys. The keys to open these files are out there; it's just a matter of time before someone catches these guys and releases them (hopefully), and then you can unlock your files.

Sent from my iPhone using Tapatalk
Title: Re: CryptoWall Virus
Post by: Teron-Gorefiend on May 26, 2015, 12:45:47 AM
Now does that not make EQ stupid, as I told Medivh from second ONE that he either had to pay or forget his data...
Title: Re: CryptoWall Virus
Post by: Every Billionaire is a Policy Failure on May 26, 2015, 10:32:17 AM
Why would he pay hundreds of dollars to get back a 500 KB folder, you retarded crippled faggot, shut the fuck up. Not to mention this shady character has no guarantees to give you anything back if he does get paid. Stop telling him he has to pay, retard; you must be the faggot that infected him.
Title: Re: CryptoWall Virus
Post by: I hate naggers on May 26, 2015, 12:54:59 PM
looks like medivh was pwned by viruz!
Title: Re: CryptoWall Virus
Post by: EviL~Ryu on May 26, 2015, 09:24:44 PM

looks like medivh was pwned by viruz!

Lmao


Sent from my Motorola DynaTAC 8000X using Tapatalk