Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


CryptoWall 3.0 XP Home Network

  • This topic is locked This topic is locked
1 reply to this topic

#1 Domputer


  • Members
  • 4 posts
  • Local time:06:39 PM

Posted 20 April 2015 - 03:35 PM

Home computer XP connected to home network now infected with CryptoWall 3.0


Unsure if CryptoWall 3.0 finished its job 100 % because I have taken the following steps before I discovered what I had.


Unknowingly suspected something was wrong when computer was slow, saw in task manager two programs running hogging cpu, eg. 2I.tmp and 3o.tmp and later 6o.tmp, which I cancelled from the task manager.


found the following entries in the windows startup, which I removed

- f2fd65c7.exe



Then disconnected computer from home network and internet, and restarted in safe mode.

have the following entries now in windows startup



Did start to delete the HELP_DECRYPT files, before discovering what I had.


Also deleted the f2fd65c7.exe file and other foreign random name folders and *.exe in the same folder, before discovering what I had.


Here are my questions :

Should I reinstate what I have deleted ?

Any backups I had were on the external hard drive which also seems to be encrypted.

I understand from research that the only solution is to pay the ransom, but is this solution 100 % reliable ?

Should this malware be removed before or after paying the ransom ?

Is there software than can list all my infected files ? ie. am I 100 % infected since I deleted the above programs ?

Now that I am in Safe Mode has the malware stopped running.

Can an Apple laptop be infected if connected to the network ?

Can Android phones using the home wife be infected ?

Apart from backups, what future steps can be taken to avoid this ransomware installing itself again ?


Appreciate your advice

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:39 AM

Posted 20 April 2015 - 04:30 PM

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoWall (including versions 2.0 & 3.0) does and provide information for how to deal with it. Cryptowall typically deletes all Shadow Volume Copies with vssadmin.exe so that you cannot restore your files via System Restore or using a program like Shadow Explorer...but it never hurts to try. At this time there is no fix tool and Decryption of any CryptoWall Files...is impossible since there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom.

There are also lengthy ongoing discussion in these topics:

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions. To avoid unnecessary confusion...this topic is closed.

The BC Staff

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users