Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Crypto Wall removal

  • This topic is locked This topic is locked
1 reply to this topic

#1 Vwalkerjr


  • Members
  • 1 posts

Posted 02 December 2015 - 06:19 PM

Hello all. I am new to this forum but just got hit with this new crypto wall 4.0 ransom virus. I believe it's 4.0 because 'Help Your File' came up is the ransom note that popped up.. This is my business computer and has Windows 7 on it.. I've tried to run maleware bytes & hit man pro 3.7 in safe mode but I believe the virus is still on my machine because the ransom note still pops up when we boot up n normal mode.. Also we have three jump drives attached to this computer and I know they have to be infected as well.. Is there a good Free anti-virus we can us that will remove CW 4.0? Thanks

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,075 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:09 PM

Posted 02 December 2015 - 09:41 PM

Welcome to Bleeping Computer.

CryptoWall 4.0 leaves ransom notes named HELP_YOUR_FILES.TXT, HELP_YOUR_FILES.HTML and HELP_YOUR_FILES.PNG and will encrypt the actual filename of an encrypted file as well as the data contained in it. Each encrypted file will have a unique name with random characters (0ausbffwh.p5, 72lcvn.iv6nn, x83o8x.ux7, etc). CryptoWall 4.0 uses a .JS file to download and execute a file from the %temp% folder. The initial installer injects the program that actually encrypts data into explorer.exe/svchost.exe. There is more information in this BC news article...Many crypto ransomware variants are typically programmed to automatically remove the malicious files responsible for the infection after the encrypting is done since they are no longer needed. However, if another piece of malware was responsible for installing it, then that could still be present if your antivirus did not detect and remove it.

What should you do when you discover your computer is infected with CryptoWall

f you discover that your computer is infected with CryptoWall you should immediately scan your computer with an anti-virus or anti-malware program. Unfortunately, most people do not realize CryptoWall is on their computer until it displays the ransom note and your files have already been encrypted. The scans, though, will at least detect and remove any other malware that may have been installed along with CryptoWall.

Scanning with Malwarebytes Anti-Malware in safe mode will work but removal functions are not as powerful in safe mode. Malwarebytes is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, Malwarebytes loses some effectiveness for detection and removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of Malwarebytes. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally. If that is the case, after completing a safe mode scan, rebooting normally, updating the database definitions and rescanning again is recommended.

If you need individual assistance with malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

There is also an ongoing discussion in this topic where you can ask questions and seek further assistance.Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users