CryptoWall & data recovery


14 replies to this topic

#1 WouldBePolymath


Posted 29 May 2016 - 11:02 AM

One of my old computers is infected with CryptoWall 4.0.
 
I understand that I should first remove the ransomware with Malwarebytes, and then try to recover as much of the deleted plaintext (unencrypted) data as possible.
 
At "How to remove CryptoWall 4.0 ransomware (Free Guide)", it says:
 
"We cannot help you recover your files, apart from suggesting to use ShadowExplorer or (free) File Recovery Software. This guide was written to help you remove the infection itself..."
 
I have two questions about what to do after I remove the ransomware:
 
• Is ShadowExplorer a more effective way to recover the deleted data than file recovery software?
 
• If not (or maybe even if so), what file recovery software is most effective?
 
Thanks for any help.

Edited by Queen-Evie, 29 May 2016 - 11:52 AM.
moved from Windows 7 to Am I Infected



#2 dc3


Posted 29 May 2016 - 11:48 AM

Please run Malwarebytes AntiMalware
 
Please download Malwarebytes Anti-Malware
 
1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.
 
2)  Malwarebytes will automatically open.  You will see an image like the one below, click on Update Now.
 
3)  Click on Settings, you will see an image like the one below.
 
When Settings opens click on Detection and Protection, then under Non-Malware Protection, click on the down arrow for PUP (Potentially Unwanted Programs) detections and select Treat detections as malware.
 
4)  Click on Scan (next to Settings), then click on Scan Now.  The scan will automatically run now.
 
5)  When the scan is complete the results will be displayed.  Click on Delete All.
 
 
6)  Please post the Malwarebytes log.
 
To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log double click on mbam-check.exe on your desktop.  Copy and paste the log in your topic.
 
 
Restart your computer and do the following.
 
 

Please download Emsisoft Emergency Kit and save it to your desktop. 
 
Double click on Emsisoft Emergency Kit file on your desktop.
 
When the installation starts you see an image like the one below, click on Install.
 
The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
 
When the update is complete, click on MALWARE SCAN under Scan.  When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes.
 
 
Emsisoft Emergency Kit will start scanning.
 
When the scan is completed click on Quarantine.
 
When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.  Copy the log and paste it in your topic.
 
 
 
ShadowExplorer is a good tool for this application.  You can download it here at Bleeping Computer.
 

Edited by dc3, 29 May 2016 - 11:53 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 WouldBePolymath


Posted 29 May 2016 - 01:56 PM

Hi, Arachibutyrophobia, thanks for "taking my call", and I'm sorry to hear of your peanut butter-related phobia.

 

I had already run Malwarebytes before I read your reply.  Although by default Detection and Protection > Non-Malware Protection > PUP detections had been set to Warn user about detections rather than Treat detections as malware, upon finishing its scan Malwarebytes prompted me for a decision on what to do with the detected PUPs (there were two of them), so I quarantined them along with the 18 Trojan files found, so no problem there.

 

Note that a scan was not done for rootkits.  Would that be a good idea?

 

And I guess there's no reason not to delete everything from quarantine, right?

 

I downloaded and installed Emsisoft Emergency Kit.  However, it wouldn't run on that old WinXP machine.  No, I'm not gonna run that machine anymore, I just want my data that's on it.

 

So instead I did what was recommended at this point by the link I referenced above: I downloaded, Installed and ran Hitman Pro.  It didn't find anything but cookies, though.

 

I had already downloaded ShadowExplorer from Bleeping Computer.

 

Here's the log file for the Malwarebytes scan.  Note that the scan date is wrong, simply because the clock on the computer is wrong.  This scan was actually done just now.

 

********************************************

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/24/2013
Scan Time: 11:03:54 AM
Logfile: Cryptowall MB 05-29-16.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.02.16.06
Rootkit Database: v2016.02.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: user

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 439858
Time Elapsed: 30 min, 39 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 2
PUP.Optional.DogPile, HKU\S-1-5-21-746137067-329068152-1801674531-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.dogpile.com/, Good: (www.google.com), Bad: (http://www.dogpile.com/),,[a6c0ea774d4ccd69570d08df45bf15eb]
PUP.Optional.DogPile, HKU\S-1-5-21-746137067-329068152-1801674531-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.dogpile.com/, Good: (www.google.com), Bad: (http://www.dogpile.com/),,[2541560ba4f52d096bf936b17490e41c]

Folders: 0
(No malicious items detected)

Files: 18
Trojan.Injector.AutoIt, C:\Documents and Settings\user\Desktop\HELP_YOUR_FILES.HTML, , [c0a65a072f6a92a46d1d9bb8aa5a7090],
Trojan.Injector.AutoIt, C:\Documents and Settings\user\Desktop\HELP_YOUR_FILES.PNG, , [b7af154c0891e74f3a5065ee54b03ec2],
Trojan.Injector.AutoIt, C:\Documents and Settings\user\Desktop\HELP_YOUR_FILES.TXT, , [a8be372a16830036c9c12330bd4719e7],
Trojan.Injector.AutoIt, C:\Documents and Settings\admin\Local Settings\Application Data\HELP_YOUR_FILES.PNG, , [9bcb3e23bbde8aac315a30239f658977],
Trojan.Injector.AutoIt, C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_YOUR_FILES.PNG, , [53136bf6afea979f7f0c242fb54ff808],
Trojan.Injector.AutoIt, C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_YOUR_FILES.PNG, , [b5b10d54ff9aef4714770152986cc63a],
Trojan.Injector.AutoIt, C:\Documents and Settings\NetworkService\Local Settings\Application Data\HELP_YOUR_FILES.PNG, , [de884918a3f662d4197232217b89c937],
Trojan.Injector.AutoIt, C:\Documents and Settings\test_login\Local Settings\Application Data\HELP_YOUR_FILES.PNG, , [b0b6e77a6c2dea4cc4c7163d50b434cc],
Trojan.Injector.AutoIt, C:\Documents and Settings\user\Local Settings\Application Data\HELP_YOUR_FILES.PNG, , [5d095d046d2c50e6216a3e154cb8f10f],
Trojan.Injector.AutoIt, C:\Documents and Settings\user\Start Menu\Programs\Startup\HELP_YOUR_FILES.HTML, , [95d13a27bbdee353ccc0fb58f80c7987],
Trojan.Injector.AutoIt, C:\Documents and Settings\user\Start Menu\Programs\Startup\HELP_YOUR_FILES.TXT, , [1551d68b1e7bca6c573555fe12f211ef],
Trojan.Injector, C:\Documents and Settings\admin\Application Data\HELP_YOUR_FILES.PNG, , [0d59df8256435bdb3f6482d151b305fb],
Trojan.Injector, C:\Documents and Settings\Administrator\Application Data\HELP_YOUR_FILES.PNG, , [c6a0bea35940cb6b6e357fd49d678a76],
Trojan.Injector, C:\Documents and Settings\All Users\Application Data\HELP_YOUR_FILES.PNG, , [da8ca7bae6b3e84ef4afaaa96f950df3],
Trojan.Injector, C:\Documents and Settings\Default User\Application Data\HELP_YOUR_FILES.PNG, , [20464021fe9b01355a492f247f85629e],
Trojan.Injector, C:\Documents and Settings\test_login\Application Data\HELP_YOUR_FILES.PNG, , [3a2cc998c4d5a591fea5381b0103a55b],
Trojan.Injector, C:\Documents and Settings\user\Application Data\HELP_YOUR_FILES.PNG, , [f47228390b8e3df9b3f0c98ac1431ee2],
Trojan.Injector, C:\MSOCache\HELP_YOUR_FILES.PNG, , [9cca96cb2e6b181ea4011142a460aa56],

Physical Sectors: 0
(No malicious items detected)

(end)



#4 dc3


Posted 29 May 2016 - 02:55 PM

By restarting the computer the quarantined items should have been deleted.  Just to be sure, run Malwarebytes one more time to make sure those items are gone.



 

 

 

 


#5 WouldBePolymath


Posted 29 May 2016 - 06:20 PM

How do I upload a screenshot here?  When I click on Image, it wants a URL, not a file location on disk.



#6 WouldBePolymath


Posted 30 May 2016 - 07:03 AM

When I restarted the computer, the quarantined items were still there.  I deleted them and ran Malwarebytes again, and as expected, these items were no longer there.

 

The screenshots I want to upload are of the error messages I'm getting in trying to run ShadowExplorer.

 

I downloaded and attempted to install ShadowExplorer Portable, but got two error messages.

 

Nothing I could do would correct this problem, so I tried again with the installable version.  That resulted in six error messages.

 

What am I doing wrong?



#7 dc3


Posted 30 May 2016 - 08:02 AM

You can post a picture in your next post as an attachment.  
 
Just below the area where you write text in a post there is the Post button, to the right of this is More Reply Options
 
 
When you click on More Reply Options you will see Attach Files and Browse, click on Browse, this will open Pictures on your computer, click on the image you want to post, then click on Attach This File, then Add Reply.

 

 

 

 


#8 WouldBePolymath


Posted 30 May 2016 - 08:38 AM

I'm sorry, I didn't see that control before, maybe I'm just going blind in my old age, but now when I click on it, it doesn't work, but instead so far has exhibited 3 different odd behaviors, which unfortunately I don't have time to describe right now, but I will do so when I return in a few hours.



#9 WouldBePolymath


Posted 30 May 2016 - 12:45 PM

Hi, Arachibutyrophobia -

 

You have posted an image of the Attach Files control that you have described.  The image file that you have posted is named "attachment_zps9v6amtri.png".  I can see this image clearly.

 

And when I click on the More Reply Options button, I do get taken to a webpage that has a large data field in which to write a message.

 

But on that webpage, the actual control depicted in your image is simply not there.

 

If you say that it is there for everyone else, I believe you, but it is not there for me.

 

Do you, or does anyone, know what could be causing this problem, and how to rectify it?



#10 dc3


Posted 30 May 2016 - 01:27 PM

I had forgotten that this topic had been moved to the Am I Infected forum.  You can't post images here unless it is hosted by another website, then you could post a link to the image and it would post the image.  Sorry about that.



 

 

 

 


#11 WouldBePolymath


Posted 30 May 2016 - 05:09 PM

I was having a problem with the installation of ShadowExplorer.  It said it was necessary to first install .NET Framework 3.5 SP1, which it said it would do, but it never worked right, so ShadowExplorer kept crashing.  So I installed .NET myself, and then I reinstalled ShadowExplorer.  It then ran, but said it wasn't designed for the OS (WinXP).  It does run, however.  Now I have to learn how to use it.  I have to run out now, but I'll check in later tonight or tomorrow with a progress report on that.  If you can direct me to a good tutorial on ShadowExplorer, that would be much appreciated, but regardless, I'll get up to speed on it.



#12 quietman7


Posted 02 June 2016 - 07:20 AM

Most crypto malware will typically delete (though not always) all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted using Windows Previous Versions or Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do. It is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies.

ShadowExplorer is a free replacement for the Previous Versions feature of Windows 7, Windows 8 and Vista. Your Malwarebytes log indicates you are using Windows XP.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
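The post above describes the one thing that decides whether ShadowExplorer can help: whether the malware managed to run vssadmin.exe against the shadow copies. On the recovery side the check is simply "vssadmin list shadows" from an elevated prompt before reaching for ShadowExplorer. On the prevention side, the same command line is the classic pre-encryption tell in process-creation logs. The following is an added example, not code from this thread or from BleepingComputer: a small detector run over constructed Sysmon Event ID 1 style records (field names follow Sysmon's Image, ParentImage and CommandLine, but the records themselves are invented). It generalizes beyond the vssadmin case the post mentions to the other commands ransomware families commonly use to destroy restore points (wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled no, and shrinking shadow storage so Windows itself discards the snapshots).

```python
"""Flag shadow-copy tampering in process-creation logs.

Added example; the log records below are constructed, and the rule names and
severities are this example's own choices, not a vendor's."""
import re
from dataclasses import dataclass

# (rule name, base severity, pattern applied to the normalized command line)
RULES = [
    ("vssadmin_delete_shadows", "high",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("vssadmin_resize_shadowstorage", "medium",   # shrinking storage forces Windows to drop snapshots
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete", "high",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("wbadmin_delete_catalog", "high",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b")),
    ("bcdedit_disable_recovery", "medium",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
]

# Parent processes living here almost never have a legitimate reason to touch VSS.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Users\user\AppData\Roaming\updater.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},                       # benign: listing, not deleting
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\Temp\a.exe",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\user\Desktop\HELP_YOUR_FILES.TXT"},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
]


@dataclass
class Finding:
    rule: str
    severity: str
    command_line: str
    parent_image: str


def normalize(cmd: str) -> str:
    """Lowercase, reduce a leading (quoted or bare) image path to its basename, collapse whitespace."""
    cmd = cmd.strip().lower()
    cmd = re.sub(r'^"([^"]*)"', lambda m: m.group(1).rsplit("\\", 1)[-1], cmd)
    cmd = re.sub(r"^\S*\\", "", cmd)
    return re.sub(r"\s+", " ", cmd)


def scan_events(events) -> list:
    """Return one Finding per (event, rule) match, escalating medium hits from user-writable parents."""
    findings = []
    for ev in events:
        cmd = normalize(ev.get("CommandLine", ""))
        parent = ev.get("ParentImage", "")
        for name, severity, pattern in RULES:
            if not pattern.search(cmd):
                continue
            if severity != "high" and any(d in parent.lower() for d in SUSPICIOUS_PARENT_DIRS):
                severity = "high"
            findings.append(Finding(name, severity, ev["CommandLine"], parent))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.command_line}  (parent: {f.parent_image})")
```

Running it flags five of the seven constructed events; the plain "vssadmin list shadows" and the notepad launch pass. A real deployment would key the same patterns on Sysmon Event ID 1 or Security event 4688 with command-line auditing turned on, and would treat any high hit as a signal to isolate the host before the encryption pass finishes, since shadow deletion normally precedes it.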

#13 WouldBePolymath


Posted 24 July 2016 - 12:09 PM

OK, sorry, but I was busy with a number of other things for quite a while, and now I have some time to devote to this problem.

 

I ask the following purely to expedite matters; I'm not averse to doing whatever it takes.

 

From what I infer from the above discussion, it seems that people are of the opinion that Cryptowall has definitely secure-deleted my "regular" plaintext files (files not in VSS), and that it may or may not have also secure-deleted my plaintext files in VSS. Is that an accurate statement?

 

I can't help but wonder if there is any possibility that Cryptowall may have simply deleted my plaintext files in the conventional way, rather than secure-deleted them. Because if so, I could just undelete them with a "regular" file recovery program that doesn't require getting into VSS.

 

(The files have definitely not been overwritten, since I stopped using that computer immediately upon it getting infected. Except, of course, to run the above-referenced antimalware to get rid of the malware.)

 

I'm pretty sure y'all will tell me "no such luck" with the "regular delete" possibility, but I gotta ask.



#14 quietman7


Posted 24 July 2016 - 01:30 PM

CryptoWall Ransomware encrypts data using RSA encryption. RSA uses asymmetric encryption which utilizes a key pair system (two different keys)...a public and a private key. Encryption with the public key can only be decrypted by the private key generated and stored on the command-and-control server used by the malware creators. Since the private key cannot be calculated from the public key, these properties make decryption impossible. For a more detailed explanation see Post #1008 by Nathan (DecrypterFixer).

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0, CryptoWall 3.0 & CryptoWall 4.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

#15 WouldBePolymath


Posted 24 July 2016 - 01:53 PM

I understand that the cyphertext (encrypted) files can't be decrypted.

 

I was asking if it is possible that Cryptowall had merely deleted my plaintext (unencrypted) files in the conventional way, rather than secure-deleted them.

 

By "deleted in the conventional way", I mean by stripping off just one byte (or a few bytes) from the file headers, leaving the rest of each file intact.

 

By "secure-deleted", I mean overwritten with zeroes perhaps up to 35 (or more) times, to ensure that no magnetic trace of the data remains on disk.

 

And I was asking this with respect to "regular" storage, as opposed to Virtual Shadow Storage.

 

Thanks very much for Grinler's link; I'll check it out immediately.
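The distinction the last post draws (directory entry dropped versus data overwritten) is exactly what decides whether a "regular" recovery tool can bring the plaintext back, and it can be shown concretely. Below is an added example, not code from this thread or from any recovery product: a toy cluster-allocating volume in memory, a real (tiny) PNG written into it, three kinds of deletion, and a signature carver run over the raw image, which is the same idea PhotoRec-style tools use on a real disk. The allocator, the volume layout, the file names and the stand-in "encryption" (a plain XOR, used only to produce same-sized bytes without the PNG signature, nothing like CryptoWall's actual scheme) are all invented for illustration. The third scenario is the one worth noticing: a conventional delete followed by the encrypted copy landing on the freed clusters destroys the original just as thoroughly as a wipe, without any multi-pass overwrite.

```python
"""Conventional delete vs overwrite vs cluster reuse, seen through a signature carver.

Added example: the volume, allocator and toy_encrypt are illustration only."""
import struct
import zlib
from itertools import cycle

CLUSTER = 512
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"  # zero-length IEND chunk type plus its fixed CRC


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb: tuple) -> bytes:
    """A valid 8-bit RGB PNG of one solid colour (constructed sample input)."""
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))  # filter byte 0 per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")


def png_chunks_ok(data: bytes) -> bool:
    """Walk the chunk list and verify every CRC; a carved file that passes is byte-for-byte intact."""
    if not data.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return False
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)
    return False


class ToyVolume:
    """Bytearray 'disk' with a first-fit cluster allocator and a directory (invented, not NTFS).

    delete() drops the directory entry only, which is what a conventional delete does to a
    file's data clusters; wipe=True overwrites them first, as a secure-delete tool would."""

    def __init__(self, clusters: int):
        self.image = bytearray(CLUSTER * clusters)
        self.free = list(range(clusters))
        self.directory = {}

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // CLUSTER)
        if needed > len(self.free):
            raise OSError("volume full")
        clusters, self.free = self.free[:needed], self.free[needed:]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.image[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.directory[name] = clusters

    def delete(self, name: str, wipe: bool = False) -> None:
        clusters = self.directory.pop(name)
        if wipe:
            for c in clusters:
                self.image[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        self.free = sorted(self.free + clusters)  # freed clusters become first-fit candidates again


def carve_png(image) -> list:
    """Signature carver: every PNG header up to the next IEND trailer, ignoring the directory entirely."""
    found, pos = [], 0
    while (start := image.find(PNG_SIG, pos)) >= 0:
        end = image.find(PNG_END, start)
        if end < 0:
            break
        found.append(bytes(image[start:end + len(PNG_END)]))
        pos = end + len(PNG_END)
    return found


def toy_encrypt(data: bytes) -> bytes:
    """Stand-in for the ransomware's output: same length, signature gone. XOR, NOT real encryption."""
    return bytes(b ^ k for b, k in zip(data, cycle(b"toy-key-not-real-crypto")))


def recovered_after(mode: str) -> int:
    """How many intact copies of the original the carver finds after a delete of the given kind."""
    vol = ToyVolume(clusters=64)
    original = make_png(16, 16, (200, 30, 30))
    vol.write("photo.png", original)
    if mode == "conventional":
        vol.delete("photo.png")
    elif mode == "wiped":
        vol.delete("photo.png", wipe=True)
    elif mode == "reused":
        vol.delete("photo.png")  # then the encrypted copy is allocated onto the clusters just freed
        vol.write("photo.png.encrypted", toy_encrypt(original))
    else:
        raise ValueError(mode)
    return sum(1 for c in carve_png(vol.image) if c == original and png_chunks_ok(c))


if __name__ == "__main__":
    for mode in ("conventional", "wiped", "reused"):
        print(f"{mode:12s} -> {recovered_after(mode)} intact copy/copies carved")
```

recovered_after("conventional") returns 1; "wiped" and "reused" both return 0. The practical reading for the machine in this thread: image the disk read-only first, then run a carver such as PhotoRec over the image rather than the live volume, because every write to the live disk (including installing and running scanners on it) is a chance to reuse the very clusters you want back. A single overwrite pass is already enough to defeat software recovery, so the 35-pass question is moot, and whether any plaintext survives comes down to whether the malware overwrote files in place or wrote new files and deleted the originals, and how much of the freed space was reused afterwards.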





