
Cryptovirus/Windows 7 Question

Psychopav

Help us, Joebi-Wan Brynobi, you're our only ho
So I got hit by the Cryptovirus. Luckily, I back up anything I really need, so there will be no ransom payment from me.

My problem is that I got hit by the virus a long time before I realized it, so there are plenty of directories with combinations of encrypted and non-encrypted files.

I ran ListCWall from bleepingcomputer.com (More Information about the CryptoWall Ransomware can be found here: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information) and I now have a comprehensive list of every file on my machine which has been encrypted. The list is a text file which provides the path and filename of all 2058 encrypted files.

Is there a way to write a program which will delete all of these files along with any copies of the Cryptovirus files themselves (the ones it leaves to helpfully explain exactly how I can bend over to get my data unencrypted)? There are many directories with a text document, an html document, and a URL shortcut all entitled "DECRYPT_INSTRUCTION" which I would also like to get rid of.

I have no idea how to write .bat files etc. so an explanation for dummies would be appreciated.

I'm hoping there are footballguys who have the brains and the compassion to help a brother footballguy in need...

TIA!

 
Since you have backups the best way IMO is to rebuild from scratch. Then you'll know you're clean for sure.
Really, this is your best bet and what I'd recommend. Otherwise, I might be able to write a batch file to delete any file with the filename you listed and that is specified in that txt document. But, I'd still recommend a fresh install. Let me know if you'd like that batch file.

 
The thing is that I have created documents since the virus hit that are not encrypted, but are intertwined with the encrypted documents. I would prefer not to lose those documents.

I think I'd like the batch file. Send me a pm and let me know what you need from me. Or if you would prefer to teach me to fish, point me in the right direction online and I'll try to figure out how to write it myself. I don't have any experience with programming since high school but if I know the application I need to use and some basic commands I might be able to muddle my way through it.

Thanks!

 
Let me ask a question though...I use malwarebytes and zonealarm and both scans come up clean.

Am I at risk for anything other than more encrypted files if they are wrong? I mean, the Cryptowall virus itself doesn't do anything even more malicious like keylogging, id/password theft etc. does it? From what I could tell online, the only risk of not reinstalling everything would be that it would encrypt more files for ransom in the future. Is that right?

 
Not certain, but that's my understanding. I'm guessing you're in the clear if you have an updated version of malwarebytes and it's not picking anything up.

I just wrote a batch that'll work at deleting all of the files you have gathered (I'm assuming you have full filepaths for those files collected) - before you go ahead and do that, I just did some quick research and noted from this BBC article that some security firms have figured out how to decrypt the files and offer an online portal to decrypt them for free. I might give that a whirl first before deleting all of the other files.

If that doesn't work, let me know and I'll PM you the batch and instructions with it.

 
That's awesome, thanks!

I'll report back with results probably tomorrow (right now, time to do the taxes...I do respect a deadline :) ).

Thanks for the really quick responses and links with help!! :thumbup:

 
Is CryptoLocker different from CryptoWall?

The link doesn't work - every file I try to upload results in a message "this file doesn't seem to be encrypted by CryptoLocker".

I have the CryptoWall crabs, not the CryptoLocker crabs. :(

 
Yea, I did some more reading on the history of the Crypto ransomware, and it has gone through many iterations (CryptoWall 3.0 being the latest). CryptoLocker (one of the first iterations) was decrypted, but the later ones have not been.

I'll simply post the instructions here for what you're looking for, as it could be helpful to others (and if any others are more efficient/effective batch writers, please feel free to improve upon this):

This is assuming you have the full filepath and name of each file you want to delete and that these filepaths are on separate lines. This will also search for and find any files with a filename containing "DECRYPT_INSTRUCTION" and delete those as well. This also assumes that you have some sort of spreadsheet application (e.g. Excel).

One quick note: anyone using this uses it at their own discretion. Also, files will be permanently deleted doing this (they won't go in the recycle bin).

  1. Run a backup on your system (just in case!).
  2. Download the batch file and excel spreadsheet (this will help prep the filenames for the batch) - choose slow download. Unzip them.
  3. Run the batch file (double-click on it).
  • This is going to search through the drive your batch is in (I'm assuming your "C:" drive) and display all of the files it picks up containing "DECRYPT_INSTRUCTIONS" - it will not delete the files, yet. Check to see if the resulting output is correct. If it picks up a file that shouldn't be deleted, don't proceed further (let me know).
  • If everything looks good, move on to the next set of steps.
  1. Open up the spreadsheet you just downloaded and open up your text file containing the filepaths of the already identified files to delete.
  2. In the text file, select all and copy all of the filepaths.
  3. In the spreadsheet, at the top of the second column, paste all of the filepaths you just copied. They should copy one file path per row. Note the last row with text in it.
  4. Copy the data in the first, third, and fourth columns in those columns' rows so that they reach the last row in the second column.
  5. Select all of the cells in the fourth column that have text in them and copy them.
  6. Go to the folder your batch file was downloaded in, right-click on the batch file, and click "edit".
  7. Look for the text that says "REM SECOND PART" and paste right below that text.
  8. Go to the top of the batch file and look for the text that begins with "for /r %%a in" and change "do echo del" to "do del." This will not just display the files it finds on your screen - it will now actually delete them.
  9. Save the file (File > Save).
  10. Run the batch file (double-click on it).
Let me know if you have any questions!
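
The same two-pass cleanup described in the post above (list what would be removed, check it, then delete), written as a PowerShell script so the path list can be read directly without the spreadsheet step. This is an added example, not the batch file the poster shared; it assumes the ListCWall output holds one full file path per line, and the default list location is a placeholder.

```powershell
# Added example. Assumes the list file holds one full file path per line.
param(
    [string]$ListFile   = "C:\ListCWall.txt",  # placeholder: where your ListCWall output is saved
    [string]$SearchRoot = "C:\",               # drive or folder to search for ransom notes
    [switch]$Delete                            # omit for a dry run that only prints
)

function Remove-Target([string]$Path, [bool]$Really) {
    # Only act on paths that still exist as regular files.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Output "MISSING       $Path"
        return
    }
    if (-not $Really) {
        Write-Output "WOULD DELETE  $Path"
        return
    }
    try {
        # Permanent removal: the file does not go to the Recycle Bin.
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        Write-Output "DELETED       $Path"
    } catch {
        Write-Output "FAILED        $Path ($($_.Exception.Message))"
    }
}

# Part 1: ransom notes named DECRYPT_INSTRUCTION with any extension (.txt, .html, .url).
# -Force includes hidden files; folders that cannot be read are skipped silently.
$notes = @(Get-ChildItem -Path $SearchRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -like "DECRYPT_INSTRUCTION.*" })

# Part 2: the encrypted files named in the list, skipping blank lines.
# -LiteralPath keeps characters such as [ and ] in file names from acting as wildcards.
$listed = @(Get-Content -LiteralPath $ListFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne "" })

foreach ($note in $notes)  { Remove-Target $note.FullName $Delete.IsPresent }
foreach ($path in $listed) { Remove-Target $path $Delete.IsPresent }

Write-Output ("{0} ransom notes and {1} listed files processed." -f $notes.Count, $listed.Count)
```

Saved under a name of your choosing (for instance Remove-CryptoWallFiles.ps1), it can be started with `powershell -ExecutionPolicy Bypass -File .\Remove-CryptoWallFiles.ps1 -ListFile <path to your list>`, which only prints. Adding `-Delete` to that command performs the removal after the printed output has been checked.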

 
Take off and nuke the site from orbit, it's the only way to be sure.

Seriously, if you don't reformat you're begging for reinfection. Reformat/reinstall. I do it at even the whiff of a virus. Plus a fresh Windows install always runs faster.

 
