
MAT4170

Member profile: Posts: 6 | Reputation: 0 Neutral
  1. OK, so not surprisingly, the verdict is my computer has ebola: no shadow copies, nothing infected recoverable. I am going to reformat the drive and rewind my business to 2008. Question: some files are definitely NOT encrypted because they just happen to be non-targeted extensions (the only thing that saved them). Can I just stick a thumb drive in while in safe mode with no networking enabled and copy the uncompromised files off? Or do I have to remove the virus first, I'm thinking? The experts today said that once the virus has run its course there's no harm in copying off data, but I have been told conflicting things in this regard and would like a second opinion... everyone seems to have a different level of understanding regarding what's permissible / possible. The last thing I want to do is a) screw up what little CAN be saved and b) have a recurrence once I have started over. When I scan with MWB, it comes back clean using the most current database as of today. But my Windows environment is still jacked and the desktop is still black; also the Windows dialog boxes have obviously been tampered with. For instance, I went to check it with McAfee after MWB and couldn't scan anything, despite consistently no results in MWB or CCleaner. I need to know how to safely get the few scraps of uncorrupted data off, and then any programs or utilities I should cross-check that data with. There's not much left, but the little that's there is important. Assuming I can get it on a thumb drive, can I then stick that drive into another computer to check it without risking that box? Thanks again.
  2. OK, thanks. I appreciate your replies very much; thanks for taking time to help me with my problem. For anyone following, I'll post back any final resolution.
  3. And @Salmon lady, again, I appreciate your point on the warning; thanks, I didn't mean to blow by that. The risk associated with attempting to pay the extortion is understood. I'm sorry you didn't get your stuff back. I probably am not going to do it out of principle, but I also don't have a read on how bad the damage is yet. I appreciate you letting me know that it didn't work for you; that's a strong vote 'against'.
  4. Thanks again. Mr. C, I made the mistake of going by the info in the blue box at the top of the page, and the stated date referenced TorrentLocker, then linked to that page; sorry. The link you provided was valid, I read it wrong. Is there any way to ascertain which 'version' of this problem I am dealing with? I've decided that this probably exceeds my own technical capability, so I am planning on retaining a local shop / IT company to image the drive, remove the virus, and then (presumably) reformat the drive. I am not overly optimistic about data recovery, but I have read that some of the copycats may use "less powerful" encryption methods, leaving some possibility of data recovery remaining, however slim. Accordingly, I'd like to know what I'm up against, with precision, so as to get a qualified firm. My thinking is also partly that having an image of the hard drive in its current state would then keep open the option of attempting to pay the ransom, once I see for sure how bad the loss is. As noted above, whether because I interrupted the virus or through some internal fault, it appears to have skipped or not had time to corrupt some data; also my prior point that no ransom note has ever 'displayed' or been purposefully opened on my computer, although the referenced files are definitely there. If none of this matters or my thinking is off base in how I have described my plan to deal with it, I'd appreciate whatever comments. Then, I will be buying the biggest external backup drive I can find, and it will never again be connected to the box while it's online. Learned that lesson, I think. :-) Thanks!
  5. @salmonlady, you have my sympathy. @Mr. C, thank you for replying. I don't mean to be dense, but the link you provided was to a thread on 'TorrentLocker', which I read in full. Are you saying, then, that this isn't CryptoWall, and instead you think this is TorrentLocker I'm dealing with? Again, I am sorry if that's a dense question; this is all pretty new to me. I only concluded my problem was CryptoWall on the basis of the ransom notes, and I only found that attribution in one article... the thread on TorrentLocker seemed to suggest that there is some hope of recovery from shadow copies? Thanks again for the assist.
  6. Like some other recent posters, I believe I have also picked up CryptoWall this week... I concluded 'CryptoWALL' after Googling the ransom file DECRYPT_INSTRUCTIONS.html and finding an article indicating this was the likely candidate. I believe I may have caught the malware early: at least, it only appears to have encrypted *some* files (only some folders have the consistent ransom notes). Some files indicate they are 'corrupted' without having had their dates changed when I try to open them in safe mode, and some seem to be untouched and open normally.

HOW I GOT IT: I think I got it while browsing a news aggregator site, or links therefrom. At least that's where I was when I noted my browser start to go haywire.

WHAT I DID BEFORE I figured out what I was facing:
a) My browser went haywire and I recognized some sort of hijack attempt, so I immediately closed all and shut down.
b) First tried safe mode, but I was locked out. Noticed when it started normally that my McAfee had been turned off. Tried launching McAfee manually and found it was "blocked by group policy". Tried to System Restore and noted System Restore options were disabled.
c) Not knowing what I was dealing with, I researched the group policy / McAfee issue. Their forum suggested this might be because of a corrupted Windows security update, and suggested I try Windows Update. This was also blocked by group policy. Started to get concerned. Shut down again.
d) Got the box into safe mode by first F2'ing into BIOS and then exiting without saving. Once in safe mode, I downloaded and ran McAfee GetSusp and Stinger, both of which were recommended in their forum. Both found issues, but I was unable to delete all files because some were marked as "in use by another program".
e) Downloaded and updated / ran Malwarebytes with the rootkits option enabled; this also found Trojans 0Access, Vawtrak and Babylon. I can post whatever necessary logs (presently on another machine), but FYI I tried to open the Stinger logs and they are password protected.
f) After I ran Malwarebytes, I thought the thing was OK, as it appeared to be operating 'normally' in safe mode. I ran a full McAfee AV scan and it came back with no results. Thinking this would be beneficial, I also installed the waiting Windows security update, thinking I was 'good'. So I logged on normally, and I think this is where I screwed myself. At least, this is when I tried, the AV was still disabled, stuff was still running in the background, and when I tried (in the short time I was on) to access data, this is when I first noticed the above-mentioned ransom notes in SOME folders. This led me to research more and conclude that I was dealing with 'some' kind of crypto virus (had never heard of them prior); I didn't know which. I didn't click on the ransom notes to be sure which kind, because I figured this would probably start whatever timer I read these things run on and/or make things worse. So, no ransom 'message' has been displayed on my system, other than the appearance of the aforementioned .html files.

WHAT I DID AFTER I figured out I was dealing with a crypto virus yesterday:
a) I first tried a System Restore back to *before* the date that appears to be the infection date. This did not seem to work... I tried logging on again normally and could not get data; also stuff seemed to be running in the background, so I immediately exited. Back to safe mode, and I rolled it back to the updated Windows version because this seemed to be better. Ran MWB again and it again found more stuff. About this time last night I realized how bad it was, that I was probably just making things worse, and that I needed help.
b) I have been mostly afraid to touch it since then, except to pick around a bit to see what appears to be infected and what not. The additional MWB scans allowed me to get my Outlook running, which offers some glimmer of file recovery, as at least SOME of the encrypted files are attachments to emails. I have not tried to copy anything off the machine, nor open any of these files. I am guessing the more I work on that machine, the worse it will likely be, but I want to save any data I can.
c) Spent most of today looking for help: I talked to McAfee; they tell me this is not a virus (?!?), nor is it a covered service, despite the fact that I have a valid subscription (thanks!). That said, they say they can "definitely" get rid of the virus, just not guarantee any data.
d) I also talked to Dell. They said they can get rid of the virus, but not guarantee any data. So does iYogi, which I accidentally called after Googling Dell's customer support number and that one coming up. I have never worked with them and they have mixed reviews online.
e) I have called a couple of data recovery companies. One was too busy to touch it, but told me to run, in order: Kaspersky Bootable CD, then RogueKiller, then HitmanPro, then Malwarebytes, each until it comes back empty. I have not yet tried this (see questions).
f) Right now the box is sitting there in safe mode. My Outlook is running again, but I am afraid to use it. And of course... no backups. I was literally in the middle of evaluating backup data services when this hit. I figured that having my data on a separate drive and a current AV subscription would be 'good' in the meantime... Needless to say, I feel 'somewhat naive' at the moment. I think I have my Windows set to back up to an external hard drive, but I don't want to mess with it to find out without advice.

QUESTIONS:
1. What do people think is my 'best' option? Does anyone have any experience with CryptoWall specifically, as far as if you pay the ransom, will it definitely un-encrypt? I would normally not consider that, but this targeted my small business files specifically (at the apparent exclusion of other files, and including my backups on a separate hard drive); also, I have ten years of family pictures on this drive... one of the reasons I was 'evaluating' backups is my backup hard drive was full. Also, I don't want to click on the ransom file to make sure what I have, because presumably this will let the virus do further work?
2. Some files appear undamaged. Can I / do I remove the virus prior to trying to save the data, or the other way around?
3. How do I get rid of the virus? Would people recommend paying McAfee / Dell or trying to DIY? Are there data recovery people who could do this? Most of the stuff I read about CryptoLOCKER, prior to possibly identifying this as CryptoWALL, says that hope is slim. I am hoping, however, because I appear to have partly caught it, that there may be some hope.
4. Meanwhile, I have a business to run, and I obviously don't want to infect anyone I correspond with. Am I making the matter worse by even running Outlook in safe mode? That appears to be operational, but I am worried about passing the virus / data. This hack seems specifically targeted at my business files, as it bypassed others but attacked my business backups. Almost like someone went after it with manual judgement, but maybe that is my imagination. I find it curious that it attacked primarily business files on three separate drives.

I am happy to run whatever scans are needed and post whatever logs if that will not damage the machine further. I am in no way a computer expert, but am capable of running basic scans and the like with instruction. Any assistance, whatsoever, is greatly appreciated. Will check back later this evening and 8:30 AM Eastern tomorrow.

Regards, MAT
Windows Vista 32 bit
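Added illustration, not from the poster or the forum: the recurring question in posts 1 and 6 is which files are still intact and can be copied off. A practitioner would answer that from a clean machine over a read-only image of the drive rather than by opening files on the infected box. The constructed Python script below walks a tree, records folders that hold the DECRYPT_INSTRUCTIONS.html note named in post 6, marks a file whose extension's known magic bytes are missing as a suspected encrypted file (ransomware overwrites the whole file, so the header goes too), and falls back to byte entropy for extensions it does not know. The sample tree it builds is constructed; the magic table, the entropy threshold and the second note filename are assumptions, and nothing here decrypts anything.

```python
"""Triage a read-only copy of a ransomware-hit drive.

Constructed example: classifies files as ransom notes, intact, suspect or
unknown so that only intact files are copied off for scanning elsewhere.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Note filename seen in the post; the .txt variant is an assumption.
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTIONS.html", "DECRYPT_INSTRUCTIONS.txt"}

# Well-known file signatures; an assumed, deliberately short table.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}

HEADER_BYTES = 4096
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy of a byte string in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Return 'ransom_note', 'intact', 'suspect' or 'unknown' for one file."""
    if path.name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    with path.open("rb") as fh:
        head = fh.read(HEADER_BYTES)
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is not None:
        # Known type: a missing signature means the header was overwritten.
        return "intact" if any(head.startswith(s) for s in sigs) else "suspect"
    # Unknown type: entropy only flags for review. Compressed media and
    # archives also score high, so this does not prove encryption.
    return "suspect" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "unknown"


def triage(root: Path) -> dict:
    """Walk root; return {category: sorted relative paths} plus the folders
    that contain a ransom note under 'noted_folders'."""
    result = {"ransom_note": [], "intact": [], "suspect": [],
              "unknown": [], "noted_folders": []}
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        if any(n in RANSOM_NOTE_NAMES for n in filenames):
            result["noted_folders"].append(d.relative_to(root).as_posix())
        for name in filenames:
            p = d / name
            result[classify_file(p)].append(p.relative_to(root).as_posix())
    for paths in result.values():
        paths.sort()
    return result


def build_sample(root: Path) -> None:
    """Construct a small tree standing in for the hit drive."""
    biz = root / "business"
    biz.mkdir(parents=True)
    (biz / "DECRYPT_INSTRUCTIONS.html").write_text("<html>constructed note</html>")
    (biz / "invoice.pdf").write_bytes(b"%PDF-1.4\n" + b"constructed " * 10)
    # Encrypted stand-in: extension kept, contents replaced by random bytes.
    (biz / "ledger.xlsx").write_bytes(os.urandom(HEADER_BYTES))
    pics = root / "pictures"
    pics.mkdir()
    (pics / "family.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (pics / "notes.txt").write_text("plain text, low entropy\n" * 20)


def run_demo() -> dict:
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return triage(root)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

Run it against a mount point instead of the temp dir by calling `triage(Path("/mnt/image"))` from a clean machine with the image mounted read-only; the path is an assumption. Only files classed intact are worth copying, and they should still be scanned on the clean machine before use, since an intact header says nothing about whether the file itself is malicious. The suspect class is a review queue, not a verdict: an archive or JPEG with its header intact is high-entropy by nature, which is why the signature check runs first and entropy is only the fallback.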