You mentioned that you have Win7 Pro. In case you haven't already, I would suggest enabling Software Restriction Policies to help prevent this from happening again (built into Win7 Pro). And EMET to be on the safe side.
-Aakash Shah

From: [email protected] On Behalf Of Jon Harris
Sent: Sunday, November 2, 2014 11:59 AM
To: [email protected]
Subject: RE: [NTSysADM] Security question from a non-security person

Just my luck, it appears to be a CryptoWall infection. Thanks, at least I have another tool. Unfortunately the PST is too large, and the several documents I just tried just in case said it was not CryptoLocker. Joy upon joy, my wife loaded up the system I had just disinfected twice and re-infected her profile again. Once I get it done this time I am killing the profile! I have 4 copies of it anyway.

Jon

________________________________
From: [email protected]
To: [email protected]
Subject: Re: [NTSysADM] Security question from a non-security person
Date: Sun, 2 Nov 2014 13:20:34 +0000

The one scenario where I've found shadow copies useful with CryptoWall is recovering a share that was infected, since the PC can't delete shadow copies on a server. Of course, it's a server and should have backups already, but that is beside the point if you're dealing with the infection.

Sent from my Verizon Wireless 4G LTE DROID

Susan Bradley <[email protected]> wrote:

Certain vintages of CryptoLocker actually have a means to get the files back without paying.

https://www.decryptcryptolocker.com/

Try that. CryptoWall / not so lucky.

CryptoWall and Locker both prove a really, really hard lesson - have a backup. The shadow copy trick is something the attackers realized they left behind, and later variants started nuking the shadow copies.

Susan Bradley
http://blogs.msmvps.com/bradley
http://www.runasradio.com/default.aspx?showNum=390

On 11/1/2014 9:50 PM, Jon Harris wrote:
> I just confirmed all shadow copies were deleted from when the
> infection started. Thanks at least I have another trick in case I
> have this happen again.
>
> Jon
>
> ------------------------------------------------------------------------
> From: [email protected]
> To: [email protected]
> Subject: RE: [NTSysADM] Security question from a non-security person
> Date: Sat, 1 Nov 2014 23:31:25 -0500
>
> There is a hidden, and I mean well hidden, My Documents folder in the
> root and then there is the available Users folder. It sounds like the
> same one. I have only been able to see the My Documents folder using
> a Linux distro and that is where previously I was able to pull copies
> for the user (not my wife). I only found it then because I was doing
> a scan using the Linux distro to look for bugs. The user did not have
> any copies of some of the software on the system so a rebuild was not
> possible.
>
> Jon
>
> ------------------------------------------------------------------------
> From: [email protected]
> To: [email protected]
> Subject: RE: [NTSysADM] Security question from a non-security person
> Date: Sun, 2 Nov 2014 03:23:00 +0000
>
> Out of curiosity, what is the path you're referring to as a second
> profile?
>
> The only thing I can think of that looks anything like a second copy
> is the "Documents and Settings" junction point on Windows Vista+
>
> Matthew Topper
>
> From: [email protected] On Behalf Of Jon Harris
> Sent: Sunday, November 02, 2014 12:15 AM
> To: [email protected]
> Subject: RE: [NTSysADM] Security question from a non-security person
>
> Windows 7 Pro x64, no domain, and I don't think the shadow copies are
> on. I looked but did not see a restore from shadow copy available. I
> will look again.
>
> Jon
>
> ------------------------------------------------------------------------
> From: [email protected]
> To: [email protected]
> Subject: RE: [NTSysADM] Security question from a non-security person
> Date: Sun, 2 Nov 2014 03:04:49 +0000
>
> The only method anyone has had success with aside from paying the
> ransom or restoring from backup is pulling the data from a shadow copy.
>
> Shadow Explorer seems to work well for browsing them, though newer
> instances of the crypto viruses are clearing restore points as part of
> infection.
>
> Matthew Topper
>
> From: [email protected] On Behalf Of Jon Harris
> Sent: Sunday, November 02, 2014 12:01 AM
> To: [email protected]
> Subject: [NTSysADM] Security question from a non-security person
>
> I am really hoping someone has an idea of how to go about this.
> Before I start let me say I have only gotten started on this but it is
> outside my normal area of expertise so I will be looking on the web.
>
> Issue
>
> Wife (yes my wife) ignored me about doing backups, not blocking
> updates, and being more careful about her browsing habits. She
> managed to get bit by a crypto virus which I can get the name of if
> necessary. All of her files have been encrypted including a 5.3 GB
> PST. Her email is Gmail and I set her up to use POP, more than that
> is just too hard for her. She is not dumb by any stretch just very
> stubborn, and in some computer areas extremely smart. Security is
> just not one of those areas. While I know enough to be able to do
> some simple security work I don't pretend to be a Security person.
> Anyway I have removed the bugs, all were specific to her profile only
> (thank God she is only a user). I have used a Linux distro to archive
> the two copies of her profile, you do know there are two copies
> right? Well anyway on a previous virus infection I got lucky (too bad
> not this time) and only one of the copies was damaged. I am still
> doing some clean-up but at the moment it appears both copies were
> encrypted. Normally I would just tell the user, so sorry/too bad and
> blow the machine away and start over. That will not be possible as
> this is my wife and for those with a SO and like to keep peace in the
> house you would know that is not happening unless there is no other way.
>
> Question
>
> Has anyone found a way OTHER than paying these creeps off to get these
> files de-encrypted? Like I said I am still in the cleanup and getting
> the machine ready for use again and have not yet done any web
> searches. Oh and paying them off is not even in the room with the table!
>
> Side note
>
> Why is it the IT person is the one blamed when a user ignores what we
> tell them and gets bit by a bug?
>
> Thanks for any ideas or suggestions,
>
> Jon
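The Software Restriction Policies suggestion at the top of the thread, as an added example that is not from any of the posters: a PowerShell script for a standalone Windows 7 Pro machine that writes the SRP policy straight into the registry keys secpol.msc edits, keeping the default level Unrestricted and adding Disallowed rules for the per-user folders that the crypto droppers of the time ran from. The path patterns, the description text, the "no domain GPO" setup and the elevated prompt are assumptions.

```powershell
# Added example, not from the thread: a minimal Software Restriction Policy
# (SRP) on Windows 7 Pro. The default level stays Unrestricted; Disallowed path
# rules cover the per-user folders the CryptoLocker/CryptoWall droppers of the
# time ran from. Assumes a standalone machine (no domain GPO that would
# overwrite HKLM policy) and an elevated PowerShell prompt.

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $safer -Force | Out-Null

# DefaultLevel 0x40000 = Unrestricted (0 would be whitelist mode: far stronger,
# far more breakage). TransparentEnabled 1 = check executables but not DLLs.
# PolicyScope 0 = enforce for every user, local administrators included.
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0       -Type DWord

# File types SRP treats as executable: the Windows 7 default list.
Set-ItemProperty -Path $safer -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
    'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
    'PIF','REG','SCR','SHS','URL','VB','WSC')

# Disallowed rules live under the level subkey "0", one GUID subkey per rule.
# (Unrestricted exceptions for legitimate per-user installers use the same
# layout under "262144".) The patterns below are constructed for this example;
# the environment variables are expanded in the launching user's context.
$blocked = @(
    '%AppData%\*.exe',           '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',      '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.exe', '%LocalAppData%\Temp\*\*.exe'
)
foreach ($pattern in $blocked) {
    $rule = Join-Path "$safer\0\Paths" ([guid]::NewGuid().ToString('B'))
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData    -Value $pattern -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags  -Value 0        -Type DWord
    Set-ItemProperty -Path $rule -Name Description -Type String `
        -Value 'Block EXE launched from user profile staging folders'
}

# Read the rules back so the result can be checked before the next logon.
Get-ChildItem "$safer\0\Paths" |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

Reboot so Explorer and every new logon pick up the policy. Blocked launches are written to the Application event log under source SoftwareRestrictionPolicies (event 866 for a path rule), which is also how you spot a legitimate per-user application that needs an Unrestricted exception.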

