Pages

Friday, April 24, 2015

Cryptolocker removed

A friend of mine brought in his PC that had, according to him, some issues. I'm not an IT security expert but I'm the guy that family and friends turn to if they have problems with their computer. These problems can vary from malware, adware, slow computer and so on. I decided to boot the PC and take a look. After start-up it was clear that his PC (generic ASUS laptop with Windows 7 installed) had been infected with CryptoLocker.

I've red about it but had never seen in the 'wild'. My normal strategy when I encounter malware/adware is to run MalwareBytes first and then AdwCleaner. Just to be save I also run DrWeb Cureit!. However in this case, because of the severity of the problem, I started with Kaspersky Rescue Disk 10. I created a bootable CD (on a Mac) with the Rescue Disk iso file. I booted the PC with the CD and a full day of scanning the Rescue Disk only found a few infected files (see image below). After I rebooted the PC with Windows 7 CryptoLocker was still very alive.

So I decided to return to my regular Malwarebytes/AdwCleaner strategy. Malwarebytes came up with hundreds of infected files but was not able to remove CryptoLocker. Next I tried booting in Windows Save Mode. Normally this is F8  but somehow the PC didn't respond to that (due to CryptoLocker?). A bit desperate I interrupted the next boot process. This gave me the option to Launch Startup Repair (from the Error Recovery Window). This brought me in the Advanced Boot Options Window and from there I could start Windows Save Mode with Networking.

Next I ran Malwarebytes (update first) and Adwcleaner. This time Malwarebytes did detect CryptoLocker and could remove it. From then on it was simple to remove the other unwanted programs. With CCleaner I fixed issues e.g. with the registry. The PC is clean again however all document (jpg, docs etc) are encrypted. Luckily my friend had a back-up disk of the documents. I scanned with Malwarebytes and McAfee (which was on his PC).

Cryptolocker in the wild.

Results Malwarebytes with Windows 7 in Normal Mode already gives 326 infections.

Malwarebytes in Safe Mode finally nails CryptoLocker.

All documents on the PC are encrypted.

No comments:

Post a Comment