Tech Tips for Techs: Little-known, extra steps for CryptoWall and Cryptolocker cleanup



Hello all! Today I would like to contribute some information to something we had previously put out when talking about CryptoWall and CryptoLocker. The previous blog posts talked about the virus itself and what actions to take if you become infected with it. In addition to that, I would like to provide instructions on what further actions to take.

Today I received a call from a client, on whose system I had recently cleaned up an infection and restored their data from a backup. She told me that the computer that had been the original culprit was popping up once again with the decrypt instructions, and she was concerned that it was infected again. She took the actions I told her to take, to disconnect the network drive so it wouldn’t spread. I jumped on that machine and, sure enough, the web page had returned.

I scanned the computer with a malware removal tool, but, to my surprise, nothing showed up. Then I started rifling through the “My Documents” directory. Voila! I found the three “decrypt instructions” that get put in every directory that gets infected. (These are files that Crypto loads on to infected machines and servers, telling victims where to send their money, etc. But they are text files — not harmful in and of themselves.) At this point, I just shook my head.

When I’d performed the original cleanup, and every cleanup I have done since then, I did NOT remove these files. When I’d done the scans for the malware and deleted the malware itself, I’d assumed that those files were part of it and would get removed, as well. With the scan coming back clean and the data restored, I’d sent them on their merry way. But those files are not malware and obviously would not show up on the scans.

Moral of the story, ALL those files need to be deleted or they will pop up from time to time, with 1 of the 3 being an HTML file. Once you have scanned and cleaned up the malware, do a search of the C drive and every other data drive for *decrypt and find/delete all the decrypt instruction files. In this case I made a wrongful assumption that caused widespread panic.

However, sometimes you just have to learn as you go. ;)

If you need help from truly experienced techs, give us a call at 888-244-1748. We treat your technology as though it’s our own.

Related posts: