Cryptowall 4.0 Infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Skullduggery's Dupe, Jan 8, 2016.

  1. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    My older online computer has just come down with a Cryptowall 4.0 infection. I was backing up from my C drive to another internal hard drive (E), so naturally that got encrypted too.

    This computer is:

    System:
    Processor: Pentium 4 1.80 GHz
    RAM: 1.25 GB
    System type: 32-bit

    Windows edition:
    Windows XP Professional
    Version: 2002
    Service Pack 3

    Browser:
    Internet Explorer 8
    Version: 8.0.6001.18702
    Update versions: 0

    Any chance this can be fixed? Thanks for any help.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    MalwareBytes will probably remove the infection, but it will not decrypt the files. You will need to do a reinstall.
     
  3. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    So I've lost all my data?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, unless you pay the ransom.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This would be a good time to update your system.
     
  6. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    Absolutely agreed. I put off doing it because I have been using that computer only rarely recently. I think what happened was, I still have Avast on that computer instead of Avira, and it wouldn't let me go to gmail unless I turned off the web shield, which the few times I did it I was always conscientious about turning it back on afterwards, but I must have forgotten this one time, and this happened. But I still had a firewall, and I wasn't even online. But of course you're ALWAYS online even if your browser is closed, unless you're using dialup, and who does that anymore?

    So, by any crazy chance does anybody know how much the ransom is (I don't want to ask them because I don't want any contact with them until I know as much as possible), and whether or not they actually supply the key if you pay?
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't know how much the ransom is... often a few hundred dollars. I don't advise paying it.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And also there is no guarantee that you won't just be wasting your money. Also if the time limit that is frequently set has expired, the decrypt keys don't exist anymore.
     
  9. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    I'd like to read the HELP_YOUR_FILES.txt ransom note, but I didn't want to have the infected computer on any longer than necessary (for fear that the malware might conceivably do more damage), so I tried to find a copy of it online at malware removal forums, but didn't find it with a quick search. So I opened the file in Notepad, copied and pasted the contents to another .txt file in Notepad, and saved that on a thumb drive (and then immediately shut down the computer). Now I can scan it for malware on another computer, and if no malware is found, I can then open it. So: could any of the gurus comment on whether this could possibly be dangerous?
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, that part is not dangerous.
     
  11. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    That's what I figured, but malware seems to be getting so sophisticated, that I wasn't sure. Thanks very much for your help. I'll wait a few hours just to see if anybody tenders a dissenting opinion, then if I don't hear anything else, I'll do it.
     
  12. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    OK, as I described above, I copied the HELP_YOUR_FILES.txt file text to another text file, saving it to a thumb drive (giving it the same filename), and scanned it with MB, Avira and Wise Care. They found no malware. And I'm uploading it herewith. If anyone has any help, comments or suggestions, I'd love to hear them. Because it seems to be the lesser of two evils, I'm seriously considering paying the ransom, but I don't know how much it is until I follow the instructions in HELP_YOUR_FILES.txt. Maybe the gurus will consider this to be dangerous in itself, but I'm not sure that any more damage could be done than has already occurred, since I could always reformat the disk or install a new one.
     

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can either follow the instructions, pay the ransom and hope it is not too late, OR, reformat and reinstall. But I suggest you take the opportunity to upgrade to Windows 10.
     
  14. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    Well, I think what I may do is simply get rid of that computer. But I would really like to recover the data first. As for how long I have to pay the ransom, HELP_YOUR_FILES.txt says "...on average you have about 2 weeks after reading the instructions to restore your files.", and I got the malware infection in the early morning hours of Friday, January 8, so I have a little time to think at least. But I wonder if I'm risking worse problems somehow if I install their so-called "TorBrowser". If anybody has any thoughts on this, please share them with me. I also want to do a little research on whether these crooks actually furnish the key when they're paid the ransom.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just tested this file with Internet Explorer 11 download and it marked it as containing a virus and deleted it. It could be true that it does not contain a virus. It may just be that the file name or an MD5 code triggered the detection, but I would not risk putting this on other devices like you did.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, to start with, you could just lose the money you are spending as you may not really get a fix. And whatever you do, do not give these hackers any personal info of any kind (credit card numbers, bank routing info, etc.) or you could lose a lot more. And then there is this: Even if you are lucky enough to get a patch that allows you to decrypt your files, do you really trust that now your PC and possibly files have not got something embedded in them so that these hackers can steal more from you?

    In addition, I have heard it can be very expensive depending upon how long you have waited. They can charge you anywhere from $700 to $1400. Is your data worth this much? Can you afford to also lose this money on top of the data you already lost?
     
  17. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    On MY computer (the still uninfected online one), Internet Explorer 11 didn't react to the file when I viewed it from a thumb drive. Any comments would be appreciated.

    I didn't copy it at least, I just had it on a thumb drive which is now removed. I'll run Avira, MB and Wise Care again right now, then check back in with you guys for any further instructions you may have.

    I guess what you're saying is for the best. This malware, and the party who sent it, are just too dangerous to get anywhere near.

    By the way, this is what I now think is the vector by which my other computer got infected: A friend had forwarded to me an email she had received that was supposedly from a lawyer who was looking for heirs to an estate, and she asked me if I thought it was bogus. I told her "yes". But in reading the email, I tried to highlight (in order to copy) its text. It turns out it WASN'T text, it was a .png image file displayed inline rather than shown as the attachment it really was. So I was tricked into clicking on an attachment. So beware, everybody.

    By the way, I had also opted to look at the original message. It appeared to have been encrypted by RSA encryption and sent through a chain of three anonymous remailers. At what stage along that chain the subject line was decrypted is anybody's guess, but remailers can be set up for that to happen by the user, who provides the remailer with the appropriate key, which is supposedly not even scrutinized by the remailer's operators.

    Maybe it would be a good idea to prominently display a warning about this on MG's website, and for that matter, get the word out in any way possible, to delete this email without opening it. I intend to email a warning to everybody I know about this. Just a thought. By the way, the fake lawyer who sent it was named something like "Hilbrant", with a single syllable first name. (I can't check it now because I deleted the message.) Anyway, I googled the name, and the only hit I got on it said it was one of dozens of aliases of some party who was connected to a variety of scams.

    And I think it would be a great idea for everybody to do backups to a cloud-based service such as iDrive (there are several such services), unless of course you work for a defense contractor or something like that, in which case I think you should be offline for such work.

    I'll check back in after running Avira, MB and Wise Care, which will take a while.
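    The lure described in this post (a message whose visible "text" is really an inline image attachment) is something a mail client hides by design, so the following added example, not code from the thread or from any of the products mentioned, walks the MIME parts of a message and flags image parts that a client would render inline. The sample message is constructed for this example and the sender address is a placeholder.

```python
"""Added example (not from the thread): enumerate the MIME parts of an e-mail
and flag image parts that would be rendered inline in the message body, i.e.
the "it looked like text but was an attachment" pattern described above."""
from email import message_from_string

# Constructed sample: a multipart message whose only real content is a PNG
# with Content-Disposition: inline, plus a one-line text part as a decoy.
# The sender address is a placeholder, not taken from the thread.
SAMPLE_EML = """\
From: "Hypothetical Sender" <sender@example.invalid>
To: recipient@example.invalid
Subject: Estate of a deceased relative
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

(see below)
--BOUNDARY
Content-Type: image/png; name="letter.png"
Content-Disposition: inline; filename="letter.png"
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
--BOUNDARY--
"""


def describe_parts(raw: str) -> list:
    """Return one dict per leaf MIME part: type, disposition, filename, decoded size."""
    msg = message_from_string(raw)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""
        parts.append({
            "content_type": part.get_content_type(),
            # 'inline', 'attachment', or None when no Content-Disposition header
            "disposition": part.get_content_disposition(),
            "filename": part.get_filename(),
            "size": len(payload),
        })
    return parts


def find_inline_images(raw: str) -> list:
    """Names of image parts a client would typically render inside the body.

    Image parts marked 'inline' (or carrying no disposition at all) are shown
    as if they were message text; only an explicit 'attachment' disposition
    makes a client present them as a separate file.
    """
    flagged = []
    for p in describe_parts(raw):
        if p["content_type"].startswith("image/") and p["disposition"] != "attachment":
            flagged.append(p["filename"] or p["content_type"])
    return flagged


def visible_text_length(raw: str) -> int:
    """Total characters of genuine text/plain content, to compare against the images."""
    total = 0
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/plain":
            total += len((part.get_payload(decode=True) or b"").decode("utf-8", "replace").strip())
    return total


if __name__ == "__main__":
    for p in describe_parts(SAMPLE_EML):
        print(p)
    print("inline images:", find_inline_images(SAMPLE_EML))
    print("visible text chars:", visible_text_length(SAMPLE_EML))
```

Run on a saved `.eml`, the part listing makes the mismatch obvious: a message whose text part holds a handful of characters while an image part marked `inline` carries the actual "letter" is one where any click on the picture is a click on an attachment. The same listing also shows parts a client hides entirely, which is what a reader wants to know before deciding whether to trust what the rendered view showed.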
     
  18. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    Well, I did a thorough scan with all of the above, and nothing was found. Should I download CCleaner again and scan with that?
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    CCleaner has no ability to remove viruses... just junk files. But be aware that they may have put malware on your system that tracks your usage and may steal your personal files.
     
    Last edited: Jan 10, 2016
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure what you want us to comment on. Your PC is infected. You really need to reinstall.
    Check back on what! There is nothing that we can do for you. There are no fixes for infections like this and we strongly recommend not paying the scammers. We recommend a clean reinstall and better protection and online habits. Also look into a program like the below or similar:

    https://labs.bitdefender.com/projects/cryptowall-vaccine-2/bitdefender-offers-cryptowall-vaccine/

    And remember, new versions of these ransomware infections keep coming. So even the above is not going to provide perfect protection.
     
  21. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    I'm sorry, I didn't make myself clear. Of course I will do a reinstall on my infected computer. What I just ran Avira, MB and Wise Care on was my OTHER computer, the one from which I opened the text file I had made by copying the text of the HELP_YOUR_FILES.txt file on the infected computer and saving it on a thumb drive. I never copied that new text file to the uninfected computer, and that computer is showing no signs of infection. Are you saying that THAT computer is also now infected?
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

