Cryptowall virus. Restore files from volume shadow...

February 8, 2015 at 11:32:22
Specs: Windows 7, AMD Turion 2.4GHz/4GB RAM
I have recently been infected with the Cryptowall virus which has encrypted most of my files. I have already done a little research on this virus and short of paying the ransom to decrypt my files there isn't much more I can do to restore them. One option I found was to use the Volume Shadow copies of the files (right click a file -> previous versions -> copy). I read that the virus usually disables/encrypts these "backups" also but luckily in my case, a few I have already tested on restored successfully. So my questions are:

1) How do I completely remove this virus so it stops encrypting files as I restore them? I am fine with a complete format/reinstall but that brings up question 2...

2) Is there any way to "backup" the Volume Shadow? For example, is it a single large file somewhere on my drive that I can just copy to an external drive while I reformat?

3) If number 2 above IS possible, how do I copy back over this "backup" to the newly installed OS to be able to restore the files? I read in my research that there is a tool that would allow me to restore entire folders at a time from the Volume Shadow.

I have already scanned with MBAM and it showed a few results but nothing specifically stating "Cryptowall", so I am uncertain if it actually removed it or not.



#1
February 8, 2015 at 13:58:08


#2
February 8, 2015 at 14:03:38
Have you read this?

CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ
http://www.bleepingcomputer.com/vir...



#3
February 8, 2015 at 14:07:51
"I am fine with a complete format/reinstall"
You must delete all partitions & then format.

W7 - Click on > Drive options (advanced) Then highlight each partition & hit > Delete.
http://www.blackviper.com/os-instal...
http://www.blackviper.com/os-instal...



#4
February 8, 2015 at 15:12:34
Thanks all for the quick replies. I have already read through those exact links with info about Cryptowall prior to posting here. That is where I got the idea of using volume shadow to restore my files. However the question at hand is still unanswered. If I perform the reformat route, is there any way to "backup" the volume shadow prior and then restore my files from that backup after reinstall? Also I didn't notice those links state detailed info about "how" to actually remove the virus.


#5
February 8, 2015 at 15:25:59
"I have already read through those exact links with info about Cryptowall prior to posting here"
Ok, just had to make sure you had a good understanding of the hopelessness of the situation.

"However the question at hand is still unanswered. If I perform the reformat route, is there any way to "backup" the volume shadow prior and then restore my files from that backup after reinstall?"

You can, but I doubt if they will be of any use. Here is my info if you want to have a play with them.

Cobian Backup
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Cobian...
http://www.freewarefiles.com/screen...
http://www.educ.umu.se/~cobian/cobi...
Portable
http://www.softpedia.com/get/PORTAB...
* Support for Volume Shadow Copies (VSS).

Macrium Reflect FREE Edition
http://www.softpedia.com/get/System...
http://www.macrium.com/reflectfree.asp
User's tutorial
http://is.gd/M2TV51 ( W7 )
http://www.sevenforums.com/backup-r...
http://www.tipsfor.us/2008/10/17/gh...
http://www.tipsfor.us/articles/ghos...
http://www.tipsfor.us/2007/06/05/gh...
* Create a disk image whilst running Windows using Microsoft Volume Shadow copy Service (VSS).

FBackup
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/FBacku...
http://www.freewarefiles.com/screen...
http://www.techsupportalert.com/bes...
http://www.fbackup.com/screenshots.php
http://www.fbackup.com/
If a file is in use by another program at the time of the backup, FBackup will still be able to back up that file, because it uses the Volume Shadow Service that Windows provides.

Windows Volume Shadow Copy Service (VSS)
http://social.technet.microsoft.com...
System Reserved Partition must have 40MB free space, or the Windows Volume Shadow Copy Service (VSS) will fail.

Automating Backup (Windows)
http://paulski.com/zpages.php?id=1920
Error Messages
Volume Shadow Copy Service (VSS) Troubleshooting
http://www.tomahawkbackup.com/faq/c...
Microsoft VSS Troubleshooting
http://support.novastor.com/custome...
How to troubleshoot Microsoft Volume Shadow copy Service errors
http://kb.macrium.com/Knowledgebase...
BackupChain Volume Shadow Copy Service (VSS) Troubleshooting Guide
http://backupchain.com/hyper-v-back...


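On the question of "backing up" the Volume Shadow asked above, an added example that is not part of any poster's reply: shadow copies are stored inside the volume's System Volume Information area and are lost when the partition is deleted, so the workable approach is to copy whole folders out of a surviving snapshot to an external drive before reformatting. The paths `E:\Recovered`, `Users\Me\Documents`, `C:\vss_mount` and the cutoff date are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: pull a folder tree out of a surviving shadow copy before a reformat.
# Assumed values (not from the thread): adjust all four before running.
$Destination = 'E:\Recovered'           # clean external drive
$Folder      = 'Users\Me\Documents'     # folder to recover, relative to C:\
$LinkRoot    = 'C:\vss_mount'           # temporary mount point, must not exist yet
$Cutoff      = Get-Date '2015-02-01'    # a date before the files were encrypted

# Shadow copies are per volume; match them to C: by its volume GUID path.
$volume = Get-WmiObject Win32_Volume -Filter "DriveLetter='C:'"

$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Select-Object ID, DeviceObject,
        @{n='Created'; e={[Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)}} |
    Sort-Object Created

if (-not $shadows) { Write-Warning 'No shadow copies left on C:.'; return }
$shadows | Format-Table -AutoSize

# Newest snapshot that predates the encryption.
$pick = $shadows | Where-Object { $_.Created -lt $Cutoff } | Select-Object -Last 1
if (-not $pick) { Write-Warning "No snapshot older than $Cutoff."; return }

# Expose the snapshot as a directory; the trailing backslash is required.
cmd /c mklink /d $LinkRoot "$($pick.DeviceObject)\"

try {
    New-Item -ItemType Directory -Force -Path $Destination | Out-Null
    # /E copies subfolders, /XJ skips junctions, /R:1 /W:1 avoids long retry loops.
    robocopy (Join-Path $LinkRoot $Folder) (Join-Path $Destination $Folder) `
        /E /COPY:DAT /XJ /R:1 /W:1 /LOG:"$Destination\robocopy.log"
}
finally {
    # Removes only the link, never the snapshot contents.
    cmd /c rmdir $LinkRoot
}
```

Check `robocopy.log` for skipped files, and open a sample of the recovered files before wiping the disk, since the snapshot itself cannot be carried over to the new install.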

#6
February 9, 2015 at 14:52:49
There is a glimmer of hope. I was reading this a couple of months ago:

http://mobile.pcauthority.com.au/Ar...

