CryptoWall 3 - how to prevent and how to decrypt?

First: there's no known way to decrypt files attacked by CryptoWall. Unless you pay to get the key, they are lost forever. If you don't have offline backups, your files are lost.

One way to prevent the execution of those kinds of viruses is to use whitelisting on your Windows. This can be frustrating if your father does not know how to include applications on the whitelist, and will demand a lot of time to do right, but will deny execution of any application not known.


Is there a way to decrypt the files?

SensorsTechForum suggests trying Kaspersky's RectorDecryptor.exe and RakhniDecryptor.exe.

However, I would not hold out much hope.

As CryptoWall is very similar to CryptoDefense, you may be able to decrypt using the method here. Unfortunately, this only really applies if you were infected before April 1st 2014.

You may also be able to get your files back from Windows Volume Shadow Copy.

What is the best way to prevent these kinds of viruses from infecting our computers?

Install AntiVirus and keep it up to date. Microsoft Security Essentials is free, although others are available. Although this will not fully protect the system, it is a good basic step to take.

You haven't said how this infection happened; however, you should set the computer to install updates automatically. Remind users of the computer not to run things that they are not expecting to be sent to them (even those that appear to be from trusted contacts), although this can be easier said than done.

The main protection from these types of attack should come from backup. Tools such as Dropbox can sync your important files into the cloud, and if the worst should happen you would have 30 days to roll back to known good versions of files (even the free version allows this). So far there are no known attacks that attempt to clear out the version history from cloud-based backup services.

Is there any way to prevent execution of unknown files? I was thinking about only allowing execution permission on known files.

Although Windows itself supports the notion of execute permissions, this is enabled by default on new executables. Microsoft's AppLocker can be utilised to enable whitelisting of applications. Whether this will make the computer too unusable for your average user is another question.

Another thing you could do is to use normal accounts rather than administrator accounts for using the computer. The malware tries to execute the following command:

vssadmin.exe Delete Shadows /All /Quiet

However, if the user account it is run under does not have administrative permissions this will fail, and volume shadow copies may be restorable.
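The AppLocker whitelisting mentioned in the answer above can be bootstrapped from the software already on the machine. The script below is an added example, not code from the answer or from Microsoft; it assumes an elevated PowerShell session on an edition that enforces AppLocker (Enterprise or Server), and the output path C:\Policies\AppLocker-allowlist.xml is this example's own choice. It builds rules only from the Windows and Program Files trees, so anything dropped into Downloads, %TEMP% or %APPDATA% stays unlisted; switches the policy to audit mode first so the "would have been blocked" events can be reviewed before real users are locked out; and tests a sample of files against the policy.

```powershell
# Added example (not from the original answer): build an AppLocker allow-list from
# installed software, stage it in audit mode, test it, then apply it locally.
# Assumes: elevated session, AppLocker-capable Windows edition, the paths below.

Import-Module AppLocker

$policyPath = 'C:\Policies\AppLocker-allowlist.xml'   # assumed output location
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Collect publisher/hash information for executables that should be allowed.
#    User-writable folders are deliberately not scanned, so files dropped there
#    (the usual landing place for a mail attachment) match no rule and are denied.
#    Scanning all of C:\Windows takes a while on a real machine.
$trustedDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, Dll
}

# 2. Turn that into rules: signed files get publisher rules (survive updates),
#    unsigned files get hash rules. -Optimize merges duplicates; -Xml emits the policy.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# 3. Start in audit mode: every rule collection logs instead of blocks.
#    Review the AppLocker event log (event 8003 = "would have been blocked")
#    for a week or two, add what legitimate users need, then switch to Enabled.
[xml]$policy = Get-Content -Path $policyPath -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# 4. Dry-run the policy against a few files. Anything under the user's profile
#    should come back Denied; a system binary should be Allowed.
$samples = @('C:\Windows\System32\notepad.exe') +
           (Get-ChildItem -Path "$env:USERPROFILE\Downloads\*.exe" -ErrorAction SilentlyContinue).FullName
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally. Rules are only evaluated while the Application Identity
#    service is running; it is a protected service, so configure it with sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath
```

When the audit log shows only expected hits, change `AuditOnly` to `Enabled` in the XML and run `Set-AppLockerPolicy` again. Hash rules for unsigned programs break on every update of that program, which is the main source of the "too unusable" complaints the answer anticipates; prefer publisher rules wherever the vendor signs its binaries.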


I might have found a way to recover your files. My laptop was infected with Crypto 3.0 last week. I removed it with SpyHunter, but I thought I lost all my files after reading all the stories on the net. I didn't have a recent back-up. And all my tries to recover the files as recommended ("restore old version" and ShadowExplorer) failed until now. I went on "Search programs and files" and searched for all the files from Crypto "Help_decrypt". It will list you all the "Help_decrypt" files, which I deleted then. You have to run it thoroughly, so you really remove all the files from your computer. Afterwards I was able to recover all my files (as I can see so far) with ShadowExplorer. Easily. I am not sure whether this was a coincidence or a solution, but it definitely helped me. Good luck.
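Two of the answers above turn on the same point: the shadow copies that ShadowExplorer restores from only survive if the `vssadmin.exe Delete Shadows /All /Quiet` command failed, which it does for a non-administrator account. The script below is an added example, not code posted by any of the answerers; it is read-only and assumes a Windows machine with PowerShell 3 or later. It reports whether the current session holds the administrative rights that command needs, lists the shadow copies that still exist (the entries ShadowExplorer would browse), and looks back through Security event 4688 for a recorded attempt to delete them. The command line is only present in 4688 if "Include command line in process creation events" auditing is enabled, so an empty result is not proof that nothing ran.

```powershell
# Added example (not from the original posts). Read-only checks around the
# vssadmin "Delete Shadows" behaviour: session privilege, surviving shadow
# copies, and process-creation events that recorded the command.

function Test-IsElevated {
    # vssadmin's delete operation needs an elevated token. A standard user
    # (or an admin who did not pass a UAC prompt) does not have one.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ShadowCopySummary {
    # Win32_ShadowCopy is only readable by an elevated caller; report that
    # instead of failing. Each object is one restore point per volume.
    try {
        $shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop
    } catch {
        Write-Warning "Cannot enumerate shadow copies (elevation required?): $($_.Exception.Message)"
        return @()
    }
    $volumes = Get-CimInstance -ClassName Win32_Volume
    foreach ($s in $shadows) {
        # ShadowCopy.VolumeName and Volume.DeviceID share the \\?\Volume{GUID}\ form.
        $vol = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }
        [pscustomobject]@{
            Drive    = if ($vol -and $vol.DriveLetter) { $vol.DriveLetter } else { $s.VolumeName }
            Created  = $s.InstallDate
            ShadowId = $s.ID
            Device   = $s.DeviceObject   # the path ShadowExplorer opens
        }
    }
}

function Find-ShadowDeletionAttempts([int]$Days = 7) {
    # Security event 4688 = a new process was created. Reading the Security
    # log also needs elevation; Get-WinEvent throws when no event matches.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning "No 4688 events readable in the last $Days days: $($_.Exception.Message)"
        return @()
    }
    $events |
        Where-Object { $_.Message -match 'vssadmin(\.exe)?\s+delete\s+shadows' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'CommandLine'
               Expression = { ($_.Message -split "`r?`n" |
                               Where-Object { $_ -match 'Process Command Line' }) -replace '^[^:]*:\s*', '' } }
}

if (Test-IsElevated) {
    Write-Warning 'This session is elevated: a dropper started from it could delete the shadow copies.'
} else {
    Write-Host 'Standard-user session: "vssadmin.exe Delete Shadows /All /Quiet" would be refused here.'
}

Get-ShadowCopySummary       | Format-Table -AutoSize
Find-ShadowDeletionAttempts -Days 14 | Format-Table -AutoSize
```

Run it first from the everyday (standard) account, where the shadow-copy and event-log queries are expected to be refused: that refusal is exactly what protects the copies from the malware. Then run it once from an elevated prompt to see what is still restorable before touching the disk.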