8 replies to this topic

[Dr Bonz]

I am running Windows 7.  Just tonight, I noticed that if I try to view any e-mail in my inbox, my sent folder, my drafts, or even my deleted folder, the e-mail shows up as jibberish (thousands and thousands of random letters, numbers, symbols).  This is the case in the preview pane and when I open the e-mail up.  The strange thing is, any e-mails I receive NOW all seem to work and look normal.  For example, I sent myself an e-mail from one of my accounts to another and it looks normal in my sent folder and in the inbox it was sent to.  Also, any new e-mail I get, seems normal.  It is only all the other e-mail from more than about 2-3 hours ago that is effected. 

 

Also, probably related is the fact that about half of my photos on my hard drive will not show up.  They appear as the standard Windows thumbnail and I cannot open them with any program.  I have a folder with probably 50,000 photos in it, in various subfolders that are arranged in alphabetical order.  Every image in a folder from A to I is effected.  All after I seem to be normal.  When I tried to open these same photos that I have in an external hard drive, I find the exact same thing. 

 

Any help would be appreciated .

 

Thanks so much!

[paws]

Have a look here:

http://answers.micro...b7-25c96cceb10f

and see if this helps with the email issue..

Regards

paws

[Dr Bonz]

_{Thank you Paws.  It appears that I should be in UT-8 but when I change the encoding to this, I just get a DIFFERENT FORM of garbled jibberish.  I tried all of the English ones and it simply changes to different jibberish.  This is SO bizarre!  All e-mails I send and receive now are completely normal but everything (thousands) of e-mails before yesterday night are garbled and I don't know what to do.  I REALLY need help here as I need to access my old e-mails!}

 

_{As for the pictures, I am baffled.  I just e-mailed myself a picture from my cell phone and it came in normally on e-mail (no jibberish) and the picture opens completely normally.  This is the same picture that I previously had on my computer (I had e-mailed it a few days ago) that I can not open with Windows Live Photo Gallery when I click on the same picture that was already on my computer.} 

 

_{PLEASE HELP!}

[Dr Bonz]

I just took a look at one of the e-mails that just came in and was normal (the one from this website telling me that I had a reply in this forum).  When I right click on it, then look at properties, details, Message source, It says this:

 

Return-Path: <bounce-md_30104042.544e01eb.v1-bf416112a20e4dc89ddc7721beb22567@mandrillapp.com>
X-Original-To: my e-mail
Delivered-To: my e-mail
Received: from ewin04.consolidated.net (ewin04.consolidated.net [206.123.242.135])
 by inbound02.nauticom.net (Postfix) with ESMTP id A671D2618C
 for <my e-mail>; Mon, 27 Oct 2014 04:27:31 -0400 (EDT)
Received: from mail1.us4.mandrillapp.com ([205.201.136.1])
          by ewin04.consolidated.net ({bbc45fbb-4b54-4538-ae92-6897db62211d})
          via TCP (inbound) with ESMTPS id 20141027082729351
          for <my e-mail>;
          Mon, 27 Oct 2014 08:27:29 +0000
X-RC-FROM: <bounce-md_30104042.544e01eb.v1-bf416112a20e4dc89ddc7721beb22567@mandrillapp.com>
X-RC-RCPT: <my e-mail>
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=whatthetech.com;
 h=From:Subject:To:List-Unsubscribe:Message-Id:Date:MIME-Version:Content-Type; i=no_reply@whatthetech.com;
 bh=ywabeQkJW7KGI4+D/TZWO1sl2K4=;
 b=mPtZ/s6HLJZrQ0B6g7LGAbS8KPrALLkSOndq1tpaB7VuM1lSC5qneyR0chrKRxffel06jradq/aA
   yUolUY3ZWK87BYe9rOFSpqax86Ig9ytGx/iQQdo16EXY4bYpUaykfQf2MuCbRGvSICLRL/nlHwoH
   M4Jpikgv1mvPF+m64SE=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mandrill; d=whatthetech.com;
 b=eAu5am1lPnC0IjH7K0bqMrJ7Z+htwLt+EExKtiQIV+O3WcCFV4Oj3fmigz0YN8TToExoyeeIj0dH
   p4V0++RKj+7BnDZ8J4pKZzJFB3fd8/a2FwOWGfxWj49aglryAIX4IzxXK00mKV5H7NU6DumX3vvl
   ydAUNTJlbTNrtaiD8nU=;
Received: from pmta03.dal05.mailchimp.com (127.0.0.1) by mail1.us4.mandrillapp.com id h9o0v2174nog for <my e-mail>; Mon, 27 Oct 2014 08:27:23 +0000 (envelope-from <bounce-md_30104042.544e01eb.v1-bf416112a20e4dc89ddc7721beb22567@mandrillapp.com>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com;
 i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1414398443; h=From :
 Subject : To : List-Unsubscribe : Message-Id : Date : MIME-Version :
 Content-Type : From : Subject : Date : X-Mandrill-User :
 List-Unsubscribe; bh=PQXAzEhiQMXhVbVCYI8UwIQWDsJ5VIuozMmQzyvCIGA=;
 b=KsmcebbjntEasOW1StwVc6+nDUUOT08KinyL4D9F/ChKAICJJDbN2Qwkx6fvIrXn95+2lZ
 jKWPsbB0nTcakuajPmlJs10jKYwRpOwvdRikj0I44uR0S4xR2ueWFiQoFT+Uz560RrljdoTq
 4xGfv3tBsh5Im2KpjXsu2psHVYtwU=
From: What the Tech <no_reply@whatthetech.com>
Subject: New reply to Windows Live Mail Issue
X-Priority: 3
X-Mailer: IPS PHP Mailer
To: <my e-mail>
List-Unsubscribe: <mailto:unsubscribe-md_30104042.544e01eb.v1-bf416112a20e4dc89ddc7721beb22567@mailin1.us2.mcsv.net?subject=unsub>
Received: from [108.60.139.200] by mandrillapp.com id bf416112a20e4dc89ddc7721beb22567; Mon, 27 Oct 2014 08:27:23 +0000
X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com
X-Report-Abuse: You can also report abuse here: http://mandrillapp.c...ddc7721beb22567
X-Mandrill-User: md_30104042
Message-Id: <30104042.20141027082723.544e01eb59fee5.96009581@mail1.us4.mandrillapp.com>
Date: Mon, 27 Oct 2014 08:27:23 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_av-m0_gfTng1OK6li3UeX1CJg"
X-ClamAV: clean

--_av-m0_gfTng1OK6li3UeX1CJg
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

 

 

Edited by Dr Bonz, 27 October 2014 - 09:44 AM.

[Dr Bonz]

When I do the same thing in one of my old e-mails, this is all garbled jibberish

[paws]

This is all very strange....

Before we go too far I recommend you edit out your email address from your post....( too many spammers and bad guys around)

 

Here's three things you can try:

1 Run

chkdsk /r

from a command prompt with elevated privileges type chkdsk /r

note the space it needs to be there,.accept the warning, press Y press Enter type exit, press enter and reboot

do not interrupt chkdsk whilst its running...it may take several hours to complete all 5 passes... it will try and fix any disc inconsistencies if it can and when its finished it will restart your computer

 

2 The next command is:

sfc /scannow and press enter

( you should still run this from a command prompt with elevated privileges)

note the space etc.

 

3 Now try using a System Restore Point created about a week or so before the problem started..... do not interrupt system restore whilst its running, it will restart your computer when its finished...... now try your Windows Live Mail again.... any better?

 

Post back with  your findings.

Presumably you have a back up of all your important stuff, emails, photos etc kept safe on removable media offsite.....?

 

Can you obtain access to another computer running vista,  or 7 ? and do you have a note of your Windows Live Mail user name and password..( dont post them ... I just need to know if you have them handy!

Regards

paws

 

 

[Dr Bonz]

Well, I now see what has happened.  I went to my Carbonite offsite storage (at your recommendation) and viewed one of my photo files.  In it, all of the photos were safe, however there was a new file I never saw before.  I opened it and this is what it said:

 

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 2.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia....A_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.https://paytordmbdek...usd.com/1ws6Qpm
2.https://paytordmbdek...eur.com/1ws6Qpm
3.https://paytordmbdek...cnf.com/1ws6Qpm
4.https://paytordmbdek...ash.com/1ws6Qpm

If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: http://www.torprojec...browser.html.en
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: paytordmbdekmizq.onion/1ws6Qpm
4.Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal page: https://paytordmbdek...usd.com/1ws6Qpm
Your personal page (using TOR): paytordmbdekmizq.onion/1ws6Qpm
Your personal identification number (if you open the site (or TOR 's) directly): 1ws6Qpm

 

Looks like I have been hit with some sort of Ransom virus/Trojan.  I'm obviously not going to visit this site as they recommend.

 

Any suggestions or recommendations?   dayam!

[Dr Bonz]

Since I last wrote, it now wiped out all of my pictures.  Not just the files in alphabetical order A to I.  I guess it was still working on stealing those at that time.  We are talking about thousands and thousands of photos.  And my e-mails are all still garbled. 

 

Is there anything anyone knows about this virus?  Can I get rid of it and get my stuff back or do I have to invest about a weeks worth of time downloading all back from Carbonite?

 

BASTARDS!

[Ztruker]

There is a good article on the Cryptowall virus here: http://www.bleepingc...are-information

 

 

Is it possible to decrypt files encrypted by CryptoWall?

Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom on the CryptoWall Decryption Service. Brute forcing the decryption key is not realistic due to the length of time required to break an RSA encryption key. Also any decryption tools that have been released by various companies will not work with this infection. The only methods you have of restoring your files is from a backup, file recovery tools, or if your lucky from Shadow Volume Copies.

 

Looks like the only recovery is to clean up the system then download all your Carbonite backups. I would strongly recommend doing a Clean Install Windows 7 to make absolutely sure the virus is gone then restore your data.

 

Good thing you have Carbonite or pics and mail would all be permanently gone.