how to encode files after trojan 1024 cypher

October 22, 2010 at 07:56:09
Specs: Windows Vista, 2800/2gb
Yesterday I downloaded a film from a torrent. While sending a file to uTorrent, a virus was installed on my computer. First I had a new message on the desktop, then I found a txt file:

Attention!!!
All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check for this yourself - just look for files in all folders.
There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after 3 days all encrypted files will be completely deleted and you will have no chance to get it back.
We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words in our side will be a reason for ingoring your message and nothing will be done.
For details you have to send your request on this e-mail (with full serial key shown below in this 'how to..' file on desktop): recoverdata@secure-mail.biz

All my docs, pics and even mp3s are coded with an unknown code and I can't open them properly. All changed files are marked with the ending *.ENCODED
What can I do now? Win Vista, SP2(((



#1
October 22, 2010 at 09:40:47
The best solution would be to do a clean install or system recovery and a restore of data from a current backup. I will assume that is not a viable option.
In a situation like this it is important to realize you cannot trust anything in that message. The files may be encrypted, or they may not. You must of course do a full scan with a good anti-malware product. Rename the extensions of a few files to what they should be and try to open them. If your edition of Vista supports NTFS encryption you should check if they are in the file properties and reset if they are.

If the files really are encrypted (aside from NTFS encryption) you have virtually no chance of recovering them. The files may also be overwritten with random data.

Files downloaded from torrents often contain viruses or other forms of malware. If you use torrents you should always have a current backup.



#2
October 24, 2010 at 09:05:35
I have the same problem, and no solution :( help meeeeee


#3
October 24, 2010 at 10:34:09
"We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). "

WOW..great way to sell a bogus program!!!

Try slaving your drive to another PC and see if the files are intact. Do a virus scan as well as malware scans on the infected HD.
Chances are, your files may only be encrypted on that particular PC...

Just a heads up: I use Deep Freeze on my PC when I'm downloading any torrent files, that way, if any are infected, a quick reboot and I'm back in shape again...it's a great protection tool I purchased many years ago after I discovered they use it in Central America in most of their internet cafes....I don't endorse it, I just use it ;-) For me it was and is a great investment for when I'm downloading torrents.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#4
October 25, 2010 at 10:16:25
YURA, did you find a solution?


#5
October 25, 2010 at 11:09:57
Unfortunately, no. I've restored some files from my flash drive, but the rest will wait for better times. I hope a decoding program will be found somewhere. Slaving the hard drive gave nothing at all either.


#6
October 29, 2010 at 03:25:53
I've just received a very interesting e-mail as a reply:

to get back your data you have to upload "how to decrypt".txt file from your desktop to sendspace.com (with delete-link) (or send a serial number) and pay 120$ on this bank-account:

COUNTRY : USA
BANK NAME : STANDARD CHARTERED BANK NEW YORK BRANCH
ACCOUNT : 3582021683001
CHIPS ABA: 0256
FED ABA: 026002561
SWIFT : SCBLUS33

CURRENCY TYPE: USA DOLLARS

After we received money - you will get the help.
___________________________________________________

Is it possible to find a b---tard according to this information?



#7
November 25, 2010 at 10:57:47
I have the same problem as YURA and Hreni. I have no idea how I got it. I haven't downloaded anything... Please let us know if you have some solution to this nightmare, people!


#8
November 25, 2010 at 11:04:05
S.W.I.F.T: SCBLUS33. Standard Chartered Bank. One Madison Avenue. New York NY 10010

As per your data that's the bank (here's the link http://bit.ly/ehFgBL )
It's not big of a deal to get the telephone and email inquiry to the bank and inform them about the type of the activities on that account...



#9
November 26, 2010 at 05:57:11
Hi All. I've had the exact same attack!

I've tried to rename and open the files but I can't open them – the files are really encrypted. I managed to stop the process of encryption, using Task Manager to stop a suspicious process, so "only" about half my files are encrypted. The attack started 9:49PM yesterday and I noticed and stopped the process 10:38PM. The process deletes the original files and replaces them with encrypted files.

I use XP, SP 3. - Suspect that XP is a reason for the attack (old system). I suppose that a system restore doesn't help since the virus-program has changed my files - system restore only restores the system as I recall.

They've added a key that they want me to send to an email address (datafinder@fastmail.fm), plus money to a bank account, claiming that they will then send a decryption key and instructions. - I'm of course not going to do that, I just thought it might help with a little info on the attack.

If someone can help it’s much appreciated, but I guess the only thing is to reinstall everything on the computer.



#10
November 27, 2010 at 08:51:28
Hi All. Our computer was also infected on 26th November before 13.39 MET. We do not have any idea how it happened. There is only one (nearly) dead mail account which was not used and the internet history shows no suspicious sites. No downloads at all.
What are your experiences?
Best regards
Hartmut


#11
November 27, 2010 at 19:16:04
I got hit on Nov. 25th around 6pm, but definitely that night.
It seems really encrypted. NO download. It was online at that time.


#12
November 28, 2010 at 09:02:26
I can only read a txt file that was encoded. I found out the virus only wrote the beginning of the file. The rest of the file is untouched, so I can read the txt file and edit it to erase the beginning part of the file, so you can recover it.

I am not an expert on the PDF, DOC and JPG file formats, but I am sure that only the beginning part of the file is infected, not the whole file. The problem is you cannot use a PDF reader to read it. I think you have to use a special tool to erase the beginning part of the file in order to read it. Do you have a suggestion?


Report •
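
One way to test the observation in #12 (and the "rename and try to open" check from #1) on a copy of an affected file, as an added example that is not code from anyone in this thread: it compares the entropy of the first bytes with the rest of the file and checks the format's leading magic bytes. The 4096-byte head, the 7.5 threshold, the function names and the sample data are assumptions; compressed formats such as JPG are high-entropy even when intact, so for those only the magic check is meaningful.

```python
import math
import random
from collections import Counter

# Leading "magic" bytes of common formats, keyed by the original extension.
MAGIC = {"jpg": b"\xff\xd8\xff", "pdf": b"%PDF", "png": b"\x89PNG",
         "doc": b"\xd0\xcf\x11\xe0", "zip": b"PK\x03\x04"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for ciphertext, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name: str, data: bytes, head: int = 4096, high: float = 7.5) -> dict:
    """Compare the first `head` bytes of a *.ENCODED file with the rest."""
    base = name[:-8] if name.upper().endswith(".ENCODED") else name
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    magic = MAGIC.get(ext)
    magic_ok = None if magic is None else data.startswith(magic)
    h_head, h_tail = entropy(data[:head]), entropy(data[head:])
    if magic_ok:
        verdict = "header intact: probably only renamed"
    elif h_head >= high and data[head:] and h_tail < high:
        verdict = "start overwritten, remainder looks like original data"
    elif h_head >= high:
        verdict = "high entropy throughout: encrypted or a compressed format"
    else:
        verdict = "low entropy: inspect manually"
    return {"ext": ext, "magic_ok": magic_ok, "head_entropy": round(h_head, 2),
            "tail_entropy": round(h_tail, 2), "verdict": verdict}

def sample_files() -> dict:
    """Constructed sample data (not real victim files)."""
    rng = random.Random(1024)
    noise = bytes(rng.getrandbits(8) for _ in range(20000))
    text = b"Quarterly report: nothing unusual happened this week.\n" * 400
    return {"notes.txt.ENCODED": noise[:4096] + text[4096:],
            "full.txt.ENCODED": noise,
            "photo.jpg.ENCODED": b"\xff\xd8\xff\xe0" + noise[:8000]}

if __name__ == "__main__":
    for fname, blob in sample_files().items():
        print(fname, triage(fname, blob))
```

Run it only against copies of the affected files, never the originals.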

#13
November 28, 2010 at 16:07:18
Hi Thelle

do you still remember the name of the process?

thanks



#14
November 28, 2010 at 16:32:02
No I don't remember the exact name of the process, but it was very strange containing random numbers and characters. Like 9j2oj2o4i5j...

The reason I know the process deletes and replaces the files is because I use Dropbox and in the log it states "deleted" with all original files, and "added" about all the encrypted files.



#15
November 28, 2010 at 16:42:52
Hi, All

I'm a programmer, I'm glad to help you with the problem.

As fighter found out the virus only wrote the beginning of the file.

So please send me some example files to my email, I will try to write a free tool to encode the file.
(at least 3 files, less than 200Kb)

My email is egomoo#gmail.com (replace # with @)



#16
November 28, 2010 at 19:09:36
Hi egomoo

Thank you for helping out

I sent you three files as PDF as you request.

I appreciate your effort so much.

I don't know why my previous post got deleted.



#17
November 28, 2010 at 19:20:23
Hey I got the same infection and same "ransom note" two hours ago.
Has there been any progress with a possible solution for decrypting these encrypted files as yet? If so please let me know.


#18
November 29, 2010 at 04:30:03
I've got the same problem as you guys!! Encrypted files telling me to pay $120. I got it 28th November 2010 at 1:23pm. I had to do a factory reset to get rid of this. Good job I had not had any pics or documents that were important!! These b*****ds are scum!! I won't pay them a penny, but I don't know where I've got it from? Is there no way to report these con-artists???


#19
November 30, 2010 at 09:40:52
BEWARE OF THE LINK IN THIS MESSAGE A-B WROTE:

A-B November 25, 2010 at 11:04:05 Pacific
S.W.I.F.T: SCBLUS33. Standard Chartered Bank. One Madison Avenue. New York NY 10010
As per your data that's the bank (here's the link http://bit.ly/ehFgBL )
It's not big of a deal to get the telephone and email inquiry to the bank and inform them about the type of the activities on that account...

THIS LINK LOOKS VERY SUSPICIOUS AND IS NOT THE LINK TO THIS BANK!!!

The REAL link to Standard Chartered Bank is:
www.standardchartered.com



#20
November 30, 2010 at 10:47:28
Good catch SacramentoKing

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#21
December 6, 2010 at 14:39:56
The following solution albeit time consuming works with Windows Vista.
Firstly, delete the .ENCODED from the file name. This will change the icon back to the original application associated with the file.
Next, right click on the file, choose PROPERTIES, then the PREVIOUS VERSIONS tab. This will display any older version of the file found in shadow copy. You can then restore the unencrypted version over the encrypted version and it will open as usual.

CAUTION: So far this is working well with JPG and DOT files which are normally static and don't change. You need to exercise caution with DOC, XLS etc as these files often change and you need to ensure you don't overwrite the encrypted file with one which is way out of date. As a precaution, you should probably copy all *.ENCODED files to an alternate directory before proceeding. That way if a better solution becomes available you will still have the original file to work with.


Report •
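
The precaution in #21, copying every *.ENCODED file aside before restoring previous versions over them, as an added example that is not code from the thread: it mirrors the affected files into a separate directory, verifies each copy by SHA-256 and writes a manifest. `preserve_encoded`, the vault directory and `MANIFEST.sha256` are hypothetical names chosen for this sketch.

```python
import hashlib
import shutil
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large videos do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_encoded(source: Path, vault: Path) -> list:
    """Copy every *.ENCODED file under `source` into `vault` (hypothetical
    name), keeping relative paths. Returns [(relative_path, sha256), ...]."""
    source, vault = source.resolve(), vault.resolve()
    if vault == source or source in vault.parents:
        raise ValueError("vault must be outside the tree being restored")
    manifest = []
    for src in sorted(source.rglob("*")):
        # Case-insensitive match: Windows does not care about extension case.
        if not src.is_file() or src.suffix.upper() != ".ENCODED":
            continue
        rel = src.relative_to(source)
        dst = vault / rel
        digest = sha256_of(src)
        if dst.exists() and sha256_of(dst) != digest:
            raise FileExistsError(f"{dst} already holds different content")
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)          # copy2 keeps the modification time
        if sha256_of(dst) != digest:    # verify before anything is overwritten
            raise OSError(f"copy of {src} does not match the original")
        manifest.append((rel.as_posix(), digest))
    vault.mkdir(parents=True, exist_ok=True)
    lines = [f"{d}  {r}\n" for r, d in manifest]
    (vault / "MANIFEST.sha256").write_text("".join(lines), encoding="utf-8")
    return manifest
```

Keeping the vault on a different drive from the affected tree means a later reinstall of the system disk does not remove the preserved files.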

#22
December 12, 2010 at 00:52:32
Hi all, same deal.
Win XP pro SP2
The machine I was using at the time is virtually only a Jukebox as I do some Karaoke and use Media player and iTunes, was online but not downloading anything.
(No firewall no nothing)
Don't even think about the Ransom as whatever you get probably won't work.
The desktop Icons were all grayed out so right click and in the bin, (I call mine the s**t can, changed the attrib. in the reg.)
What I did was go to the start menu and drag new icons to the desktop and to all programs and try and get them on the desktop. Some worked some didn't.
I guess I got about 70% back again.
With a bit of manipulation most things were back on track.
Programs lost were...Office...Adobe...Printer drivers....and a few others, nothing that could not be reinstalled
I got back Outlook (Email) My Documents with folders and others.
My documents had saved files from office and they were there.
What is still encoded on this machine doesn't matter.
Forget the Format or new install till you have a play with it as it appears to have not affected the OS.
I also doubt that it is encrypted @ 1024
cheers, Max



#23
December 16, 2010 at 13:12:47
I am having the same problem. Did anyone find solutions?
I don't have the txt file on my desktop. I will pay 120$ but I can't send email to anyone because I don't have the serial and email also ...


#24
December 19, 2010 at 17:18:13
At the end of November in a Starbucks one day I was online when a Java applet quickly kicked on and off, a PDF notice appeared and I got a BSOD. Would not boot after just a flashing cursor. Had Win 7 at the time. Had to reinstall OS and put on Vista with latest SP and copied back some files I had rescued from a DOS prompt file save after the initial crash.

Today same Starbucks. Online I know where, academic site in one tab and my online vita in another. I had reinstalled Java yesterday. All of a sudden I got a Java dialogue box open then close then a PDF with a .ru extension asked to download since they must prompt for me. I said no then saw my desktop had the ransom pic text. My icons were changed and files given the .ENCODED extension. I deleted the file it asked me to read without reading it. McAfee popped up a window saying it cleaned four files but on a scan it found 11. Ad Aware hanged and would not run. Task manager showed the rogue executable which I stopped and deleted. Hope that helps.



#25
March 27, 2011 at 01:29:18
I took the following steps to remove trojan RSA 1024. It is a screen message.

1. Right click on monitor screen, click on properties, select desktop
2. New screen program appear under 'select item'
3. Click on browse to see the program. Right click on all the items and select delete.
Delete all the items. Done! Removed!



#26
March 28, 2011 at 18:21:29
Hi,

I am working on a second computer now. But, has anyone tried the @Skyline Traveller's method?



#27
June 2, 2011 at 18:31:37
My computer has the same virus. I found someone to get rid of it but I can't open my pictures. Each one of my pictures has a crypted file on them and I can't open them. Can someone help with this?


#28
June 2, 2011 at 19:20:22
coolmom4,
That is an old post...you would be better off starting a new one so others could help you.

Some HELP in posting on Computing.net plus free progs and instructions Cheers

