
Cryptowall 3.0 leftover - Outlook Signature



#1 turbokafer

turbokafer

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 22 April 2016 - 06:53 AM

Hello all,

 

Last summer/fall a friend of mine was infected with Cryptowall 3.0. At the time we found this link http://www.wintips.org/remove-cryptowall-virus-and-restore-cryptowall-files/ and followed the instructions for removal. After removal and restoring his files everything seemed fine, but periodically there is one odd thing left over that appears in Outlook.

 

What happens is when he replies to an email his signature is replaced with something that looks like this:

 

blz@) .. X-•huGCfStt.'Oc '£0)_YlN~ ii.t, Q/b+ Av¢<U:§'l:-Y'xg(:Sit!t M_uAaip{Uh>XY•O •j~'K.OU gJO 9UiiMVRt»J:n_

:a·*cO,(It_aOUceBil~lf.trmi , .. skOi pA lt>ottnxx!fAd)SOOf•J~> .. .H a ~~JOJUU"UCi.I~J.\L•f·yt'm:Ot{ USa•'.\ ·M !! •o •· rr:>¥fP "!!"fG• ..

;RiOdiriO-!fl>~

 

And when he clicks the 'Signature' dropdown in the Outlook ribbon it shows a signature named 'HELP_DECRYPT'. But when you close the message and go to options/signatures in Outlook, that signature isn't there to be removed.

 

When searching online for a solution I found others saying they'd seen this signature after an infection and removed it by going to options/signatures. As I said, his doesn't appear there, and doesn't always appear in the dropdown in the ribbon. And it only appears when replying to a message, never on a new or forwarded message.

 

Other than this nuisance the infection does appear to be gone and the computer is operating properly.

 

Any guidance would be greatly appreciated.

 

Thanks

 




 


#2 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,130 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:02:25 PM

Posted 22 April 2016 - 08:30 AM

Hi :welcome: to BleepingComputer

 

It seems Outlook is using some file that got encrypted during the infection!

 

Did you try searching for all the files named 'HELP_DECRYPT'? If you find some folder used by Outlook, it can provide some clue about where the damaged file is.

 

Check also the folder %APPDATA%\Microsoft\Signatures


Edited by SleepyDude, 22 April 2016 - 08:31 AM.

• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 turbokafer

turbokafer
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 23 April 2016 - 12:22 PM

> Hi :welcome: to BleepingComputer
>
> It seems Outlook is using some file that got encrypted during the infection!
>
> Did you try searching for all the files named 'HELP_DECRYPT'? If you find some folder used by Outlook, it can provide some clue about where the damaged file is.
>
> Check also the folder %APPDATA%\Microsoft\Signatures

 

Thanks for the suggestion. There were a couple of corrupt files in there I couldn't open so we deleted everything and he recreated his signature files.

 

Time will tell if that was the fix.

 

Thanks again!
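
The check suggested in this thread (look for HELP_DECRYPT files and inspect %APPDATA%\Microsoft\Signatures for damaged files), written out in PowerShell. This is an added example, not part of the original posts; the function names, the header checks and the entropy threshold are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Function names, the header checks and the
# 6.5 bits/byte threshold are illustrative assumptions.
function Get-ByteEntropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $entropy = 0.0
    foreach ($group in ($Bytes | Group-Object)) {
        $p = $group.Count / $Bytes.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy   # plain text scores roughly 4-5.5; encrypted data nears 8
}

function Test-OutlookSignatureFolder {
    param([string]$Path = (Join-Path $env:APPDATA 'Microsoft\Signatures'))

    # Top-level files only: the "<name>_files" subfolders hold images and theme
    # data that are legitimately high-entropy.
    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        $count = [Math]::Min($bytes.Length, 512)
        # Decode the first bytes as ASCII and drop NULs so UTF-16 files still match.
        $head  = [System.Text.Encoding]::ASCII.GetString($bytes, 0, $count).Replace("`0", '')

        $finding = if ($_.BaseName -like 'HELP_DECRYPT*') {
            'ransom note leftover'
        } elseif ($bytes.Length -eq 0) {
            'empty file'
        } elseif ($_.Extension -eq '.rtf' -and
                  -not $head.StartsWith('{\rtf', [StringComparison]::Ordinal)) {
            'missing RTF header'
        } elseif ($_.Extension -match '^\.html?$' -and
                  $head -notmatch '<(html|!doctype|head|body|div|p|span)\b') {
            'no HTML markup in first 512 bytes'
        } elseif ((Get-ByteEntropy $bytes) -gt 6.5) {
            'high entropy, possibly encrypted'
        } else {
            'ok'
        }

        [pscustomobject]@{ File = $_.Name; Bytes = $bytes.Length; Finding = $finding }
    }
}

# Show only the files worth a manual look before deleting or recreating them.
Test-OutlookSignatureFolder | Where-Object { $_.Finding -ne 'ok' } | Format-Table -AutoSize
```

Files shorter than about 100 bytes cannot reach the entropy threshold, so review those by hand. Close Outlook before running it so the signature files are not in use.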





