paytordmbdekmizq ransomware

My wife’s laptop was hit by the “paytordmbdekmizq” ransomware sometime last fall. I was able to successfully clean the virus off using Malwarebytes, and I thought everything was okay. All of her important files on the laptop are synced to the cloud using MS OneDrive. Shortly after the laptop was cleaned of the virus, she was having trouble opening files on the laptop. I was able to log into the OneDrive site and open the files, and I just assumed that her laptop was displaying some residual effects of the infection, so I assumed that the files were actually fine, but that the laptop wasn’t able to open them.

Now, it appears that everything on Onedrive is also corrupted. It looks like anything created before the files were corrupted by the virus can be restored to a prior version, but it will take forever to restore these one at a time. Also there are some files that must have been created while the computer was infected, so there are no previous versions to restore.

I ran the Emsisoft Decrypter on the folders containing the files, and it didn’t seem to find anything that it says is corrupted, but every time I try to open a file, I get a message that says “The file XXXXXXXX cannot be opened because there are problems with the contents.” The Details show “The file is corrupt and cannot be opened.”

It looks like people have had success decrypting their files, so hopefully someone can help me.

There are “Decrypt Instruction” text files all over the hard drive, containing the following text:

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 2.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.http://paytordmbdekmizq.torsona.com/Qsff9s
2.http://paytordmbdekmizq.poltornik.com/Qsff9s
3.http://paytordmbdekmizq.dogotor.com/Qsff9s
4.http://paytordmbdekmizq.torforlove.com/Qsff9s

If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: paytordmbdekmizq.onion/Qsff9s
4.Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal page: http://paytordmbdekmizq.torsona.com/Qsff9s
Your personal page (using TOR): paytordmbdekmizq.onion/Qsff9s
Your personal identification number (if you open the site (or TOR 's) directly): Qsff9s

Thank you in advance for any help you can provide.

A little more information. Based on a lot of the posts here, I downloaded and ran the Farbar Recovery Scan Tool. Here is the FRST log file:

And here’s the Addition log file

Here’s the log file after running the Emsisoft Emergency Kit.

Keep in mind that I was able to remove a lot of the problem back in November with Malwarebytes. I can pull those scan logs, if needed.

Thanks.

Unfortunately the ability to decrypt these files is not available

MBAM did not get it all I am afraid

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Save the attached fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

You could try the following programmes to try and recover your files, but as it has been so long the chances are not high

http://i.imgur.com/y3MMIrs.png
Previous Versions

[*]Right-click the file/folder and click Properties.
[*]Click Previous Versions.
[*]This tab will list all copies of the file and the date they were backed up.
[*]To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
[*]If you wish to restore the selected file and replace the existing one, click Restore
[*]If you wish to view the contents of the file before restoring, click Open.

http://i.imgur.com/MzmiIl9.gif
ShadowExplorer

[*]Please download ShadowExplorer and save the file to your Desktop
[*]Right-Click ShadowExplorer-0.9-portable.zip and click Extract All. Select your Desktop and click Extract
[*]Right-Click ShadowExplorer.exe and select Run as administrator to run the programme.
[*]You will see a drop-down menu with the shadow copies of all partitions and disks present.
[*]Click C:\ from the drop-down menu.
[*]To the right, pick a date prior to the infection from the drop-down menu.
[*]To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.

http://i.imgur.com/J8xQM97.png
File Recovery Software

File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.

http://i.imgur.com/fSA1TL4.png
[*]R-Studio
http://i.imgur.com/C08PZmH.png
[*]Photorec
http://i.imgur.com/uc6sByo.png
[*]Recuva
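The Previous Versions and ShadowExplorer steps above both read from Volume Shadow Copies. The script below is an added example, not code from the thread or from ShadowExplorer: it does the same job with built-in Windows tools, picks the newest snapshot taken before the infection, and copies a folder out of it. The infection date, the folder to recover and the destination drive are placeholder assumptions, not values from the original post; run it from an elevated PowerShell.

```powershell
# Added example, not part of the thread: recover a pre-infection copy of a folder
# from a Volume Shadow Copy with built-in tools (what ShadowExplorer does with a GUI).
# Assumed values (placeholders, not from the original post): the infection date,
# the folder to recover and the destination drive. Run from an elevated PowerShell.
$InfectionDate = Get-Date '2014-11-09'        # day the encrypted files first appeared
$SourceFolder  = 'Users\Amy\Documents'        # path relative to the root of C:
$Destination   = 'D:\Recovered\Documents'     # keep it OFF the volume being restored
$LinkPath      = 'C:\shadow'                  # temporary link to the snapshot

# Map C: to its volume GUID and list that volume's snapshots, newest first.
$volume    = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }
$snapshots = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate -Descending

if (-not $snapshots) {
    throw 'No shadow copies exist for C:. Previous Versions and ShadowExplorer will show nothing either.'
}
$snapshots | Format-Table InstallDate, DeviceObject -AutoSize

# Use the newest snapshot taken BEFORE the infection; later ones may already hold encrypted files.
$snap = $snapshots | Where-Object { $_.InstallDate -lt $InfectionDate } | Select-Object -First 1
if (-not $snap) { throw 'Every remaining snapshot postdates the infection.' }
Write-Host "Using snapshot from $($snap.InstallDate): $($snap.DeviceObject)"

# Expose the snapshot as a directory symlink (the trailing backslash is required),
# copy the folder out with robocopy, then remove the link. The snapshot itself is untouched.
cmd.exe /c mklink /d $LinkPath "$($snap.DeviceObject)\" | Out-Null
try {
    robocopy (Join-Path $LinkPath $SourceFolder) $Destination /E /COPY:DAT /R:1 /W:1 /NP
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }
} finally {
    cmd.exe /c rmdir $LinkPath | Out-Null
}
```

Check the snapshot list before trusting anything it returns: a snapshot dated after the infection can already contain encrypted copies, and if the list is empty there is nothing for Previous Versions or ShadowExplorer to show either, which leaves only the file-recovery tools listed above.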

Essexboy, your fixlist is corrupt…


CreateRestorePoint: 
HKU\S-1-5-21-647318403-2781176004-678025337-1000\...\Run: [bcikmao] => rundll32 "C:\Users\Amy\AppData\Local\bcikmao.dll",bcikmao <===== ATTENTION
HKU\S-1-5-21-647318403-2781176004-678025337-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=302&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=5177583206234813&q={searchTerms}
Toolbar: HKU\S-1-5-21-647318403-2781176004-678025337-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF user.js: detected! => C:\Users\Amy\AppData\Roaming\Mozilla\Firefox\Profiles\48khy07d.default\user.js
S1 hwckyfat; \??\C:\Windows\system32\drivers\hwckyfat.sys [X]
2015-01-24 15:24 - 2015-01-24 15:24 - 00000000 ____D () C:\Users\Amy\AppData\Local\{622F9705-ACD5-430D-BBDB-224FC8247580}
2015-01-18 14:19 - 2015-01-18 14:19 - 00000000 ____D () C:\Users\Amy\AppData\Local\{FBF12A43-609D-4932-8C44-299158629CAB}
2014-11-09 18:41 - 2014-11-09 18:41 - 0000448 ____H () C:\Users\Amy\AppData\Roaming\麽鎒駓覜
C:\$Recycle.Bin\S-1-5-21-647318403-2781176004-678025337-1000\$3b99f81f31d5dbab1bcf87d0107a285a
2014-11-09 18:41 - 2014-11-10 10:09 - 0000424 _____ () C:\ProgramData\@system.temp
2014-11-09 18:41 - 2014-11-10 10:10 - 0000160 ____H () C:\ProgramData\@system3.att
C:\Windows\system32\drivers\hwckyfat.sys
2012-01-21 10:08 - 2012-01-21 10:08 - 0000000 _____ () C:\Users\Amy\AppData\Local\{149C81A7-D9D7-4457-A597-108B4251E4AB}
2011-11-02 16:56 - 2011-11-02 16:56 - 0000000 _____ () C:\Users\Amy\AppData\Local\{169F26E5-C244-45B1-A7AE-99B0FFB53F4D}
2011-11-02 16:58 - 2011-11-02 16:58 - 0000000 _____ () C:\Users\Amy\AppData\Local\{320B31F7-C1D8-4747-9DD8-2C669DF61F19}
2012-01-18 20:09 - 2012-01-18 20:09 - 0000000 _____ () C:\Users\Amy\AppData\Local\{99D65A07-D8F7-471A-B3CE-BC405167195A}
2011-11-19 13:58 - 2011-11-19 13:58 - 0000000 _____ () C:\Users\Amy\AppData\Local\{F88A561F-B182-4E43-922D-AE95FFA02E06}
2011-11-18 17:56 - 2011-11-18 17:56 - 0000000 _____ () C:\Users\Amy\AppData\Local\{FFDFBAD4-44A0-4808-8D45-81432DBD3AA0}
C:\Users\Amy\AppData\Local\bcikmao.dll
CustomCLSID: HKU\S-1-5-21-647318403-2781176004-678025337-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File Path
Task: {003CDB6E-3F14-4FF1-837D-1339D29CFCD3} - System32\Tasks\UpdaterEX => C:\Users\Amy\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\Amy\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
CMD: del /F /Q /S "C:\DECRYPT_INSTRUCTION.TXT"
CMD: del /F /Q /S "C:\DECRYPT_INSTRUCTION.TXT"
CMD: del /F /Q /S "C:\DECRYPT_INSTRUCTION.URL"
EmptyTemp: 
CMD: bitsadmin /reset /allusers

Not really, as it has Unicode in it, hence the downloadable fixlist :)

Fixlog attached. FRST ran all night, and I finally killed it off this morning, and restarted it. This time it finished in 5-10 minutes.

Bet you have a lot more space on your drive though.

EmptyTemp: => Removed 12.1 GB temporary data.

I hate this forum software and the way it distorts my texts

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: 
HKU\S-1-5-21-647318403-2781176004-678025337-1000\...\Run: [bcikmao] => rundll32 "C:\Users\Amy\AppData\Local\bcikmao.dll",bcikmao <===== ATTENTION
C:\Users\Amy\AppData\Local\bcikmao.dll
HKU\S-1-5-21-647318403-2781176004-678025337-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=302&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=5177583206234813&q={searchTerms}
SearchScopes: HKLM-x32 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=302&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=5177583206234813&q={searchTerms}
Toolbar: HKU\S-1-5-21-647318403-2781176004-678025337-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
2015-01-24 15:24 - 2015-01-24 15:24 - 00000000 ____D () C:\Users\Amy\AppData\Local\{622F9705-ACD5-430D-BBDB-224FC8247580}
2015-01-18 14:19 - 2015-01-18 14:19 - 00000000 ____D () C:\Users\Amy\AppData\Local\{FBF12A43-609D-4932-8C44-299158629CAB}
2012-01-21 10:08 - 2012-01-21 10:08 - 0000000 _____ () C:\Users\Amy\AppData\Local\{149C81A7-D9D7-4457-A597-108B4251E4AB}
2011-11-02 16:56 - 2011-11-02 16:56 - 0000000 _____ () C:\Users\Amy\AppData\Local\{169F26E5-C244-45B1-A7AE-99B0FFB53F4D}
2011-11-02 16:58 - 2011-11-02 16:58 - 0000000 _____ () C:\Users\Amy\AppData\Local\{320B31F7-C1D8-4747-9DD8-2C669DF61F19}
2012-01-18 20:09 - 2012-01-18 20:09 - 0000000 _____ () C:\Users\Amy\AppData\Local\{99D65A07-D8F7-471A-B3CE-BC405167195A}
2011-11-19 13:58 - 2011-11-19 13:58 - 0000000 _____ () C:\Users\Amy\AppData\Local\{F88A561F-B182-4E43-922D-AE95FFA02E06}
2011-11-18 17:56 - 2011-11-18 17:56 - 0000000 _____ () C:\Users\Amy\AppData\Local\{FFDFBAD4-44A0-4808-8D45-81432DBD3AA0}
2014-11-09 18:41 - 2014-11-10 10:09 - 0000424 _____ () C:\ProgramData\@system.temp
2014-11-09 18:41 - 2014-11-10 10:10 - 0000160 ____H () C:\ProgramData\@system3.att
C:\$Recycle.Bin\S-1-5-21-647318403-2781176004-678025337-1000\$3b99f81f31d5dbab1bcf87d0107a285a
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\Amy\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {003CDB6E-3F14-4FF1-837D-1339D29CFCD3} - System32\Tasks\UpdaterEX => C:\Users\Amy\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
CMD: del /F /Q /S "C:\DECRYPT_INSTRUCTION.TXT"
CMD: del /F /Q /S "C:\DECRYPT_INSTRUCTION.URL"
2014-11-09 18:41 - 2014-11-09 18:41 - 0000448 ____H () C:\Users\Amy\AppData\Roaming\麽鎒駓覜
EmptyTemp: 
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Updated FRST log

AdwCleaner Log

How is the computer behaving now ?

Haven’t really been using the computer. I downloaded and ran Recuva to see if it would help restore the corrupted files. It’s been running for 2 days and isn’t done yet. I’ll post again once that scan is finished.
Thanks for all of the help. I’m really hoping that there’s a way to recover the corrupted files without restoring each one from the OneDrive file history. Some of the files were created during or after the phase where the computer got hit, so there’s no previous version that isn’t corrupted to restore.
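The two problems raised in the post above, restoring OneDrive versions one at a time and files that have no clean version at all, can be handled in one pass. The script below is an added example and is not code from the thread, from Microsoft or from any tool named in it: it identifies encrypted files in the local OneDrive folder by their header bytes (the cause of the "file is corrupt" message), asks the Microsoft Graph API for each file's version history, restores the newest version modified before the infection, and lists the files for which no such version exists. Assumptions, none of them from the original post: a Graph access token with Files.ReadWrite scope in $env:GRAPH_TOKEN, the default OneDrive sync folder, a placeholder infection date, and a signature table that covers only the listed file types.

```powershell
# Added example, not part of the thread: find the files CryptoWall encrypted in the local
# OneDrive folder by checking their headers, then restore the newest PRE-infection version of
# each from OneDrive's version history via the Microsoft Graph API, and list the files for which
# no such version exists (those created or first synced while the machine was infected).
# Assumed (placeholders, not from the original post): $env:GRAPH_TOKEN holds a Graph access
# token with Files.ReadWrite scope, the OneDrive folder is the default sync root, the infection
# date, and the signature table below (it covers only these types; others are skipped).
$OneDriveRoot  = Join-Path $env:USERPROFILE 'OneDrive'
$InfectionDate = (Get-Date '2014-11-09').ToUniversalTime()
$Graph         = 'https://graph.microsoft.com/v1.0/me/drive'
$Headers       = @{ Authorization = "Bearer $env:GRAPH_TOKEN" }

# Leading bytes a healthy file of each type must start with. Encrypted output is random,
# so a mismatch is what Word/Excel report as "the file is corrupt and cannot be opened".
$Signatures = @{
    '.docx' = [byte[]](0x50,0x4B,0x03,0x04)   # ZIP container: "PK\x03\x04"
    '.xlsx' = [byte[]](0x50,0x4B,0x03,0x04)
    '.pptx' = [byte[]](0x50,0x4B,0x03,0x04)
    '.doc'  = [byte[]](0xD0,0xCF,0x11,0xE0)   # OLE compound document
    '.xls'  = [byte[]](0xD0,0xCF,0x11,0xE0)
    '.pdf'  = [byte[]](0x25,0x50,0x44,0x46)   # "%PDF"
    '.jpg'  = [byte[]](0xFF,0xD8,0xFF)
    '.png'  = [byte[]](0x89,0x50,0x4E,0x47)
}

function Test-LooksEncrypted([System.IO.FileInfo]$File) {
    $expected = $Signatures[$File.Extension.ToLower()]
    if (-not $expected) { return $false }                 # unknown type: cannot judge from the header
    if ($File.Length -lt $expected.Length) { return $true }
    $stream = $File.OpenRead()
    try {
        $head = New-Object byte[] $expected.Length
        [void]$stream.Read($head, 0, $head.Length)
    } finally { $stream.Dispose() }
    for ($i = 0; $i -lt $expected.Length; $i++) {
        if ($head[$i] -ne $expected[$i]) { return $true }
    }
    return $false
}

function Restore-PreInfectionVersion([string]$RelativePath) {
    # Address the item by path, list its versions, keep the newest one modified before the infection.
    $urlPath  = ($RelativePath -split '[\\/]' | ForEach-Object { [uri]::EscapeDataString($_) }) -join '/'
    $item     = Invoke-RestMethod -Headers $Headers -Uri "$Graph/root:/$urlPath"
    $versions = (Invoke-RestMethod -Headers $Headers -Uri "$Graph/items/$($item.id)/versions").value
    $clean = $versions |
        Where-Object { ([DateTime]$_.lastModifiedDateTime).ToUniversalTime() -lt $InfectionDate } |
        Sort-Object { [DateTime]$_.lastModifiedDateTime } -Descending |
        Select-Object -First 1
    if (-not $clean) { return $null }                     # no clean version exists for this file
    Invoke-RestMethod -Method Post -Headers $Headers `
        -Uri "$Graph/items/$($item.id)/versions/$($clean.id)/restoreVersion" | Out-Null
    return $clean.lastModifiedDateTime
}

$noCleanVersion = New-Object System.Collections.Generic.List[string]
Get-ChildItem -Path $OneDriveRoot -Recurse -File | ForEach-Object {
    if (-not (Test-LooksEncrypted $_)) { return }         # 'return' acts as 'continue' in ForEach-Object
    $rel = $_.FullName.Substring($OneDriveRoot.Length + 1)
    $restoredFrom = Restore-PreInfectionVersion $rel
    if ($restoredFrom) { Write-Host "restored $rel from version of $restoredFrom" }
    else               { $noCleanVersion.Add($rel) }
}
Write-Host "$($noCleanVersion.Count) encrypted file(s) have no pre-infection version:"
$noCleanVersion | ForEach-Object { Write-Host "  $_" }
```

Restoring a version makes it the current one, so the sync client then pulls the clean copy down over the encrypted local file. Run this only after the machine has been cleaned: the thread above shows what happens otherwise, the client syncs the encrypted files straight back up. The ransom note files (DECRYPT_INSTRUCTION.TXT and .URL) have no entry in the signature table and are left alone; the files that end up in the "no pre-infection version" list are exactly the ones the post says were created during the infection, and for those the only remaining options are the file-recovery tools suggested earlier.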

I would recommend that you install the following programme on all computers as this will reduce the ability of ransomware to run

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG