Recovering from Cryptowall 3.0 Ransomware virus....

stuzz78

posted Oct 7 '15 at 5:34 am

If you don't mind, I'd be curious to know (if you know) how you caught the virus. Was it simply user error, or were you let down by some other security system?

If you don't mind, I'd be curious to know (if you know) how you caught the virus. &nbsp;Was it simply user error, or were you let down by some other security system?

shawnhalf

posted Oct 4 '15 at 10:19 pm

Hello fellow Pegasus users... the other day I got hit with that cursed Cryptowall virus where your files get encrypted and the only way to decrypt them is to pay the $500 ransom. Fortunately, I have a pretty recent backup to restore my important stuff though and I can hold on to my $500. I am however, trying to get my Pegasus v4.6 back up to snuff (I use Windows XP). I can launch Pegasus, but during the launch it displays this error window:

" ---------------------------
SpamHalter
---------------------------
SpamHalter cannot initialize database!

Bayesian filtering cannot be used until you fix or delete your database!
For delete database remove all files in your mail directory with names
starting with "words4.db3" and "white4.db3".
Then you must start Pegasus Mail again.

Database error is:
Error executing SQL.
Error [26]: File opened that is not a database file.
"PRAGMA auto_vacuum": file is encrypted or is not a database"

Clicking OK on that proceeds with the Pegasus loading and it opens up successfully. Most things look alright - my new mail is still in the New Mail Folder and all my Saved Folders still appear to be there. However, when I click TOOLS|EXTENSIONS, "Extensions Manager" is now greyed out. I had 3 POP3 mailboxes set to in Pegasus to retrieve their mail and now they are gone.

I ran a handy utility that lists all the files that the CryptoWall virus encrypted... the Pegasus files that were affected were:

C:\PMAIL\MAIL\FOL03497.ZIP
C:\PMAIL\MAIL\Mainpmi.bak
C:\PMAIL\MAIL\Mainpmm.bak
C:\PMAIL\MAIL\words4.db3
C:\PMAIL\Programs\BearTLDs.txt
C:\PMAIL\Programs\FreeImage-license.txt
C:\PMAIL\Programs\IERenderer.fff
C:\PMAIL\Programs\RESOURCE\bpanel.txt
C:\PMAIL\Programs\RESOURCE\order32.fff
C:\PMAIL\Programs\RESOURCE\rasdial.zip
C:\PMAIL\Programs\RESOURCE\template.txt
C:\PMAIL\Programs\RESOURCE\winpmdde.txt
C:\PMAIL\Programs\bcard32.fff
C:\PMAIL\Programs\bearhtml_readme.txt
C:\PMAIL\Programs\bearwarn.txt
C:\PMAIL\Programs\finger32.fff
C:\PMAIL\Programs\hangup32.txt
C:\PMAIL\Programs\libiconv.txt
C:\PMAIL\Programs\manual.pdf
C:\PMAIL\Programs\mlmrge32.fff
C:\PMAIL\Programs\mltpop32.fff
C:\PMAIL\Programs\order32.fff
C:\PMAIL\Programs\ph32.fff
C:\PMAIL\Programs\ppass32.fff
C:\PMAIL\Programs\pr2dis.txt
C:\PMAIL\Programs\predis.txt
C:\PMAIL\Programs\readme.txt
C:\PMAIL\Programs\tphone32.fff
C:\PMAIL\Programs\wldap32.fff

I do have good backups of all of these. I'm wondering if I just restore these good files, will my POP3 mailbox extensions re-appear and all be well? Conversely (or additionally), should I just install a new clean copy of the new Pegasus Mail v4.7? If so, is it just a matter of installing v4.7 right over on top of my existing v4.6 installation?

Thank You!

Shawn

Hello fellow Pegasus users... the other day I got hit with that cursed Cryptowall virus where your files get encrypted and the only way to decrypt them is to pay the $500 ransom. Fortunately, I have a pretty recent backup to restore my important stuff though and I can hold on to my $500. I am however, trying to get my Pegasus v4.6 back up to snuff (I use Windows XP). I can launch Pegasus, but during the launch it displays this error window:" --------------------------- SpamHalter --------------------------- SpamHalter cannot initialize database! Bayesian filtering cannot be used until you fix or delete your database! For delete database remove all files in your mail directory with names starting with "words4.db3" and "white4.db3". Then you must start Pegasus Mail again. Database error is: Error executing SQL. Error [26]: File opened that is not a database file. "PRAGMA auto_vacuum": file is encrypted or is not a database" &nbsp;Clicking OK on that proceeds with the Pegasus loading and it opens up successfully. Most things look alright - my new mail is still in the New Mail Folder and all my Saved Folders still appear to be there. However, when I click TOOLS|EXTENSIONS, "Extensions Manager" is now greyed out. I had 3 POP3 mailboxes set to in Pegasus to retrieve their mail and now they are gone. &nbsp;&nbsp; I ran a handy utility that lists all the files that the CryptoWall virus encrypted... the Pegasus files that were affected were: C:\PMAIL\MAIL\FOL03497.ZIP C:\PMAIL\MAIL\Mainpmi.bak C:\PMAIL\MAIL\Mainpmm.bak C:\PMAIL\MAIL\words4.db3 C:\PMAIL\Programs\BearTLDs.txt C:\PMAIL\Programs\FreeImage-license.txt C:\PMAIL\Programs\IERenderer.fff C:\PMAIL\Programs\RESOURCE\bpanel.txt C:\PMAIL\Programs\RESOURCE\order32.fff C:\PMAIL\Programs\RESOURCE\rasdial.zip C:\PMAIL\Programs\RESOURCE\template.txt C:\PMAIL\Programs\RESOURCE\winpmdde.txt C:\PMAIL\Programs\bcard32.fff C:\PMAIL\Programs\bearhtml_readme.txt C:\PMAIL\Programs\bearwarn.txt C:\PMAIL\Programs\finger32.fff C:\PMAIL\Programs\hangup32.txt C:\PMAIL\Programs\libiconv.txt C:\PMAIL\Programs\manual.pdf C:\PMAIL\Programs\mlmrge32.fff C:\PMAIL\Programs\mltpop32.fff C:\PMAIL\Programs\order32.fff C:\PMAIL\Programs\ph32.fff C:\PMAIL\Programs\ppass32.fff C:\PMAIL\Programs\pr2dis.txt C:\PMAIL\Programs\predis.txt C:\PMAIL\Programs\readme.txt C:\PMAIL\Programs\tphone32.fff C:\PMAIL\Programs\wldap32.fff &nbsp;I do have good backups of all of these. I'm wondering if I just restore these good files, will my POP3 mailbox extensions re-appear and all be well? Conversely (or additionally), should I just install a new clean copy of the new Pegasus Mail v4.7? If so, is it just a matter of installing v4.7 right over on top of my existing v4.6 installation?&nbsp;Thank You!&nbsp;&nbsp; Shawn&nbsp;&nbsp;

Brian Fluet

posted Oct 5 '15 at 2:04 am

The files in C:\PMAIL\MAIL are odd. The words4.db3 should be in a mailbox directory. If it is the one Spamhalter is using then you may need to copy a good one from a mailbox directory to this location and then retrain Spamhalter. The other files look like backups you made during past troubleshooting so probably are not important. I would move them all four of these files out of there with the ultimate intent of deleting them.

As for the files in C:\PMAIL\Programs, they are program file so either a restore from backup or a reinstall will fix them. I suggest a restore from backup. I don't think an install of a new version is wise until you get it functioning properly again, unless you want to start from scratch and then restore the data from the old mailboxe(s) to new the one(s).

If the encrypted file list is accurate you have dodged a bullet by not having any mailbox files affected. This means that the POP3 configuration files should be intact though I can't explain why they aren't visible. Restore the program files and then test to see what happens. Keep your backup safe as you may need to recover additional files from it.

&nbsp; The files in C:\PMAIL\MAIL are odd.&nbsp; The words4.db3 should be in a mailbox directory.&nbsp; If it is the one Spamhalter is using then you may need to copy a good one from a mailbox directory to this location and then retrain Spamhalter.&nbsp; The other files look like backups you made during past troubleshooting so probably are not important.&nbsp; I would move them all four of these files out of there with the ultimate intent of deleting them. As for the files in C:\PMAIL\Programs, they are program file so either a restore from backup or a reinstall will fix them.&nbsp; I suggest a restore from backup.&nbsp; I don't think an install of a new version is wise until you get it functioning properly again, unless you want to start from scratch and then restore the data from the old mailboxe(s) to new the one(s). If the encrypted file list is accurate you have dodged a bullet by not having any mailbox files affected.&nbsp; This means that the POP3 configuration files should be intact though I can't explain why they aren't visible.&nbsp; Restore the program files and then test to see what happens.&nbsp; Keep your backup safe as you may need to recover additional files from it.

shawnhalf

posted Oct 5 '15 at 5:19 am

SUCCESS!!! Thank you so much Brian... everything works perfect now, and I did not lose one thing!

I copied back the words4.db3 file from my backup and it immediately solved that particular problem! Then as I began copying back the files from the PMAIL/PROGRAMS folder a few at a time, and I'd re-enter Pegasus Mail each time to see what effect they were having. Here's something interesting I learned - those little files ending with ".fff" - each one of those correspond to a menu entry in the EXTENSIONS drop-down menu. When I restored the MLTPOP32.FFF file, bango, my "MultiPOP" menu item returned... with all my POP box definitions and parameters intact!

So everything is great now - right back to how I was without missing a beat. Thank you so much Brian!

Cheers

Shawn

SUCCESS!!! Thank you so much Brian... everything works perfect now, and I did not lose one thing!&nbsp;I copied back the words4.db3 file from my backup and it immediately solved that particular problem! Then as I began copying back the files from the PMAIL/PROGRAMS folder a few at a time, and I'd re-enter Pegasus Mail each time to see what effect they were having. Here's something interesting I learned - those little files ending with ".fff" - each one of those correspond to a menu entry in the EXTENSIONS drop-down menu. When I restored the MLTPOP32.FFF file, bango, my "MultiPOP" menu item returned... with all my POP box definitions and parameters intact! &nbsp;So everything is great now - right back to how I was without missing a beat. Thank you so much Brian!&nbsp;Cheers&nbsp; &nbsp; Shawn&nbsp;

Related Topics

Pending draft

Confirm move posts

Insufficient permissions

Select a different topic

Edit history