File extension changed to .datawait

Solved/Closed
hanif_99 Posts 3 Registration date Monday November 5, 2018 Status Member Last seen November 6, 2018 - Updated on Nov 5, 2018 at 06:16 PM
Jean-François Pillou Posts 18668 Registration date Monday February 15, 1999 Status Webmaster Last seen January 12, 2022 - Nov 26, 2018 at 11:53 AM
hi

my jpeg and cr2 file change extension like(sample.jpeg.datawait and sample cr2.datawait)

i already format and reinstall windows and make new partitions.

all jpeg and cr2 file in my external hard disk .and i recopy to desktop after reinstalling window but file cant open


uplode 3 file here: [XXXXXXX]



please give me a solution.
thank you

11 replies

Anonymous User
Nov 5, 2018 at 06:13 PM
Have you connected to a UNIX server over a local network or VPN.?

To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a report.

1. Open this link and download ZHPDiag :
https://nicolascoolman.eu
(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message, ignore it.) Click on the download button

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

(For Vista, Win 7, 8 and 10 users, click right to ensure you run with admin right)

4. Double click on the short cut ZHPDiag on your Destktop.

5 Click on scan
Wait for the tool to finished (maybe a long time)

6. Close ZHPDiag.

7. To transmit the report, click on this link :

http://www.tinyupload.com/index.php

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
9. Copy the url link obtained from tinyupload and paste it here in your reply.

CCM Community Manager and Virus/Security Contributor
2
http://s000.tinyupload.com/?file_id=21016285095519829337
0
Anonymous User > raj
Nov 12, 2018 at 05:36 PM
You are using a hacking tool for office software for that reason, we cannot help you remove any virus.

Sorry
0
lamalolipop Posts 2 Registration date Monday November 12, 2018 Status Member Last seen November 12, 2018
Nov 12, 2018 at 01:50 PM
0
Anonymous User > lamalolipop Posts 2 Registration date Monday November 12, 2018 Status Member Last seen November 12, 2018
Nov 12, 2018 at 05:31 PM
@lamalolipop

You are also using a hacking programme for that reason, we cannot help you remove any virus.
0
lamalolipop > Anonymous User
Nov 12, 2018 at 06:31 PM
what program?
Is that 'adblock'?
0
Jean-François Pillou Posts 18668 Registration date Monday February 15, 1999 Status Webmaster Last seen January 12, 2022
Nov 26, 2018 at 11:53 AM
Hello,

Datawait is a Ransomware, which means a malware that encrypts your file and ask for money in order to decrpyt them.

If, by chance, this ransomware did not corrupt your restore points, you can try to restore your system to a restore point before the computer was infected.
2
Blocked Profile
Nov 5, 2018 at 05:02 PM
upload a screenshot. I beleive another moderator has already explained that Datawait is a sign of a virus. If your files have changed formats, and you DID NOT INSTALL anything, IT IS A VIRUS!
0
hanif_99 Posts 3 Registration date Monday November 5, 2018 Status Member Last seen November 6, 2018
Updated on Nov 6, 2018 at 04:55 PM
hi

my jpeg and cr2 file change extension like(sample.jpeg.datawait and sample cr2.datawait)

i already format and reinstall windows and make new partitions.

all jpeg and crs file in my external hard disk and recopy to desktop.but file cant open


uplode 3 file here: [XXXXX removed. We cannot offer posible virus infected files to be distributed. We asked for a screen shot, not of the files. Thank you for understanding. Mark Moderator]

please give me a salution.
thank you
0
hanif_99 Posts 3 Registration date Monday November 5, 2018 Status Member Last seen November 6, 2018
Updated on Nov 7, 2018 at 02:44 PM
hi thank you for replay.

sir i am already format hardisk make new partition and reinstall window . i have avast pro and antimalawerbit. before format hardisk i save all jpeg and cr2 file in my external harddisk.than i recopy my jpeg and cr2 file on c: desktop. no virus found. here link of my files .for better you understand my problem.

<REMOVED as it links to an infected file]
0

Didn't find the answer you are looking for?

Ask a question
Anonymous User
Nov 6, 2018 at 05:41 PM
Just what I expected.

Your external hard disk is infected by a worm and as soon as you connect and open your external hard disk you also reinfect your computer with the same worm.

No antivirus software can prevent worm infections. Having two antivirus software will create conflicts, you should have only one.

Do you wish to know how to get rid of the worm virus?

P.S. It's not replay by reply.:-)
0
i have this problem how can I fi it please help
0
Pduke Posts 1 Registration date Friday November 9, 2018 Status Member Last seen November 9, 2018
Updated on Nov 9, 2018 at 10:54 AM
Same here, any help?
0
mahdi97 Posts 1 Registration date Friday November 9, 2018 Status Member Last seen November 9, 2018
Updated on Nov 13, 2018 at 08:45 AM
help me ,virus in my pc , message virus
==================================!ATTENTION PLEASE!===========================================

Your databases, files, photos, documents and other important files are encrypted and have the extension: .DATAWAIT
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Discount 50% avaliable if you contact us first 72 hours.

===============================================================================================

E-mail address to contact us:
BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch

Reserve e-mail address to contact us:
XXXXXXX

Your personal id:
XXXXXXX
0
and my pc infected by virus , this message from virus


==================================!ATTENTION PLEASE!===========================================

Your databases, files, photos, documents and other important files are encrypted and have the extension: .DATAWAIT
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail ***@*** send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Discount 50% avaliable if you contact us first 72 hours.

===============================================================================================

E-mail address to contact us:
***@***

Reserve e-mail address to contact us:
***@***

Your personal id:
003zS4VZvMkabFnY14Vkdq6lt6m9L2x0DtGR9XJ1zuV




any help
0
Blocked Profile
Nov 9, 2018 at 05:56 PM
Looks like we have one in the wild!
0
Anonymous User > Blocked Profile
Nov 9, 2018 at 06:11 PM
Yes indeed. Very interesting however. Files extensions are changed to .jpeg.datawait. Microsoft can't find a solution and is referring people here which is flattering.

It could be ransomware. In which case there is always a way to decrypt the files. I have asked the top expert in the matter on the French site. I am waiting for his reply.

If usb fix doesn't work, but find the solution, we will have a party, kind of a wiener roast with tall cool refreshing beverages. For I don't know of any man, woman or child who doesn't enjoy a cool refreshing beverage.
0
renegard Posts 6 Registration date Friday November 9, 2018 Status Member Last seen November 10, 2018 > Anonymous User
Nov 10, 2018 at 02:32 PM
Someone has deleted my message to the answer from the .datawait blackmailer (E-Mail mentioned before)! Therefore here again the dirty statement:

Hello!

Your test decrypted files attached to the letter.

You need to purchase an decrypt software and unique private key.
After you will get software, start it and decrypt all your data.

Price of private key and decrypt software is 0.05 bitcoin.
0.05 bitcoin ~ 290 usd.

Before paying you can send to us up to 3 files for free decryption.
Send us your personal ID too.
Please note that files must NOT contain valuable information.

After payment we answer all your questions about server safety.
Now strictly recommend close internet connection on server.

The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller by payment method and price.
Video manual:
1 - You need register localbitcoins account:
https://www.youtube.com/watch?v=6Lx-W8Kxlq4

2 - Buy bitcoins in localbitcoins video:
https://www.youtube.com/watch?v=hzHLeeU1tFE

3 - Send your bitcoins to our wallet video manual:
https://www.youtube.com/watch?v=u6CTDz7SXEU


Any bitcoin exchangers:
https://www.bitstamp.net/ - Big BTC exchanger
https://www.coinbase.com/ - Other big BTC exchanger
https://btcdirect.eu/ - Best for Europe
https://coincafe.com/ - Recommended for fast, many payment methods
https://bittylicious.com/ - Good service for Europe and World
https://www.247exchange.com/ - Other exchanger
https://paxful.com/buy-bitcoin/ - Other exchanger


Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
0
renegard Posts 6 Registration date Friday November 9, 2018 Status Member Last seen November 10, 2018
Nov 9, 2018 at 06:57 PM
Basic question: Is now a solution in sight? My computer is infected as well with this stupid .datawait extension!
Help is necessary. Please do your best. Thanks
0
Anonymous User > renegard Posts 6 Registration date Friday November 9, 2018 Status Member Last seen November 10, 2018
Nov 9, 2018 at 07:18 PM
I will publish a solution on this thread here tomorrow. Just stay tune.

P.S. Did you ever open an email from an unknown source or attachment thereof ?
0
gobang80 Posts 1 Registration date Saturday November 10, 2018 Status Member Last seen November 10, 2018
Nov 10, 2018 at 01:00 PM
i have a same problem, DATAWAIT... n malware too .
i already try to clean it, but it not works.
i found File virus with name qlscxb.ex* n try to delete it with cmd promt nbut it cant .
i hope someone can help me to fix the problem
ty
0
renegard Posts 6 Registration date Friday November 9, 2018 Status Member Last seen November 10, 2018
Updated on Nov 12, 2018 at 04:38 PM
Here is the statement you'll receive from the gangsters (savefiles@india.com) if you ask, to get the decrypt software to restore the infacted .datawait files:

Hello!

Your test decrypted files attached to the letter.

You need to purchase an decrypt software and unique private key.
After you will get software, start it and decrypt all your data.

Price of private key and decrypt software is 0.05 bitcoin.
0.05 bitcoin ~ 290 usd.

Before paying you can send to us up to 3 files for free decryption.
Send us your personal ID too.
Please note that files must NOT contain valuable information.

After payment we answer all your questions about server safety.
Now strictly recommend close internet connection on server.

The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller by payment method and price.
Video manual:

1 - You need register localbitcoins account:
REMOVED

2 - Buy bitcoins in localbitcoins video:
REMOVED

3 - Send your bitcoins to our wallet video manual:
REMOVED

Any bitcoin exchangers:
REMOVED

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
0
Greetings to you all

.datawait is a ransomware which encrypts files. Those of you who became the victims probably have done so by downloading and opening an email attachment or a malicious website.

Changing the file extension is useless. Restoring your system is also useless. There is no third party software able to decrypt the files. The malware can be removed from your computer but the files will remain encrypted do not waste your money with a 3rd party software.

Now paying the pirates will encourage them to continue their evil deed, develop more ransomware even to infect your computer again. Keep in mind that the pirates are dishonest thieves, they have no honour. Suppose you send them money there is no guarantee that they will send you the decryption formula (if there is one) especially that the same formula could be distributed on all forum such as this one for free.

According to our experience, pirates know how to encrypt but don't know the solution to decrypt or clean their own dirt.

Nowadays, most ransomware and scam call centres seems to origin from India.

In order to find if there is an existing decrypting tool, we must identify the variant of the ransomware.

I would appreciate if any two of you members would go to the following site fill the form and report the results here.

Here is the site

https://id-ransomware.malwarehunterteam.com/

Also, could one of you go to #3 above and produce a ZHP Diag log, which may help me to identify all the systems files which were infected or malware.

Good luck

Jules
Community Manager and Virus/Security Contributor
0
I will go and report but however I sent email to the pirates and they decrypted samples
they asked for 290 dollars this is craziness
plz can we get our fles back or is it permanent??
0
by the way I have already uploaded all requested information to that link yasterday
0
This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.
Identified by

ransomnote_email: ***@***
ransomnote_bitmessage: BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h
Click here for more information about STOP

Would you like to be notified if there is any development regarding this ransomware? Click here.
0
Anonymous User > loly
Nov 10, 2018 at 06:13 PM
Thank you loly,

Obviously this is new variant. I suggest you be very careful communicating with those scoundrels, they may have remote access to your computer. Most ransomware install Trojan horses.

Of course they will charge a lot of money as for many some files are precious.

It may still be able to recover all or some of your files however we must first rid of the malware on your computer otherwise, files will again get encrypted.

ZHP Diag?
0
I did not do the ZHP diag yet ...I will do it now
thank u for ur concern and help
much appreciated
0