Avast WEBforum

Other => Viruses and worms => Topic started by: Hadi5 on December 25, 2018, 01:53:56 PM

Title: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
Post by: Hadi5 on December 25, 2018, 01:53:56 PM
On my PC I have:
C:Windows 7
D:Windows xp
Avast Internet Security

Hello everybody, I don't know IT, but I'm glad I can ask friends for help!

On Dec.14.2018 around 13:10 PM, a few minutes after I turned on the PC, I got a black screen and there was Gandcrab v.5.0.4 with its note... saying all my files are encrypted and so on... and only after a while I realized the DISASTER... The first since I have had a computer.
Unfortunately I don't have any backup of my other partitions (except S: system, C: win.7 and D: win.xp), so I have to wait until "Angels" have success with a Decryption Tool against this version of Gandcrab.

I ran Smart Scan 2-3 times the day after, but nothing was found. Although Avast firewall had alerted 3 or 4 times the day before, when I was stupidly downloading freeware like iShare, Wondershare, iTools and such crazy things for some reason...

I started searching the internet and found out that Malwarebytes could be the right one, so I installed it (latest version, Premium trial for two weeks) and scanned the PC... it found many files and some malware and PUPs and recommended removing them and restarting... so I did. Scanned again... everything was fine!!

So I removed Malwarebytes and reinstalled my Avast Internet Security again, and since then no more black screen, nothing... Although in the whole PC no file opens, except the ones in Avast File Shield.

My problems now:
  1) I'm not sure if my PC is clean now?
     _ because when I was going through the instruction's steps (report when infected), AdwCleaner found some 4 or 5 PUPs, some of which I had not seen before, which it then had to remove and restart the computer!
  2) Can I start restoring my systems?
     _ Using system restore points, or restoring from AOMEI backups (unfortunately both are on the same HDD, only a different partition).

These are probably very primitive questions, but an old retired person can be and is allowed to be a little scared though!
I don't really know what to do now.
Thanks for any help in advance.

PS: I have 3 more files to attach, where should I put them?
Title: Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
Post by: Pondus on December 25, 2018, 02:01:22 PM
Quote
PS: I have 3 more files to attach, where should I put them?
Reply to your post and attach in reply   ;)


Malware expert @Sass Drake is notified. It may take hours before he is online.


Title: Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
Post by: Hadi5 on December 25, 2018, 03:17:58 PM
Thanks a lot Pondus..
Here are the three remaining attachments:
_aswMBR.txt and _DelFix.txt

By the way, DelFix deleted all recent restore points I had, even the ones before infection!!
I think I had to uncheck the box for deleting them. The restore point of the day before infection was my hope. I mean WHY did you put DelFix there
and WHAT is so important about its log, and a system which has to be restored anyway??
One could uninstall and delete all this stuff manually...
THANKS again... and waiting for your HELP, FRIENDS...
Title: Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
Post by: Pondus on December 25, 2018, 04:10:25 PM
Why did you use DelFix?

It is a program that the malware expert will tell you to run after he is finished with his cleanup work.
DelFix will then remove all the tools he used, including itself.



Title: Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
Post by: Sass Drake on December 25, 2018, 09:10:19 PM
Code:
ShortcutWithArgument: C:\Users\Parvaneh\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\Users\Parvaneh\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
AlternateDataStreams: C:\ProgramData\Microsoft:a2sO1Wx35cCsrkETFL [2556]
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [152]
AlternateDataStreams: C:\ProgramData\TEMP:85E5F208 [147]
Title: Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
Post by: Hadi5 on January 04, 2019, 03:56:06 PM
Happy New Year 2019 AVAST TEAM,
and thanks to Sass Drake for getting involved. And sorry for being late to answer,

here is the requested log.txt attached,

PS: I could not send my reply from Win.7, many send tries ended with "error in verification typing",
so I'm trying with my XP (of which I found an old AOMEI backup somewhere and applied it). It works somehow better.
Hope this time it will be POSTED!

HEY, I just found out that the YEAR in the verification area is still 2018, so attention please when submitting a post!!
Title: Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
Post by: Sass Drake on January 04, 2019, 09:37:10 PM
Please post new FRST.txt and Addition.txt logs.
Title: Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
Post by: Hadi5 on January 05, 2019, 05:21:54 PM
Hi, here are the two FRST txt logs attached.
Thanks for your time..
Title: Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
Post by: Sass Drake on January 05, 2019, 08:34:38 PM
You don't have an active infection. As for lost files, you have to wait until someone makes a decryption tool.

Please rename FRST64.exe to uninstall.exe and run it. That should uninstall FRST.
Title: Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
Post by: Hadi5 on January 05, 2019, 11:45:49 PM
Alright sir, thank you,
I have to be patient like many others.
Title: Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
Post by: jperl13 on January 07, 2019, 01:00:19 AM
Check with Sass Drake and Pondus if this is possible:

https://www.nomoreransom.org/

https://www.nomoreransom.org/en/index.html

https://losvirus.es/ransomware-gandcrab-5-0-4/

https://translate.google.es/translate?hl=es&tab=wT&sl=es&tl=en&u=https%3A%2F%2Flosvirus.es%2Fransomware-gandcrab-5-0-4%2F