Author Topic: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?  (Read 1605 times)


Offline Hadi5

  • Newbie
  • *
  • Posts: 5
Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
« on: December 25, 2018, 01:53:56 PM »
On my PC I have:
C:Windows 7
D:Windows xp
Avast Internet Security

hello everybody, I don't know IT, but I'm glad, I can ask friends for help!

On Dec.14.2018 around 13:10 PM, a few minutes after I turned on the PC, I got black screen and there was Gandcrab v.5.0.4  with his note... saying all my files are encrypted and so on...and only after a while I realized the DISASTER...The first since I have computer.
Unfortunately I don't have any backup of my other partitions (except S: system, C: win.7 and D: win.xp), so I have to wait until "Angels" have success with a Decryption Tool against this version of Gandcrab.

I ran Smart Scan 2-3 times the day after, but nothing was found. Although Avast firewall had alerted 3 or 4 times the day before, when I was stupidly downloading freeware like iShare, wondershare, iTools and such crazy things for some reason...

I started searching on the internet and found out that Malwarebytes could be the right one, so I installed it (latest version, premium trial for two weeks) and scanned the PC....it found many files and some malware and PUPs, and recommended to remove them and restart...so I did. Scanned again...everything was fine !!

So I took Malwarebytes away and reinstalled my Avast Internet Security again, and since then no more black screen, nothing.. Although in the whole PC no file opens, except the ones in Avast File Shield.

My problems now:
  1) I'm not sure if my PC is clean now?
     _ because when I was going through the instruction steps (report when infected), AdwCleaner found some 4 or 5 PUPs, some of which I had not seen before, which it then had to remove and restart the computer!
  2) if I can start restoring my systems ?
     _ Using system restore points, or restoring from AOMEI backups (unfortunately both are on the same hdd, only a different partition).

These are probably very primitive questions, but an old retired person can be and is allowed to be a little scared though !
I don't really know what to do now.
Thanks for any help in advance.

PS: I have 3 more files to attach, where should I put them?

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35857
Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
« Reply #1 on: December 25, 2018, 02:01:22 PM »
Quote
PS: I have 3 more files to attach, where should I put them?
Reply to your post and attach in reply   ;)


Malware expert @Sass Drake is notified. It may take hours before he is online


« Last Edit: December 25, 2018, 02:03:00 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Hadi5

  • Newbie
  • *
  • Posts: 5
Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
« Reply #2 on: December 25, 2018, 03:17:58 PM »
Thanks a lot Pondus..
here are three rest attachments:
_aswMBR.txt and _DelFix.txt

By the way, DelFix deleted all recent restore points I had, even the ones before infection !!
I think I had to uncheck the box for deleting them. The Restore Point of the day before infection was my hope. I mean WHY did you put DelFix there and WHAT is so important about its log, and a system which has to be restored anyway??
One could uninstall and delete all this stuff manually...
THANKS again...and waiting for your HELP, FRIENDS...

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35857
Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
« Reply #3 on: December 25, 2018, 04:10:25 PM »
Why did you use DelFix?

It is a program that the malware expert will tell you to run after he is finished with his cleanup work.
DelFix will then remove all the tools he used, including itself.



« Last Edit: December 25, 2018, 07:45:06 PM by Pondus »


Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 705
Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
« Reply #4 on: December 25, 2018, 09:10:19 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
ShortcutWithArgument: C:\Users\Parvaneh\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\Users\Parvaneh\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
AlternateDataStreams: C:\ProgramData\Microsoft:a2sO1Wx35cCsrkETFL [2556]
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [152]
AlternateDataStreams: C:\ProgramData\TEMP:85E5F208 [147]
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
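
A read-only way to confirm afterwards whether the alternate data streams named in the fixlist above are still on disk, given as an added example that is not part of the original post and is not FRST's own code. It compares the fixlist's AlternateDataStreams lines against the text output of the Windows command `dir /R C:\ProgramData`; the English-locale output layout is an assumption, and the sample output embedded here is constructed.

```python
import ntpath
import re

# AlternateDataStreams entries copied from the fixlist in the post above.
FIXLIST = r"""AlternateDataStreams: C:\ProgramData\Microsoft:a2sO1Wx35cCsrkETFL [2556]
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [152]
AlternateDataStreams: C:\ProgramData\TEMP:85E5F208 [147]"""

# Constructed sample of `dir /R C:\ProgramData` output (not from the thread).
SAMPLE_DIR_R = r"""
 Directory of C:\ProgramData

04/01/2019  15:40    <DIR>          Microsoft
04/01/2019  15:40    <DIR>          TEMP
                                147 TEMP:85E5F208:$DATA
               0 File(s)              0 bytes
"""

# "<path>:<stream> [<size>]" as the fixlist lines on this page are written.
FIX_RE = re.compile(r"^AlternateDataStreams:\s+(.+?):([^:\s]+)\s+\[\d+\]\s*$")
# Header and stream lines of English-locale `dir /R` output (assumed layout).
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
STREAM_RE = re.compile(r"^\s+[\d.,]+\s+(.+?):([^:]+):\$DATA\s*$")

def parse_fixlist(text):
    """Return (path, stream) pairs for every AlternateDataStreams line."""
    pairs = []
    for line in text.splitlines():
        m = FIX_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def parse_dir_r(text):
    """Return the set of (full path, stream) seen in `dir /R` output, lowercased."""
    found, cwd = set(), ""
    for line in text.splitlines():
        d = DIR_RE.match(line)
        if d:
            cwd = d.group(1)
            continue
        s = STREAM_RE.match(line)
        if s:
            found.add((ntpath.join(cwd, s.group(1)).lower(), s.group(2).lower()))
    return found

def still_present(fixlist_text, dir_r_text):
    """Fixlist streams that still appear in the directory listing."""
    seen = parse_dir_r(dir_r_text)
    return [(p, s) for p, s in parse_fixlist(fixlist_text)
            if (p.lower(), s.lower()) in seen]

if __name__ == "__main__":
    for path, stream in still_present(FIXLIST, SAMPLE_DIR_R):
        print("still present: %s:%s" % (path, stream))
```

To check a real machine, save the output of `dir /R C:\ProgramData` to a text file and pass its contents in place of the constructed sample.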

Offline Hadi5

  • Newbie
  • *
  • Posts: 5
Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
« Reply #5 on: January 04, 2019, 03:56:06 PM »
Happy New Year 2019 AVAST TEAM,
and thanks to Sass Drake for getting involved. And sorry for being late to answer,

here is the requested log.text in attach,

PS: I could not send my reply from win.7, many send tries end with " error in verification typing",
so I'm trying with my XP (for which I found an old AOMEI backup somewhere and applied it). It works somehow better.
Hope this time it will be POSTED!

HEY, I just found out that the YEAR in the verification area is still 2018, so attention please when submitting a post !!
« Last Edit: January 04, 2019, 04:17:59 PM by Hadi5 »

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 705
Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
« Reply #6 on: January 04, 2019, 09:37:10 PM »
Please post new FRST.txt and Addition.txt logs.

Offline Hadi5

  • Newbie
  • *
  • Posts: 5
Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
« Reply #7 on: January 05, 2019, 05:21:54 PM »
Hi, here are the two FRST txt logs in attach.
Thanks for your time..

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 705
Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
« Reply #8 on: January 05, 2019, 08:34:38 PM »
You don't have an active infection. As for lost files, you have to wait until someone makes a decryption tool.

Please rename FRST64.exe to uninstall.exe and run it. That should uninstall FRST.

Offline Hadi5

  • Newbie
  • *
  • Posts: 5
Re: Gandcrab v.5.0.4 _Infection removed?! What to do the next ?
« Reply #9 on: January 05, 2019, 11:45:49 PM »
Alright sir, thank you,
I have to be patient like many others.