In Progress Gandcrab encryption

Harisz

Thread Starter
Joined
Feb 28, 2019
Messages
12
Hello,

All of my files in the My Documents folder were encrypted with the .wnbqgfciq extension, and I cannot open them any more. According to https://id-ransomware.malwarehunterteam.com/ my files are encrypted with GandCrab.
I have tried running the BitDefender GandCrab decryptor, but there was no success.

How can I decrypt my files?

I am attaching the reports from Farbar Recovery Scan Tool.
 

Attachments

iMacg3

Malware Specialist
Joined
Nov 3, 2018
Messages
850
Hi Harisz


Going over your logs I noticed that you have µTorrent and Popcorn Time installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall µTorrent and Popcorn Time; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Settings icon > Apps.

If you wish to keep them, please do not use them until your computer is cleaned.

=======================

I noticed you have ESET Security installed but disabled - I recommend you enable it and restart the computer.

=======================

Did you receive an error when running the BitDefender tool?

What extension are the encrypted files?

I recommend you create a backup of any encrypted files if you haven't already.

Please do the following


---------------------------------------------------
Uninstall a Program

  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following program(s) on the list:
    Web Companion
  • Select the above program(s) and click Uninstall.
  • Restart the computer if prompted.
---------------------------------------------------
Farbar Recovery Scan Tool - Fix

  • Highlight the contents of the below code box and press Ctrl + C on your keyboard:
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    SearchScopes: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoHUhpAx0HGzgUxhH_nKd_dPAKyCFgC4ICtU3EmdP4lx9cw0nYo5IymrDJZNQPQyiBrUx6JS7BrvH3Ygf0_Jil0-gkCHXKG-ZzLtXDqVK8VKFcEdC55W0Bcg-ovsUrlRZ19Yppesx9HufdAy6K7YnIFMTkX4lnbY4joUJyiL54Xdm&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001 -> {BDF61FAE-9D19-40F0-8F34-688DEB334CA9} URL = hxxp://securedsearch.lavasoft.com/results.php?pr=vmn&id=webcompa&ent=ch_WCYID10454__181117&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoHUhpAx0HGzgUxhH_nKd_dPAKyCFgC4ICtU3EmdP4lx9cw0nYo5IymrDJZNQPQyiBrUx6JS7BrvH3Ygf0_Jil0-gkCHXKG-ZzLtXDqVK8VKFcEdC55W0Bcg-ovsUrlRZ19Yppesx9HufdAy6K7YnIFMTkX4lnbY4joUJyiL54Xdm&q={searchTerms}
    CHR StartupUrls: Default -> "hxxp://www.google.com","hxxp://www.google.com/","hxxp://search.babylon.com/?affID=112185&tt=120912_cpc_3712_5&babsrc=HP_ss&mntrId=6487ab040000000000003859f9e181fb","hxxp://www.dosearches.com/?utm_source=b&utm_medium=epom2&utm_campaign=eXQ&utm_content=hp&from=epom2&uid=WDCXWD3200BEVT-08A23T1_WD-WXG1A81L1355L1355&ts=1381754682"
    S3 MyWiFiDHCPDNS; "C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe" [X]
    ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
    ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
    ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} =>  -> No File
    ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
    ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
    IE trusted site: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001\...\webcompanion.com -> hxxp://webcompanion.com
    FirewallRules: [{7B46005D-9823-4DF5-8B9D-3B585E43DC5B}] => (Allow) %systemroot%\system32\alg.exe No File
    FirewallRules: [{9C963F16-75A2-4E70-AB2E-62508987F1BA}] => (Allow) %systemroot%\system32\alg.exe No File
    FirewallRules: [{228C5F9D-C011-4E54-9C75-56027F8BE91C}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe No File
    FirewallRules: [{C9068482-5D84-4903-9277-F3CD26DDABE5}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe No File
    FirewallRules: [{88DC8082-A941-447D-ACB6-EE26509BEACF}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe No File
    FirewallRules: [{D0782E21-56DC-4C55-BEBD-96F5002C4887}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
    FirewallRules: [{C66E743A-B100-417A-9146-D3846696E76B}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
    End::
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Double-click FRST.exe/FRST64.exe to run it.
  • Press the Fix button just once and wait.
    Note: No need to paste the script into FRST.
  • Restart the computer if prompted.
  • When the fix is complete FRST will generate a log in the same location it was run from (Fixlog.txt)
  • Please copy and paste its contents into your reply.
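Two of the SearchScopes entries in the fix above point at a host written entirely as %XX escapes (hxxps://%66%65%65%64.%73%6F%6E%69%63-...), which a browser decodes silently but a person reading the registry or an FRST log does not. The script below is an added example, not part of the thread or of FRST: it parses FRST-style lines (defanged hxxp:// URLs, registry search scopes, Chrome StartupUrls, IE trusted sites), percent-decodes each hostname, and lists the hosts worth reviewing. The sample lines are copied from this thread with the long p= token abridged; the allowlist of known-good hosts is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: four lines copied (and abridged) from the FRST fix list
# posted in this thread. Only the long "p=" token was shortened.
SAMPLE_LINES = r"""
SearchScopes: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpY&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001 -> {BDF61FAE-9D19-40F0-8F34-688DEB334CA9} URL = hxxp://securedsearch.lavasoft.com/results.php?pr=vmn&id=webcompa&ent=ch_WCYID10454__181117&q={searchTerms}
CHR StartupUrls: Default -> "hxxp://www.google.com","hxxp://search.babylon.com/?affID=112185&tt=120912_cpc_3712_5&babsrc=HP_ss","hxxp://www.dosearches.com/?utm_source=b&from=epom2&ts=1381754682"
IE trusted site: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001\...\webcompanion.com -> hxxp://webcompanion.com
"""

# FRST writes URLs as hxxp:// ("defanged") so a log cannot be clicked by accident.
URL_RE = re.compile(r'hxxps?://[^\s",]+')

def refang(url):
    """Turn hxxp:// back into http:// so urllib can parse it."""
    return re.sub(r"^hxxp", "http", url, count=1)

def decode_host(url):
    """Hostname with percent-encoding undone.

    A hijacker can register a search scope whose host is written entirely as
    %XX escapes; the browser decodes it, a human reading the log does not."""
    return unquote(urlsplit(refang(url)).hostname or "")

def analyse(text):
    """One record per URL found in FRST output."""
    findings = []
    for raw in URL_RE.findall(text):
        parts = urlsplit(refang(raw))
        host_raw = parts.hostname or ""
        findings.append({
            "url": raw,
            "host": unquote(host_raw),
            "encoded_host": "%" in host_raw,
            "params": sorted(parse_qs(parts.query, keep_blank_values=True)),
        })
    return findings

def hosts_to_review(findings, allowlist=("www.google.com",)):
    """Distinct hosts that are percent-encoded or not on a known-good list (allowlist is an assumption)."""
    return sorted({f["host"] for f in findings
                   if f["encoded_host"] or f["host"] not in allowlist})

if __name__ == "__main__":
    results = analyse(SAMPLE_LINES)
    for f in results:
        tag = "ENCODED" if f["encoded_host"] else "plain  "
        print(f"{tag} {f['host']:<32} params={','.join(f['params']) or '-'}")
    print("review:", ", ".join(hosts_to_review(results)))
```

Run it against a pasted FRST.txt or Fixlog.txt instead of SAMPLE_LINES and the encoded scope shows up as feed.sonic-search.com next to the plain ones; the remaining hosts (lavasoft, babylon, dosearches, webcompanion) are the search hijacker and adware residue the fix removes.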
 

Harisz

Thread Starter
Joined
Feb 28, 2019
Messages
12
Hi iMacg3

Each and every file is encrypted with the .wnbqgfciq extension. Running the BitDefender tool gives the output "No ransom note found".
Also, I have already made a couple of backup copies, and all the sensitive data is deleted from the computer, in case this virus does some more damage.

I did as you told, and here is the fixlog.txt output:

Fix result of Farbar Recovery Scan Tool (x64) Version: 22-04-2020
Ran by elion (24-04-2020 12:38:40) Run:1
Running from C:\Users\elion\Desktop
Loaded Profiles: elion (Available Profiles: elion)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
SearchScopes: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoHUhpAx0HGzgUxhH_nKd_dPAKyCFgC4ICtU3EmdP4lx9cw0nYo5IymrDJZNQPQyiBrUx6JS7BrvH3Ygf0_Jil0-gkCHXKG-ZzLtXDqVK8VKFcEdC55W0Bcg-ovsUrlRZ19Yppesx9HufdAy6K7YnIFMTkX4lnbY4joUJyiL54Xdm&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001 -> {BDF61FAE-9D19-40F0-8F34-688DEB334CA9} URL = hxxp://securedsearch.lavasoft.com/results.php?pr=vmn&id=webcompa&ent=ch_WCYID10454__181117&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoHUhpAx0HGzgUxhH_nKd_dPAKyCFgC4ICtU3EmdP4lx9cw0nYo5IymrDJZNQPQyiBrUx6JS7BrvH3Ygf0_Jil0-gkCHXKG-ZzLtXDqVK8VKFcEdC55W0Bcg-ovsUrlRZ19Yppesx9HufdAy6K7YnIFMTkX4lnbY4joUJyiL54Xdm&q={searchTerms}
CHR StartupUrls: Default -> "hxxp://www.google.com","hxxp://www.google.com/","hxxp://search.babylon.com/?affID=112185&tt=120912_cpc_3712_5&babsrc=HP_ss&mntrId=6487ab040000000000003859f9e181fb","hxxp://www.dosearches.com/?utm_source=b&utm_medium=epom2&utm_campaign=eXQ&utm_content=hp&from=epom2&uid=WDCXWD3200BEVT-08A23T1_WD-WXG1A81L1355L1355&ts=1381754682"
S3 MyWiFiDHCPDNS; "C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe" [X]
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
IE trusted site: HKU\S-1-5-21-3368600606-4280318338-2388961727-1001\...\webcompanion.com -> hxxp://webcompanion.com
FirewallRules: [{7B46005D-9823-4DF5-8B9D-3B585E43DC5B}] => (Allow) %systemroot%\system32\alg.exe No File
FirewallRules: [{9C963F16-75A2-4E70-AB2E-62508987F1BA}] => (Allow) %systemroot%\system32\alg.exe No File
FirewallRules: [{228C5F9D-C011-4E54-9C75-56027F8BE91C}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe No File
FirewallRules: [{C9068482-5D84-4903-9277-F3CD26DDABE5}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe No File
FirewallRules: [{88DC8082-A941-447D-ACB6-EE26509BEACF}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe No File
FirewallRules: [{D0782E21-56DC-4C55-BEBD-96F5002C4887}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{C66E743A-B100-417A-9146-D3846696E76B}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File

*****************

Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-3368600606-4280318338-2388961727-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
HKU\S-1-5-21-3368600606-4280318338-2388961727-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => removed successfully
HKU\S-1-5-21-3368600606-4280318338-2388961727-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BDF61FAE-9D19-40F0-8F34-688DEB334CA9} => removed successfully
HKU\S-1-5-21-3368600606-4280318338-2388961727-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch} => removed successfully
"Chrome StartupUrls" => removed successfully
HKLM\System\CurrentControlSet\Services\MyWiFiDHCPDNS => removed successfully
MyWiFiDHCPDNS => service removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
"HKLM\Software\Classes\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}" => removed successfully
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\{4A7C4306-57E0-4C0C-83A9-78C1528F618C} => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
HKU\S-1-5-21-3368600606-4280318338-2388961727-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7B46005D-9823-4DF5-8B9D-3B585E43DC5B}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9C963F16-75A2-4E70-AB2E-62508987F1BA}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{228C5F9D-C011-4E54-9C75-56027F8BE91C}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C9068482-5D84-4903-9277-F3CD26DDABE5}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{88DC8082-A941-447D-ACB6-EE26509BEACF}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D0782E21-56DC-4C55-BEBD-96F5002C4887}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C66E743A-B100-417A-9146-D3846696E76B}" => removed successfully


The system needed a reboot.

==== End of Fixlog 12:39:10 ====
I have tried running the BitDefender tool once again after rebooting the computer - no success.
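The decryptor stopped with "No ransom note found", so the question to settle before retrying it is whether any copy of the note survived anywhere on the disk (the decryptor needs the note's contents to identify the victim key; that is an assumption here, not something stated in the thread). The script below is an added example, not the decryptor's or the thread's code: it walks a folder tree, counts files carrying the ransom extension and which original types they were, and looks for candidate notes by name and by content. The note naming pattern <EXT>-DECRYPT.txt/.html and the GANDCRAB content marker are assumptions about GandCrab v5; the sample tree is constructed.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumptions (not from the thread): GandCrab v5 drops one note per affected
# folder named <EXT>-DECRYPT.txt or .html, EXT being the random extension in
# upper case, and the note body contains the string GANDCRAB.
NOTE_NAME_TEMPLATE = r"^{ext}-DECRYPT\.(txt|html?)$"
NOTE_MARKER = b"GANDCRAB"

def find_encrypted(root, ext):
    """All files under root whose last suffix is the ransom extension."""
    suffix = "." + ext.lower().lstrip(".")
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() == suffix)

def find_candidate_notes(root, ext, max_size=64 * 1024):
    """Small text/HTML files that look like the ransom note, by name or by content."""
    name_re = re.compile(NOTE_NAME_TEMPLATE.format(ext=re.escape(ext.strip("."))),
                         re.IGNORECASE)
    notes = set()
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.stat().st_size > max_size:
            continue
        if name_re.match(p.name):
            notes.add(p)
        elif p.suffix.lower() in (".txt", ".htm", ".html") and NOTE_MARKER in p.read_bytes().upper():
            notes.add(p)
    return sorted(notes)

def summarize(root, ext):
    """What a decryptor needs to know: how much was hit, of what, and where the note is."""
    enc = find_encrypted(root, ext)
    notes = find_candidate_notes(root, ext)
    return {
        "encrypted_files": len(enc),
        # "report.docx.wnbqgfciq" -> stem "report.docx" -> original type ".docx"
        "original_types": dict(Counter(Path(p.stem).suffix.lower() or "(none)" for p in enc)),
        "folders": sorted({str(p.parent) for p in enc}),
        "notes": [str(n) for n in notes],
        "decryptor_ready": bool(enc) and bool(notes),
    }

def build_sample_tree(with_note=True):
    """Constructed fixture standing in for My Documents; file contents are random bytes."""
    root = Path(tempfile.mkdtemp(prefix="gc_triage_"))
    (root / "Work").mkdir()
    (root / "Work" / "budget.xlsx.wnbqgfciq").write_bytes(os.urandom(256))
    (root / "thesis.docx.wnbqgfciq").write_bytes(os.urandom(256))
    (root / "photo.jpg.wnbqgfciq").write_bytes(os.urandom(256))
    (root / "readme.txt").write_text("unrelated plain file\n")
    if with_note:
        (root / "Work" / "WNBQGFCIQ-DECRYPT.txt").write_text(
            "---= GANDCRAB V5 =---\n(constructed placeholder, not a real note)\n")
    return root

if __name__ == "__main__":
    for flag in (True, False):
        s = summarize(build_sample_tree(with_note=flag), ".wnbqgfciq")
        print(f"encrypted={s['encrypted_files']} types={s['original_types']}")
        print(f"notes={s['notes'] or 'NONE'} decryptor_ready={s['decryptor_ready']}")
```

Point it at the whole user profile rather than just My Documents, since the note is dropped per folder and the Desktop copy often survives when a cleanup tool has already removed the ones next to the data. If nothing turns up, check the Recycle Bin and the backup copies made before the cleanup; without a note the decryptor has nothing to work from and the answer stays "keep the encrypted backups and wait".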
 

iMacg3

Malware Specialist
Joined
Nov 3, 2018
Messages
850
My apologies for the delay

At this point, I am not sure what could be the problem. It may be that this variant of ransomware cannot be decrypted. Once we have finished checking for malware I will refer you to a forum with assistance for ransomware.


---------------------------------------------------
ESET Online Scanner

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.
 

Harisz

Thread Starter
Joined
Feb 28, 2019
Messages
12
No problem, sorry I have been gone - I had no access to the encrypted laptop.
However, I am running the scan right now, and will upload the results soon.
 

iMacg3

Malware Specialist
Joined
Nov 3, 2018
Messages
850
Let me know if you have any issues running the scan.
 

Harisz

Thread Starter
Joined
Feb 28, 2019
Messages
12
Hi,

Here is the log after completing the scan of the computer:
6/1/2020 23:57:20 PM
Files scanned: 508834
Detected files: 0
Cleaned files: 0
Total scan time: 01:36:18
Scan status: Finished
 

iMacg3

Malware Specialist
Joined
Nov 3, 2018
Messages
850
My recommendation would be to post here at the BleepingComputer Ransomware Support forum for assistance with the decrypter.

Please let me know if you have any questions before I post instructions to remove the tools used as well as advice to keep your computer safe in the future.
 

Harisz

Thread Starter
Joined
Feb 28, 2019
Messages
12
My recommendation would be to post here at the BleepingComputer Ransomware Support forum for assistance with the decrypter.

Please let me know if you have any questions before I post instructions to remove the tools used as well as advice to keep your computer safe in the future.
Hello,

You can remove it, thank you for your assistance.
 

iMacg3

Malware Specialist
Joined
Nov 3, 2018
Messages
850
Your logs are clean of malware. The following will remove the tools we used as well as reset system restore points:

---------------------------------------------------
KpRm

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.
----------------------------------------------------
Some tips to keep your computer safe on the Internet

Make sure to use strong passwords. There are password managers (for example, Bitwarden) that can help you use secure passwords, and keep track of them.

How to create a strong password
----------------------------------------------------
Keeping software up-to-date is important as well. Programs such as UCheck, Heimdal Free, or PatchMyPC can help keep software on your computer up-to-date.

To keep your operating system up-to-date, make sure that Windows Update is enabled on your computer.
----------------------------------------------------
I recommend backing up your PC regularly. There are several ways to back up your computer, such as using a cloud-based service online, external hard drive, or CD/DVD.

The following articles have more information about methods to back up your computer:

What's the Best Way to Back Up My Computer?

5 Ways to Back up Your Data
----------------------------------------------------
Here are some articles about how to keep your computer safe on the Internet -

Simple and easy ways to keep your computer safe and secure on the Internet - by Lawrence Abrams

Answers to common security questions - Best Practices - by quietman7

COMPUTER SECURITY - a short guide to staying safer online - Malware Removal

PC Safety and Security - What Do I Need? - Tech Support Forum
----------------------------------------------------

Safe surfing :)
 
