@narou21 can you tell us if this work out and if it is solved ???
So we can close this thread then
Otherwise when it is NOT working do the next steps:
Any files that are encrypted with
GandCrab V5.0.4/5.0.5 will have a
random 5-9 character extension (i.e. .XMMFA, .LUKIZQW, .TKKLKM) appended to the end of the encrypted data filename and leave files (ransom notes) named [random uppercased extension]-DECRYPT.html (i.e. LUKIZQW-DECRYPT, TKKLKM-DECRYPT). Most ransomware will drop a ransom note in every directory/affected folder where data has been encrypted. These notes are often created in multiple file formats (.txt, .html, .png, .bmp, .url) to ensure that the victim can open them and read the ransom demands/instructions.
Unfortunately, files encrypted by
GandCrab V5.0.4/5.0.5 are
not decryptable at this time without paying the ransom since these versions have been reported by Marcelo Rivero (Malware Intelligence Analyst) to break the BitDefender decryption tool so it will not work....
RansomNoteCleaner created by Demonslay335 (aka Michael Gillespie) can be used to search for (and remove) ransom notes dropped by the malware. Other options include Duplicate File Removers such as SearchMyFiles, Duplicate Cleaner Free, CloneSpy and CCleaner’s Duplicate File Finder.
CryptoSearch created by Demonslay335 (aka Michael Gillespie) and powered by his
ID Ransomware (IDR) service can help find files encrypted by a particular ransomware. It will then allow you to copy/move the files to another location for archiving in the event of a possible solution for future decryption. CryptoSearch
does not decrypt data. The
encrypted files do not contain malicious code so they are safe.
These are some common folder variable locations malicious executables and .dlls hide:
- %SystemDrive%\ (C:\)
- %SystemRoot%\ (C:\Windows, %WinDir%\)
- %UserProfile%\
- %UserProfile%\AppData\Roaming\
- %AppData%\
- %LocalAppData%\
- %ProgramData%\ / %AllUserProfile%\
- %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.
If you need individual assistance
only with removing the malware infection, follow the instructions in the
Malware Removal and Log Section Preparation Guide...
For the
Maleware Removal and Log Section Preparation Guide :
type this in Google and you will find it