
gottfried ransomware?


I've just got hit with this identical problem a couple hours ago.

My symptoms and malware files are identical to the first poster, including the .exe that causes the popup and the popup text.

I updated Malwarebytes, turned off wifi, went into safe mode, scanned and deleted the 3 threats, namely the malware.

Then, using another flash drive onto which I downloaded everything Maurice Naggar suggested, I followed the instructions.

It seems .rar files were not encrypted, but every other doc or pdf file is .crypt.

After Malwarebytes, updated just now, cleaned the computer, restarting once, TDSSKiller found nothing and no processes were terminated after I ran the other utilities in the order suggested in this thread.

All signs of the malware are gone, and since that was my internet computer, I simply formatted it and re-installed Windows; after all, I hadn't done that in a while and I buy things online.

There were only some files that I wanted, and they are clean, but still ending in ".crypt", e.g., ___.pdf.crypt and renaming the file on the absolutely clean laptop does not permit me to open it.

What I am wondering is how to decrypt my files. Malwarebytes nails the malware itself, and all the other utilities have afterwards clean logs, but it leaves the encrypted files. This is my first ransomware that I have been hit with (and by browsing Google for youtube links of all things!)

Nod32 did not catch this new threat and so now I have my clean computer, Windows 7 Ultimate, with mozilla firefox, malwarebytes, wod, acrobat, outlook, nod32, and spybot, irfanview, paint.net, and nothing else (as before the infection), and several folders of files that I do not know how to decrypt. (Outlook files and anything that was in program files is fine, not touched by the malware)

As far as logs, everything is identical to the above poster. What do people normally use to decrypt ransomware'd files, after the threat is removed?

P.S. Malwarebytes is simply awesome antivirus, cleaning new threats so easily. It saved me once before about a year ago.



First, I had to split off your posts. Forum rules prohibit your tacking on your issue onto the thread of another member. Please remember that.

IF you did a clean (new) install by doing a reformat and new install, you should have no traces of the infection.

MBAM is an anti-malware program. It is -not- an antivirus program. You must have an antivirus program installed, up-to-date, and active. Always.

Otherwise, you will get infected in a heartbeat if on the internet, or even if using a USB-thumb-flash drive that is infected.


I use nod32 for my anti-virus, but it misses things from time to time (but less than other anti-virus programs in my experience).

I reformat periodically to be on the safe side or after I get hit with something particularly nasty (with not too much effort, since it's my internet computer, which exists solely for this purpose ... )

I am wondering, though, if you knew how to also decrypt ransomwared files, namely, the "vsdsrv32" crypto virus, after Malwarebytes cleans the computer?


Is there usually any way to decrypt crypto viruses, in cases like this where they get past the antivirus and then get cleaned? Given how common (apparently) this sort of thing is, are there any resources on the web on how to get back the ransomware'd files, or is it in practice the end of any files on that system the moment a cryptovirus gets through and installs itself?

The encryption could not have been very significant, given how fast it spread through so many files. Must be some small change in the file structure that invalidates the file unless removed (while virus is active, I suppose the main problem is to get back to the files in the first place?)



This topic is now closed to further replies.