
Trojan-Ransom.Win32.GpCode.ax


Dixie


Hello Dixie

Welcome to Malwarebytes.

=====================

You will need access to a working computer, a CD and a USB to do the following:

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.

Now we need to prepare the USB. It doesn't necessarily need to be formatted, but it might help if it is:

  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format

  • Next download ransom.sh to your USB drive
  • Remove the USB and insert it into the infected computer
  • Boot the infected computer with the CD you just burned
  • The computer must be set to boot from the CD (varies from PC to PC > but generally F12, F11 or F9 will access the boot menu)
  • Follow the prompts
  • A Welcome to xPUD screen will appear > select your language
  • When xPUD opens > Click on File
  • Expand mnt
  • sda1 or sda2 will usually correspond to your HDD > sda1 and/or sda2 may not be visible with this infection > this is typical
  • sdb1 is likely your USB
  • Expand your USB (sdb1)
  • Confirm that you see the file ransom.sh that you previously downloaded
  • Press Tool on the top menu bar
  • Choose Open Terminal
  • Type bash ransom.sh
  • You should see the message
    ransomware mbr code detected on /dev/sda
    repairing mbr on /dev/sda
    mbr code OK on /dev/sdb
  • A log file named log.txt will also be created on the USB
  • This should only take a brief moment to complete.
  • Once completed > type exit to close the Terminal Window
  • Now go to Home > restart > remove the xPUD CD from the machine before it starts to reboot to allow the machine to reboot normally.
  • If the script was successful, your machine should now be booting normally


Is there any way to recover the data encrypted by the malware ? Ransom.Win32.GpCode.ax

Thx


You will have to be a bit more specific than that: what is happening with the system, what do you see on the screen?

If you read a bit more on the page, there is another article that says that the encryption can be reversed by Kaspersky antivirus definitions.

But if you want me to help you then you will have to tell me what is going on.


Hi there, I also have this virus. I found this on Google. I know AV vendors found out about this virus on November 29, 2010. What GPcode.ac is doing is encrypting files, with a message seen here:

[attached screenshot: dliyht.jpg]

So what's happened is that most files on the computer have been "encrypted", renaming all files with .ENCODED as the file extension. What he's asking is if the files that are "encrypted" can be recovered. I am also wondering this, because the computer that got infected on my end was the server! So I really need a fix for this. I've been on the phone with Symantec for 3 hours now; they seem clueless!

In the decrypting text file on the desktop, it's basically just asking you to pay them $120 through wire transfer, and then they send the key to decrypt the files.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
