
PClock Ransomware Support and Help Topic


131 replies to this topic

#121 GPekov

GPekov

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:13 AM

Posted 25 June 2017 - 07:08 AM

The good thing about using a Linux OS is that you can mount hard drives manually.

So you can keep your important files on a drive separate from the OS one and mount it only when you need it.

Thus the ransomware won't affect the unmounted drives, I think?

This should be a safer option than Windows, where all the drives are mounted along with the OS drive.





#122 chrisfox891

chrisfox891

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:13 PM

Posted 28 June 2017 - 05:58 AM

http://emsi.at/DecryptPClock

link not working



#123 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:13 AM

Posted 28 June 2017 - 06:02 AM

Emsisoft Decrypter for PClock

Be aware that newer PClock variants are not decryptable and there is no longer any way to provide decryption without paying the ransom. Fabian explains why in Post #987.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#124 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:13 AM

Posted 25 July 2017 - 02:22 PM

Hello,

To help 2 clients decrypt their files infected by PClock, I am looking for the files gadsys.exe and wposys.exe.

Can someone upload those files to https://www.sendspace.com/ and put the link here?

Thank you very much.

Best regards,

Emmanuel



#125 MishaZip

MishaZip

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:13 AM

Posted 25 July 2017 - 06:11 PM

How did you manage to decrypt the files?



#126 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:13 AM

Posted 26 July 2017 - 03:12 AM

Hello,

I am trying to decrypt the files with the help of Doctor Web, but they need the files gadsys.exe and wposys.exe to go further.

My clients don't have these files anymore, so I would appreciate it if one of you could send me these files with a link on Sendspace.

Best regards,

Emmanuel



#127 MishaZip

MishaZip

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:13 AM

Posted 26 July 2017 - 05:28 PM

Had the same virus, submitted the file to Doctor Web and they say the decryption is impossible. It has been mentioned a few times in this topic that the files affected by this virus are incurable for now.



#128 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:13 AM

Posted 26 July 2017 - 06:39 PM

It has been mentioned a few times in this topic that the files affected by this virus are incurable for now.

That is correct. Fabian explains why in Post #987. If possible, your best option is to restore from backups.

#129 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:13 AM

Posted 28 July 2017 - 04:03 AM

Hello,

OK, it is not decryptable at the moment, but I think they are working on it.

How do you explain that they ask me to find the files gadsys.exe and wposys.exe?

If you can, send the link to download these files here or use our own platform (in French): https://adc-soft.com/decryptage/ransomware.php

Don't hesitate to leave your own encrypted file samples as well, to see what Doctor Web can do.

Kind regards,

Emmanuel



#130 iamnoobareyounot

iamnoobareyounot

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 28 July 2017 - 05:41 AM

Hello,

To help 2 clients decrypt their files infected by PClock, I am looking for the files gadsys.exe and wposys.exe.

Can someone upload those files to https://www.sendspace.com/ and put the link here?

Thank you very much.

Best regards,

Emmanuel

Here's the sample:

gadsys.exe:

https://virustotal.com/en/file/2d81eced5e889c0a8f670080bcb9ae67a2c9fc2d9de9b3b17f817de669d98019/analysis/

wposys.exe:

https://virustotal.com/en/file/7449d447245e010ed2acd1ee9891cc7a6e1f3c6e683c48da4262014cde44bd96/analysis/

You can download the sample from VirusTotal.



#131 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:13 AM

Posted 28 July 2017 - 11:37 AM

Hello iamnoobareyounot,

Thank you very much, I didn't know we could download compromised files from VirusTotal. How do I do that? Do I have to sign in?

Thanks. Kind regards,

Emmanuel



#132 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:13 AM

Posted 31 July 2017 - 12:57 PM

Hello iamnoobareyounot,

I sent your Totalvirus links for gadsys.exe and wposys.exe to Doctor Web analysts. I hope it can be useful to find a solution soon.

If you have the trojans themselves, you can also download them directly here for Doctor Web, as I don't know how to download them from VirusTotal:

https://www.pixad.fr/drweb_ransomware/index.php#formulaire

Thank you again. Kind regards,

Emmanuel





