All Activity

This stream auto-updates     

  1. Past hour
  2. I have 200,000 files that are encrypted ending with .sys via compromised RDP. The attackers were malicious and deleted a lot of files. It looks like it's a variant of the DLL Cryptomix ransomware: https://blog.watchpointdata.com/dll-cryptomix-exposes-ransomware-infection-method I reluctantly paid the ransom and they sent me a decryptor tool but it's not working. It worked on some files that were less than 2 GB then suddenly stopped working on everything. The criminals sent us a message demanding more ransom to decrypt anything over 2 GB. Since I have the decryptor tool they sent me and it worked for a little while on some files, is there any way to reverse engineer it to work with everything else? Ransom note: Hello! Attention! All Your data was encrypted! For specific informartion, please send us an email with Your ID number: [email protected] [email protected] [email protected] bi[email protected] [email protected] [email protected] [email protected] Please send Your email to our all email addresses! We will help You immediately! As faster You will contact us as cheaper will be the recovery price! IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER! DECRYPT-ID-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX number - I removed the ID number just in case. Any feedback or ideas would be much appreciated, I'm lost on what to do next.
  3. yes, me too. It's a real pain, especially if you're watching/monitoring a particular web page that's updating in real time. Hopefully someone from Emsisoft will provide an update on this now that you've bumped the thread.
  4. Today
  5. I've had this problem for months, hoping it would get resolved. Win7 Pro x64. After the notification disappears, a random window (not necessarily the last focus) will come forward.
  6. Yesterday
  7. This is almost certainly GlobeImposter 2.0, however you can verify that using ID Ransomware: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  8. We don't currently have a way to decrypt this version of JSWorm, however our analysts are still working on it.
  9. You'll be contacted if there's any news for you.
  10. The logs shows that everything was deleted OK. Would it be possible to run another scan with FRST and attach the new logs to a reply so that I can make sure the computer appears to be clean now?
  11. I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you. STOPDecrypter won't be able to decrypt your files yet. Please note that it will take some time to figure out that decryption key for you.
  12. Don't worry, you don't need to remind us. The process of figuring out your decryption key is automated, so the creator of STOPDecrypter will know when to contact you to let you know how to decrypt your files.
  13. I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.
  14. Thread ClosedReason: Lack of ResponsePM either Kevin, Elise, or Arthur to have this thread reopened.The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread
  15. All users of the Emsisoft Support Forums who are in need of Malware Removal assistance are required to complete the procedures listed below: NOTE: You will want to print these instructions for reference, as you will perform all scans with all browsers closed. The majority of our support staff work Monday-Friday. We try very hard to answer all posts within 24-hours of the posting, but be aware that if you post anytime in the late afternoon or evening on Friday, or anytime on Saturday or Sunday, you will not receive an answer until Monday. Also, be aware that our support technicians may not be in the same time zone as you, therefore there could be several hours difference between when you post and the technician working your support case is available. The below guidelines are for the Help, my PC is infected! Support Forum. They are intended to help you provide the technician, working your thread, with enough information to start formulating a plan to clean your machine; and for you to leave the Emsisoft Support Forums with a safe, secure, functioning computer. Emsisoft does not condone the use of Pirated/Illegal software. If such software is found on your computer, the technician assisting you will insist that the Pirated/Illegal software be removed. We reserve the right to refuse help to anyone who is unwilling to uninstall Pirated/Illegal software. We insist that anyone receiving help, here at the Emsisoft Support Forums, install an Anti-Malware program at a minimum to protect their system. Start only one thread requesting help. Keep all questions in your thread. DO NOT start a new topic. DO NOT start multiple threads related to the same problem. If you don't know, stop and ask! Don't keep going on. Continue to respond until you are given "All Clear" (Just because you can't see a problem doesn't mean it isn't there) Once your case has been solved, the thread will be closed. Your thread will be closed after 72-hours of no activity. DO give your new thread a meaningful subject. NOT something like "HELP1!!!!11111!!!1!" and such. DO NOT use any form of Haxor, Leet speak, Netspeak, IM speak and the such in any postings on this forum. Use only proper spelling, grammar, punctuation, and capitalization. The more time the person helping you has to spend trying to figure out what you are saying, the longer it will take them to formulate a response. DO NOT post a request for help in someone else's thread. This can lead to confusion, and your post will be deleted with a message to start your own thread. DO NOT send private messages asking for help. DO NOT send emails asking for help. DO NOT reply to any thread, offering help or any comments of any type in a Malware Removal thread unless you have been given express permission by an Administrator or Moderator. DO NOT post advice until given permission to do so by an administrator or moderator. All replies made by unauthorized persons are subject to deletion without comment. DO NOT post any logs without first completing the steps in this guide, they will be deleted. DO NOT copy and paste logs into your threads. All logs are to be attached to your post. Download to your Desktop: - Emsisoft Emergency Kit - Farbar Recovery Scan Tool NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. NOTE: If you are unable to download the tools from the infected system, the tools can be saved to and run from a USB flash drive. All scans are to be run in Normal Mode. Do not run anything in "Safe Mode", unless you are instructed to do so by the Malware Removal Specialist handling your case. Do not force Safe Mode. Instructions on How to Boot to "Safe Mode" can be found at http://www.malwarete...kb/SafeMode.php Let's get started: Install and Run Emsisoft Emergency Kit (EEK): Double click EmergencyKitScanner.exe to install EEK When the installation of EEK is complete the Emergency Kit scanner will run. NOTE: Make sure to enable PUPs detection. Click "Yes" to Update Emsisoft Emergency Kit Under "Scan" click-on "Malware Scan". IMPORTANT: Do not quarantine or delete anything. We just want the scan log without anything being quarantined or deleted. Save the scan log somewhere that you can find it. Exit Emsisoft Emergency Kit. Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens click Yes to the disclaimer. NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones ran with FRST's default settings. Press Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt Addition.txt Create a new topic in our Help, my PC is infected! forum and attach the following logs to your post: Emsisoft Emergency Kit log (C:\EEK\Reports\) FRST.txt Addition.txt IMPORTANT NOTE: Any logs that are copied and pasted to a post will be removed from the post without being read. Do not alter or change the logs in any way. Once a Malware Removal Specialist has replied to your request for malware removal, they will handle your case from start to finish. You will have 72 hours to reply to any instructions given by the Malware Removal Specialist handling your case. Failure to comply with requests for information or instructions from the Malware Removal Specialist handling your case will result in the locking of your thread.
  16. I have been hit 3 days back, literally destroyed everything
  17. Arquivos encriptografados pelo novo jsworm 3.0 Nota de resgate em .hta controle e movimentação de pneus.xlsx.[ID-713693837][[email protected]].JSWORM JSWORM-DECRYPT.hta
  18. Sir any update from stopdcrypt
  19. All my files are encrypted as .DOCM . A .txt file in every folder as below: All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr### 72 CD C2 A7 7E 03 B0 D8 27 39 1E CB 00 4A A9 77 F3 CA B0 59 8F 77 26 6F 14 8B A5 B0 A0 ED 5C A9 17 2A 67 66 8E EB C8 CC 95 51 2A 3B AB 19 BB 6F C3 D4 13 E3 90 F3 B4 2E 13 5E 4C 45 71 0D 79 F3 E4 65 11 71 6B 14 8D 0A 60 F5 EF 37 5F 7B 33 C8 A5 83 69 F7 3E 6D DD 3E 39 6E 55 7D 23 8B C2 A2 B4 FD 33 47 AD E2 17 C7 27 3A DC 20 EC CE E8 4B 45 5A EA CF 4C 76 56 6F B1 D9 B0 AB 4F FF D5 5A 72 85 60 92 48 B9 E1 83 29 2E C2 9B 55 2C 34 84 A3 6D 63 2C 60 17 21 5A F6 E7 4D D8 C4 DB 83 35 CC F0 DC C1 E3 4E 1B CF E4 94 F3 D6 10 A4 38 4E 4A 97 3A C6 AD BC 35 62 F1 79 E4 38 D2 5B 93 CE FD 68 18 14 CD 79 08 47 C1 6E B1 B2 2E E3 25 5A 7B 57 4C 1D 38 88 27 51 44 49 92 25 B3 9E 37 97 3F 10 81 9B 69 86 CE 66 8A B0 F8 84 DF C8 47 2D 8B F9 B4 DE 90 3D 67 87 7D 7D EC 0D 05 A3 A3 91 ###
  20. @ahmed kotb This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. This is possible only in case where the files were encrypted with offline keys and an instance of the malware was detected. Demonslay335 (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. Download STOP Decrypter >>> First try to decrypt a small group of files, only make copies of them before this. If STOPDecrypter won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers, which infect and will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check PC and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  21. readme.txt is a very common name for all ransom notes. You can also upload to here this note and several encrypted files if you want me to confirm the identification or provide details.
  22. I keep in contact with Michael when this happens, from the beginning of multilingual version IDR.
  23. It is a pity, I said above, that every time these extortionists change something. Very changeable Ransomware. The previous versions they could decipher. It was also with Scarab Ransomware, decrypted easily, then it became difficult, and later decrypt could not feasible. Impossible now - maybe in the future. No need to delete files if they are valuable to you.
  24. i know it that's why i deleted all my encrypted files
  25. Hello guys My files are encrypted, and I really need my data base, but when I run stop decrypter I got this message. [+] Loaded 44 offline keys Please archive the following info in case of future decryption: [*] ID: Mnzu5JDUeJIYz2PeJ4U98MWbvy9facb1VuzehJAK [*] MACs: 00:40:A7:27:6B:AD This info has also been logged to STOPDecrypter-log.txt Selected directory: C:\Users\Thays\Documents Starting decryption... [+] File: C:\Users\Thays\Documents\SISGER.FDB.gerosan [-] No key for ID: Mnzu5JDUeJIYz2PeJ4U98MWbvy9facb1VuzehJAK (.gerosan ) [-] Fatal Error: (5) Acesso negado: [C:\Users\Thays\Documents\Meus Vídeos] [-] Aborting Decrypted 0 files! Skipped 1 files. [!] No keys were found for the following IDs: [*] ID: Mnzu5JDUeJIYz2PeJ4U98MWbvy9facb1VuzehJAK (.gerosan ) Please archive these IDs and the following MAC addresses in case of future decryption: [*] MACs: 00:40:A7:27:6B:AD This info has also been logged to STOPDecrypter-log.txt Can someone help me. I dont't care my other files, but I really need this one.
  1. Load more activity
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up