All Activity

This stream auto-updates     

  1. Past hour
  2. @pmarty @xfifi What I notice is that none of the .exe files of the attacked drives/partitions were encrypted, and thus exe-files do not have the ‘.nampohyu’ extensions. They still are regular executable files and are not encrypted. I wonder if you could affirm this observation? Further, I have found the infected executables by a virus on very unexpected directories, including the recycle bin, as well as that not all executables were infected by a virus. There is no logic (to me) in the directories to search for. But when you use windows-explore you should be able to search all the sub-directories. You also could check if there were more drives/partitions infected. In my case they attacked 4 drives/partitions and leave 6 drives/partitions unchanged, I assume that they had no access to the other drives/partitions.
  3. Hi Charlie, yes, but that will be changed in a next EAM version. Yes, we will provide 2 easy ways to connect existing installs. One thing i need to stress is that a workspace must be seen as a customer area. That means that you can connect the devices of 1 customer to 1 workspace. You will have to contact our sales team to split your existing key into keys per customer. For security and permission related reasons, the architecture of the Cloud Console allows one license per workspace/customer. please note that Cloud Console is in beta stage, so bugs are expected. We will check and fix when needed. thanks ! Thanks
  4. For me, there is no .exe files for this virus. It's an intrusion from a remote script executed by the hackers. Samba server or FTP vulnerability via the Guest user in Synology.
  5. @Albert-S I can't find strange .exe files on My Synology NAS which where affected by .NamPoHyu virus Can you give some filenames or directories which I can search for with more accuracy? Thanks for your feedback about the Synology recovering possibility, what a pity...
  6. Today
  7. Hi @Razz Again thanks. I can add "MVPS HOSTS" in µBlock Origin without subscribing...
  8. Hi Marshall. Not sure, but I do know that I recognize the URL of "MVPS Hosts" and I recognize the list. I don't recognize the list attached to MVPS Hosts (Domains). To view the list, click the blue "Details", "View" & "Original" buttons - see image. Sorry I couldn't offer a better explanation.
  9. Hi @Razz Thanks for the explanations☺️ What is the difference between "MVPS HOSTS" and "MVPS Hosts (Domains)" ?
  10. It appears that the “.NamPoHyu” ransomware is often attacking Synology NAS systems. This comment therefore is only related to Synology NAS systems. 1. Regular data-recovery is a no go: decryption is the only way to restore data! As GT500 said the chances for regular data recovery are already very low, since it is more likely that the data is overwritten than it has been copied. However in this case regular data recovery software does not allow you to access the NAS drives directly. Therefore, the following has been suggested: I have contacted the Synology helpdesk and the bad news is that the disk format is ext4 or BTRFS which a regular PC can't read. Moreover, for the Synology system no data recovery software exist that can recover files or folders. 2. Block the guest - account I have good reasons to assume that the guest-account on the system is a potential problem. I therefore recommend the following: Enter the configuration screen, open Users, select Guest, edit, select: switch off this account immediately & do it directly (no delay). Basically I believe you don’t want unknown ‘guests’ on your NAS. If you have other accounts you working with and you are logged in by one of those accounts, I suggest you do the same with the admin account, too. For more info on NAS check this forum too.
  11. Yes. Therefore, I trust to Google the auto-translation of the text at my sites into English, because he knows more words and rules in English than I do. But I know more words, phrases, lexical rules, dialects and I have more vocabulary in Russian.
  12. TNX for this information Amigo
  13. Yesterday
  14. Phil, Download to your Desktop: Farbar Recovery Scan Tool NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive. Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens click Yes to the disclaimer. NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones ran with FRST's default settings. Press the Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt Addition.txt Attach those logs to your reply.
  15. Hi Marshall. To add the MVPS Hosts list to uBlock Origin, perform the following steps (see images for more details): (1) Go to the following link: https://filterlists.com/ (2) Enter "130" in the page field. (3) Click the blue "Details" button on the "MVPS Hosts" line. (4) Click the blue "Subscribe" button. You're all done! The MVPS Hosts file should now be added to uBlock Origin in your browser. To check you can look at the uBlock Origin "Options" page by right-clicking the uBlock Origin icon in your browser, as per images. Hope this helps. Best Regards, Steen
  16. I did this and then rebooted but it didn't help. If I want to see the whole screen, I still have to drag the window around to see it all and I can't see it all at once then.
  17. It's not doing it now but when it did, it was doing it after several restarts. I was like you, I thought maybe restarting it would help it but it didn't. It's still working as it should now. Maybe it will keep it up.
  18. @GT500 Thank you for your concern and the good work. However, I did not post the file on the forum, because I thought it is not a good habit to spread a potential virus on this platform So I have attached it in an email to: [email protected] // subject: referring to ransom message of Albert-S (including some typo's) I have mentioned my concerns regarding this executable on the forum at Tuesday 3:30 PM, EUROPE. Hope it finds well now, did not ment to confuse ... Since you mentioned only autherized persons can download, I tried to add the file to this post. But I can't: my virus-scanner does not allow me
  19. Hello, We have a large number of clients currently connected to an on-prem EEC instance. We've done a small pilot and are seriously looking at moving all of them to ECC in the near future. I have a couple of topics to discuss: 1. We have discovered that on existing clients, if the user navigates to Settings and clicks on "Connect to MyEmsisoft", they are automatically connected and show up in the Workspace almost immediately. Neat! I assume it knows to connect to the workspace because the license key in their software is attached to that workspace. Can I get confirmation on that? We have command line access to almost all of the computers and they are using that same key. Is there a command that we can push to the computers en masse that will disconnect them from EEC and connect them to ECC basically to simulate them pressing the "Connect to MyEmsisoft" button? 2. It seems that the "Alternative message or URL for news section" policy in ECC isn't applying to clients put into that policy group. All the other policies appear to be applying properly. Wondering if there are some character or length limitations or maybe a bug? Thanks!
  20. Some of your posts have been edited, so I'm not sure if you posted it here and then removed the links later, or if you sent them via e-mail. Regardless, I didn't download any files from this topic in the last week. I must have missed that in your original post. Would it be possible for you to send those to me? You can do so in a private message, or by attaching the files to a post here (only authorized personnel can download file attachments, unless they are pictures/images).
  21. Yeah, that sounds about par for the course (assuming that means the same in Russian that it would in English).
  22. This may have been fixed by some changes we made to our licensing system, however it's also possible that a simple restart of the computer resolved it. If you ever encounter the problem again, then try restarting the computer again, and let me know if that helps.
  23. Try the following, and let me know if that helps: Open Emsisoft Anti-Malware. Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle). Click on Advanced in the menu at the top. Scroll down to the bottom of the Advanced section, and look for Factory defaults on the left. Click the Revert button to the right of where it says Factory defaults. A dialog box will open that allows you to select what settings to restore. You only need to select the General software settings option at the top before clicking OK.
  24. Yes. In this case there is only a small light at the end of the tunnel. At first there was only one my article MegaLocker Ransomware with several variants, then a topic on the BC forum, then a topic on this forum, now an article on the BC website. Victims should somehow unite in this matter, connect the right-guards, because Without technical specialists and equipment technical support services, this question cannot be solved. This vulnerability will continue miss to attacks and Ransomware will continue encrypt information on yours NAS-devices. With forces only of freelancers and AVers do not stop it.
  25. The .NamPoHuy is indeed terrible. Just to be sure of the symptoms: Pmarty/Xfifi: do you also have found some modified executables on your NAS (as I have described above), or was it an additional infection? Typically you would find these files when you search in explorer on ‘*.exe’ on the NAS and when you looking at the creation date of those files. When those creation-dates/times are very similar, quite recent and not matching with your installation, probably the executables were modified by the attacker. DO NOT USE/EXECUTE these files, it might be the trigger of the ransomware. What I did is, I changed the extension and stored the files on a USB stick. Doing so, my anti-virus program keeps alerting on those files. ADDED INFO: DO NOT erase the infected executables: You might need it as input at a later moment in time when someone is succeeding preparing a decryption tool to this virus. The best you could do is saving these files on a empty USB stick. Mind you that this type of ransomware is new on the market and we don’t know yet what will be required to put an end to the ransom. GT500 did you receive that file I had submitted on Sunday, and is it helpful for your analysis? Can I help with something more?
  26. mahmo A pair of files (encrypted and original) for new versions of STOP Ransomware are not needed.
  1. Load more activity
  • Newsletter

    Want to keep up to date with all our latest news and information?

    Sign Up