Popular Content

Showing content with the highest reputation since 10/14/19 in Posts

  1. 2 points
    In most cases, those features should work without the need to keep most of the software that computer manufacturers pre-install. If you're not certain about what software should be kept or removed, then there is third-party software that can help (Decrapifier, for instance, and for a while there was a ridiculous batch file that techs were using that could do it).
  2. 1 point
    @manjunath and @Baliitsolutions this is a newer variant of STOP/Djvu, and both of you have online IDs, which means that there is currently no way to recover your files. We recommend making a backup of any encrypted files and waiting, as it is possible that law enforcement may catch the criminals at some point and release their database of keys for use in decrypters. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  3. 1 point
    I have read the following article: Based on that article, I understand that we have to make an encrypted backup on a cloud storage drive for our safety. Then we have to wait for new solutions and updates for removing and decrypting the .derp files.
  4. 1 point
    Your files were encrypted by a newer variant of STOP/Djvu that uses a more secure form of encryption. Since your ID isn't an offline ID, it won't be possible for the decrypter to decrypt your files. It may be possible that law enforcement will catch the criminals some day, and release the private keys so that we can add them to our database to allow decryption of everyone's files, so we recommend making a backup of all of your encrypted files in case this happens some day.
  5. 1 point
    Hello, almost certainly a false alarm, since Tor is not signed. That is why we rely on behaviour analysis. We can only analyse and categorise it when we receive feedback. I suggest that you let Emsisoft Anti-Malware put it into quarantine; then you can click the False Positive button, and it goes to our developers. Then click on the file and select Restore. Put the file in the exclusions, and then you can reinstall it afterwards. Claude
  6. 1 point
    That's one of the newer variants of STOP/Djvu, and you have an online ID, which means your files won't be decryptable.
  7. 1 point
    Hello, looks like a false alarm, but I am still looking into it further. Claude
  8. 1 point
    Hello, I am still checking on it. Claude
  9. 1 point
    Hello! On a computer, HP AdAwareCleaner and Hitman Pro find a large number of pre-installed programs (screen). This is understandable, because the computer is made by HP. But the question is: are these pre-installed programs potentially unwanted, or spyware (and why)? Because they collect information about the user's computer? Do you need these programs on your computer? However, for example, HP Support Assistant checks for and offers driver and software updates on your computer! So are these applications needed on a PC? ☹️ HitmanPro scan.zip
  10. 1 point
  11. 1 point
    Hello all! The EmsiSoft blog https://blog.emsisoft.com/2017/11/17/fileless-malware-attacks/ informs about fileless malware, and that more often in the Windows registry they hit Windows PowerShell and WMI. It is recommended that you turn off PowerShell. But I do not understand how to do this? The above instructions are unclear... On my computer (Windows 7 x64), I cannot find a way to disable this application, only to launch it as a command line! Please tell us more about disabling PowerShell!
  12. 1 point
    There is no official way to accomplish what you want when an account has administrator rights. That being said, you could use various tricks to prevent uninstall. For instance, install EAM using the old InnoSetup-based installer and then delete the uninstaller that's in the EAM folder. Or simply delete the uninstall entry for EAM from the registry after you install it. You could also change the permissions on the EAM folder to prevent deletion of the folder and any files inside, however this may prevent EAM from being able to update, and if any mistakes are made in permissions then EAM may not run correctly and you may not be able to fix it. Needless to say, this method is not really recommended, especially since the drivers and service could still be unregistered leaving EAM completely useless. I'll submit it as a feature request. For now, it should be possible to tell that logging has stopped on a specific workstation, and it should be possible to check the Last Update time/date.
  13. 1 point
    Edit the rules and change them to "Monitored". Although, feel free to follow Amigo-A's advice, and keep PowerShell blocked if you'd like.
  14. 1 point
    The .Adame extension has been used by both Phobos and a Scarab variant. Files encrypted by Phobos will have an .id[<8 random hexadecimal characters>-<id>].[<email>] pattern followed by the .Adame extension, as explained here by Amigo-A (Andrew Ivanov):

    <filename>.<extension>.id[F6593DDC-2275].[[email protected]].Adame
    <filename>.<extension>.id[70C80B9F-1127].[[email protected]].Adame
    <filename>.<extension>.id[AE9AE1C0-2275].[[email protected]].Adame

    If it does not have the .id[<8 random hexadecimal characters>-<id>].[<email>] pattern followed by the .Adame extension, then it is a Scarab variant. Based on infection rates, you are most likely infected with Phobos, which leaves files (ransom notes) named Phobos.hta, Encrypted.txt, Data.hta, info.hta and info.txt.
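    The naming rule in the post above, turned into a check, as an added example that is not part of the original post or of any Emsisoft tool. The sample file names below are constructed, the mailbox part is a placeholder address, and the four-digit suffix after the eight hex characters is inferred from the three samples in the post rather than stated by it.

```powershell
# Added example (not from the original thread): classify a .Adame file name by
# the Phobos naming pattern and look for the Phobos ransom notes named above.
# Assumption: the id block is <8 hex>-<4 digits>, inferred from the samples.

function Get-AdameFamily {
    param([Parameter(Mandatory)][string]$Name)
    # <file>.<ext>.id[XXXXXXXX-NNNN].[<email>].Adame  => Phobos
    $phobos = '(?i)\.id\[[0-9A-F]{8}-\d{4}\]\.\[[^\[\]@]+@[^\[\]]+\]\.Adame$'
    if ($Name -match $phobos)        { return 'Phobos' }
    if ($Name -match '(?i)\.Adame$') { return 'Scarab variant (no Phobos id/email block)' }
    return 'not an .Adame file'
}

function Find-PhobosNotes {
    # Ransom note file names the post attributes to Phobos.
    param([Parameter(Mandatory)][string]$Path)
    $names = 'Phobos.hta', 'Encrypted.txt', 'Data.hta', 'info.hta', 'info.txt'
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |
        Select-Object FullName, LastWriteTime
}

# Constructed sample names (placeholder e-mail address).
$samples = @(
    'budget.xlsx.id[F6593DDC-2275].[mailbox@example.test].Adame',
    'photo.jpg.id[F6593DDC-2275].Adame',
    'photo.jpg.Adame',
    'notes.txt'
)
foreach ($s in $samples) { '{0,-60} {1}' -f $s, (Get-AdameFamily $s) }

# On a real victim machine, also confirm with the ransom notes, e.g.:
# Find-PhobosNotes -Path 'C:\Users' | Format-Table -AutoSize
```

    The first sample is reported as Phobos, the second and third as the Scarab variant (missing e-mail block and missing id block respectively), and the last as not an .Adame file. Pair the name check with Find-PhobosNotes, since the extension alone is shared by both families.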
  15. 1 point
    @JeremyNicoll Hello. Here one can add: "... delete all pre-installed programs without a doubt, except those related to device drivers and auxiliary software for those devices". That way it will be more correct.
  16. 1 point
    @andrey There are plenty of ransomware programs that use Windows PowerShell for their attack and carry it out successfully on a mass scale. Among them, a whole generation is still alive that is either literally called PowerShell Locker Ransomware or takes on new names (like this one), and THIS is still distributed periodically whenever the brute-forced dollars stop singing romances to the crypto-extortionists. If this feature were not included in Windows, they would have to implant something similar to carry out this attack, and that is where behaviour analysis would give them a hard time. If you never use Windows PowerShell yourself, disable this sorry feature, just to be on the safe side.
  17. 1 point
    I agree with you and with Amigo-A, and with GT500! Obviously (I repeat) each user decides what to do.
  18. 1 point
    It is better to answer this question in Russian, since some turns of phrase would be translated incorrectly. All software vendors crave to advance and grow, so observation and tracking (including spying and surveillance, to boot) are their cornerstone. These actions will most likely take the form of collecting information about other software and the user's preferences. It has been that way from the start; without it they would not survive. But this data collection has another, more dangerous side. Most likely these small outfits will be hacked by someone and the customer database will leak, with all the ensuing consequences. Do you need that? No, of course not.
  19. 1 point
    Hello @andrey Your new computer must have up-to-date software and be reliably protected. This is the best solution. When assembling everything in parts is expensive, buying a PC with an OS preinstalled by the manufacturer is more economical. At the same time, if we compare a PC with a house and a guarded private territory, then you should know all the equipment that is used: for water supply, for electricity metering, reliable door locks, video surveillance, etc. It is unlikely that you will use for all this something that is lying in a garbage dump. At the same time, you invite outside specialists whom you trust to install the purchased equipment, or you do everything yourself. You will not entrust this work to unknown people with an unknown reputation, and you will not leave a stranger in your house without keeping an eye on him. It should be the same with software. If the pre-installed programs were installed by the PC manufacturer or its partners, then these are not your partners; these are completely alien people with their own intentions and commercial purposes. You do not know what they installed or what goals they pursued. Therefore, the verdict should be unambiguous: delete all pre-installed programs without a doubt. Your PC is your property, your fortress, your territory; there is no place for strangers here!
  20. 1 point
    FYI: I've split our posts into a new topic so that we are no longer hijacking someone else's topic with an unrelated discussion.
  21. 1 point
    As I keep saying, there is absolutely nothing you can do to stop someone who has administrator access to a computer from removing security software. I don't care if the Anti-Virus can't be "uninstalled" without a password, I could remove it with a batch file. I could also just terminate its running processes, then delete its files, and unregister its drivers and services. It takes very little actual work to remove an Anti-Virus software, even if you don't have permission to do so. We used to have it as well. I think it was removed when we changed how our permissions system works.
  22. 1 point
    @GT500 From the information provided, it can be seen that this applies to Estemani Ransomware, which I discovered and described back in August. Several updates are known, but not all published. Here are a few samples...
    https://www.virustotal.com/gui/file/c2203c894ed7f4daa70a40ceefb4a3a05f16baed2f7a7fbd4d1f922bd6b859aa/detection
    https://www.virustotal.com/gui/file/3d60014bcc1e20033ade8dcd41336b2a8c353104e474b6e27bb9f05d31cce485/detection
    https://www.virustotal.com/gui/file/97f15370088409941f8e7fcf2fe80364ee244874a98151e58c0d273ebcf9397a/detection
  23. 1 point
    PowerShell has a built-in permissions system these days that automatically prevents execution of downloaded scripts. This of course does not prevent an application (or a batch file) from executing PowerShell commands from the command line, so it does not negate all of the dangers of PowerShell, however I don't think this is quite as common as it was when we made that recommendation and it certainly is better understood and detected now than it was back then.
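    What the post above calls the built-in permissions system is the execution policy, and the script below, added here as an illustration rather than taken from the thread or from Emsisoft, shows exactly where that boundary does and does not hold. It writes a throwaway script, stamps it with the Zone.Identifier stream a browser download carries, and then runs it in fresh powershell.exe processes with different arguments. Assumptions: Windows with NTFS and Windows PowerShell 5.1, and no Group Policy pinning the execution policy (a policy set by GPO is the one case where the -ExecutionPolicy switch is ignored).

```powershell
# Added example (not from the original thread): the execution policy only
# gates script *files*, and under RemoteSigned only files marked as coming
# from the Internet. Commands and in-memory code are never checked, and any
# caller can pick its own policy, which is what a batch file or dropper does.
# Assumes Windows PowerShell 5.1 on NTFS; no GPO-enforced execution policy.

$marker = 'script ran'
$work   = Join-Path $env:TEMP 'ep-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$script = Join-Path $work 'payload.ps1'
Set-Content -Path $script -Value "Write-Output '$marker'"

# Simulate a browser download: ZoneId=3 (Internet) in the Zone.Identifier
# alternate data stream is the "Mark of the Web" RemoteSigned looks at.
Set-Content -Path $script -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

function Invoke-Child {
    # Run a fresh powershell.exe with the given arguments; return all output.
    param([string[]]$Arguments)
    $out = & powershell.exe -NoProfile -NonInteractive @Arguments 2>&1 | Out-String
    return $out.Trim()
}
function Test-Ran([string]$Output) {
    if ($Output -like "*$marker*") { 'RAN' } else { 'BLOCKED' }
}

$r = Invoke-Child '-ExecutionPolicy', 'RemoteSigned', '-File', $script
"1. Internet-zone script, RemoteSigned, -File      : $(Test-Ran $r)"   # BLOCKED

$r = Invoke-Child '-ExecutionPolicy', 'Bypass', '-File', $script
"2. Same file, caller passes -ExecutionPolicy Bypass : $(Test-Ran $r)"   # RAN

$r = Invoke-Child '-ExecutionPolicy', 'RemoteSigned', '-Command', "Write-Output '$marker'"
"3. Inline -Command, RemoteSigned                  : $(Test-Ran $r)"   # RAN

$r = Invoke-Child '-ExecutionPolicy', 'RemoteSigned', '-Command', "Invoke-Expression (Get-Content -Raw '$script')"
"4. File read and fed to Invoke-Expression         : $(Test-Ran $r)"   # RAN

Unblock-File -Path $script   # removes the Zone.Identifier stream
$r = Invoke-Child '-ExecutionPolicy', 'RemoteSigned', '-File', $script
"5. Same file after Unblock-File, RemoteSigned     : $(Test-Ran $r)"   # RAN

Remove-Item -Path $work -Recurse -Force
```

    Only case 1 is stopped, and only because the file is both unsigned and marked as downloaded. Cases 2 to 5 are the paths the post refers to when it says an application or batch file can still run PowerShell commands: the policy is a per-process setting, not a security boundary, so blocking powershell.exe itself (as the thread's behaviour-blocker rules do) or monitoring what it is handed is what actually changes the picture.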
  24. 1 point
    The programs that computer manufacturers pre-install are based on corporate contracts. Not all of those programs are free from annoyances or other potentially unwanted behavior. Many technicians will remove OEM software from new computers when they set them up for a client for this reason.
  25. 1 point
    I'm fairly certain that the password isn't required for an administrator (it's intended to grant admin rights for limited users). This, of course, would depend on how the permissions in EAM are configured (you can configure them so specific users or groups have limited permissions, regardless of the permissions they have in Windows). As for uninstalling, that's a matter of permissions in Windows. An administrator can remove anything they want to. If you try to block the uninstall, then they can just manually remove the software. You literally cannot prevent it. Is it not possible to teach them how to add exclusions?
  26. 1 point
    Limited user accounts in Windows can't install or uninstall software. If you don't want someone to be able to uninstall your security software, then you should keep a single account with administrator rights that is protected by a reasonably secure password, and then all other accounts (including the one you normally log in with) should be limited accounts.
  27. 1 point
    My PC also got infected with this same .reco extension just now... did you get any solution? Please share if any.
  28. 1 point
    It's supposed to be that way when Windows is running in Safe Mode (after all, if you forget your password, you need to have a way to regain control). I'll ask if we've changed this functionality.
  29. 1 point
    It's physically impossible to prevent an attacker from removing security software. Once they're in the system, and have admin rights, they have full control. They can terminate any process, delete any file, disable any startup entry, etc. This is one of the reasons why it is imperative to prevent an attacker from getting in to the system in the first place. EAM does have self-protection that can prevent automated removal of its components, however this will only stop an infection, and won't stop someone who's remotely accessing the system. BTW: If you configure an admin password for Emsisoft Anti-Malware, it won't allow someone to uninstall it without the password while Windows is running normally.
  30. 1 point
    Ransomware infections are unique in many ways. Most importantly, a lot of the natural instincts which are usually correct when dealing with malware infections can make things worse when dealing with ransomware. Please see the following steps as a guideline when dealing with your ransomware infection.

    Do not delete the ransomware infection
    The natural instinct of most users is first to remove the infection as quickly as possible. This instinct is, unfortunately, wrong. In most cases, we will require the ransomware executable to figure out what exactly the ransomware did to your files. Finding the right ransomware sample becomes infinitely more challenging when you have deleted the infection and can't provide us with the ransomware. It is okay to disable the infection by disabling any autorun entries pointing to it or by quarantining the infection. However, it is important not to delete it from quarantine or to remove the malicious files right away without a backup.

    Disable any system optimisation and cleanup software immediately
    A lot of ransomware will store either itself or necessary files in your temporary files folder. If you do use system cleanup or optimisation tools like CCleaner, BleachBit, Glary Utilities, Clean Master, Advanced SystemCare, Wise Disk/Registry Cleaner, Wise Care, Auslogics BoostSpeed, System Mechanic, or anything comparable, disable those tools immediately and make sure there are no automatic runs scheduled. Otherwise, these applications may remove the infection or necessary ransomware files from your system, which may be required to recover your data.

    Create a backup of your encrypted files
    Some ransomware has hidden payloads that will delete and overwrite encrypted files after a certain amount of time. Decrypters may also not be one hundred percent accurate, as ransomware is often updated or simply buggy and may damage files in the recovery process. In those cases, an encrypted backup is better than having no backup at all. So we urge you to create a backup of your encrypted files first, before doing anything else.

    Server victims: Figure out the point of entry and close it
    Especially recently we have seen a lot of compromises of servers. The usual way in is by brute-forcing user passwords via RDP/Remote Desktop. We firmly suggest you check your event logs for a large number of login attempts. If you find such entries, or if you find your event log to be empty, your server was hacked via RDP. It is crucial that you change all user account passwords immediately. We also suggest disabling RDP if at all possible, or at least changing the port. Also, it is important to check all the user accounts on the server, to make sure the attackers didn't create any backdoor accounts of their own that would allow them to access the system later.

    Figure out what ransomware infected you
    Last but not least, it is important to determine what ransomware infected you. Services like VirusTotal, which allows you to scan malicious files, and ID Ransomware, which lets you upload your ransom note and encrypted files to identify the ransomware family, are incredibly useful, and we will probably end up asking you for the results of either of these services. So by providing them right away, you can speed up the process of getting back your files.

    If you struggle with any of these points, please feel free to ask for help. Our ransomware first aid service comes with no strings attached and is free for both customers and non-customers.
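    The server checks in the guide above (failed logon volume, a cleared log, accounts the attacker may have added, and the current RDP exposure), as an added read-only triage script that is not part of the original post or of any Emsisoft tool. Assumptions: it runs elevated on the affected Windows server under Windows PowerShell 5.1, and the $Days and $FailThreshold values are illustrative defaults chosen here, not figures from the post.

```powershell
# Added example (not from the original thread): triage a Windows server
# suspected of the RDP brute force described in the post. Read-only.
# Assumes elevated Windows PowerShell 5.1 on the affected server.
# $Days / $FailThreshold are illustrative defaults, not from the post.
param(
    [int]$Days = 7,
    [int]$FailThreshold = 50
)
$since = (Get-Date).AddDays(-$Days)

function Get-EventData {
    # Return the named <Data> fields of a Security event as a hashtable,
    # so the script does not depend on positional Properties[] indexes.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-SecurityEvents([int]$Id) {
    # An empty result (log cleared, auditing off) must not abort the triage.
    @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$Id; StartTime=$since} -ErrorAction SilentlyContinue)
}

# 1) Log clearing. 1102 is written by the act of clearing, so a wiped log
#    normally still carries it; an empty log with no 1102 is suspicious too.
$cleared = Get-SecurityEvents 1102
if ($cleared.Count -gt 0) {
    Write-Warning "Security log cleared $($cleared.Count) time(s); most recent $($cleared[0].TimeCreated)"
}

# 2) Failed logons (4625). LogonType 10 = RemoteInteractive (RDP); type 3 is
#    what NLA produces before a session exists, so count both.
$failures = @(foreach ($e in Get-SecurityEvents 4625) {
    $d = Get-EventData $e
    if ($d.LogonType -in @('3', '10')) {
        [pscustomobject]@{ Time = $e.TimeCreated; User = $d.TargetUserName; Ip = $d.IpAddress }
    }
})
Write-Output "Failed network/RDP logons in the last $Days days: $($failures.Count)"
$failures | Group-Object Ip | Where-Object Count -ge $FailThreshold | Sort-Object Count -Descending |
    Select-Object @{n='SourceIp'; e={$_.Name}}, Count,
                  @{n='DistinctUsers'; e={@($_.Group.User | Select-Object -Unique).Count}} |
    Format-Table -AutoSize

# 3) Successful RDP logons (4624, type 10): the moment a brute force paid off.
foreach ($e in Get-SecurityEvents 4624) {
    $d = Get-EventData $e
    if ($d.LogonType -eq '10') {
        Write-Output ("RDP logon OK: {0} {1}\{2} from {3}" -f $e.TimeCreated, $d.TargetDomainName, $d.TargetUserName, $d.IpAddress)
    }
}

# 4) Candidate backdoor accounts: created (4720) or added to a local group (4732).
foreach ($e in Get-SecurityEvents 4720) {
    $d = Get-EventData $e
    Write-Warning "Account created $($e.TimeCreated): $($d.TargetUserName) by $($d.SubjectUserName)"
}
foreach ($e in Get-SecurityEvents 4732) {
    $d = Get-EventData $e
    Write-Warning "Group change $($e.TimeCreated): $($d.MemberName) ($($d.MemberSid)) added to $($d.TargetUserName) by $($d.SubjectUserName)"
}

# 5) Accounts that exist right now, to compare against the events above.
Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
    Select-Object Name, Disabled, PasswordRequired, SID | Format-Table -AutoSize

# 6) Current RDP exposure: enabled flag and listening port.
$ts   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$port = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber
Write-Output ("RDP enabled: {0}; TCP port: {1}" -f ($ts.fDenyTSConnections -eq 0), $port)

# Containment, deliberately left commented out (do it after all passwords
# are changed, and only if RDP is not needed, as the post advises):
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
```

    Run it before changing anything; the output (source IPs with their attempt counts, any successful type 10 logons from those IPs, and any 4720/4732 events) is what you want to keep alongside the ransom note and the sample when asking for help. Changing the RDP port, as the post suggests, is the PortNumber value read in step 6; keep in mind it only reduces noise from mass scanners, not targeted attempts.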
  31. 1 point
    Hi! You mean this is it? Components of Windows? But there is no PowerShell there.