Popular Content

Showing content with the highest reputation since 11/21/18 in Posts

  1. 3 points
    It means that the tests done by AV-C and AV-T have a clear image of how they think AV software should work. The problem arises when your product doesn't fit the mould. Then you get penalized for not doing what everyone else does, even though what everyone else does may not be in the best interest of the user to begin with. Best example: snooping around in your encrypted connections, which literally every AV vendor has screwed up at least once in the past and which will probably continue to happen, exposing users to potentially greater risks than most malware does.

    For starters, the test sets aren't nearly as representative anymore. When we participated, AV-T and AV-C both tested with fewer than 200 samples a month on average. 200 samples out of literally tens of millions. The exact selection isn't clear and isn't representative of what users deal with either. None of them tests with PUPs, for example, even though a simple look at any tech support community will tell you that it is probably by far the biggest problem users are dealing with.

    So no, neither of those test scores represents real-life performance, and it becomes blatantly obvious when you go to places like Bleeping Computer, GeeksToGo, Trojaner Board, Malekal, and all those other communities where people infected by malware show up for help, and look at what products these victims used at the time they became infected. Then you will notice that a lot of these products with perfect scores don't look nearly as perfect in real-life conditions.

    The reason for this discrepancy is quite simple: most AV vendors will specifically optimise their products for these tests. The most severe cases are where vendors end up outright cheating and detecting the test environments, which then results in a change of behaviour of the product (think Dieselgate, but with anti-virus). But there are many ways you can game these tests. For example:
    - You can try to figure out the threat intel feeds the companies use, then just buy those same threat intel feeds so you have all samples in advance.
    - You can track their licenses and supply different signatures to them, or use your cloud to treat those test systems differently.
    - Some particularly shady organisations literally also sell you their sample and malicious URL feed, so you can just outright buy the samples and URLs your product will get tested on later.

    What you end up with as a result is a product that is optimised really, really well for the exact scenario they are being tested under, using the exact type of URLs and samples these testers use, but that is utterly useless when it comes to anything else. We just really don't want to create this type of product. So when we were asked whether we wanted to continue to participate this year, we discussed the matter internally, looked at what we get out of these tests (meaning: whether these tests have a discernible impact on our revenue) and decided that they are simply not worth it and that the tens of thousands of Euros we spent on them every year would be better spent on extending our team and building new ways of keeping our customers safe.
  2. 1 point
    Offline keys almost always end in t1 with the only exceptions being a few early variants from roughly a year ago.
  3. 1 point
    This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you will be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  4. 1 point
    This question is better answered in Russian, since some turns of phrase would be mistranslated. All software businesses crave growth and expansion, so observation and tracking (including spying and surveillance, for good measure) are at the top of their agenda. These activities will most likely take the form of collecting information about other software and about the user's preferences. It has been this way from the start; without it they cannot survive. But this data collection has another, more dangerous side. Most likely these small outfits will get hacked by someone and the customer database will leak, with all the consequences that follow. Do you need that? No, of course not.
  5. 1 point
    The programs that computer manufacturers pre-install are based on corporate contracts. Not all of those programs are free from annoyances or other potentially unwanted behavior. Many technicians will remove OEM software from new computers when they set them up for a client for this reason.
  6. 1 point
    The GUI in EAM doesn't display how many days remain on your license key when you have a subscription license (this type of license key isn't considered to have an expiration date since it will auto-renew). You should be able to see when it will automatically renew in My.Emsisoft.
  7. 1 point
    It looks as if you have a subscription licence that will auto-renew when the licence expires, which is why it shows 'abonnement' under status. What does it show on the overview screen? My licence is a fixed 1-year licence and the overview screen shows that my licence ends in 189 days. I don't know if you're able to do this, but if I hover the mouse over the '189 days' green text, the tooltip shows the licence end date; perhaps yours just shows 'abonnement'? Failing that, as your licence is a subscription, maybe you can determine when it's due for renewal by checking the email that you would have received when you ordered it?
  8. 1 point
    Malware scans look for files whose contents are known/suspected to indicate that they are malicious. On the other hand, the Behaviour Blocker looks at what a program/file seems to be doing /once it is actually running/. A file can look innocent to a malware scan but, once run, do something that might be suspicious. In your case the BB is telling you that lots and lots of installs are being attempted.

    The BB alerts are all because a "hidden installation" is being attempted, that is, an "MSI" file (which is a standard Microsoft installer file) is being run. Maybe the file you downloaded was named "something.msi". If so, it is not itself executable, but is read and processed by the parts of Windows that understand MSI files. It looks as if either this particular .MSI file first unpacks itself to create many temporary files, named MSIxxxx.tmp, and then uses those, or, as you say, maybe downloads a set of MSIxxxx.tmp files and uses them. Either way, the sheer quantity of them is, perhaps, dubious.

    If any program in Windows wants to create a temporary file, perhaps by unzipping or unpacking a container of files (or by downloading some), it is likely to put them in a folder whose purpose is to hold temporary files. Its name depends on the version of Windows you are running and your userid. It has a symbolic name TEMP (or %TEMP%) so that programs can refer to it without knowing what its full name is on your system. If you open a File Explorer window, put the caret in the file/folder-name area at the top (which looks a bit like a URL bar in a browser), type %TEMP% and hit Enter, the temporary files folder for your userid will be opened. On my W8.1 system, if my userid were Fred, it would be named: "C:\Users\Fred\AppData\Local\Temp". There are other temporary file folders in Windows...

    If an installer running under an Admin id (i.e. with UAC permission) creates temporary files, they will probably be put in a different folder: a similar folder name, but with the Admin id's name in place of "Fred", e.g. "C:\Users\TheNameOfTheAdminId\AppData\Local\Temp". I am not sure that it's safe for you to try to exclude some folders from monitoring by the behaviour blocker; it might be a way to reduce or stop these alerts, but done incautiously it can also stop alerts coming from any malicious software that's also managed to come to roost in that folder, and it's a very likely folder for iffy things to end up in.
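The post above describes where an installer drops its MSIxxxx.tmp files and why their number is worth a look. As an added example that is not part of this thread and not Emsisoft code, the script below resolves the TEMP folder the same way Explorer does with %TEMP%, lists every file matching the MSIxxxx.tmp pattern directly inside it, and reports size, whether the file starts with the "MZ" PE header (many of these temp files are DLLs the installer extracts), and its SHA-256 so the files can be submitted for analysis instead of being guessed about. The exact name pattern (MSI plus up to four hex digits) and the sample files created by build_sample_temp_dir() are assumptions and constructed test data, not real installer output.

```python
"""Enumerate MSIxxxx.tmp files in a Windows-style TEMP folder and report
size, PE-header presence and SHA-256 so they can be submitted for analysis.
Added example for this thread; not Emsisoft code."""
import hashlib
import os
import re
import tempfile

# Assumed naming pattern for Windows Installer temp files:
# "MSI" + up to four hex digits + ".tmp", e.g. MSI1A2B.tmp.
MSI_TMP_RE = re.compile(r"^MSI[0-9A-Fa-f]{1,4}\.tmp$", re.IGNORECASE)


def temp_dir() -> str:
    """Resolve %TEMP% like Explorer does; fall back to the platform default."""
    return os.environ.get("TEMP") or tempfile.gettempdir()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def describe_file(path: str) -> dict:
    """Size, SHA-256 and whether the file starts with the 'MZ' PE magic."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "name": os.path.basename(path),
        "size": len(data),
        "is_pe": data[:2] == b"MZ",
        "sha256": sha256_hex(data),
    }


def scan_temp_dir(directory: str) -> list:
    """Describe every MSIxxxx.tmp file directly inside `directory`,
    sorted by name. Files that do not match the pattern are ignored."""
    found = []
    for entry in os.scandir(directory):
        if entry.is_file() and MSI_TMP_RE.match(entry.name):
            found.append(describe_file(entry.path))
    return sorted(found, key=lambda d: d["name"])


def build_sample_temp_dir() -> str:
    """Constructed sample data (not real installer output): one fake
    DLL-like MSI temp file, one non-PE one, and an unrelated file."""
    d = tempfile.mkdtemp(prefix="msi-demo-")
    samples = {
        "MSI1A2B.tmp": b"MZ\x90\x00" + b"\x00" * 60,
        "MSI9.tmp": b"just text, not a PE\n",
        "notes.txt": b"unrelated\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    target = temp_dir()
    hits = scan_temp_dir(target)
    print(f"{len(hits)} MSI*.tmp file(s) in {target}")
    for h in hits:
        flag = "PE" if h["is_pe"] else "--"
        print(f"{flag} {h['size']:>8} {h['sha256']} {h['name']}")
```

Run it as the user whose TEMP folder you want to inspect; files dropped by an elevated installer land in the admin account's TEMP, as the post notes, so run it from that account (or point scan_temp_dir at that path) to see them. The hash list is what a support helper or VirusTotal can act on.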
  9. 1 point
    The ransomware needs a decryptor.... They removed the shadow volume copies, so you won't be able to restore, and they also encrypt the original file, so there is no point in using a data recovery tool. Please suggest.
  10. 1 point
    Hello, please try with the firewall fully enabled and with it disabled, if of course you haven't already tried that, since on the screenshots you sent I saw the firewall fully enabled and partially enabled. We will also need debug logs.
    1. Please open the Emsisoft program itself.
    2. In the menu on the left select "Settings" (Настройки).
    3. Go to the "Other" (Прочие) tab.
    4. At the bottom of that block find the very last line, "Advanced logging" (Расширенное ведение отчётов). Select "Enable for 1 day".
    5. Go to the main menu by selecting "Overview" (the "Home" icon) in the menu on the left, or simply close the Emsisoft window.
    6. Reproduce the problem you encountered a couple of times. The error must actually occur so that it is recorded in the logs; otherwise they are useless.
    7. After that, go to the folder c:\programdata\emsisoft\logs\, collect all the logs in that folder and send them to me in a private message.
    8. Since advanced logging can slow the application down, you can turn it off manually right after collecting the logs. Otherwise the program will turn the option off by itself after a day (if you chose "Enable for 1 day").
    FRST logs will also be extremely useful: you can download Farbar Recovery Scan Tool (FRST) from the following link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ Note: you need to download the version compatible with your operating system.
    1. Download the compatible version of FRST and run the program.
    2. When it opens, click "Yes" to continue.
    3. Make sure the "Addition.txt" checkbox at the bottom right is ticked.
    4. Click the "Scan" button.
    5. Wait for the process to finish.
    6. When the scan finishes, it saves the logs in a text document named "FRST" in the same location you ran the program from (if you saved FRST on your Desktop, the "FRST" log will be saved there as well).
    7. Attach the "FRST" log file in reply to this message.
    8. In the same folder there will be an "Addition" log. Attach that file too and send it to me in a private message.
  11. 1 point
    DrWeb can decrypt some files that STOP-Decrypter cannot decrypt, only in another way. Only .pdf encrypted files and all the Office documents (.doc, .xls, .docx, .xlsx, .ppt, .pps, etc.). Unfortunately, this way cannot decrypt photo, video, audio and many files with other extensions. If the free test decrypt of these files is successful, the fee requested by Dr.Web experts is 150 EUR for the Rescue Pack (personal decryptor + 2-year Dr.Web Security Space protection). There is no alternative to receiving this service. If the test decrypt fails, no payment will be required. Tell me if this way suits you and I will let you know what files you need to collect for this. I do not participate in this process and do not provide any help except this information. I have no financial benefit and am not involved in this decryption service at all.
  12. 1 point
    Some info on this here, andrey: https://borncity.com/win/2019/08/14/windows-updates-kb4512506-kb4512486-drops-error-0x80092004/ Do you have KB4474419 and KB4490628 installed?
  13. 1 point
    Ach, so they are. I just c&p them out of the OP's report and looked them up separately. I wonder why the OP had two copies?
  14. 1 point
    Hello, the main causes of laptop random reboots, listed in order, are:
    - Heat
    - Faulty hardware
    - Faulty drivers
    - Software crashes
    - Malware
    Your logs show no malware. Also, I see no crash dumps in the FRST logs. The Event log shows that Chrome is misbehaving and an Intel driver is crashing. There is an Alternate Data Stream that should be removed. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version, please download and run the updated version.
  15. 1 point
    That's not encouraging... Hopefully someone from Emsi will come along and explain. It seems to me that there are three issues: first, whether or not, with 'Paranoid' being set, files are being scanned as they are downloaded. I'd certainly have hoped so; if not, we need an "even more Paranoid" setting... Secondly (if files are being scanned on download): why is a scan-on-download not making the same detection as a custom scan later on? Downloading files is surely the main way that most of us get potential malware, so a scan then should be as thorough/rigorous as possible. Thirdly, the Behaviour Blocker's behaviour. If all you've let the installer do is start and display its splash screen, then it probably hasn't yet done anything that the blocker would think is suspicious, so no BB alert is fair enough. (I'm not suggesting you should let it do more if you think it is dodgy.) I don't think/know that the fact that the installer is running with Admin privilege is relevant. I /hope/ that malicious software running under Admin auth is blocked when it actually does do something dodgy.
  16. 1 point
    Asdu374idfg68O9eTFDNbn8z2O956vweaL1v2GY5gvWBYMKcmt1 It looks like an online key with which decoding is not yet possible.
  17. 1 point
    I expect that's not possible, because EAM requires Windows to be running, and what's more it might need to be Windows on amd/intel cpus. What cpu and OS does the TV run?
  18. 1 point
    I have the same thing, but instead of a .txt file it's an HTML Application (.hta). Here is the SendSpace link https://www.sendspace.com/filegroup/sRHSwJySqZ3cXRFJlc5CJQ Here are a few more files if you need to look at them https://www.sendspace.com/filegroup/hxqKfEGN6R7TeHM5QosANw4RRiK2jD1hr%2BCvM9fMngsru26QlocERasGfm6BgXzr0wo1k6OBXuOKTginvVxsBA
  19. 1 point
    All Emsisoft decrypters https://www.emsisoft.com/decrypter/ There will be a message in my article if I am lucky enough to live to see such a significant event.
  20. 1 point
    Hi Damaxx, can you share the decryptor? I want to try whether it will work for my files or not.....
  21. 1 point
    Do the following: Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
    2019-06-25 15:25 - 2019-06-25 15:25 - 000000000 _D C:\Users\klime\Desktop\umowy
    2019-06-24 19:00 - 2019-06-24 19:27 - 000000000 __D C:\Users\klime\AppData\Roaming\vrguqgoqzs
    2019-06-24 15:59 - 2019-06-24 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\tmumh
    2019-06-24 15:59 - 2019-06-24 15:59 - 000000000 ____D C:\WINDOWS\system32\tmumh
    2019-06-20 22:15 - 2019-06-20 22:15 - 000000048 ____H C:\Program Files (x86)\k5wlusm0mk.dat
    2019-06-18 11:55 - 2019-06-18 11:55 - 000001024 C:\WINDOWS\SysWOW64\%TMP%
    ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> Brak pliku
    ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> Brak pliku
    ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> Brak pliku
    ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> Brak pliku
    ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> Brak pliku
    Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version, please download and run the updated version.
  22. 1 point
  23. 1 point
  24. 1 point
    EAM doesn't work on XP or Vista now. System requirements are: Windows 7/8.1/10, 32 & 64 bit.
  25. 1 point
    Hello and thanks for the enquiry. Many thanks also for the support, @eric cartman. Perhaps as an addendum, a pointer to the overview of product updates: https://blog.emsisoft.com/de/category/emsisoft-neuigkeiten/produkt-updates/
  26. 1 point
  27. 1 point
    [!] No keys were found for the following IDs:
    [*] ID: kdKoug7mCqSlGVQyBnLCBiCVzGFqKASgYnaVFcph (.roldat )
    Please archive these IDs and the following MAC addresses in case of future decryption:
    [*] MAC: 8C:16:45:3D:C1:B6
    [*] MAC: B2:FC:36:27:0F:23
    [*] MAC: B0:FC:36:27:0F:23
    [*] MAC: B0:FC:36:27:0F:23
    [*] MAC: B0:FC:36:27:0F:24
    This info has also been logged to STOPDecrypter-log.txt
  28. 1 point
    mario.rossi Today the STOPDecrypter has been updated with support for the .dutan extension https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip Try decrypting some files first, making a copy of them for testing.
  29. 1 point
    Some of them may be recoverable. I've asked the creator of STOPDecrypter whether or not he's already seen your post here. If he has, I imagine he's already contacted you. If he hasn't, then he may still contact you once he has a chance to look over your information. His screen name on our forums is Demonslay335.
  30. 1 point
    You are dealing with two different ransomware. ID Ransomware picked up on the "second layer" of STOP Djvu with the .adobe extension. No way to determine what the first ransomware was without the malware or ransom note from it. Support topic for STOP Djvu: https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/
  31. 1 point
    OK. Let us know if you're able to recover anything, that way we know whether or not to continue recommending trying file recovery software.
  32. 1 point
    The cheapest option for you would be the 3-PC license key, even if you only have 2 computers. You're not required to have a 3-PC license key though, so if you prefer to buy two 1-PC license keys (one for each computer) then feel free to do so, however note that the total cost of doing so is usually more than a 3-PC license key.
  33. 1 point
    Hi Gawg Thanks for your comments. I'll try a reboot first when future problems arise.
  34. 1 point
    You can technically just remove all entries from your hosts file using Notepad. Just delete everything except the " localhost" entry if there is any. Lines starting with "#" are comments, by the way.

    Pretty much. We are not an ad blocker, no. You use uBlock Origin, which is pretty much the best ad blocker you can get. So you are well covered in that area already.

    Correct. When you try to click the link, it will block access to the site. But I do understand that a lot of people would like to know before they click, which is why we are considering adding it. Interestingly enough, WOT got in trouble for the very same thing that some AVs are doing with their extension.

    You can always set up your own DNS server locally or in a cheap VPS box online. DNS can also be tunneled via various secure protocols (DNS-over-HTTPS, for example). Those use methods that provide k-anonymity. Firefox in addition also sends "fake" requests, if I remember correctly, so the hoster of the block list does not know whether that was a website you actually surfed to or a random request. If you are so concerned, just host your own VPN. Get a cheap VPS with bitcoin at njal.la, for example, host OpenVPN and your own DNS server on it and there will be no link between you and the VPS. It's serious overkill though.
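The hosts-file cleanup described in the post above is easy to get wrong by hand, because malware likes to hide a "127.0.0.1 update.vendor.example" line among legitimate-looking ones. As an added example that is not Emsisoft code and not part of this thread, the script below applies exactly the rule the post gives: comment lines (starting with "#") and blank lines are kept verbatim, a loopback address mapped only to localhost is kept, and every other mapping is removed and reported. The allowed localhost names, the documentation-range IP and the example hostnames in SAMPLE_HOSTS are constructed for the demonstration; the real file on Windows lives at C:\Windows\System32\drivers\etc\hosts and needs an elevated editor to write.

```python
"""Keep only comments and loopback->localhost lines in a hosts file.
Added example for this thread; not Emsisoft code."""
import ipaddress
import sys

# Names allowed to survive on a loopback line (assumed list).
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts_line(line: str):
    """Return (ip, [names]) for a mapping line, or None for a blank or
    comment line. Text after an inline '#' is ignored."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    return parts[0], parts[1:]


def is_local_entry(ip: str, names) -> bool:
    """True only for a loopback address mapped exclusively to localhost names.
    '127.0.0.1 evil.example.com' is a block/redirect entry, not a local one."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback and bool(names) and all(
        n.lower() in LOCAL_NAMES for n in names
    )


def clean_hosts(text: str):
    """Return (cleaned_text, removed) where removed lists (ip, names) for
    every mapping that was dropped."""
    kept, removed = [], []
    for line in text.splitlines():
        parsed = parse_hosts_line(line)
        if parsed is None:
            kept.append(line)          # comment or blank line: keep verbatim
            continue
        ip, names = parsed
        if is_local_entry(ip, names):
            kept.append(line)
        else:
            removed.append((ip, names))
    return "\n".join(kept) + "\n", removed


# Constructed sample, not a real infected file: the usual header comments,
# the localhost lines, and three entries of the kind malware adds (blocking
# a vendor site, blocking its updater, redirecting a bank to 203.0.113.7).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
0.0.0.0         www.example-vendor.test
127.0.0.1       update.example-vendor.test   # added by something unwanted
203.0.113.7     www.example-bank.test
"""


if __name__ == "__main__":
    # Dry run: pass a path to inspect a real hosts file, else use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_HOSTS
    cleaned, removed = clean_hosts(source)
    for ip, names in removed:
        print(f"would remove: {ip} -> {' '.join(names)}")
    print("---- cleaned file ----")
    print(cleaned, end="")
```

The script only prints; review the "would remove" list before overwriting the real file, because a deliberate entry of your own (a test host, a blocked telemetry domain) is indistinguishable from a malicious one to this rule.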
  35. 1 point
    The Behavior Blocker will catch the payload. While it does have some exploit protection, it isn't intended to provide a full range of exploit protection, and thus will only catch certain exploits.
  36. 1 point
    See here.. https://support.emsisoft.com/topic/30508-build-9204/?tab=comments#comment-190523
  37. 1 point
    With notifications turned on in the EAM settings I was offered the option to install it via clicking on the slide info. (No need to have a Microsoft account to get this from the store, in case anyone is wondering.) Installed and running.
  38. 1 point
    Hello Wolfgang, thank you very much for contacting our support. An infection through the official version of VLC Player during installation or during an update should be something we can rule out. You mentioned Chip, but I gather from your post that you did not use the Chip installer when you installed VLC Player? As you have already noticed, one could say it makes it easy to install other things besides the program you actually wanted to download. Programs should therefore always be obtained directly from the vendor; that should rule out such incidents, and if an infection is ever found in official software, trustworthy vendors should also make sure that all users are informed. If a platform like Chip.de is to be used to obtain software, I would personally recommend looking for a "Manuelle Installation" link; that downloads the vendor's installer, and not the Chip installer through which, e.g., VLC Player would then in turn be downloaded and installed on the system. A simple recipe for cleaning a system that works for everyone and in all cases probably cannot be found. The guide that @onegasee59 kindly mentioned, for instance, has already been put into a very usable format. We are happy to help you with a manual clean-up; please let me know if you would like instructions for creating the log files we need in order to support you. If software was obtained from a vendor you trust, one should be able to assume that update prompts are legitimate when they clearly originate from that program.
    Behaviour violations, i.e. actions that a program suddenly wants to perform on the system, can be detected by security software, for example with a technology like our behaviour analysis, provided no exclusion rule has been created for the program. One should take a closer look at the system; we are glad to help you with that, but unfortunately we cannot offer instructions that would work for everyone. No answer can be given to that without first having taken a closer look at the system. For that, various tools are used which list detailed information about the state of the system and about various important areas of it. Then either further checks have to be made with other tools, or the information is used to remove the malware found on the system in a targeted way. I am sorry that my answers cannot be more specific for you and that I cannot offer instructions that would immediately help many users in a simple way. I remain at your disposal for your questions and concerns.
  39. 1 point
    Hello Jonathan. It looks like a translation file didn't update itself properly, and the restart reloaded it. Thank you for following up!
  40. 1 point
    I have received 2 phone calls regarding this issue. Is this legitimate?
  41. 1 point
    I just got this also. Windows 10 Pro. Pale Moon,Firefox & Chrome installed. Chrome default
  42. 1 point
    My computer was also infected by .udjvu and all files were encrypted. My wife is a Teacher and all her documents are now encrypted by .udjvu My only option is to install a new Hard Disc on the computer and make a fresh start. I will keep the encrypted Hard Drive in case someone in the future manages to decrypt .udjvu Please let us know if something comes up. Thanks, Andreas. _openme.txt DSC01680.JPG.udjvu DSC01682.JPG.udjvu
  43. 1 point
    Well, it has happened, though not at start-up. This morning, I was using my EliteBook, which has the current stable version 2018.11.0.9073 (it was never switched to the beta feed), and around 10:40 CET decided it was time for a break. On returning, noted that the screen was black. First assumption was that it was in sleep but the power button was illuminated constantly, not blinking. Couldn't get any response so invoked a BSOD at about 11:08. On restarting, saw (as expected) that a2service.exe had bombed at 10:58:11. So, should I send the dump? Sadly, there are no debug logs. Ironically, the morning's work was documenting a UI problem and I had temporarily turned off debugging to be able to copy the logs after my break. I still have a dump taken when using 2018.11.0.9073 beta on my Dell stationary. It occurred (2018-12-05) when I set my printer preferences to 'duplex' to print a document. Would that be of any use, or can I delete it?
  44. 1 point
    Please upload an encrypted file or ransom note to ID-Ransomware and copy/paste the results here for one of the experts to look at. https://id-ransomware.malwarehunterteam.com
  45. 1 point
    In this case I don't think VirusTotal would have shown us detecting it if you did the URL scan, but if you did a search for the domain then you'd get to see a list of scanned files at that domain (among other things): https://www.virustotal.com/#/domain/img1.wsimg.com VirusTotal doesn't always show us detecting a malicious URL, even when it's in our database and EAM detects it. Our malware analysts have noticed this as well, however we're not sure why it happens.
  46. 1 point
    Then you should already know how to get them.
  47. 1 point
    I would believe our developers are still looking into it; however, thus far we have been assuming it is an issue with Windows 10, since certain Windows tools still read the firewall status correctly.
  48. 1 point
    We're aware of the issue. Some parts of Windows 10 seem to detect that Emsisoft Internet Security's firewall is active, and some do not.
  49. -1 points
    I would rather have "broken sites" than trackers. Easy to allow them, if needed. Only reason I stay with EAM is "SURF-PROTECTION" Can't use your extension. Will not upgrade to the latest Firefox, and will never use Chrome or Edge browsers.
  50. -1 points
    "We are hiding the built-in hosts for the same reason as we hide signatures. This is internal stuff and has no added value for users." No value for dummies, is this what you think your users are?😒 I remember when OS Armor was bought out by you, the owner said it would be the greatest piece of software, WRONG! Man, how can you wreck a piece of software. Sorry, but that's the truth.