Popular Content

Showing content with the highest reputation since 03/29/19 in all areas

  1. 3 points
    Link to decrypter download page.
    Link to instructions for using the decrypter (PDF).
    Link to "file pair" submission form.
    Link to more information about the decrypter. <- Article at BleepingComputer.com
    Link to more detailed information about STOP ransomware (covers more than just STOP/Djvu). <- Forum post at BleepingComputer.com

    How do I remove the ransomware?
    The STOP/Djvu decrypter will stop the ransomware from running so that it can't continue encrypting your files, however it doesn't completely remove the ransomware. Most Anti-Virus software will detect STOP/Djvu if you run a scan for it, however if you don't have Anti-Virus software installed then you can run a Malware Scan with Emsisoft Emergency Kit (free for home/non-commercial use). Note that formatting the hard drive and reinstalling Windows will also remove the infection, however this ransomware is particularly easy to remove, so if a computer is only infected with STOP/Djvu then formatting the drive would be unnecessary.

    Will removing the infection unlock my files?
    No. Your files are encrypted. This encryption needs to be reversed (via a process called "decryption") before your files will be usable again. This encryption cannot be removed or undone simply by removing the STOP/Djvu ransomware infection.

    The decrypter can't decrypt my files?
    In most cases this means you have an online ID. It could also mean your files were encrypted by a newer variant of STOP/Djvu. See below for explanations.

    Why won't the decrypter run?
    The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again.

    Why is the decrypter stuck on "Starting"?
    When you run the decrypter, it looks for encrypted files. It will say "Starting" until it is able to find some. If the decrypter remains stuck on "Starting" for a long period of time, then this means it is unable to find any encrypted files.

    Offline ID. When the ransomware can't connect to its command and control servers while encrypting your files, it uses a built-in encryption key and a built-in ID. Offline ID's generally end in t1 and are usually easy to identify. Since the offline key and ID only change with each variant/extension, everyone who has had their files encrypted by the same variant will have the same ID and the files will be decryptable by the same key (or "private key" in the case of RSA encryption).

    Online ID. In most cases the ransomware is able to connect to its command and control servers when it encrypts files, and when this happens the servers respond by generating random keys for each infected computer. Since each computer has its own key, you can't use a key from another computer to decrypt your files. The decrypter is capable of working around this with older variants as long as it has some help, however for newer variants there is nothing that can be done to recover files.

    Old Variants. Old variants were those in distribution until near the end of August, 2019. Our decrypter supports offline ID's for almost all older variants, and can decrypt files for those with offline ID's without needing any help. For online ID's, it's necessary to supply file pairs to our online submission form so that the decrypter can be "trained" how to decrypt your files. A list of extensions from older variants can be found at the bottom of this post.

    New Variants. These use a more secure form of RSA encryption. Support for some offline ID's has been added to the decrypter for newer variants, and support for new offline ID's will be added as we are able to figure out decryption keys for them. As for online ID's, due to the new form of encryption, there's currently nothing the decrypter can do to help recover files.

    Will it ever be possible to decrypt new variants with online ID's?
    That depends on whether or not law enforcement is able to catch the criminals who are behind this ransomware. If law enforcement is able to catch them and release their database of keys, then we can add those to our database for decryption. If you would like to report this ransomware incident to law enforcement, then please click here for more information. The more reports law enforcement agencies receive, the more motivation they have to track down the criminals.

    What is a file pair?
    This refers to a pair of files that are identical (as in they are the exact same file), except one copy is encrypted and the other is not. Our decryption service can analyze the differences between an encrypted file and an original unencrypted copy of the same file, allowing it to determine how to decrypt that type of file. For most victims with an older variant of STOP/Djvu, submitting file pairs will be the only way they will get their files back.

    File pairs only work for one type of file.
    Due to the way encryption works in STOP/Djvu, file pairs can only help the decryption service figure out how to decrypt one type of file. For instance, if you submit a file pair for an MP3 file, then the decrypter will be able to decrypt all of your other MP3 files, however it won't be able to decrypt any other type of file. There are some exceptions to this, such as certain newer Microsoft Office documents (such as DOCX and XLSX) since those files are technically ZIP archives.

    The decrypter can't decrypt all of my pictures even though I submitted file pairs for them?
    JPEG/JPG images have a format oddity that causes file pairs to be specific to each source of pictures, rather than the file format in general. As an example, if you have pictures from two different cameras, and submit a file pair from the group of pictures from one of the cameras, then the decrypter will only be able to decrypt files from the camera that the file pair came from. In order to decrypt all JPEG/JPG images, you will need to submit file pairs from every source you've obtained those pictures from.

    What does "Remote name could not be resolved" mean?
    It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

    Is there anything I can do to help catch these criminals?
    The best thing you can do right now is file a report with your country's national law enforcement. There is more information available at the following link: https://www.nomoreransom.org/en/report-a-crime.html

    Extensions from older variants that the decrypter supports:
  2. 3 points
    It means that the tests done by AV-C and AV-T have a clear image of how they think AV software should work. The problem arises when your product doesn't fit the mould. Then you get penalized for not doing what everyone else does, even though what everyone else does may not be in the best interest of the user, to begin with. Best example: Snooping around in your encrypted connections, which literally every AV vendor screwed up at least once in the past and probably will continue to happen, exposing users to potentially greater risks than most malware does. For starters, the test sets aren't nearly as representative anymore. When we participated in AV-T and AV-C both tested with less than 200 samples a month on average. 200 samples out of literally tens of millions. The exact selection isn't clear and not representative of what users deal with either. None of them tests with PUPs for example, even though a simple look at any tech support community will tell you, that it is probably by far the biggest problem users are dealing with. So no, neither of those test scores represents real-life performance and it becomes blatantly obvious when you go to places like Bleeping Computer, GeeksToGo, Trojaner Board, Malekal, and all those other communities where people infected by malware show up for help and look at what products these victims used at the time they became infected. Then you will notice that a lot of these products with perfect scores don't look nearly as perfect in real-life conditions. The reason for this discrepancy is quite simple: Most AV vendors will specifically optimise their products for these tests. The most severe cases are where vendors end up outright cheating and detecting the test environments which then results in a change of behaviour of the product (think Dieselgate, but with anti-virus). But there are many ways you can game these tests. 
    For example:
      • you can try to figure out the threat intel feeds the companies use, then just buy those same threat intel feeds so you have all samples in advance
      • you can track their licenses and supply different signatures to them or use your cloud to treat those test systems differently
      • some particularly shady organisations literally also sell you their sample and malicious URL feed, so you can just outright buy the samples and URLs your product will get tested on later

    What you end up with as a result is a product that is optimised really really well for the exact scenario they are being tested under using the exact type of URLs and samples these testers use, but that is utterly useless when it comes to anything else. We just really don't want to create this type of product. So when we were asked whether we wanted to continue to participate this year, we discussed the matter internally, looked at what we get out of these tests (meaning: whether these tests have a discernable impact on our revenue) and decided that they are simply not worth it and that the tens of thousands of Euros we spent on them every year would be better spent on extending our team and building new ways of keeping our customers safe.
  3. 3 points
    Ransomware infections are unique in many ways. Most importantly, a lot of the natural instincts which are usually correct when dealing with malware infections can make things worse when dealing with ransomware. Please see the following steps as a guideline when dealing with your ransomware infection.

    Do not delete the ransomware infection
    The natural instinct of most users is first to remove the infection as quickly as possible. This instinct is, unfortunately, wrong. In most cases, we will require the ransomware executable to figure out what exactly the ransomware did to your files. Finding the right ransomware sample becomes infinitely more challenging when you deleted the infection and can't provide us with the ransomware. It is okay to disable the infection by disabling any autorun entries pointing to it or by quarantining the infection. However, it is important not to delete it from quarantine or to remove the malicious files right away without a backup.

    Disable any system optimisation and cleanup software immediately
    A lot of ransomware will store either itself or necessary files in your temporary files folder. If you do use system cleanup or optimisation tools like CCleaner, BleachBit, Glary Utilities, Clean Master, Advanced SystemCare, Wise Disk/Registry Cleaner, Wise Care, Auslogics BoostSpeed, System Mechanic, or anything comparable, disable those tools immediately and make sure there are no automatic runs scheduled. Otherwise, these applications may remove the infection or necessary ransomware files from your system, which may be required to recover your data.

    Create a backup of your encrypted files
    Some ransomware has hidden payloads that will delete and overwrite encrypted files after a certain amount of time. Decrypters may also not be one hundred percent accurate, as ransomware is often updated or simply buggy and may damage files in the recovery process. In those cases, an encrypted backup is better than having no backup at all. So we urge you to create a backup of your encrypted files first, before doing anything else.

    Server victims: Figure out the point of entry and close it
    Especially recently we have seen a lot of compromises of servers. The usual way in is by brute-forcing user passwords via RDP/Remote Desktop. We firmly suggest you check your event logs for a large number of login attempts. If you find such entries or if you find your event log to be empty, your server was hacked via RDP. It is crucial that you change all user account passwords immediately. We also suggest to disable RDP if at all possible or at least change the port. Also, it is important to check all the user accounts on the server, to make sure the attackers didn't create any backdoor accounts on their own that would allow them to access the system later.

    Figure out what ransomware infected you
    Last but not least it is important to determine what ransomware infected you. Services like VirusTotal, which allows you to scan malicious files, and ID Ransomware, which lets you upload your ransom note and encrypted files to identify the ransomware family, are incredibly useful and we will probably end up asking you for the results of either of these services. So by providing them right away, you can speed up the process of getting back your files.

    If you struggle with any of these points, please feel free to ask for help. Our ransomware first aid service comes with no-strings-attached and is free for both customers and non-customers.
  4. 2 points
    I am running decrypter in every 2 days. I hope...! I will have my files decrypted one day soon. I hope...! :) Thank you
  5. 2 points
    If you want to make sure the Behavior Blocker is working, there's a batch file in the ZIP archive at the following link that should trigger a detection when you run it: https://www.gt500.org/emsisoft/bb_test.zip Just extract it somewhere, double-click on the batch file, and let Emsisoft Anti-Malware quarantine it. If you don't allow it to be quarantined, then it won't work as an effective test anymore.
  6. 2 points
    @Kevin Zoll @GT500 Just tried using STOP djvu decryptor a while ago and my files were successfully decrypted. Thank you so much Emsisoft Team. 😭
  7. 2 points
    @m2413 and @Juroan24 private keys for offline ID's are added to our database once we are able to find them. Just run the decrypter once every week or two in order to see when we've added the private key for your variant.
  8. 2 points
    We just added the private key for .reha offline ID's on Thursday, which is why it suddenly was able to decrypt your files. Thanks for letting us know that it worked. 👍
  9. 2 points
    As the FAQ clearly states, you have an online ID, and it is not decryptable. Only the criminals have your key.
  10. 2 points
    Hello @SalasKafa, Thank you for contacting Emsisoft Support. TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.
  11. 2 points
    @Amigo-A All variants of ChernoLocker do not leave a ransom note. It is a Python compiled script that just displays a message box when done, and opens a URL in the browser.

    ```python
    url = f.decrypt('gAAAAABd5uHecSzXalJbhS48cQlhKynkcDotLAv8c3TD0jBkUvDQb-Z5snS7XgONHXqiNd5Czd94vCQix280kyHSjNnAwzgl66vYj_-YyTtPnNxTN3YjP-tZdQtd1bqe1WyRwrD-2m0xvruurd37CbHVSf2cTy-yCDCTN-MadttLITlVisEFMcKstpwHOUi-KV6YZ-7MmWcz2aaB1WmgSDNs_SN2buoKTg==')
    # url = 'https://platinumdatasolutionsltd.co.ke/wp-content/uploads/2018/11/landing-screenshot-img-9-768.jpg'
    webbrowser.open_new_tab(url)
    win32ui.MessageBox("All Your Files have now been encrypted with the strongest encryption\nYou need to purchase the encryption key otherwise\nyou won't recover your files\nRead the Browser tab on ways to recover your files\nMake Sure you dont loose this Email as you it will be loosing it will be fatal \nWrite it in a notepad and keep it safe \nEmail: [email protected]", 'YOUR FILES HAVE BEEN ENCRYPTED')
    ```

    @Raúl Try re-downloading the decryptor for v1.0.0.2 now. I've added support for your variant.
  12. 2 points
    @ferko85 Let's deal with the active malware infection before attempting to recover your files. Download to your Desktop: Farbar Recovery Scan Tool NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive. Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens click Yes to the disclaimer. NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones ran with FRST's default settings. Press the Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt Addition.txt
  13. 2 points
    Yes, that should be an offline ID. Make a backup of your files, and try running the decrypter once every week or two to see if we've been able to add the private key for this variant to our database. Once it's added to the database, the decrypter should be able to decrypt your files.
  14. 2 points
    Emsisoft Anti-Malware earns VB100 in December 2019 tests by certification body Virus Bulletin. The post Emsisoft earns VB100 in December 2019 tests appeared first on Emsisoft | Security Blog.
  15. 2 points
    In most cases, those features should work without the need to keep most of the software that computer manufacturers pre-install. If you're not certain about what software should be kept or removed, then there are third-party softwares that can help (Decrapifier for instance, and for a while there was a ridiculous batch file that techs were using that could do it).
  16. 2 points
    I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.
  17. 2 points
    That's an offline ID. Support for it should be added to STOPDecrypter soon, and once that happens it should be possible for you to decrypt your files.
  18. 2 points
    I've been told that the time window for being able to figure out keys for .kiratos has ended, however I will go ahead and pass this on to the developer of STOPDecrypter so that he can archive it just in case he's able to figure out the decryption key at some point in the future.
  19. 2 points
    Hi Marshall. Not sure, but I do know that I recognize the URL of "MVPS Hosts" and I recognize the list. I don't recognize the list attached to MVPS Hosts (Domains). To view the list, click the blue "Details", "View" & "Original" buttons - see image. Sorry I couldn't offer a better explanation.
  20. 2 points
    Hi Marshall. To add the MVPS Hosts list to uBlock Origin, perform the following steps (see images for more details): (1) Go to the following link: https://filterlists.com/ (2) Enter "130" in the page field. (3) Click the blue "Details" button on the "MVPS Hosts" line. (4) Click the blue "Subscribe" button. You're all done! The MVPS Hosts file should now be added to uBlock Origin in your browser. To check you can look at the uBlock Origin "Options" page by right-clicking the uBlock Origin icon in your browser, as per images. Hope this helps. Best Regards, Steen
  21. 2 points
    Personally I think following the tests is a waste of time. If you are really concerned then you will need to make the effort to do your own testing. that is what I did. Also the tests don't tell you a thing about the nature of the company. I will stick with Emsisoft because I think it's the best
  22. 1 point
    Thanks a lot, I'm re-installing windows asap
  23. 1 point
    The only thing that we (everyone infected with an offline ID) can do is wait. Your information is clear: You have been infected. The good news is that it's an Offline ID which might be possible to decrypt some day in the future. This depends on the team getting that ID decrypted. That day (if it comes) it will be uploaded to their servers so the only thing you will need to do is to run the software again. It's recommended to run it once per week to see if your ID was decrypted. (Of course, I'm running it 2 times per day, xD) Patience is the key. Be sure to save your encrypted files for now.
  24. 1 point
    Thank you Amigo-A, here is the ransom note as well Decrypt Instructions.txt
  25. 1 point
    t1 - This is a good sign. It is possible that in the future it will be possible to decrypt some of the files. This is a new version of STOP Ransomware. Decryption specialists have not yet received the decryption key. You do not need to do anything with the files. Wait for an answer from the Emsisoft support specialists. The malware may still be in the system. You need to run a check of Windows and attach the logs to the message.
  26. 1 point
    Hello @Xinfected, Welcome to the Emsisoft Support Forums. Do not start multiple threads for the same issue. Keep all replies in the same thread. I have merged your support threads. I see no malware in your logs.
  27. 1 point
    Hello Oli, I am using Google Translate and my native language is English. The tentative date of 2021 for the end of Windows 7 support may have been missed. We will re-evaluate it then, and if it is possible to extend support for Windows 7, we will do so. Other antivirus companies use a date of 2022 but include wording that allows them to end support early. We did not include this wording and made them equivalent statements. Stapp, Claude, please clarify if my wording is confusing. Google.
  28. 1 point
    @jrozasv The Emsisoft Decryptor has been updated to your version with .alka extension. Try the Decryptor again https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu If you still have an early version in your downloads, then delete it so as not to confuse the files. Report the results.
  29. 1 point
    @athul Your personal ID: 0198nTsddS3wnrGHb25jELGAwoOjfGDAONcPEMy6oijuyR0a5 This is an online ID and as such our decryption tool cannot decrypt files that were encrypted using an online ID.
  30. 1 point
    @MrSalazar Screenshots are of no use to us when it comes to extracting the data necessary to form a fix. Please attach the EEK scan report to your reply.
  31. 1 point
    Only authorized helpers can download and view the logs. They are in plain text format, and can't spread infections.
  32. 1 point
    for all The instruction for everyone is general. Reports need to be attached to your new post. Kevin Zoll or GT500 will look at the reports and say what to do.
  33. 1 point
    @Jana519 We have published a version of the STOPdjvu decrypter that resolves the issue of it not running. You can download the new decrypter from https://www.emsisoft.com/ransomware-decryption-tools/download/stop-djvu
  34. 1 point
    .access is an older variant, so you should be able to use our decrypter to recover your files. If you have an online ID (which is most likely) then you'll need to submit file pairs via our online form. All of the information you need should be in the topic that Amigo-A linked to.
  35. 1 point
    We're always glad to hear that. Please be sure to invest in a good Anti-Virus software to help keep this from happening again. @xminh @Leela and @babister this is a newer variant of STOP/Djvu, and all of you have online ID's, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  36. 1 point
    Only if law enforcement is able to catch the criminals behind this ransomware and release their database of private keys. Most Anti-Virus will detect STOP/Djvu, and should prevent this particular ransomware. The Behavior Blocker in Emsisoft Anti-Malware is fairly good at detecting most ransomware, even if they aren't detected by the Anti-Virus signatures. Most ransomware these days will ensure file recovery is not possible.
  37. 1 point
    It depends on the algorithm of actions used by the malware. Data recovery programs can read information from sectors on the hard disk and restore the deleted file even if the recycle bin has been emptied. Yes, it is possible, but only immediately after deleting the file and emptying the recycle bin. They will not be able to recover information if the sector where the deleted file, later was entirely overwritten or the remaining information was overwritten with zeros or garbage. They will not be able to recover information if the deleted file was first modified or damaged, and then deleted. In this case, the program will restore the latest (modified or deleted) version of the file. They will not be able to recover information if the deleted original file was moved to a temporary directory, and then this place was overwritten many times by other temporary files. In this case, the program will restore only the some latest of the file or several small files.
  38. 1 point
    That's one of the newer variants of STOP/Djvu, and you have an online ID, which means your files won't be decryptable.
  39. 1 point
    PowerShell has a built-in permissions system these days that automatically prevents execution of downloaded scripts. This of course does not prevent an application (or a batch file) from executing PowerShell commands from the command line, so it does not negate all of the dangers of PowerShell, however I don't think this is quite as common as it was when we made that recommendation and it certainly is better understood and detected now than it was back then.
  40. 1 point
    Hello! Has Emsisoft's participation in the German-language part of this forum been discontinued? There are no qualified answers anymore. Where has @Thomas Ott gone? First-class support used to look different.. 😢
  41. 1 point
    DrWeb can decrypt when an offline key was used in new versions (should be 't1' at the end of ID). This is in the ID of @KUW77
  42. 1 point
    Hi Frank, first it looks really good, i will switch all stuff to Cloud now ..... Same things missing hope it will come back later: 1) OS Information , EAM Version , Reset to default rule if user have edited 2) License is not showing correct i have not used all 60, also it would be good to see where all the license are used like the old user account list 3) Security Question: All stuff from the Cloud are only options for configuration, there is now and really no way to get data from client or data to clients right ? Same german translation issues 1) Scan Days 2) Berechtigungen und Schutzrichtlinien Frank thank You my Friend i will be report all Stuff i see in the next few weeks in use Regards Christian
  43. 1 point
    Hello darktwilight, thank you very much for the feedback. You're very welcome. All right, I will get back to you again shortly via private message.
  44. 1 point
    Hello Icewolf, by now it can be said that this is a false detection. The entry will be corrected and the change will soon be published in an update. Thank you very much for the support. Have a nice day!
  45. 1 point
    I just started playing around with the new "My Emsisoft Cloud Console". My first experiences have been quite positive. 🙂 Two little things that I would like to suggest for improvement:

    1) I use only one policy for the whole network (i.e. workspace). This is why I delete all computer groups except "New Computers" (which cannot be deleted). I then set all required policy settings/options on the highest possible level, which is the "root" group called "Workspace". These settings are then of course inherited by the "New Computers" group (and possibly some other groups that I might add later). The problem is that whenever you re-visit the "Protection Policies" section by clicking in the navigation bar on the left hand side, the view defaults to the "New Computers" group. So if I'm not very careful, I'll change settings in this group instead of the root group "Workspace". It would be nice if the selection could default to "Workspace" whenever you re-visit the Protection Policies section.

    2) Using the Enterprise Console, it was easy to see at a glance if the settings on some client PCs deviated from the original policy setting (the overview in EEC then shows a little round arrow next to the policy name in the "Computer Policy" column). In the cloud console, you must have a detailed look at the settings of each client PC to see if there is anything different to the original policy. It would be very helpful to be able to see policy vs. current client settings differences directly on the overview dashboard. (please bring back the round arrow 😉)

    Furthermore, there are some minor cosmetic issues:
      • When clicking on the menu of the root protection group "Workspace", the menu item "Clone" is not greyed out. It is clickable, but (as expected) nothing happens. It should be greyed out like the rest of this group's menu items.
      • Some German translations don't fit into the UI (mostly on buttons)
      • When using browser zoom (I use 120% by default) some lines around some UI fields get cut off

    And two final questions:
      • I was wondering what the setting "Detect registry policy settings" in the Scanner Settings section does (see attached screenshot).
      • Why does my license vanish from the "Licenses --> Personal Licenses" section after assigning it to a workspace ? Is this by design? This seems confusing to me... What happens if I delete a workspace - will the license be returned to the "Personal Licenses" section? What about client PCs that are NOT associated with the workspace - will they have licensing problems (I don't want to add all my PCs to the workspace)?

    Thanks for the great job so far! Raynor
  46. 1 point
    @Albert-S and @borstibo there is a possibility that if you remove the drives from the affected NAS, and connect them to a computer that is capable of reading them (if they are formatted with either the FAT32 or NTFS filesystems then Windows computers should be able to read them), that you may be able to use file recovery/undelete software to recover some of the files. Please note that this is based on an assumption, and may not be correct. The assumption is that the device is not actually infected, and that an attacker was able to gain access through a service on the NAS such as FTP or SMB, copy the files to their system, encrypt them, and then copy them back to the NAS. There's also the possibility that the files may simply have been renamed rather than being encrypted. If you want more information about the possibility of using file recovery software, then look over some of the messages that I and Amigo-A posted for Mr_Ohrberg further up in this topic.
  47. 1 point
    Hello Moreau, thank you very much for your positive feedback. Always a pleasure, and thank you for the friendly communication. I wish you a good start to the (still almost) new week!
  48. 1 point
    uBlock is exceptionally good at removing duplicate filter rules. So if you enable the MVPS filter list there, it will only enable it for stuff that isn't covered by other lists. That's also why in the rules list it says "x used out of y". Because it tells you how many rules it actually used out of that filter list. The rest was already covered by other lists. uBlock is also a lot more efficient at parsing and applying these filter rules than the DNS API in Windows is, which is the component that parses the "hosts" file. Depending on the browser you use, the "hosts" file may actually get ignored entirely. Some browsers like Chrome, for example, implemented their own, faster DNS client as the Windows DNS API isn't the fastest. So in the worst case scenario, you were having this huge hosts file, slowing down every program that does remotely something with networking, while at the same time your browser completely ignored it. Yeah, most people aren't aware of it and it is the main reason why we decided to create our own browser extension. The worst part is, that it is completely unnecessary from a technical point of view as well. But yeah, as it is often the case: If something is free, you pay with your data. Unfortunately not. If you find one, let me know which one and I can check how intrusive it is for you though. We are also considering adding search indicators in our extension. So you may want to wait for that. There is no ETA though.
  49. 1 point
    Then you should already know how to get them.
  50. 1 point
    It's not abnormal for Windows to say that when a program update for Emsisoft Internet Security gets installed. When that happens, Emsisoft Internet Security has to restart itself in order to update itself, and during that brief period of time Windows will report that Emsisoft Internet Security is turned off. I would believe we made some changes recently so that Windows doesn't do that anymore, however I have not tested to verify that (I would have checked before posting, but there's currently no beta version for me to install in order to test).