Emsisoft Employee

GT500 last won the day on April 10

Community Reputation

442 Excellent

About GT500

  • Rank
    Emsisoft Support
  • Birthday 10/22/1984

Profile Information

  • Location
    Fortville, IN, USA
  • Interests
    Computers, security, amino acids, fructose malabsorption, liberty, firearms, John Calvin, etc.

  1. I found him

    The unauthorized access attempt to your GMail account may have been unrelated, however even if it was the criminal who made/distributed Cry36/CryptON then please keep in mind that these guys almost always use a VPN to hide their physical location. If they did not, then law enforcement would track them down by their IP address rather quickly, and they'd only have a few months before they were arrested while law enforcement gathered enough evidence to present at a trial.
  2. [email protected]

    That is possible, however keep in mind that Cry36 has been around for some time without any real progress being made in decryption, so please note that it may take a little while for security researchers and/or law enforcement to finally get their hands on the private keys to decrypt your files.
  3. The forum internally numbers posts, and the date/time at the top of each post acts as a link to the post with the post number in it. If you right-click on the date/time at the top of a post, and copy the link address, then you can paste it into a post. The forums should convert the link to the post into a sort of quote that someone can click on to view the full post. You can also link to the post using the link button in the toolbar above where you write your post, so you can have a link to a specific post just like that. And (for reference) this is what the forum does if you just paste the link directly into your post (it can take the forums a minute to respond when you do this):
  4. a2service.exe application error

    OK. Hopefully ProcDump will be able to save the memory dump for you, but if not then I can post instructions for setting up a way to force a BSoD and memory dump with a keyboard shortcut.
  5. EEK hangs system at specific file

    Is your SSD made by Intel or Toshiba? If not, then the update probably wouldn't have helped. In most cases Windows will automatically reboot the system after a crash, so you don't see the blue screen with the error message. Hold down the Windows logo key on your keyboard and tap R to open the Run dialog, enter the following, and then click OK:

    %windir%\system32\SystemPropertiesAdvanced.exe

    The Advanced System Properties should open. In the Startup and Recovery section, click on the Settings button. Under System failure, make sure that the option to Automatically restart is not turned on.
  6. Infected With [email protected]

    You can read the rest of the quoted post at the following link:
  7. [email protected]

    As a follow-up to everyone who read about the Dr.Web affiliate selling decryption services, they have confirmed that Dr.Web is not capable of decrypting files that have been encrypted by this ransomware. Currently the only known way to decrypt the files is to obtain the private key from the criminals who made the ransomware. Obviously our recommendation is to make a backup copy of the encrypted files, and store them somewhere safe. Sometimes law enforcement is able to work with Anti-Virus software companies and other security analysis companies to gain access to the servers used by such criminals and obtain their database of private keys, allowing for the creation of a free decryption tool (and hopefully also leading to the prosecution of the miscreants responsible for making/distributing the ransomware).

    Please also note that it has been confirmed that CryptON is being spread by attackers who compromise remote access software (usually Microsoft Remote Desktop, often referred to as "RDP") to directly log in to victims' computers and manually infect them with the ransomware. It is absolutely vital that you take steps to prevent this sort of security breach moving forward. Here's a link to an explanation of what I'm talking about, and some basic recommendations for how to deal with it:

    I'll also paste some steps for getting started securing your network below so that it's more difficult for something like this to happen again:

    First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

    If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

    Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions). I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

    When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
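The port audit and the 25-character password recommendation from the post above, carried out in working code. This is an added example, not GT500's or Emsisoft's code: it flags allow rules that expose remote-access services (RDP, SMB, SSH, VNC) to any source address, accepts a VPN port only when it is restricted to known source IPs, and generates passwords that meet the stated length and character-class requirements. The CSV rule format and the sample rule set are constructed for the example; real firewalls export rules differently, so parse_rules() would be adapted to the actual export.

```python
"""Firewall port audit and password generation, as recommended in the post above.

This is an added example, not GT500's or Emsisoft's code. The rule format is a
constructed, vendor-neutral CSV (name, proto, dst_port, source CIDR, action);
real firewalls export rules differently, so adapt parse_rules() to your export.
Port-to-service mappings are the well-known defaults for each service.
"""
import ipaddress
import secrets
import string
from dataclasses import dataclass

# Services the post says should only be reachable over a VPN, never by an open port.
SENSITIVE_PORTS = {
    3389: "RDP",
    445: "SMB / Windows Networking",
    139: "NetBIOS session service",
    22: "SSH",
    5900: "VNC",
}
# VPN entry points: allowed, but only from known source IPs.
VPN_PORTS = {1194: "OpenVPN", 51820: "WireGuard", 500: "IKE", 4500: "IPsec NAT-T"}


@dataclass
class Rule:
    name: str
    proto: str
    dst_port: int
    source: str   # source CIDR; "0.0.0.0/0" means open to the whole Internet
    action: str   # "allow" or "deny"


def parse_rules(text):
    """Parse the constructed CSV rule format; '#' lines are comments."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, proto, port, source, action = [f.strip() for f in line.split(",")]
        rules.append(Rule(name, proto.lower(), int(port), source, action.lower()))
    return rules


def is_global(source):
    """True when the source CIDR matches every address (a /0 network)."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit(rules):
    """Return (rule name, severity, message) for each rule that violates the guidance."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot expose anything
        if r.dst_port in SENSITIVE_PORTS:
            svc = SENSITIVE_PORTS[r.dst_port]
            if is_global(r.source):
                findings.append((r.name, "CRITICAL",
                                 f"{svc} (port {r.dst_port}) is open to any address; "
                                 "close the port and require VPN access instead"))
            else:
                findings.append((r.name, "HIGH",
                                 f"{svc} is exposed directly to {r.source}; "
                                 "reach it over the VPN rather than an open port"))
        elif r.dst_port in VPN_PORTS and is_global(r.source):
            findings.append((r.name, "MEDIUM",
                             f"{VPN_PORTS[r.dst_port]} port is open to any address; restrict it "
                             "to known IPs, or use SPA/port knocking for dynamic IPs"))
    return findings


PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=25):
    """Random password of the recommended length with all four character classes present."""
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


# Constructed sample rule set (documentation-range addresses, not real hosts).
SAMPLE_RULES = """
# name, proto, dst_port, source, action
rdp-anyone,     tcp, 3389, 0.0.0.0/0,        allow
smb-branch,     tcp, 445,  203.0.113.0/24,   allow
openvpn-office, udp, 1194, 198.51.100.7/32,  allow
openvpn-any,    udp, 1194, 0.0.0.0/0,        allow
https-web,      tcp, 443,  0.0.0.0/0,        allow
rdp-blocked,    tcp, 3389, 0.0.0.0/0,        deny
"""

if __name__ == "__main__":
    for name, severity, msg in audit(parse_rules(SAMPLE_RULES)):
        print(f"[{severity}] {name}: {msg}")
    print("Example 25-character password:", generate_password())
```

Run against the sample set, the audit reports the globally open RDP rule as critical, the SMB rule exposed to a branch subnet as high (it should go over the VPN instead), and the VPN port open to any source as medium; the VPN rule limited to one office address and the public HTTPS rule pass, and the deny rule is ignored. The password generator loops until all four character classes are present, so the output always satisfies the stated policy.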
  8. [email protected]

    You are correct, there is no known way to decrypt files encrypted by this ransomware (CryptON/Cry36/Nemesis) without first obtaining the private key from the criminals who made/distributed the ransomware.
  9. EEK hangs system at specific file

    Are you using the default scan options, or did you enable the option for DDA (Direct Disk Access)? Does the crash happen regardless of the scan options you use?
  10. a2service.exe application error

    ProcDump needs to be run before the crash happens, so if you just go ahead and start it using the command I posted above and leave it running, it will save its memory dump when the crash happens. If you want to you can just make a batch file with the command in it, put it in the same folder as procdump64, and then run the batch file as an Administrator and minimize the window so that you don't have to manually run ProcDump via the Command Prompt every time you want to start it.
  11. Our Support Manager took a quick look at your debug logs, and while he isn't as familiar with how to interpret them as our developers he thinks that a2start didn't actually crash, and that the scan actually completed. He's not certain why the window closed and reopened, so anything further will have to wait for developers to look over the logs.
  12. I've made sure that our team is aware of your debug logs, and someone will take a look at them as soon as possible. Is it possible to let us know what you were scanning, just in case this is actually a different issue than the one discussed here?
  13. Interesting how the official press release from Malwarebytes seems to have been taken offline (at least at the moment). How fortunate for us that Google records everything that happens on the Internet, huh?
  14. a2service.exe application error

    If you can't use Process Hacker to get the memory dump, then ProcDump can be used to automatically save a memory dump when a process terminates. You have to run it from an elevated (run as Administrator) Command Prompt, and execute the following command after using the "CD" command to navigate to the folder where procdump64 is located:

    procdump64.exe -ma -t a2service.exe

    If I remember right, it automatically saves the memory dump in the same folder that procdump64 runs out of, and it gives it the same name as the process it was monitoring.
  15. When the crash happened, were you automatically asked if you would like to submit a report?