Emsisoft Employee
GT500 last won the day on March 14

GT500 had the most liked content!

Community Reputation

430 Excellent


About GT500

  • Rank
    Emsisoft Support
  • Birthday 10/22/1984

Profile Information

  • Location
    Fortville, IN, USA
  • Interests
    Computers, security, amino acids, fructose malabsorption, liberty, firearms, John Calvin, etc.

  1. Identifying Ransomware

    BleepingComputer now has an article about this ransomware, however note that a full analysis is still pending:

    That's a cryptocurrency miner. "Nanopool" is a popular mining pool, and the part after the "-u" (with the e-mail address) identifies the wallet and account to credit.

    Does the fake svchost.exe that it executes exist? Normally such a program would have deleted itself after encrypting files. Right now we're just looking for anything out of the ordinary and checking to see what it is, however based on available information it looks like it has already deleted itself.

    Have any copies of those files? That may be the trojan that installed the ransomware:

    Most ransomware uses vssadmin.exe to delete Volume Shadow Copies (including Zenis), so that's probably why you can't see them.

    That's recommended for another reason. Since ransomware usually uses vssadmin.exe to delete the Volume Shadow Copies, they don't get overwritten right away, meaning that file undelete/recovery software might be able to recover them. However, you can't access the SystemVolumeInformation folder like that while Windows is running normally, so you need to either use a boot disk or connect the hard drive to another computer in order to gain read/write access to the SystemVolumeInformation folder and be able to recover deleted files there.
  2. If that were the case, then it would certainly be welcome news. Keep an eye on BleepingComputer's news feed just in case, as they'll almost certainly write an article about a decrypter for Cry36:
  3. Scheduled Scan Problem

    You should be able to check the logs in Emsisoft Anti-Malware. There will be a search field where you can search for "scan" or "scheduled scan".
  4. EAM technically has protection against certain exploits as part of its Behavior Blocker, so MBAE is a bit redundant.
  5. Attachments

    It could be the browser cache. Try opening a Private/Incognito window in your browser and then check the post there. That's added by a plugin for the forums that allows you to see screenshots that you've attached to your posts. In some sections of the forums we've completely disabled the ability for normal users to view or download attachments, so this plug-in is the only way for you to see screenshots attached to forum posts in those sections of the forums. The plugin has no option to get rid of the download button.
  6. Identifying Ransomware

    Any idea what these files are?

    C:\Documents and Settings\miles\handle.exe
    C:\WINDOWS\PanelH.exe
    C:\WINDOWS\start.bat
    C:\WINDOWS\setup.bat
    C:\WINDOWS\HelpPane.exe
    C:\WINDOWS\start.vbs
    C:\WINDOWS\install.vbs
    C:\WINDOWS\nssm.exe

    If not, then ZIP them, and attach the ZIP file to a reply. Or send them to me in a Private Message. Also, do you know how the server was infected? Was it due to an RDP compromise, or something else?
  7. Decrypt this file

    Those already exist (although I won't name them here, since they're general password/decryption key brute forcing tools). There's no point in it though. You're talking hundreds if not thousands of years to brute force the decryption key (depending on the key length), even using the most powerful supercomputers available today. My GTX 1080 Ti would take a decade to brute force a 10-character password, even running at its maximum stable clock speed. Even a 128-bit key would be out of the question with 4-way SLI.
  8. Scheduled Scan Problem

    Is it possible that it missed the 10:00 AM scan? If so, it may have run the scan later if that was the first opportunity it had to start it.
  9. BSOD query

    We don't release on an exact schedule, but it's not abnormal for us to have a beta somewhere near the end or beginning of a month, so it might not be too much longer.
  10. Identifying Ransomware

    It looks like analysts are still looking for a copy of the ransomware itself. There have been a few victims who have reported infections, but no one has had a copy of the malicious file that encrypted the files thus far. Let's try getting a log from FRST, and see if it shows any sign of the ransomware on your computer. You can find instructions for downloading and running FRST at the following link:
  11. I've heard nothing about a decrypter for Cry36. It's more likely that the service provider they were abusing shut down their service, or perhaps (hopefully) law enforcement finally caught up with them. If it's the latter, then we may see a decryption tool some time in the future, as law enforcement will often partner with an anti-virus software company when going after such criminals and share the private keys with them so that they can make a decryption tool.
  12. Decrypt this file

    I don't think this is the Damage ransomware. Based on what ID Ransomware returned, I think it's Cry36 (the sample bytes are an almost certain way to identify it), and there's no way to decrypt files that have been encrypted by Cry36 without getting the private key from the criminals who made the ransomware. In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware.

    You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them are pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes System Restore will save copies of files in the Volume Shadow Copies).

    In cases where the Volume Shadow Copies are deleted, note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it. Here's a link to a list of file recovery tools at Wikipedia:
  13. BSOD query

    I think we have enough debug info for now. Let's wait until we have a beta, and then collect more debug information if there are more BSoDs with the beta installed.
  14. Payment Question

    Just an FYI: Most debit cards that have the Visa or MasterCard name on them can be run as credit with any retailer that accepts Visa or MasterCard (which includes online purchases).
  15. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that they can verify which ransomware you're dealing with: You can paste the link to the results here if you'd like for me to review them as well.