Emsisoft Employee
About GT500

  • Rank
    Emsisoft Support
  1. Not updated

    Can you download our diagnostic tool at the following link?
  2. You should be OK then. Once the infected copy of CCleaner is gone, the infection is gone. So far there's no evidence that a second-stage payload was ever delivered to non-corporate victims.
  3. The log shows it was the Behavior Blocker that took action. If the file in question was not digitally signed and did not have enough of a reputation for an automatic decision to be made, then the Behavior Blocker would have quarantined it for performing any behavior that is monitored for. The file could be legitimate, and simply not be well known enough to have established a solid reputation. You can try restoring the file from the Quarantine, and then uploading it to VirusTotal to get an analysis of it. You can post the link to the analysis here for me to take a look at.
  4. According to the analysis done by Cisco's Talos team, the malicious code was not only not present in the 64-bit version of CCleaner, but wouldn't execute on 64-bit editions of Windows even if you ran the 32-bit version of CCleaner on a 64-bit OS. Because the malicious code was in the CCleaner executable, either removing it or replacing it with a clean copy is all that is needed to get rid of the infection. That being said, Cisco's Talos team has identified that a second-stage payload was indeed installed on at least 20 computers. It appeared to specifically target corporate systems; however, the data from the C&C server from before September 12th was missing (presumably deleted to keep it out of the hands of researchers), so they don't know what happened before September 12th. The scope could have been far larger, and there could have been far more targets than what has thus far been discovered. Obviously, if you had the affected version of CCleaner installed, then take the common precautions of changing passwords just in case.
  5. Ransomware .MIXI extension

    We have a few articles on ransomware, including where it comes from, how it works, and how to prevent it:
      • Spotlight on ransomware: Ransomware encryption methods
      • Spotlight on Ransomware: How ransomware works
      • How to remove ransomware the right way: A step-by-step guide
      • How to identify your ransomware infection to find the right decrypter tool
      • The big ‘R’: Ransomware. Why businesses and institutions are at risk and what to do about it
      • Ransomware for Hire: 3 Steps to Keeping Your Data Safe

    It's important to keep in mind that different ransomware families are different, however here are some common ways this sort of infection spreads:
      • Through e-mail. It's very common to receive e-mails that have malicious attachments, and with certain ransomware families (especially Locky) they like to send an e-mail pretending to be information (such as an invoice) from a shipping company or something similar. In the case of Locky the malicious file is inside a ZIP archive, so you don't know what it is before you download it and extract it.
      • Online advertisements. It is not abnormal for people with malicious intent to abuse advertisements on legitimate websites in order to spread infections. One of the worst cases of this happened several years ago where a ransomware (I would believe CryptoWall) was being spread through advertisements on several of Yahoo!'s websites. The criminal behind CryptoWall had paid to put advertisements on Yahoo!'s websites, and the advertising company that Yahoo! uses didn't notice that the advertisements contained malicious code that I would believe was from an exploit kit (exploit kits allow automated installation of infections when people visit a webpage where the exploit kit is present).
      • Direct hacking. While I often hesitate to use the word "hack" here, it is how most people would understand it. What happens is that scripts being run by criminals scan the Internet looking for computers with certain open ports in firewalls that allow them access to vulnerable services. When the script finds computers with vulnerable ports, the information is logged, and an actual person will select computers from the list of potentially vulnerable systems that were found and begin trying to gain access to them. A particular favorite, since it usually means they found a business they can extort for money, is Microsoft's Remote Desktop (RDP); if they find an open port for it, they will try to brute force the password for administrator accounts and see if they can get in. If they manage to get in, they will then manually disable any security software and manually execute their ransomware on the victim's computer.

    Obviously there are other ways you can run into ransomware as well. Downloading files from unsafe websites and/or file sharing networks, for instance.

    As for online advertisements, we usually recommend uBlock Origin to block those. You can get uBlock Origin for Mozilla Firefox and Microsoft Edge. For Google Chrome and Vivaldi I recommend both uBlock Origin and uBlock Origin Extra to help avoid advertisements that would otherwise circumvent uBlock Origin's protection. I also highly recommend uninstalling or disabling the Adobe Flash Player, as well as uninstalling or disabling Java (if you need Java for some sort of application or game that does not run in your web browser, then disabling the Java plugin is enough to protect your web browser).

    Yes, ID Ransomware is maintained by Michael Gillespie, who works closely with our team on ransomware analysis, as well as creation of free decryption tools.
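The "direct hacking" route described in post 5 above (scan for exposed RDP, then brute-force administrator passwords) leaves a recognisable trace on the victim: a burst of Windows Security event 4625 (logon failure) with LogonType 10 (RemoteInteractive) from one source address, sometimes followed by a 4624 (success) from the same address. The detection below is an added example and is not code from GT500, Emsisoft or the original thread. The log lines are constructed for the example in a simplified pipe-delimited export (timestamp|EventID|LogonType|TargetUser|SourceIP) rather than Microsoft's native event XML; the threshold and window are assumptions to tune for your environment.

```python
"""Flag RDP password-guessing bursts in (constructed) Windows Security events."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp|EventID|LogonType|TargetUser|SourceIP
SAMPLE_LOG = """\
2017-09-14T02:00:01|4625|10|administrator|203.0.113.45
2017-09-14T02:00:03|4625|10|admin|203.0.113.45
2017-09-14T02:00:05|4625|10|administrator|203.0.113.45
2017-09-14T02:00:06|4625|10|Administrator|203.0.113.45
2017-09-14T02:00:08|4625|10|backup|203.0.113.45
2017-09-14T02:00:09|4625|10|administrator|203.0.113.45
2017-09-14T02:00:12|4624|10|administrator|203.0.113.45
2017-09-14T02:30:00|4625|10|jsmith|198.51.100.7
2017-09-14T09:15:00|4625|2|jsmith|127.0.0.1
2017-09-14T09:16:00|4624|2|jsmith|127.0.0.1
"""

FAILURE = "4625"            # An account failed to log on
SUCCESS = "4624"            # An account was successfully logged on
REMOTE_INTERACTIVE = "10"   # LogonType 10 = RDP / Terminal Services


def parse_line(line):
    ts, event_id, logon_type, user, src = line.strip().split("|")
    return datetime.fromisoformat(ts), event_id, logon_type, user, src


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one 'high' alert per source IP that produced >= threshold RDP
    logon failures inside `window`, plus a 'critical' alert if that source
    later logs on successfully (the guess worked). Non-RDP logons are ignored."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    users_tried = defaultdict(set)  # src -> account names guessed so far
    bursting = {}                   # src -> time the burst was first detected
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = parse_line(line)
        if logon_type != REMOTE_INTERACTIVE:
            continue
        if event_id == FAILURE:
            q = failures[src]
            q.append(ts)
            users_tried[src].add(user.lower())
            # Drop failures that fell out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in bursting:
                bursting[src] = ts
                alerts.append({
                    "src": src,
                    "severity": "high",
                    "reason": f"{len(q)} RDP logon failures within {window}",
                    "users": sorted(users_tried[src]),
                })
        elif event_id == SUCCESS and src in bursting:
            # A success after a burst from the same address is the
            # "they managed to get in" case from the post.
            alerts.append({
                "src": src,
                "severity": "critical",
                "reason": f"RDP logon succeeded for {user} after brute-force burst",
                "users": [user.lower()],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["src"], alert["reason"], alert["users"])
```

Run against the sample, the 203.0.113.45 source trips the high-severity alert on its fifth failure (three distinct accounts guessed) and the critical alert when the following 4624 arrives; the single failure from 198.51.100.7 and the local console logons (LogonType 2) produce nothing. Once a burst is confirmed, the response from the post applies: block the source, then check whether security software was disabled or anything was dropped by the account that logged on.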
  6. Without more information, it sounds like it might be a variant of BTCWare. I recommend checking with ID Ransomware at the following link to verify that: You can copy and paste the link to the results into a reply for me to review as well.
  7. Maybe a service or driver entry in the registry was not being removed completely after the uninstall, and needed to be deleted manually. Our diagnostic tool can actually check for that, but since you've already fixed it then there's no need to run that tool. Regardless, I'm glad to hear that the issue has been resolved.
  8. CCleaner hack

    Avast owns Piriform, so all Piriform software and property is now owned by Avast.
  9. Yes, that's normal, in cases where the file the rule is for no longer appears to exist. Since it's in the TEMP folder, chances are it was deleted or moved, and so the rule was deleted after the file was no longer present at that path. That indicates that your account was the one that was logged in at the time the event was recorded.
  10. I recommend uninstalling EIS, restarting your computer twice, and then following the instructions below to remove our packet filter driver from your network adapter:
      1. Hold down the Windows key on the keyboard (the one with the Windows logo on it, usually between the Ctrl and Alt keys) and tap R to open the Run dialog.
      2. Type in control netconnections and click OK.
      3. Right-click on the network adapter, and select Properties.
      4. Look for the Emsisoft Network Filter or Emsisoft NDIS packet filter in the list.
      5. If you find one of them, click on it to select it, and click on the Uninstall button (if both are there, then do this one at a time for each of them).
      6. Once the Emsisoft entry you uninstalled has disappeared from the list, it has finished uninstalling, and you can close the network connection properties.

    After that you should be able to reinstall EIS.
  11. CCleaner hack

    Emsisoft Anti-Malware and Emsisoft Internet Security will detect and block the compromised version of CCleaner, however please note that the malicious code was not in the 64-bit version of CCleaner, and if the 32-bit version of CCleaner was executed on a 64-bit edition of Windows then the malicious code wouldn't work. So only 32-bit editions of Windows were affected by this. If your computer has been affected by this compromised version of CCleaner, then all you have to do is install the latest version of CCleaner in order to get rid of the infected version (no infection will be left behind after that): Alternatively you can uninstall CCleaner if you don't want to keep it, and no infected files should be left behind after uninstalling. For more information, I recommend the following article, as it quickly covers everything that is currently known and explains what you should do if you were affected by this: Avast has released some information about how they believe this happened, and there is a short timeline detailing when everything happened at the following link: Also one of the original stories about the issue, which goes into more detail, can be found at the following link:
  12. Were you able to configure the network as Private, or did it keep changing back to Public? Please note that we will be merging Emsisoft Internet Security with Emsisoft Anti-Malware on October 1st, at which point your installation of Emsisoft Internet Security will automatically be converted to Emsisoft Anti-Malware. There is more information at the following links: There are also Frequently Asked Questions about the process at the following link: If you have any questions, then please let me know.
  13. There's a quick rundown of most of what's known about the infected version of CCleaner at the following link: Keep in mind that this only affected computers that were running 32-bit editions of Windows. The 64-bit version of CCleaner was not affected, and the malicious code would not run on 64-bit versions of Windows.
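Posts 4, 11 and 13 above all turn on the same question: was the installed CCleaner the 32-bit build or the 64-bit build? A practitioner can answer that from the binary itself rather than from the installer name, by reading the PE headers (COFF Machine field plus the optional header Magic, which distinguishes PE32 from PE32+). The checker below is an added example, not code from the posts, Emsisoft or Piriform/Avast; it does not try to match the compromised version or any hash, since the thread gives none. The two header stubs are constructed test data, and the CCleaner path in the usage line is an assumption.

```python
"""Decide whether a Windows executable is a 32-bit (PE32) or 64-bit (PE32+) image."""

import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B      # optional header Magic for 32-bit images
PE32PLUS_MAGIC = 0x20B  # optional header Magic for 64-bit images


def pe_bitness(data: bytes) -> str:
    """Return 'x86' or 'x64'; raise ValueError if `data` is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/DOS header")
    # e_lfanew (offset 0x3C in the DOS header) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF file header follows the 4-byte signature; Machine is its first field.
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    # The COFF header is 20 bytes, so the optional header (and its Magic) starts
    # 24 bytes after the signature.
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC:
        return "x86"
    if machine == IMAGE_FILE_MACHINE_AMD64 and magic == PE32PLUS_MAGIC:
        return "x64"
    raise ValueError(f"unexpected machine/magic pair: {machine:#x}/{magic:#x}")


def classify(data: bytes) -> str:
    """Convenience wrapper that never raises: 'x86', 'x64' or 'not-pe'."""
    try:
        return pe_bitness(data)
    except ValueError:
        return "not-pe"


def pe_bitness_of_file(path: str) -> str:
    """Read only the first page; the headers always sit there."""
    with open(path, "rb") as f:
        return pe_bitness(f.read(4096))


def _stub(machine: int, magic: int) -> bytes:
    """Build a minimal header-only PE image. Constructed test data, not a real
    binary: just enough DOS header, PE signature, COFF header and optional
    header Magic for pe_bitness() to read."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 0xE0 if magic == PE32_MAGIC else 0xF0
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, size_of_optional, 0x102)
    optional = struct.pack("<H", magic) + b"\0" * 0x22  # only Magic is read here
    return bytes(dos) + b"PE\0\0" + coff + optional


STUB_X86 = _stub(IMAGE_FILE_MACHINE_I386, PE32_MAGIC)
STUB_X64 = _stub(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC)

if __name__ == "__main__":
    print("stub x86 ->", classify(STUB_X86))
    print("stub x64 ->", classify(STUB_X64))
    # Assumed install path; adjust for the machine being checked.
    # print(pe_bitness_of_file(r"C:\Program Files\CCleaner\CCleaner.exe"))
```

Knowing the build answers only the first question in the posts. Whether a given x86 binary is the compromised release still has to be settled against the version and hash information in the linked write-ups, which the thread itself does not reproduce.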
  14. It should. None of EAM's binaries are outside of its folder, and the only third-party dependencies that we don't bundle with EAM are system services/drivers/DLLs that should all be in the Windows folder. As long as EAM can access C:\ProgramData\Emsisoft to write logs/updates to, the TEMP folders, and its registry keys/values then it should be OK.