GT500

Emsisoft Employee

Everything posted by GT500

  1. That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to: https://id-ransomware.malwarehunterteam.com/

     Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

     Also note: While most ransomware will automatically delete itself after it finishes encrypting files, some variants are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

     Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  2. Yes, once you give the criminals your e-mail address, they could continue to try to extort money from you. It's best to never contact them yourself.
  3. Yeah, somebody (who shall remain nameless) likes to use their lawyers similar to how armies use artillery...
  4. There's currently no decrypter for Phobos. Out of curiosity, were the files that were encrypted accessible via FTP or Windows Networking? It seems strange for both a Linux and Windows server to get hit by the same ransomware.
  5. There's nothing new to report thus far; however, hopefully it won't be too much longer.
  6. The Behavior Blocker will only take action if the application attempts to do something potentially malicious.
  7. I checked our system real quick, and I don't see any e-mails from the address you signed up for the forums with. If you used a different e-mail account, then send me a private message on the forums with the e-mail address you used and I will see if I can find your e-mail in our system (feel free to add Claude to the private message conversation as well). Also note that right now Verizon, AOL, and Yahoo are blocking all e-mails that our forums and helpdesk are sending (they don't seem to like the service we use to send e-mails from those systems). We're attempting to get this resolved; however, if you had contacted us with an e-mail address from one of those three service providers, then it's possible that Claude sent you a reply and you didn't receive it due to this issue.
  8. The most important is a2service, as it's what monitors other processes, opens hooks, and does just about everything else. That being said, here's a full list of executable files that can be found in the EAM folder (note that by default Windows will hide the .exe on the end of the file names). The ones in bold are the most likely to be running, and should probably be excluded.
     - Proxy.exe - Update proxy, usually used in corporate networks to reduce update download bandwidth usage.
     - EmDmp.exe - Handles collecting and reporting crash info.
     - CommService.exe - Facilitates communication with Emsisoft Cloud Console (MyEmsisoft Workspaces).
     - EmsiClean.exe - Used during uninstall to help ensure all EAM files are removed.
     - a2start.exe - Main EAM interface.
     - a2guard.exe - Handles EAM notifications and System Tray icon.
     - a2service.exe - Backbone of EAM protection.
     - a2cmd.exe - Optional command-line scanner (only runs when executed manually).
  9. Is this the same computer you're having the other notification issue on?
  10. I noticed that you're logged in as an administrator. Were you previously logged in under a different account that doesn't have administrator rights, or have you always been logged in as an administrator when you noticed this issue?
  11. We highly recommend that you don't share your e-mail address publicly. Criminals will contact you and attempt to extort money from you.
  13. I would believe it uses a form of RSA encryption, which requires knowledge of a private key in order to decrypt files (files are encrypted with a public key, which can be analyzed without revealing anything that could aid in decryption). The private key is usually kept safe on the servers operated by the criminals, and it's fairly common for ransomware to generate a new private key for each computer.
  14. @Richard please download the following fixlist.txt file and save it to the Desktop: https://www.gt500.org/emsisoft/fixlist/2019-09September-13/Richard/fixlist.txt NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop. Run the FRST download from earlier, and press the Fix button just once and wait. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
  15. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  16. @Didi Please download the following fixlist.txt file and save it to the Desktop: https://www.gt500.org/emsisoft/fixlist/2019-09September-13/Didi/fixlist.txt NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop. Run the FRST download from earlier, and press the Fix button just once and wait. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
  17. It's not safe to publish your e-mail address publicly, especially when asking for help for a ransomware infection. Criminals who make ransomware do monitor our forums, and they may try to contact you to extort you for money. As for the ransomware your computer was infected with, .gero is usually associated with a newer variant of STOP/Djvu, and is a bit different from files that have .gerosan added to their names. The encryption has changed recently, and decryption of files that have had .gero added to the end of their name is not currently possible.
  19. Then it's not actually being blocked. Something else is happening. Let's try getting a log from FRST, and see if it shows the cause of the issue. You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.
  20. Let's try getting a diagnostic log. The instructions and download are available at the following link: https://help.emsisoft.com/en/1735/how-do-i-use-the-emsisoft-diagnostic-tool/
  21. It could be the Quarantine re-scan that is automatically performed after new updates are installed. Can you check and see how many files are in your Quarantine? Also, if you'd like to try turning off the Quarantine re-scan to see if that helps, then you can find the option in the settings in the Advanced category (I would believe the default option is Always).
  22. That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to: https://id-ransomware.malwarehunterteam.com/

      Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

      While most ransomware will automatically delete itself after it finishes encrypting files, some variants are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

      Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  23. Is Emsisoft Anti-Malware displaying a notification that it is blocking something when you visit these forums? Here's how to edit existing Host Rules, or delete custom Host Rules:
      1. Open Emsisoft Anti-Malware.
      2. Click on Protection.
      3. Click on Surf Protection in the menu at the top.
      4. Make sure that the option Hide built in list is not selected (located to the right of the search field).
      5. Search for the website that is being blocked.
      6. If you find it and it's a custom rule (these say "My own" under "Category"), then you can click on it once to select it, and then click the Remove rule button in the lower-right.
      7. If you want to edit the rule to change whether or not it is blocked, then just double-click on the website address in the list you want to edit, change the Implemented action to Don't block, and click OK to save it.
  24. It should be shown if you move your mouse pointer over the notification.
  25. The page seems to work for me (see screenshot below). May I ask what web browser you're using? Also, do you have the Emsisoft Browser Security extension installed, or only Emsisoft Anti-Malware?