GT500

Emsisoft Employee
Everything posted by GT500

  1. FYI: While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  5. Yes, that was expected. First we need your ID and MAC addresses from the infected computer, and then there's a possibility that the creator of STOPDecrypter may be able to figure out your decryption key. Or you could get lucky and have an offline ID, so that when support for the variant of STOP/Djvu that encrypted your files is added to STOPDecrypter it will be able to decrypt them on its own. Attach a copy of the ransom note to a reply and I'll let you know if it looks like an offline ID. You can also follow the instructions at the link below for getting your ID and MAC addresses with STOPDecrypter, which may help in figuring out your decryption key if you don't have an offline ID: https://kb.gt500.org/stopdecrypter
  6. This is a variant of the STOP ransomware. STOPDecrypter more than likely won't be able to recover your files, however it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
  7. @Surya dinata when you look at your logs in EEK, there's an Export button in the lower-left that will allow you to save a copy of the log. Could you please save it somewhere easy to find, and then attach it to a reply for me?
  8. Let's get some logs from FRST and see if they show any signs of the ransomware (Demonslay335 still needs a copy of this variant of STOP/Djvu). You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.
  9. That looks like an offline ID. If that's the case, then once the creator of STOPDecrypter gets his hands on a copy of this variant of STOP/Djvu, he'll be able to get the decryption key for it.
  10. You appear to also have Check Point SandBlast Agent installed, however the uninstall entry is hidden. Was this software supposed to have been removed at some point? At first glance I can't see anything else that might suggest a cause for this issue. It's possible that with the April Windows Update there's a problem between Check Point SandBlast Agent and Emsisoft Anti-Malware, however the only way to establish that is to uninstall Check Point's software and try the Windows Update again.
  11. Most components of Emsisoft Anti-Malware don't run in Safe Mode, however if the system boots and our disk filter driver isn't running then it will BSoD on startup. I haven't heard any other reports of issues since this update was released. It's possible that there's a third factor on the system beyond just Emsisoft Anti-Malware and the Windows Update in question. Let's try getting a log from FRST, and see if it shows anything relevant. You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.
  12. Would you happen to know where the infection came from? If you can send us a copy of the source for the infection, we can take a look at it. If we can get our hands on this variant of the ransomware and forward it to the guy who makes STOPDecrypter, then he'd be able to take a look at it as well. If I'm right about your ID being an offline ID, then your files would be decryptable.
  13. As Amigo-A said, that is more than likely a variant of the STOP ransomware. ID Ransomware can confirm that, and can let you know if STOPDecrypter can recover your files. Here's a link to ID Ransomware: https://id-ransomware.malwarehunterteam.com/ If STOPDecrypter can't recover your files, then note that it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter Also, while most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: If anything that appears suspicious is found in your logs, then your post will be split into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  14. We'll need the ID from one of the ransom notes as well. They should have a name like _readme (or something similar to this).
  15. While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: If anything that appears suspicious is found in your logs, then your post will be split into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  16. The screen name he uses here is Demonslay335, and he'll more than likely contact you directly if he's able to figure out your decryption key.
  17. Nothing at the moment. The creator of STOPDecrypter is hard at work trying to help people get keys to decrypt their files. We just need to give him enough time to work out solutions for everyone.
  18. We don't have an ETA on this. Hopefully it'll be soon, however it's not possible for us to know for certain yet.
  19. That log shows that it is safe to use Emsiclean to remove Emsisoft Anti-Malware. Please run Emsiclean again, making sure to select everything in the list, and then click the button to remove selected items. Please be sure to allow your computer to be restarted after doing this. Note that since Emsisoft Anti-Malware could not be uninstalled normally before running Emsiclean, it may not be able to completely remove everything on the first attempt. After your computer restarts, be sure to run Emsiclean again, and if it finds anything that wasn't removed then allow it to remove them and restart your computer again. Do this as many times as necessary, until Emsiclean reports that no traces have been found. After your computer has restarted, you may download and reinstall Emsisoft Anti-Malware from the link below: https://www.emsisoft.com/en/software/antimalware/download/
  20. That is more than likely a variant of the STOP ransomware. ID Ransomware can confirm that, and can let you know if STOPDecrypter can recover your files. Here's a link to ID Ransomware: https://id-ransomware.malwarehunterteam.com/ If STOPDecrypter can't recover your files, then note that it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
  21. There is no free decrypter for this variant of Dharma. Anything claiming to decrypt files encrypted by Dharma for free is either intended for another variant, or is a fraud. Also note that if you feel you absolutely have to pay the ransom, it's best not to contact the criminals yourself. Find someone experienced in negotiating with criminals like this to assist you (Coveware for instance).
  22. I've forwarded your information to the creator of STOPDecrypter so that he can archive it in case he is able to figure out your decryption key at some future point.
  23. He told me he hasn't been able to get his hands on a copy of this variant of STOP/Djvu yet, but as soon as he does he'll be able to pull the offline ID and key from it and add them to STOPDecrypter.
  24. At first glance, that looks like an offline ID. It's possible that support for it hasn't been added to STOPDecrypter yet. I'll ask the creator of STOPDecrypter about it.