Emsisoft Employee
Everything posted by GT500

  1. There are many ways to boot a computer from a USB flash drive. Linux boot disks can be converted and saved to a USB flash drive for instance. Just keep in mind that it will wipe out all data on the USB flash drive, so please make a copy of anything on the drive that you'd like to keep. If you get the computer booted from your USB flash drive, then all you need to do is find the Emsisoft Anti-Malware folder on the hard drive and rename it. Once renamed, Windows won't be able to find the files, and EAM won't be able to run. You can then change the name back and uninstall it from within Windows if you're able to get the computer to boot normally. As for what boot disk to use, you can try one of the variations of Fedora (Cinnamon, LXQt, or LXDE may be the easiest to use) or one of the different "flavors" of Ubuntu. You can also try vanilla Fedora or vanilla Ubuntu. If you need something that comes in a smaller download, then there's also Puppy Linux. There's also Knoppix if you need something with at least some forensics tools for data recovery, however the download is 4.3 GB. Note that in many of the desktop managers for Linux, they will mount hard drives in read-only mode, and you may need to right-click on a hard drive in the file manager and change it to read/write mode before you can save/edit/rename files and folders. As for getting a Linux boot disk onto a USB flash drive, there's a popular free software called Rufus that can do this. I recommend keeping the "Target system" set for "BIOS or UEFI" and keeping the "Partition scheme" set to "MBR" for the best compatibility. Note that it will need to format your USB flash drive (which is why it will wipe out any data already on it), and it's often best to allow it to use a FAT32 filesystem (again for best compatibility).
  2. Let's try getting a diagnostic log. The instructions and download are available at the following link: It might also be useful to get logs from FRST. You can find instructions for downloading and running FRST at the following link: Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.
  3. There is no official way to accomplish what you want when an account has administrator rights. That being said, you could use various tricks to prevent uninstall. For instance, install EAM using the old InnoSetup-based installer and then delete the uninstaller that's in the EAM folder. Or simply delete the uninstall entry for EAM from the registry after you install it. You could also change the permissions on the EAM folder to prevent deletion of the folder and any files inside, however this may prevent EAM from being able to update, and if any mistakes are made in permissions then EAM may not run correctly and you may not be able to fix it. Needless to say, this method is not really recommended, especially since the drivers and service could still be unregistered leaving EAM completely useless. I'll submit it as a feature request. For now, it should be possible to tell that logging has stopped on a specific workstation, and it should be possible to check the Last Update time/date.
  4. In most cases, those features should work without the need to keep most of the software that computer manufacturers pre-install. If you're not certain about what software should be kept or removed, then there is third-party software that can help (Decrapifier for instance, and for a while there was a ridiculous batch file that techs were using that could do it).
  5. Edit the rules and change them to "Monitored". Although, feel free to follow Amigo-A's advice, and keep PowerShell blocked if you'd like.
  6. It looks like it's still on the list of dialogs that need to be migrated to sciter. Hopefully it won't take too much longer.
  7. FYI: I've split our posts into a new topic so that we are no longer hijacking someone else's topic with an unrelated discussion.
  8. As I keep saying, there is absolutely nothing you can do to stop someone who has administrator access to a computer from removing security software. I don't care if the Anti-Virus can't be "uninstalled" without a password, I could remove it with a batch file. I could also just terminate its running processes, then delete its files, and unregister its drivers and services. It takes very little actual work to remove an Anti-Virus software, even if you don't have permission to do so. We used to have it as well. I think it was removed when we changed how our permissions system works.
  9. PowerShell has a built-in permissions system these days that automatically prevents execution of downloaded scripts. This of course does not prevent an application (or a batch file) from executing PowerShell commands from the command line, so it does not negate all of the dangers of PowerShell, however I don't think this is quite as common as it was when we made that recommendation and it certainly is better understood and detected now than it was back then.
  10. The programs that computer manufacturers pre-install are based on corporate contracts. Not all of those programs are free from annoyances or other potentially unwanted behavior. Many technicians will remove OEM software from new computers when they set them up for a client for this reason.
  11. It's not updated on any sort of regular basis. It would only be updated if there were more keys to add. The database is on our servers. In theory it should never be necessary to update the decrypter.
  12. The e-mail address was previously used by the Scarab ransomware, however sometimes more than one ransomware will use the same e-mail address. If you can attach copies of the ransom note and an encrypted file to a reply, then we can tell you more. You can also check with ID Ransomware to see if they are able to identify it: You can paste a link to the results into a reply if you would like for me to review them.
  13. That's because STOP/Djvu was able to connect to its command and control server when it encrypted your files, meaning the server generated a new encryption key for your files, and STOPDecrypter has no way of knowing what that key is. Work is progressing on something that may help. Please give us some time, and we'll see what we can do for you.
  14. I'm fairly certain that the password isn't required for an administrator (it's intended to grant admin rights for limited users). This, of course, would depend on how the permissions in EAM are configured (you can configure them so specific users or groups have limited permissions, regardless of the permissions they have in Windows). As for uninstalling, that's a matter of permissions in Windows. An administrator can remove anything they want to. If you try to block the uninstall, then they can just manually remove the software. You literally can not prevent it. Is it not possible to teach them how to add exclusions?
  15. There's currently no solution, however if you were lucky enough for your files to have been encrypted by an offline key then once the decrypter Amigo-A linked to is updated for .reco then you might be able to recover your files.
  16. I'm glad to hear that you got the decrypter working. If you need anything else, then let us know.
  17. Limited user accounts in Windows can't install or uninstall software. If you don't want someone to be able to uninstall your security software, then you should keep a single account with administrator rights that is protected by a reasonably secure password, and then all other accounts (including the one you normally log in with) should be limited accounts.
  18. I don't think it is, however I have asked our malware analysts to be certain.
  19. Either the decrypter is crashing, or something is preventing it from opening. Let's try getting a log from FRST, and see if it shows the cause of the issue. You can find instructions for downloading and running FRST at the following link (try to run the decrypter again before doing this so FRST's logs will include any Event Logs errors if the decrypter is crashing) : Note: If you have Emsisoft Anti-Malware installed, when FRST checks the Windows Firewall settings Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.
  20. When you say it "does nothing", do you mean there's no visible indication that it's doing anything, or does it display some sort of message about failing to decrypt the files?
  21. That depends on whether or not you want to be able to monitor logs, scans, etc. and be able to change settings remotely via the web interface. Granted you will also need access to your e-mail account from anywhere you intend on logging in to My.Emsisoft from (the Two-Factor Authentication is currently handled via e-mail), so it's only really useful anywhere you also have access to your e-mail account. BTW: Here's a video demonstrating some of the things that can be done in the "Cloud Console" at My.Emsisoft:
  22. That was the Muhstik ransomware. If anyone else is curious, there's more information at the following link:
  23. That's an online ID, so there won't be an immediate solution, however there is work on a way to recover your files that's ongoing. Just make sure to keep a backup of all of your encrypted files.
  24. Work is still progressing on your case. Hopefully it won't be too much longer.
  25. We currently have a promotional deal with CactusVPN. I'll ask our sales team if they have more information about it for you.