GT500

Emsisoft Employee
Everything posted by GT500

  1. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  2. It's not necessary to reinstall Windows, as most Anti-Virus software will remove the STOP/Djvu ransomware, including our free (for home/non-commercial use) Emsisoft Emergency Kit. Granted you can reinstall if you'd like to. I recommend making a backup of your encrypted files first, so that you can keep them somewhere safe in case they can be decrypted at some point in the future.
  3. You don't need to reformat your computer's hard drive. Most Anti-Virus software will remove the STOP/Djvu ransomware, including our free (for home/non-commercial use) Emsisoft Emergency Kit. Of course, removing the ransomware doesn't decrypt your files. Assuming your encrypted files have an online ID, there's nothing we can do to help with decryption since .domn is one of the newer variants that uses RSA keys.
  4. There's more information available at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  5. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  6. @Sturm have you tried adding an exclusion for il-2.exe to see if that has any effect on the issue? I keep my entire Steam folder excluded, as there are some games that don't respond well to the hooks Emsisoft Anti-Malware opens (Garry's Mod for instance). If you'd like to try it, then here's how:
     1. Open Emsisoft Anti-Malware.
     2. Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle).
     3. Click on Exclusions in the menu at the top.
     4. The exclusions section contains two lists (Exclude from scanning and Exclude from monitoring). Look for the box right under where it says Exclude from scanning.
     5. Click on the Add File button right below the Exclude from scanning box.
     6. Navigate to the folder you would like to exclude, click on it once to select it, and then click OK.
     7. Scroll down to the box under Exclude from monitoring and click the Add File button right below that box.
     8. Navigate to the folder you would like to exclude, click on it once to select it, and then click OK.
     9. Close Emsisoft Anti-Malware.
     Note: If a program you have excluded is running, then you will need to close it and reopen it for the exclusion to take effect. In some cases you will need to restart your computer before this will happen.
  7. Full/complete memory dumps are always preferred when dealing with a BSoD. Sometimes minidumps are OK, however there are plenty of times where they don't contain enough information to be certain about what happened. Correct. When you do have a memory dump for us, I recommend encrypting it when you ZIP it (or RAR or 7z if you prefer), and send me the password in a private message. It will, after all, contain everything that was in memory when the computer crashed.
  8. Emsiclean doesn't look for this particular registry key. It's created by the Windows Security Center, and its presence probably means that there was some issue when the uninstaller tried to unregister Emsisoft Anti-Malware from Security Center monitoring. I would believe that FRST can remove registered Anti-Virus providers, however you can also try reinstalling Emsisoft Anti-Malware and uninstalling it (optionally you can disable the "Windows Security Center integration" in the advanced settings in EAM before uninstalling again). If you would rather try it with FRST, then you can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.
  9. Our decrypter does need to be connected to the Internet to work. Please note that this has nothing to do with whether or not an ID is "online" or "offline". IDs are generated when the ransomware infects a computer and starts encrypting files. Nothing can change that, and this has nothing to do with whether or not there is an Internet connection when decrypting files.
  10. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  11. Your logs.db3 is pretty much empty. Did you clear the logs recently?
  12. Try the following, and let me know if that helps:
     1. Open Emsisoft Anti-Malware.
     2. Click on Settings.
     3. Click on Advanced in the menu at the top.
     4. Disable the option that says Start on Windows startup.
     5. Re-enable the option that says Start on Windows startup.
     That will re-create the startup entry for the part of Emsisoft Anti-Malware that draws the Notification Area icon.
  13. It's not possible to know for certain what caused it without a memory dump. It may be safe to assume that the issue more than likely originated in another driver, which caused a fault in tcpip.sys and thus a BSoD, however there's no way to say for certain. I would believe the assumption that Anti-Virus causes such BSoDs is based on the fact that most of them use some sort of network filter driver, however Anti-Virus is not the only software that loads drivers related to networking, and it could be an issue with any such software. Keep in mind that tcpip.sys is a vital part of the Windows Operating System, and has been for a long time. If a build of Emsisoft Anti-Malware had such a serious compatibility issue, it would never pass through QA.
  14. End of support for Windows 7 should have no effect on whether or not your files can be decrypted. You could make a backup of your encrypted files and upgrade to a Windows 10 computer, and if a method for decrypting your files were to be released then it should still work.
  15. Unfortunately that's a question that only Tesorion could answer, since no one else knows how their decrypter works.
  16. No private keys for newer variants of STOP/Djvu have been released yet, so there's nothing new to report.
  17. Offline means the ransomware couldn't connect to its command and control servers when it encrypted your files. It doesn't have anything to do with the version of Windows that's installed.
  18. You can add files and folders to an archive by right-clicking on them, going to Send to, and selecting Compressed (zipped) folder. You can also use something like 7-Zip or WinRAR if you prefer.
  19. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ It's normal for the IDs in encrypted files to be shorter than the IDs in the _readme.txt file. The IDs in the ransom note have extra characters appended to them.
  20. @Tahir Moeen the decrypter should now be able to decrypt all PDF files and Office documents for you. Unfortunately the JPG image wasn't a valid file pair (the data at the end of the files didn't match), so we weren't able to use it.
  21. Not that I'm aware of, however if you can start the computer from a bootable disk you can try renaming eppwfp.sys in the Emsisoft Anti-Malware folder, and see if the computer can boot after that. Do not rename or delete the entire Emsisoft Anti-Malware folder. Your computer will fail to boot if it can't load the EPPDISK driver (although it would show a different exception on the BSoD).
  22. Except that users don't see the alert dialog that you're referring to. They see a smaller notification on the right side of the screen. Windows Explorer loads information about the file when you click on it. I would believe the same would happen if you hovered the mouse pointer over a file long enough for Windows Explorer to display a tooltip with file properties. Windows Explorer displays information in the "Details" tab that cmd.exe's dir command doesn't. Some of that information is stored in the file itself, and not in the filesystem.
  23. I haven't been following this topic since Elise has been replying to it (she actually knows our File Guard and Behavior Blocker technologies better than I do), so I may be missing something here.

     That behavior is normal for Thorough scan level. EAM would only alert for the RAR file if there are signatures for it, as it doesn't automatically unpack the archive to scan the contents. You'll see no alerts when File Guard is set to Default scan level while using software that doesn't support IOfficeAntiVirus or AMSI, and I would believe that 7-Zip has yet to implement these technologies.

     In your example that I quoted above you were extracting files from a RAR archive. When EAM's File Guard is configured for Thorough scan level, it scans every newly written file, so while you're extracting files from an archive EAM is scanning each file. If a file being extracted from the archive is detected as malicious, the File Guard responds to that just like it would for any other file. The program writing the file doesn't generally matter.

     The Behavior Blocker is a bit different, since it's monitoring processes and it needs to be aware of cases where a process opens (for instance) a script for processing. A good example is a batch file, executed by cmd.exe, since EAM would be monitoring cmd.exe but would show the name of the batch file in the alert.

     EAM was monitoring file system access, and detected the files were accessed. As for whether or not it's possible to tell the difference between execution and reading file properties by just monitoring I/O I'm not certain.

     As you suspect, something had a file handle open to it. EAM doesn't like to fight for file access so it can delete things, as it's easier and less problematic to just delete on reboot.