GT500

Emsisoft Employee
Everything posted by GT500

  1. I would believe that you'll need to contact Dr.Web for this. Note that they do charge for this service, however I would believe that they will take a look at your files and let you know whether or not they can help you recover them before charging you anything.
  2. By "actual" I think he means "legitimate" or "genuine" (a warning not to rely on pirated software).
  3. Let's try getting a log from FRST, and see if it shows the cause of the issue. You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.
  4. One place to keep track of everything sounds nice, however it does unfortunately lead to rather cluttered bug reports when all of QA's testing information ends up there. I think it's fairly normal for BTS these days to have most of those features. The system we use can be a bit complicated, although the developers seem to like it. Granted I don't think they're usually made with QA in mind, so I think most companies use separate systems for bug reports and QA testing.
  5. The files are more than likely encrypted, and not infected. Regardless, any modern Anti-Virus software should be able to detect a ransomware from 2014 (especially one with a behavior monitoring component, like Emsisoft Anti-Malware's Behavior Blocker). Do you know what ransomware it was? If not, then ID Ransomware may be able to help you identify it: https://id-ransomware.malwarehunterteam.com/
  6. First we'll need to know what ransomware you're dealing with. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware it is: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  7. From the extension it does appear to be Phobos. If that's the case, then note that there's currently no known way to decrypt files without getting the private key from the criminals who made the ransomware.
  8. Things aren't necessarily added to the system when they're reported. Especially with bug reports, since QA may have to check into them before a bug report is created. Actually, Emsisoft is far better than others. The last company I worked for, no one would talk to the support team at all. They often wouldn't even listen when the support team tried to report bugs, and they didn't allow the support team access to their BTS. At least here the support team has someone to discuss bugs with and report bugs to. The lack of communication may seem strange, but most companies don't seem to feel that the support team should have anything to do with QA and that they don't need to know what QA or the developers are doing, so the fact that the support team here has access to the company BTS and can discuss bug reports and feature requests at all is (in my experience) far better than the norm.
  9. a2start.exe is the main user interface for Emsisoft Anti-Malware. It's pre-loaded by a2guard.exe during login to improve performance, which is why it's always running. If you can open the Emsisoft Anti-Malware window and interact with it without issues, then everything should be fine. BTW: Are you seeing "Disabled" in the "UAC virtualization" column of the Task Manager's details tab? If so, then this doesn't mean the process is disabled, and it's normal for a2start.exe and a2guard.exe to say "Disabled" in that column.
  10. I have access, however I don't generally know the issue numbers of bug reports and feature requests, which can make them difficult to find. Developers and QA do record notes on testing and fixes. That being said, we don't generally share internal information, and since the BTS is an internal system we don't usually share information recorded there. We also don't generally share information about changes to our products until there is a beta available for testing. This is why my answers tend to be so vague when asked about the status of bug reports or feature requests.
  11. Claude is out this week, however I asked @Sebastian about it, and he confirmed that we haven't received an e-mail from you in any of our mailboxes (sales, partners, and support) that are managed by our helpdesk system. May I ask what address you sent the e-mail to? Anyway, Sebastian should be contacting you privately to discuss this. Hopefully he'll be able to get this taken care of.
  12. Strange, I don't see anything in our system from the e-mail address you sent. Hopefully Claude will be able to confirm if he did receive a message from you.
  13. That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to: https://id-ransomware.malwarehunterteam.com/ Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean. Also note: While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  14. Restart your computer, then run another scan with FRST and attach the logs to a reply. I want to see if the Event Logs show any indication as to why the firewall service isn't starting.
  15. I haven't heard anything new about it, however I normally wouldn't unless there was either a fix that needed testing or we needed more information.
  16. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  17. All you really need to do is run the following command in an elevated Command Prompt, and then restart the computer: sc delete epp After that the epp.sys file can be deleted.
  18. Have you tried changing the performance impact in the scanner settings? To get to the scanner settings, open EEK, click on the Scan tile, and click on the Scanner settings button in the lower-right. If you change it to scan with reduced priority, then it shouldn't drive your CPU temperatures up as high (especially on processors that have 4 or more cores).
  19. Emsisoft Anti-Malware has reasonable protection against ransomware, and a Behavior Blocker that's particularly good at it. Backups are still recommended, regardless of what security solution you decide to go with, and I highly recommend that you save backups on removable media (USB hard drives or SSDs for instance) and leave them disconnected from the computer when not backing up data to them. Ransomware will encrypt data on any connected drive, and often on network shares as well, so the backup media cannot remain accessible to the computer all of the time, as this will give the ransomware the opportunity to encrypt it.
  20. With this variant of STOP/Djvu it would more than likely be necessary to get the decryption keys from the criminals who made/distributed the ransomware. In theory law enforcement may track him down at some point in the future, however they may also need more reports of incidents involving this ransomware in order to consider it a priority. https://www.nomoreransom.org/en/report-a-crime.html
  21. That's correct, however STOPDecrypter doesn't support this version of STOP/Djvu at all, so even if it was an offline key that was used then decryption wouldn't be possible. @Richard please note that this particular ransomware is distributed mainly with pirated software and fake pirated music and videos/movies. Certain cracking/activation-bypassing software (KMSPico for instance) is particularly well known for it, so we highly recommend avoiding such things.
  22. That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to: https://id-ransomware.malwarehunterteam.com/ Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean. Also note: While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  23. Not yet, but it's still being worked on.