GT500

Emsisoft Employee

Everything posted by GT500

  1. It would take even the most powerful super computer thousands of years to brute force the private key for your ID. There's no way we could do it.
  2. Registry exclusions can't be added manually, and can't be added via a workspace, so this procedure would have to be performed on each workstation separately. If you want to set this via a workspace policy then there's a setting in the Scanner Settings labeled Detect registry policies settings that you can disable, and that should prevent these detections as well. This setting can be configured in policies, and individually for each device that Emsisoft Anti-Malware is installed on (in the "Protection Settings" category).
  3. From what I'm seeing in the logs, this looks like it may have a different cause for everyone.

     @marko I'm seeing a string of the following errors in your FRST Addition log:

       Error: (09/11/2020 08:15:05 PM) (Source: SecurityCenter) (EventID: 16) (User: )
       Description: Error while updating status to SECURITY_PRODUCT_STATE_ON.

     The product name is missing, which suggests that whatever Anti-Virus product (presumably Emsisoft Anti-Malware) the entry is for probably has a corrupt registration with the Security Center. I'm going to send you a private message with a command to run to see if this is the case.

     @Quirky in your case I'm seeing several of the following errors, which suggest that an important part of the Windows Security Center isn't able to run, and thus Windows may not be able to track the status of Emsisoft Anti-Malware properly:

       Error: (09/08/2020 12:24:03 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
       Description: DCOM got error "1115" attempting to start the service SecurityHealthService with arguments "Unavailable" in order to run the server: {8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}

     Try right-clicking on the Start button, selecting Windows PowerShell (Admin) from the list, once PowerShell is ready type in CMD and press Enter on your keyboard, and then paste the following command and press Enter again:

       secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

     This command is supposed to reset all Windows Security Center settings. It may not restore Windows Security Center services to their default states, so if you've disabled the SecurityHealthService then you may need to change it back to automatic startup.

     @andrewek your logs don't show any errors that might indicate why this may be happening, however I did notice that both computers have Malwarebytes installed on them. Is real-time protection active? If so, can you try excluding the following file in Malwarebytes, and then reboot the computer to see if that helps (be sure to restart by right-clicking on the Start button, going to Shut down or sign out, and selecting Restart from that menu to bypass Fast Startup)?

       C:\Program Files\Emsisoft Anti-Malware\eppwsc.exe
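     As an added example (written for this page; it is not the command GT500 sent by private message and not Emsisoft tooling), the following PowerShell gathers the evidence the post above is reasoning from: the antivirus products Windows Security Center has registered and whether one of them has an empty product name, the state of the two Security Center services named in the DCOM error, and the same two event IDs FRST reported, pulled straight from the System log. It assumes an elevated Windows PowerShell session on a Windows 10 client (the root/SecurityCenter2 WMI namespace does not exist on Windows Server), and the productState bit decoding it uses is the widely circulated community interpretation, not a documented API. The secedit reset is GT500's command, wrapped in a function that is left commented out so nothing is rewritten until the output has been reviewed.

```powershell
# Added example, not GT500's command or Emsisoft code. Run in an elevated
# Windows PowerShell session on a Windows 10 client; the root/SecurityCenter2
# namespace does not exist on Windows Server.

function Get-WscAntiVirusStatus {
    # Every AV product registered with Windows Security Center is listed here.
    # An entry with an empty displayName matches the "product name is missing"
    # symptom behind the SecurityCenter EventID 16 error; a product that is
    # installed but absent from this list has no WSC registration at all.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        # productState is a packed 24-bit field. Decoding below is the community
        # interpretation (assumption, not documented): middle byte 0x10 means
        # real-time protection on, 0x00 off; low byte 0x00 means definitions
        # current, 0x10 out of date.
        $hex = '{0:X6}' -f [int]$p.productState
        [pscustomobject]@{
            DisplayName  = $(if ([string]::IsNullOrWhiteSpace($p.displayName)) { '<MISSING>' } else { $p.displayName })
            InstanceGuid = $p.instanceGuid
            ProductState = "0x$hex"
            RealTimeOn   = ($hex.Substring(2, 2) -eq '10')
            DefsUpToDate = ($hex.Substring(4, 2) -eq '00')
            ExePath      = $p.pathToSignedProductExe
            LastUpdated  = $p.timestamp
        }
    }
}

function Get-WscServiceStatus {
    # wscsvc is the Security Center service itself; SecurityHealthService is the
    # service DCOM failed to start in the EventID 10005 error. Win32 error 1115
    # is ERROR_SHUTDOWN_IN_PROGRESS, so compare the event time with the last
    # shutdown before concluding the service is broken rather than stopping.
    Get-Service -Name 'wscsvc', 'SecurityHealthService' -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

function Get-WscRelatedEvents {
    param([int]$Days = 7)
    # The same two event IDs FRST reported, read from the live System log.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM', 'SecurityCenter'
        Id           = 10005, 16
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message
}

function Invoke-WscPolicyReset {
    # GT500's reset command, unchanged except that $env:windir replaces the CMD
    # %windir% expansion so it runs from PowerShell directly. It rewrites local
    # security policy from defltbase.inf; secedit logs to scesrv.log.
    & secedit.exe /configure /cfg "$env:windir\inf\defltbase.inf" /db defltbase.sdb /verbose
    Get-Content "$env:windir\security\logs\scesrv.log" -Tail 20
}

Get-WscAntiVirusStatus | Format-Table -AutoSize
Get-WscServiceStatus   | Format-Table -AutoSize
Get-WscRelatedEvents   | Format-Table -AutoSize -Wrap
# Invoke-WscPolicyReset   # uncomment only after reviewing the output above
```

     If Get-WscAntiVirusStatus shows Emsisoft Anti-Malware with a '<MISSING>' name, or does not list it at all, the registration itself is what needs repair; if it looks healthy and the DCOM 10005 events all cluster around shutdown times, the error code points at timing rather than a disabled service.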
  4. Unless the defrag managed to corrupt something (file or registry data), then I'm not certain how it could have caused the issue to reappear. It's possible that it was just a weird coincidence and that something else caused it, however at this point everything is just speculation since we don't have any debug info beyond the FRST logs. Anyway, I've downloaded everyone's FRST logs and will take a look at them to see what I find.
  5. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ The only way to get an offline ID is if the decrypter isn't able to connect to its command and control servers when it encrypts your files. Since your files are already encrypted, your ID and keys have already been generated and used during encryption, so there's no way to change that now.
  6. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  7. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  8. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  9. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  10. We rarely update our decrypter. It's not necessary since it draws keys from a database. That being said, we won't be able to obtain private keys for online IDs unless law enforcement is able to arrest the criminals or otherwise gain access to their servers and release their database of keys for use in decrypters. Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future. We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters: https://www.bleepingcomputer.com/ If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news: https://www.bleepingcomputer.com/feed/
  11. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  12. No, we already have a decrypter. You'll need to have original copies of at least a few encrypted files available in order for our servers to generate a keystream for the decrypter to use. Check anywhere you may have saved or sent files in the past. Check your phone, memory cards, USB flash drives or hard drives. Also check websites you may have uploaded files to such as social media, file sharing networks, e-mail or other messaging services, etc. You can also ask friends and family who you may have shared files with to see if they have original copies of any of your encrypted files.
  13. Technically these aren't false positives. They're common modifications made by malware that hamper troubleshooting, and are usually considered undesirable outside of a corporate environment where the administrator has determined that these system tools should not be available to regular users on the system. In the scan results, simply right-click on the entry you want to exclude and select Add to exclusions. This should prevent it from being detected in future scans.
  14. I have that update for Windows 10 1909 installed as well, so I suspect that the issue happening on that particular startup was just a coincidence. Can everyone who's still seeing the WSC issues go ahead and post fresh FRST logs for me to review? I want to see if there are any similarities between your systems that might account for why you're all still having this issue. You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.
  15. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  16. No, we don't have the private key for .oonn's offline ID yet.
  17. This is an older variant of the STOP/Djvu ransomware. There is more information (and a decrypter download) at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ You'll need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files.
  18. This is an older variant of the STOP/Djvu ransomware. There is more information (and a decrypter download) at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ If your files have online IDs, then you'll need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files.
  19. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ Once a key is created, it doesn't change. If your key starts off as online, then it will always be online.
  20. If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back. Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future. We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters: https://www.bleepingcomputer.com/ If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news: https://www.bleepingcomputer.com/feed/
  21. Try the instructions at the following link to reset your HOSTS file back to default: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
  22. Some infections may inject code into HTML or JavaScript files, however you'd have to manually check them to verify if that's the case or not.
  23. There shouldn't be a limit to the number of devices allowed in a policy, assuming you mean policies in your workspace in MyEmsisoft.
  24. It's possible that something may have prevented an update from installing properly, requiring an extra restart to finish the process. Unfortunately for us to know for certain, Emsisoft Anti-Malware would have needed to be saving debug logs at the time the issue happened, and it doesn't do this by default. If the issue happens again, then let us know. If it keeps reoccurring then we should be able to get debug logs.