GT500

Emsisoft Employee

Everything posted by GT500

  1. Unfortunately the only way to do it right now is by uploading file pairs one at a time. The easiest way to handle this is to create a spreadsheet with two columns, one with the first 5 bytes of each JPG image and the next with the file names. Then sort the rows by the column with the first 5 bytes, and that will group together all files in the list that have the same first 5 bytes. Then pick out the best file from each group you can use as a file pair.
  2. The decrypter will tell you if your files have online IDs or offline IDs.
  3. Most browsers automatically save all downloads into the "Downloads" folder, and all a malicious website has to do is trick a user into clicking a link to initiate a download. Some scripts are also able to initiate downloads without user interaction. If the users were browsing with Firefox then this is normal, since it doesn't implement IOfficeAntiVirus or AMSI. Google Chrome implements IOfficeAntiVirus, and most Microsoft applications implement one of those APIs as well (including their browsers). They allow an application to request that anti-virus software scan a file, so the File Guard (if it was on) would have scanned any files for a browser that implements one of these APIs before they were saved.
  4. I already know what the file in the log entry he posted is. It's a legit Google Chrome installer, digitally signed by Google. You could type "google" into the search field in Process Hacker to make it easier to see.
  5. It's possible that a2service is crashing during shutdown. Hopefully the debug logs will give us an idea of whether or not that happened. I don't think that's the case here, however it would be relatively easy for @Quirky to check. All he'd have to do is turn debug logging on and off, and see what happens.
  6. In the topic "NEW Help File": I understand. It's just that the comment sort of steered things a bit off topic.
  7. If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back. Right now the criminals who made/distributed the STOP/Djvu ransomware are the only ones that can decrypt files that have online ID's. That isn't going to change until the private keys that are in the possession of the criminals are released publicly.
  8. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  9. If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back. Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future. We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters: https://www.bleepingcomputer.com/ If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news: https://www.bleepingcomputer.com/feed/
  10. Don't follow advice you find in YouTube videos or random online tutorials unless a ransomware expert recommends it. Just in the first 2 minutes of that video I noticed a number of mistakes in the information, which suggests they don't actually understand much about this ransomware. I did not watch the rest of the video to see how much of the remaining information was also incorrect. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  11. For most file types you only need a single file pair per file type. JPEG/JPG and a few others are different, and will need you to upload a new file pair for each source the files came from (a specific camera can be a source, a specific phone can be a source, a specific image editing program can be a source, etc). Go ahead and see what the decrypter can decrypt, and then decide what file pair to work on next based on that. Keep an eye on the first 5 bytes that the decrypter mentions for files it can't decrypt, because the file pairs work for all files that have the same first 5 bytes.
  12. I see ID Ransomware wasn't able to identify your files. This probably means it isn't WannaCryFake. Would it be possible to ZIP a few files and attach them to a reply?
  13. Have you tried a tool such as Process Hacker or Process Explorer to see what's launching the Chrome installer from your TEMP folder? Both of these tools show processes in a tree view so that you can easily tell which processes launched other processes, and you can hover over a process in the list to see a tooltip with the command that was used when launching it. As an example of the tree view, here's a screenshot showing how slack.exe launched several more instances of slack.exe, upc.exe launched UplayWebCore.exe, and steam.exe launched steamwebhelper.exe which in turn launched more instances of steamwebhelper.exe:
  14. I've forwarded all of your logs to QA as well so that they can look into this further.
  15. I can see the following entries from the event logs related to EAM. Do these correspond to times you powered on/restarted your computer and had this issue?

      Error: (07/25/2020 05:52:56 PM) (Source: Application Error) (EventID: 1000) (User: )
      Description: Faulting application name: a2service.exe, version: 2020.7.2.10280, time stamp: 0x5f031bef
      Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
      Exception code: 0xc0000005
      Fault offset: 0x00000000001f0fd8
      Faulting process id: 0x708
      Faulting application start time: 0x01d66291490423e9
      Faulting application path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
      Faulting module path: unknown
      Report Id: 0aca9096-9738-4163-815c-30b4bf1622dd
      Faulting package full name:
      Faulting package-relative application ID:

      Error: (07/24/2020 02:34:36 PM) (Source: Application Error) (EventID: 1000) (User: )
      Description: Faulting application name: a2service.exe, version: 2020.7.2.10280, time stamp: 0x5f031bef
      Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
      Exception code: 0xc0000005
      Fault offset: 0x00000000001f0fd8
      Faulting process id: 0x6f4
      Faulting application start time: 0x01d6619cd3231f0a
      Faulting application path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
      Faulting module path: unknown
      Report Id: 2765a22c-4860-40b7-a6f2-adb3f2ce26f2
      Faulting package full name:
      Faulting package-relative application ID:

      Error: (07/25/2020 05:53:01 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
      Description: The Emsisoft Protection Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

      Error: (07/24/2020 02:34:42 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
      Description: The Emsisoft Protection Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
  16. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  17. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  18. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  19. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  20. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  21. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  22. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  23. Those options are enabled by default, and don't affect the amount of time the notification is displayed for. BTW: @JeremyNicoll this topic seems to be getting a bit confusing. Do you mind if I handle it? Let's try getting a diagnostic log. The instructions and download are available at the following link: https://help.emsisoft.com/en/1735/how-do-i-use-the-emsisoft-diagnostic-tool/
  24. In the topic "NEW Help File": If you're concerned about the documentation not being available online, you should create a new topic about it. No need to hijack stapp's bug report.
  25. It looks like the certificate the file was signed with isn't blacklisted, so normally the Behavior Blocker wouldn't have been triggered by it. That could indicate that the file was moved or deleted before the signature could be read.