GT500

Emsisoft Employee
  • Content Count: 13320
  • Days Won: 413

Posts posted by GT500


  1. 12 hours ago, Seydmoobin said:

    When the virus was on my computer it did not allow me to use Emsisoft Emergency Kit; it kept crashing. Thank God I can download 80% of my files.

    The STOP/Djvu ransomware is actually really easy to remove (the decrypter actually disables it so it can't encrypt any new files), however it's possible the computer was infected by other things as well. Of course reinstalling Windows would have gotten rid of any active infections.


  2. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  3. 21 hours ago, Aslam Mukadam said:

    No key for New Variant offline ID: I6hXMDXkHGafsmFBIn2oJ0Y07Q3ZWPy43JWTINt1
    Notice: this ID appears to be an offline ID, decryption MAY be possible in the future

    This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant.

    There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  4. 10 hours ago, packerman said:

    Why does this product constantly flag games?

    Game developers and publishers do not normally digitally sign their binaries, and since they tend to update them frequently these days it's difficult to keep them whitelisted so that they won't be detected.

    My recommendation in the case of crashes is to add the folder the game is launching from to the exclusions for scanning and monitoring in Emsisoft Anti-Malware, which will prevent Emsisoft Anti-Malware from opening hooks to the game while it's running. You can find Steam and Origin games in the following folders by default:

    • C:\Program Files (x86)\Steam\steamapps\common\
    • C:\Program Files (x86)\Origin Games\

    Here are instructions on excluding a folder from scanning and monitoring:

    1. Open Emsisoft Anti-Malware.
    2. Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle).
    3. Click on Exclusions in the menu at the top.
    4. The exclusions section contains two lists (Exclude from scanning and Exclude from monitoring). Look for the box right under where it says Exclude from scanning.
    5. Click on the Add folder button right below the Exclude from scanning box.
    6. Navigate to the folder you would like to exclude, click on it once to select it, and then click OK.
    7. Scroll down to the box under Exclude from monitoring and click the Add folder button right below that box.
    8. Navigate to the folder you would like to exclude, click on it once to select it, and then click OK.
    9. Close Emsisoft Anti-Malware.

    Note: If a program is still running when you exclude its folder, then you will need to close it and reopen it for the exclusion to fully take effect. In some cases (such as for programs that run on startup) you will need to restart your computer before this will happen, however a restart is not normally needed for games.


  5. 11 hours ago, Carl1223_Delta said:

    I did not restore to be able to obtain the file to upload to VirusTotal for testing because I have that issue with going into the WindowsApps folder where even though I'm the Admin and supposedly have ALL the power, Windows will not let me access it.

    That's normal. Windows has extra protection on that folder to prevent access, and restoring the file should fail. The only easy way to restore a file from a Microsoft Store app that gets deleted is to uninstall the app and then reinstall it.

    According to VirusTotal the file that was flagged by the Behavior Blocker isn't digitally signed, however there are ways of signing a file that won't be reflected on VirusTotal (I believe signatures can be contained in separate "catalogue" files). Regardless, if the file wasn't digitally signed, or there was some reason why EAM could not read the signature, then that would account for why the Behavior Blocker reacted to it.


  6. 6 hours ago, Free amr said:

    I have the same problem with the .lyli extension.

    I also get this message: this ID appears to be an online ID, decryption is impossible

    This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/



  7. 7 hours ago, SimiK said:

    Have you come across a situation like this before?

    It usually means that more than one variant of STOP/Djvu has infected the computer. The variant that used the extension .mado was first seen in March, and was probably replaced by another one in early April.

     

    7 hours ago, SimiK said:

    I was going to show you a screenshot of the readme.txt file, however after trying to search for it on my cousin's laptop, it does not seem to be there, so I cannot get the personal ID.

    The decrypter will tell you the ID for each file. The ransomware adds the ID used to the end of each encrypted file, so it's not necessary to get it from the ransom notes.
    https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
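    The reply above says the personal ID is appended to every encrypted file, and the earlier reply notes that one machine can carry files from more than one STOP/Djvu variant. The following is an added example, not Emsisoft's decrypter code, that reads the trailer of each file, pulls out the ID, and groups files by extension and ID. It assumes a tail layout taken from public sample analyses rather than from this page (a 40-character ID immediately followed by the marker string in MARKER) and uses the common heuristic that offline IDs end in "t1"; the sample files it scans are constructed in a temporary directory using the two IDs quoted in this thread.

```python
"""Added example (not Emsisoft's code): extract the personal ID from the tail
of STOP/Djvu-encrypted files and group the files by extension and ID.

Assumptions (not stated on the page; check against a real sample):
  * the ransomware appends <40-char ID><MARKER> to each encrypted file,
  * offline IDs end in "t1", everything else is treated as an online ID.
"""
import os
import re
import tempfile
from collections import defaultdict

# Assumed trailer marker and ID shape (the IDs quoted in this thread are 40
# alphanumeric characters).
MARKER = b"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"
ID_LEN = 40
ID_RE = re.compile(rb"[0-9A-Za-z]{40}")


def extract_id(tail):
    """Return the personal ID found in the trailing bytes of a file, or None."""
    pos = tail.rfind(MARKER)
    if pos < ID_LEN:
        return None  # no marker, or not enough room for an ID before it
    candidate = tail[pos - ID_LEN:pos]
    if not ID_RE.fullmatch(candidate):
        return None
    return candidate.decode("ascii")


def read_tail_id(path, tail_len=1024):
    """Read only the last tail_len bytes of path and extract the ID from them."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        f.seek(max(0, size - tail_len))
        return extract_id(f.read())


def classify_id(personal_id):
    """Heuristic used by the decrypter community: offline IDs end in 't1'."""
    return "offline" if personal_id.endswith("t1") else "online"


def survey(root):
    """Walk root and map (extension, ID, online/offline) -> list of file paths."""
    groups = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            pid = read_tail_id(path)
            if pid is None:
                continue  # not an encrypted file (or unknown layout)
            ext = os.path.splitext(name)[1]
            groups[(ext, pid, classify_id(pid))].append(path)
    return dict(groups)


# Constructed sample data: the two IDs quoted in this thread, two extensions.
OFFLINE_ID = "I6hXMDXkHGafsmFBIn2oJ0Y07Q3ZWPy43JWTINt1"
ONLINE_ID = "N9ylLj1cTLQSen5sOG509nwcCvGHg8n4uVbt3eh5"


def build_sample_dir(root):
    """Write fake 'encrypted' files with the assumed trailer, plus one clean file."""
    samples = {
        "photo.jpg.mado": OFFLINE_ID,
        "notes.docx.mado": OFFLINE_ID,
        "report.xlsx.lyli": ONLINE_ID,
    }
    for name, pid in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(os.urandom(2048))  # stand-in for the encrypted body
            f.write(pid.encode("ascii") + MARKER)
    with open(os.path.join(root, "untouched.txt"), "wb") as f:
        f.write(b"plain file, never encrypted\n")


def demo():
    """Build the constructed sample tree and return file counts per group."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_dir(root)
        return {key: len(paths) for key, paths in survey(root).items()}


if __name__ == "__main__":
    for (ext, pid, kind), count in sorted(demo().items()):
        print(f"{ext:8} {kind:8} {pid}  ({count} file(s))")
```

    Running it against a real encrypted folder (replace the constructed tree with the victim's directory in `survey`) gives one row per extension/ID pair, which is the quickest way to see whether a machine was hit by more than one variant and which of the IDs are worth re-checking with the decrypter later.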


  8. 20 hours ago, Seydmoobin said:

    Can i decrypt them in future?

    If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back.

    Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future.

    We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:
    https://www.bleepingcomputer.com/

    If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:
    https://www.bleepingcomputer.com/feed/


  9. 5 hours ago, Skori said:

    Hello.

    We got a decryption tool. Is it useful for you to have a sample of encrypted file and this decryption tool for possible development of your own general decryptor?

    It won't tell us as much as the ransomware itself would, however it might be worth looking at. Feel free to ZIP the files and attach them to a reply here on the forums.

    And yes, it would be best to have at least one file pair (if not two or three) just in case we need them during analysis.


  10. 7 hours ago, Seydmoobin said:

    No key for New Variant online ID: N9ylLj1cTLQSen5sOG509nwcCvGHg8n4uVbt3eh5
    Notice: this ID appears to be an online ID, decryption is impossible

    This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  11. 11 hours ago, bullet007 said:

    I too was attacked by .kolz on 20 Sep....

    This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

     

    11 hours ago, bullet007 said:

    Please contact me ************ so we can share what steps are possible.

    Please do not ask other people to contact you, or respond to requests from others to contact them. It's highly likely that criminals will try to contact you and scam you out of money with false promises of decryption or file recovery.


  12. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  13. 19 hours ago, Advanced User said:

    By default, older versions had the normal window size on any computer. Why is it crooked in the new version?

    It looks like, if there's window position and size data in the config file, EEK is reading it and using it when displaying the window. If you want to reset it back to default, then either delete the a2settings file in the EEK folder, or download a fresh copy of EEK. Technically it is also possible to edit the data in the a2settings file to remove the old information in the [Position] section in order to reset it without deleting the entire file, however we don't recommend doing this.

     

    19 hours ago, Advanced User said:

    The product is becoming more and more like an Indian craft.

    Without knowing exactly what you mean by this comment, it may be in violation of our forum guidelines (specifically the section titled "Posting and transmitting content"). I recommend familiarizing yourself with them.


  14. 4 hours ago, BilalD said:

    Finally the Emsisoft STOP/Djvu Decryptor worked for ransomware with the .nile extension. Today I decrypted all my encrypted files and got my files back after 50 days. I'm so happy 😊 Thanks @GT500 for helping me, thanks Emsisoft, I am grateful to you, God be with you... 🙏🙏

    Awesome, we're glad to hear that your files were decrypted. 👍

  15. 6 hours ago, SimiK said:

    Does the emsisoft decryptor have a key for this ransomware? do you need to see the ID?

    This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

    You can post the ID here if you want me to let you know if it's online or offline.


  16. 23 hours ago, Mr.A3 said:

    No key for New Variant offline ID ??????????????????????
    Notice: this ID appears to be an offline ID, decryption MAY be possible in the future

    This is a newer variant of STOP/Djvu. Fortunately your ID is (presumably) an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant.

    There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/