GT500
Emsisoft Employee
  • Content Count: 11167
  • Days Won: 322

Everything posted by GT500

  1. Are you able to configure Malwarebytes Anti-Malware so that it doesn't run when Windows starts, and then restart your computer? I'm curious to see if you still have the same issue without Malwarebytes Anti-Malware running.
  2. Clearing logs only applies to the forensics logs. EAM no longer has UI options for dealing with scan logs. They're pretty small, so I don't think the fact that they are never deleted has been considered as problematic before.
  3. Awesome, thanks for letting me know. 👍
  4. Does this error happen every time you run the decrypter? If it always happens, or at least is easy to reproduce, then we may be able to get some debug information to aid in determining what's causing the issue.
  5. Out of curiosity, is this fixed in the current beta version? Here's how to install it:
     • Open Emsisoft Anti-Malware.
     • Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle).
     • Click on Updates in the menu at the top.
     • On the left, in the Updates section, look for Update feed.
     • Click on the box to the right of where it says Update feed, and select Beta from the list.
     • Right-click on the little Emsisoft icon in the lower-right corner of the screen (to the left of the clock).
     • Select Update now from the list.
  6. The short explanation is that when the ransomware executes it will connect to its command and control servers via the Internet. If it's able to connect, the servers will generate a unique ID and unique public and private RSA keys, and then send the ID and public key to the ransomware. The ransomware will then begin encrypting files using the public key it received from the servers, adding the ID it received to the files and ransom notes for identification. Once the ransomware has received the ID and public key, disconnecting the Internet will have no effect, and the only way to stop it is to terminate the ransomware so that it is no longer running (for the average person shutting down the computer is the easiest way to do this).
     As Demonslay335 already mentioned, this is actually a newer variant, and a bug in the decrypter was causing it to call it an old variant. The bug has been fixed, however this didn't affect decryption, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
     This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
     This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
     No, we'd need to extract the private key from the decrypter they send to victims who have paid the ransom.
  7. If you have original copies of some of the encrypted files, then you can use them as file pairs, and submit them using the form at the following link: https://decrypter.emsisoft.com/submit/stopdjvu/ There's more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  8. I've asked the developer of the decrypter about this error.
  9. We've already analyzed it. You won't learn anything that can help decrypt your files by playing with it in a virtual machine, however I do recommend keeping the virtual machine as a safe place to run things you download to make sure they're safe. Just keep in mind that a lot of malware won't run in a virtual machine, as they detect it and abort execution to prevent analysis. We can see your Scheduled Tasks in the FRST logs, and can script removal of any malicious ones via the fixlist.
  10. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  11. This isn't an old variant. There was a bug in the decrypter that caused it to always say this, and it has been fixed in version 1.0.0.4 so that it will display the correct message. Note that this did not affect decryption in any way.
  12. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  13. There are some variants where we don't have keys for offline IDs. If the variant is .nelasod then you should be able to upload file pairs to help the decrypter "learn" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ That's an online ID, however if the variant is .nelasod then you should be able to upload file pairs to help the decrypter "learn" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  14. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ Assuming the variant is .nakw then this is a bug in the decrypter causing it to say it's an Old Variant. This is actually a new variant, and this bug has been fixed in version 1.0.0.4, however please note that this bug had no effect on decryption of files and neither will the fix. Your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  15. We've since discovered a bug in the decrypter that caused it to always say it was an Old Variant. This has been fixed in version 1.0.0.4, however please note that this does not affect decryption in any way, and only affects the message the decrypter displays.
  16. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  17. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  18. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
      Please download the following fixlist.txt file and save it to the Desktop: https://www.gt500.org/emsisoft/fixlist/2020-01January-28/ABN/fixlist.txt
      NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.
      Run the FRST download from earlier, and press the Fix button just once and wait. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
  19. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  20. Our recommendation is to make a backup copy of your encrypted files, and wait until the private keys are released publicly so that we can add them to the decrypter. Only if the files have an offline ID. Newer variants use RSA keys, and we need the private key to decrypt the files. We can only get private keys for offline IDs, and only if they are donated by those who have paid the ransom. I assume he's already mentioned this at BleepingComputer, however he's discovered a bug that caused the decrypter to always say "Old Variant". This bug is now fixed, and version 1.0.0.4 of the decrypter should no longer be getting this wrong.
  21. Then you'll have to use a file sharing service to upload them to, and then send us the link to download the files. Just be sure not to send anything with private information in it. You can use any file sharing service you would like, however WeTransfer allows up to 2 GB for free without an account. If you need to enter an e-mail for them to send the download link to, then you can enter [email protected] (just be sure to mention your username on the forums, why you're sending the files, that they are for me, and leave a link to this topic in your message as well).
  22. Go ahead and attach your diag log here instead of the other topic, and if you could also get me a log from FRST then that would be great. You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning, however if a2guard.exe (which draws the System Tray/Notification area icon) is not running then you will not see notifications. In this instance, if EAM just quarantines FRST without warning, then attach the logs it saved to a reply as they'll contain most of what I need to see.
  23. Let's try getting a diagnostic log. The instructions and download are available at the following link: https://help.emsisoft.com/en/1735/how-do-i-use-the-emsisoft-diagnostic-tool/ Let's move this to your newer topic instead, since I think fixing that issue will fix both issues:
  24. Do you use a 24-hour clock format on your computer? From what I'm seeing, times up to 23:59 should work.
  25. That's a newer variant, not an older variant. I assume the decrypter told you otherwise? We're looking into why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.
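The key model behind the online/offline distinction explained in items 6 and 20 above (why disconnecting after the ransomware has its key changes nothing, and why a donated private key helps only victims with an offline ID), as an added Go example written for this page. It is not Emsisoft's decrypter code and not anything taken from the ransomware; the posts say only that newer variants use per-victim RSA keys from the C2 with an offline fallback. Everything else here is an assumption for the demo: the ID format (`online-001`, `offline-buildA`), AES-256-GCM for the per-file step, RSA-OAEP for wrapping the file key, 1024-bit keys for speed, and the constructed sample document.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile: ciphertext, per-file AES key wrapped with RSA, and the victim ID.
type EncryptedFile struct {
	ID                            string
	WrappedKey, Nonce, Ciphertext []byte
}

// Variant models one build: it embeds an "offline" public key that every victim
// of that build shares when the C2 cannot be reached.
type Variant struct {
	OfflineID  string
	OfflinePub *rsa.PublicKey
}

// C2 models the command-and-control server: a fresh RSA key pair per victim,
// private half kept server-side; only the ID and public key reach the victim.
type C2 map[string]*rsa.PrivateKey

func (c C2) Register() (string, *rsa.PublicKey) {
	priv := mustKey()
	id := fmt.Sprintf("online-%03d", len(c)+1) // assumed ID format, not the real one
	c[id] = priv
	return id, &priv.PublicKey
}

func mustKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 1024) // small key only for demo speed
	if err != nil {
		panic(err) // only a broken random source can get here
	}
	return priv
}

func mustGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Infect picks the key source the way the post describes (C2 if it answers,
// otherwise the embedded offline key), then wraps a random per-file AES-256-GCM
// key with that RSA public key. Once the key is in hand, going offline changes nothing.
func Infect(c2 C2, v Variant, c2Reachable bool, plaintext []byte) EncryptedFile {
	id, pub := v.OfflineID, v.OfflinePub
	if c2Reachable {
		id, pub = c2.Register()
	}
	fileKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(fileKey)
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		panic(err) // a 32-byte key always fits a 1024-bit OAEP block
	}
	ct := mustGCM(fileKey).Seal(nil, nonce, plaintext, []byte(id))
	return EncryptedFile{id, wrapped, nonce, ct}
}

// Decrypter knows only donated private keys. A donated offline key unlocks every
// victim of that build; an online victim's private key exists only on the C2.
type Decrypter map[string]*rsa.PrivateKey

func (d Decrypter) Decrypt(f EncryptedFile) ([]byte, error) {
	priv, ok := d[f.ID]
	if !ok {
		return nil, fmt.Errorf("no private key on file for ID %s", f.ID)
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return mustGCM(fileKey).Open(nil, f.Nonce, f.Ciphertext, []byte(f.ID))
}

// Demo infects one constructed document twice (offline ID, then online ID),
// donates the build's offline key, and reports which copy the decrypter recovers.
func Demo() (offlineRecovered, onlineRecovered bool) {
	offlinePriv := mustKey() // held by the ransomware authors until someone donates it
	variant := Variant{"offline-buildA", &offlinePriv.PublicKey}
	c2, doc := C2{}, []byte("constructed sample document")
	offFile := Infect(c2, variant, false, doc)
	onFile := Infect(c2, variant, true, doc)
	dec := Decrypter{variant.OfflineID: offlinePriv} // the donated key
	pt, errOff := dec.Decrypt(offFile)
	_, errOn := dec.Decrypt(onFile)
	return errOff == nil && string(pt) == string(doc), errOn == nil
}

func main() { fmt.Println(Demo()) }
```

Running it prints `true false`: the offline-ID copy decrypts as soon as the shared private key is in the database, while the online-ID copy stays locked because its private key never left the C2. That is also why file pairs or a virtual machine cannot help with an online ID, and why the only thing a victim can do during encryption is stop the process.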