GT500

Emsisoft Employee

Everything posted by GT500

  1. Do you have 7-Zip or WinRAR? You could try a 7z or RAR archive instead of ZIP.
  2. Do you see the error message in your screenshot? "invalid file pair". This means that you didn't supply two copies of the same file.
  3. Unfortunately that won't work with the type of encryption that MegaLocker uses. If it did, then our decrypter would allow everyone to get their files back without us needing to have their decryption keys on file first.
  4. Note that the decrypter Amigo-A mentioned will more than likely only work for you if your ID ends in t1, which means it's an offline ID.
  5. Note that the decrypter Amigo-A mentioned will more than likely only work for you if your ID ends in t1, which means it's an offline ID.
  6. That depends on how long it takes for us to find a private key for an offline ID. If your ID ends in t1 then you can try the decrypter again periodically to see if the key has been added.
  7. The file used for the file pair can't be under 150 KB, however I'll have to ask if the decrypter could handle files that small. There are some oddities to how STOP/Djvu encrypts files, which may complicate things.
  8. Which decrypter are you having trouble with? The one for STOP/Djvu? Can you use the "Add folder" button to add the folders you keep your pictures and videos in? You should also be able to drag-and-drop the folders/files into the decrypter window.
  9. @marko the error attaching the file could mean either the file is too large, or you've reached the maximum amount of megabytes for your attachment quota (or at least the file you're trying to attach is large enough to exceed that quota). Your attachment quota is 250 MB, and you've used 146.59 MB of that quota, meaning you have 103.41 MB remaining.
  10. It's an online ID, which means the decrypter will need some help figuring out how to decrypt your files. You'll need to submit what we call "file pairs" (an original unencrypted file and an encrypted copy of the same file) to our submission site so that the decryption service can "learn" how to decrypt your files. More information and instructions are available at the following link: https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/ The submission form for file pairs can be found at the following link: https://decrypter.emsisoft.com/submit/stopdjvu/ Important note: You will need to supply file pairs for each type of file you want to decrypt. For instance, if you submit a file pair for an MP3 file, then the decrypter should be able to decrypt all MP3 files that have the same ID. There are a few odd files where a single file pair won't be enough (JPEG/JPG images for instance), and there are a few types of files that are essentially just ZIP archives and won't need extra file pairs if you've already supplied one of them (Office documents such as DOCX and XLSX files for instance).
  11. The .nols variant is one of the newer ones which uses RSA encryption. Unless your ID ends in t1 then your files won't be decryptable, and right now even if your ID ends in t1 I don't think we have the offline decryption keys for .nols yet so the decryption service would need to have those added before it would be possible to decrypt the files.
  12. The .masodas variant is supported by the Emsisoft STOP/Djvu decryption service, however your ID is an online ID, and thus you're going to need to supply file pairs to our online submission form before the decrypter will be able to decrypt your files. You can find more information and instructions at the following link: https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
  13. There may still be some issues with the check for EBS (Emsisoft Browser Security) and multiple profiles in certain browsers. For now, if you don't want to see the notifications, then try the following:
      1. Open Emsisoft Anti-Malware.
      2. Click on Settings.
      3. Click on Notifications in the menu at the top.
      4. Disable the setting for Browser Security verifications.
      Note: All this setting does is disable the notification EAM displays if the EBS extension is not installed.
  14. @Alan_S from the debug logs, it appears to be the Windows Servicing Stack that's calling TrustedInstaller. This is more than likely related to Windows trying to install updates. The section in the debug logs that shows it starts with nlaapi.dll (Network Location Awareness API), which is capable of notifying applications (in this case probably the Servicing Stack) of network location changes. What I saw started on line 7,417 of the a2service log.
  15. @smili you'll need to follow the instructions in the article at the following link for supplying file pairs to help the decryption service learn how to decrypt your files: https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
  16. You need what we call a "file pair", which is an original unencrypted file and an encrypted copy of the same file. You then submit those via our website, and that will help the decryption service learn how to decrypt some of your files. It's important to note that this does not work for all files. For instance, if you use a file pair for an MP3 file, then the decrypter should be able to decrypt most (if not all) MP3 files on your computer, however it will not be able to decrypt any other files. You'll need to have a file pair for every type of file you want to decrypt.
  17. It would more than likely only be possible if law enforcement catches the criminals behind STOP/Djvu and releases the database of private keys for us to use in our decrypter.
  18. I was reminded by @Amigo-A that .nelasod was in fact an older variant, which is supported by our decrypter. Please see the information and instructions at the following link to learn about the decrypter and how to use it. https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
  19. It may be a new variant of STOP/Djvu. ID Ransomware can confirm this: https://id-ransomware.malwarehunterteam.com/
  20. That's an online ID for a newer variant of STOP/Djvu that uses RSA encryption. It won't be possible to decrypt your files.
  21. They were already submitted once, so that could be the problem. What happens when you try to run the decrypter to decrypt your MP4 files? Does it give you an error?
  22. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  23. I'm not aware of any need for TrustedInstaller to run on startup (at least not for EAM). Can you try monitoring with Process Hacker and let me know what the parent process for TrustedInstaller is?
  24. .nelasod is one of the newer variants that uses secure RSA encryption. Unless the ID ends in "t1" then it's doubtful the decrypter will ever be able to decrypt your files.