Emsisoft Employee

Posts posted by GT500

  1. 20 hours ago, psamanta said:

    No key for New Variant offline ID: hZcC4PEfaqDNIXxy0ProMPOAk3JS3K1JoUqoq0t1
    Notice: this ID appears be an offline ID, decryption MAY be possible in the future

    This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant.

    There is more information at the following link:

  2. Also, note that if you can get us debug logs from a system having this issue then it will help us better understand what's going on so that we can fix it. Here are some instructions on how to get debug logs for us:

    1. Open Emsisoft Anti-Malware.
    2. Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle).
    3. Click Advanced in the menu at the top.
    4. Scroll to the bottom of the Advanced section, and change the option for Debug logging to Enabled always.
    5. After that, close the Emsisoft Anti-Malware window.
    6. Reproduce the issue you are having (wait for EAM to start causing the system to hang on startup).
    7. Once you have reproduced the issue, work around the startup issue (either via the method I mentioned above or via the method you're already using) so that you can start Windows normally.
    8. ZIP the debug logs (located in %ProgramData%\Emsisoft\Logs which you can paste into the Run dialog to quickly navigate to) and send them to me in a private message.

    Note that if you need to send the logs via e-mail that you can send them to and include a link to this forum topic.

  3. 11 hours ago, NiThR0 said:

    Unfortunately, system stops responding when EAM is loading after system booted. Only hard reset helps.

    How long have you waited to see if the system starts responding again?

    Without getting debug logs, the only thing I think may help is to put EAM in Silent Mode, as EAM won't download updates in Silent Mode. Please note that this won't work if you simply enable Silent Mode in EAM's settings, as it won't persist after a restart. You'll need to have EAM connected to a workspace in MyEmsisoft and you'll need to enable Silent Mode in the workstation's settings in MyEmsisoft. The nice thing about this is it can be done while the workstation is offline, as the setting is applied on startup when EAM connects to the Emsisoft Cloud Console to sync its settings with your workspace.

    FYI: I did test using Silent Mode this way to prevent updates from installing on startup, and the Silent Mode setting is applied before EAM attempts to check for updates, so it does successfully block the update that will run on startup if the database hasn't been updated within the past hour.

  4. On 10/29/2020 at 12:03 AM, NiThR0 said:

    Often this problem occurs when the PC has been offline for some days, last time about 7 days. And after the PC is on, when EAM is loading, it might hang with high chances.

    That's almost certainly due to the update running during startup, as it would have to update more of the database after 7 days offline than it would after only one night. You may be able to cancel the update when this is likely to happen, and then run it later after everything has finished loading.

  5. 10 hours ago, Arik said:

    has any law enforcement ever got them?

    Some of the criminals who have made/distributed ransomware have been arrested. To my knowledge, no one associated with the STOP ransomware has ever been arrested though.


    10 hours ago, Arik said:

    this guy is from L.A

    No, he's not located in the United States. If he was and it was that easy to track him down, then he'd have been in jail over a year ago.


    10 hours ago, Arik said:

    he hacked my facebook too.

    Sometime in early 2019 the Azorult password stealer was added to the STOP ransomware, so when the ransomware runs on your computer it will attempt to steal any saved passwords on your computer and send them back to the criminals who made/distributed the ransomware. Be sure to change all of your passwords.

  6. 16 hours ago, Andrej said:

    Is there any risk that virus can come back?

    Only if you run whatever pirated software the ransomware came from to begin with. It's also possible to reinfect the system by downloading/running new pirated software, so we recommend avoiding piracy for the safety of your computer and files.

  7. 7 hours ago, Andrej said:

    I cleaned the computer with malware software. It found as many harmful files and programs as possible. Is it now safe to use the computer and share files?

    It should be. Most Anti-Virus software can easily detect and remove the STOP ransomware. If you want a second opinion, then you can try using Emsisoft Emergency Kit to run a scan and quarantine anything it finds:

  8. 7 hours ago, Andrej said:

    When will key be possible to decrypted?

    If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back.


    7 hours ago, Andrej said:

    How will I be informed if there will be any solutions?

    We recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:

    If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:

    You can also follow the STOP ransomware support thread on the BleepingComputer forums:

  9. 23 hours ago, long said:

    ...  meaning that the quarantine area rescan function is used for the quarantine procedure for the traditional Anti-Virus engine to report viruses?

    Actually meaning that the re-scan feature isn't going to show any difference in detection for threats quarantined by the Behavior Blocker.


    23 hours ago, long said:

    The ones isolated by Behavior Blocker only need to be whitelisted by the analyst and then manually restored by the user?

    That's correct.

  10. 53 minutes ago, long said:

    I am a Chinese user, yesterday at 0:17 (Beijing time), behavior monitoring misreported v2rayN.exe of v2rayN agent software, I made a false alarm submission via quarantine false alarm button, and at 0:20 replied me with an email: this file has been whitelisted and will be updated online in the next 15 minutes.
    But until now, after several updates, the quarantine false alarm file is still not detected by the update, and my manual rescan of the quarantine file still says that the quarantine is not a false alarm.

    Emsisoft Anti-Malware contains two separate guards that detect threats running on your computer. One is the File Guard which is a traditional Anti-Virus using two engines and databases (our own and the one from BitDefender), and the other is the Behavior Blocker which detects things based entirely on behavior (if something exhibits any sort of behavior that could potentially be malicious and it isn't a known safe application then it gets quarantined).

    Your screenshot shows that this was quarantined by the Behavior Blocker, and thus the quarantine re-scan will not show any change in its detection (the re-scan only uses the on-demand Anti-Virus scanner and changes to the Behavior Blocker's whitelist won't be reflected in the re-scan). Just restore it from quarantine, and if our malware analysts whitelisted it then it shouldn't be detected again.


    57 minutes ago, long said:

    There is another false alarm: Panda.exe from the Panda Proxy software. I also received a false alarm via the Quarantine False Alarm button and was sent a reply to the email, but after several updates, the quarantine false alarm file is still not detected by the update and my manual rescan of the quarantine file still says that the quarantine is not a false alarm.

    This was also detected by the Behavior Blocker.

  11. 11 hours ago, GOGAEU said:

    The public key used for encryption is this one: 6N5r9nDQfSRh5JQhBBCw1kMaQbcnOKtXUu6LD4Wk

    That's not a public key, it's an ID. It's used as a form of identification, so that when you pay the ransom the criminals know what private key to send you.

    As for the ransomware, it's a newer variant of STOP/Djvu and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:

  12. 12 hours ago, Ujjwal Pratap singh said:

    Sir I am waiting for decrypt my files . Does you get the id if not then how much should I wait please email me  ***********

    Please don't post your e-mail address publicly, or ask others to contact you privately. Scammers and other criminals will take any opportunity they can to try to trick you into sending them money or personal information.

    As for your files, assuming they were encrypted by the STOP/Djvu ransomware, please see the information at the following link:

  13. 23 hours ago, Anku said:

    Those viruses have an online ID, and that means it's impossible to recover my files.

    Correct. It means the public key your files were encrypted with was randomly generated, so the private key to decrypt your files will be unique, and since only the criminals who made/distributed the ransomware have the private keys there's no way we'll be able to decrypt your files.