Posts posted by GT500
12 hours ago, Ramesh Guguloth said:
IMG_1281.JPG.mmpa.lockbit.id-1244D102.[[email protected]].ROGER
Please help me my number is ****************
That's Dharma, and Dharma isn't decryptable.
-
14 hours ago, Bahas said:
I've applied the decryptor to my files and it shows that it's an online one. Here's the ID that appears.
Error: No key for New Variant online ID: bzc2gX7XeZ7Y4znCCIJRVEkKtKXcviloNgnOH8Nn
Notice: this ID appears to be an online ID, decryption is impossible
Different files can have different ID's, and it's possible for the ransomware to switch from using an offline ID and public key to using an online ID and public key in the middle of encrypting files if it's suddenly able to communicate with its command and control servers and request an ID and keys be generated for your computer.
14 hours ago, Bahas said:
Any chance to get back my files or not???
Files with online ID's can't be decrypted unless you can get the private key for your ID from the criminals, and they only give those to people who pay the ransom.
-
16 hours ago, halcetin said:
I apologize. I'm asking because I don't understand whether there is an offline ID. If you are talking about the Personal ID ending in t1 in the "read me" note that the person who spread the virus left on the PC, then yes, there is one. I sent it to you in my first message. This is your ID; the extension is .igal
Yes, I was referring to the Personal ID in the "_readme.txt" file that you attached to your post. It's an offline ID, so if you just run the decrypter once every week or two then if someone sends us a private key for this variant the decrypter should start decrypting your files once we add the private key to our database.
Translation provided by Google: [the reply above, rendered in Turkish]
-
8 hours ago, bbbb said:
Out of curiosity, what is the main cause that your scanning of popular utilities like adwCleaner, GPUZ, Process Explorer from MS/Sysinternals etc. makes Defender go crazy (because when Defender scans/checks these utilities by itself it does not have any problems with them)?
Windows Defender is just scanning everything that EEK scans. If EEK extracts an archive to scan the contents, Windows Defender will scan the extracted files as well (usually before EEK has a chance to).
8 hours ago, bbbb said:
BTW, is something wrong with the Nirsoft utilities? Or is it just the "nature" of them that makes Defender go crazy when EEK scans them?
There have been a number of instances of Nirsoft utilities being bundled with malicious software due to their capabilities, and due to this Anti-Virus software from quite a few companies will detect them as potentially dangerous or unwanted.
-
5 hours ago, Joe FMInvest said:
I used a company called Fast Data Recovery ...
This company doesn't recover your files, they secretly pay the ransom and then overcharge you for doing so.
4 hours ago, Nana said:
How about this case? Has anyone found a solution?
This is Phobos. It's not decryptable.
-
8 hours ago, Georgi said:
Do you have any update of this Basilisque Locker Ransomware?
I don't think we ever got a copy of the ransomware's executable (the malicious program that encrypts files). I'll ask to be certain.
-
Disable Security Center Integration in Emsisoft Anti-Malware (in Advanced settings), run the following command in an elevated (running as admin) Command Prompt, restart the computer, and then re-enable Security Center Integration:
WMIC /NODE:localhost /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct WHERE "displayName like 'Emsisoft%'" DELETE
-
3 hours ago, Déco said:
Hello, I would like to know if Emsisoft supports Opera browser, if I use Opera will I be protected against phishing and bank protection? Or does protection only apply to Chrome?
Our extension only officially supports Google Chrome, Microsoft Edge (both new and old versions), and Mozilla Firefox. That being said, the extension does work in other Chromium based browsers (such as Vivaldi), and thus it should work fine in Opera as well.
-
QA let me know that "free with no AV" in Kabuto means "uninstall Emsisoft Anti-Malware", so please allow me to apologize for that mistake.
I've also been told that Kabuto runs scheduled tasks once every couple of hours or so, and so it may take some time for Emsisoft Anti-Malware to be uninstalled.
-
12 hours ago, halcetin said:
Dear Emsisoft Support; on 27.12.2020 a virus with the .igal extension got into my laptop, and my entire 700GB archive on C and D (pdf, rar, mp3, wav, excel, word, jpeg, png) was encrypted. I ran a virus scan; the files won't open. What is the solution for this .igal-extension virus, what should I do? I would be grateful if you could enlighten me.
This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
Translation provided by Google: [the reply above, rendered in Turkish, followed by the same link]
-
14 hours ago, sufiyan said:
So sir, what can I do?
Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future.
We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:
https://www.bleepingcomputer.com/
If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:
https://www.bleepingcomputer.com/feed/
-
What did the ransomware add to the end of the names of all of your files?
[The same question, repeated in Portuguese.]
-
It won't continue to run with real-time protection once the trial license has expired.
Normally our software would automatically downgrade to freeware mode once the trial license has expired, however I don't think the Enterprise Security licensing allows for running in freeware mode. I'll ask QA to verify.
-
Windows Defender will detect a number of utilities, especially from Nirsoft. These detections are normal, and the only way to prevent them would be to exclude a2emergencykit.exe from Windows Defender's protection so that it doesn't monitor it.
-
19 hours ago, dkds said:
Let me understand, please; for what reason, then, does it go into this mode if it changes nothing?
Emsisoft Anti-Malware enters Silent Mode when a fullscreen application is open (games, videos, etc). By default Silent Mode will prevent updates, suppress notifications, and prevent scheduled scans from running in order to prevent these features from disrupting a user's activity on the computer. If you disable all of these, then Silent Mode will do nothing when it activates.
-
12 minutes ago, sufiyan said:
So sir, how do I decrypt an online ID?
The only known way is to obtain the private key from the criminals, and currently the only known way to do that is to pay the ransom.
-
17 hours ago, Amigo-A said:
My guess is confirmed. This is Phobos Ransomware.
Unfortunately Phobos isn't decryptable.
-
4 hours ago, jedsiem said:
Is there a best practice? Hints for registry keys to check?
Can you try running the following PowerShell command, and paste the output into a reply (you can send it in a private message if there's anything confidential in the output)?
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
The command doesn't require admin rights on Windows 10.
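A PowerShell script, added here as an example (it is not Emsisoft's tooling and not code from GT500's posts), that runs the same root/SecurityCenter2 query, decodes each product's productState, checks whether the registered executable still exists on disk, and can remove a stale Emsisoft registration with Remove-CimInstance, the CIM equivalent of the WMIC DELETE command GT500 gives in an earlier post. The productState bit layout it decodes is an undocumented, widely used reverse-engineered interpretation, and the VendorPattern and RemoveStale parameter names are this example's own.

```powershell
# Added example; not Emsisoft's own tooling. Lists the antivirus products
# registered with Windows Security Center (the same root/SecurityCenter2 query
# as in the post), decodes productState, checks whether each registered
# executable still exists, and can remove a stale Emsisoft registration via CIM
# (the CIM equivalent of WMIC ... DELETE). Assumption: the productState layout
# below (bits 8-15 = on/off/snoozed, bits 0-7 = signature status) is the widely
# used reverse-engineered decoding; Microsoft does not document it.
param(
    [string]$VendorPattern = 'Emsisoft*',   # wildcard match on displayName
    [switch]$RemoveStale                    # delete matching entries whose exe is gone
)

function ConvertFrom-ProductState {
    param([uint32]$State)
    $onOff = ($State -shr 8) -band 0xFF     # 0x10 = on, 0x00 = off, 0x01 = snoozed
    $sig   = $State -band 0xFF              # 0x00 = up to date, 0x10 = out of date
    [pscustomobject]@{
        Enabled         = ($onOff -band 0x10) -ne 0
        Snoozed         = ($onOff -band 0x01) -ne 0
        SignaturesStale = ($sig -band 0x10) -ne 0
        RawHex          = '0x{0:X6}' -f $State
    }
}

# Does the registered product executable still exist on disk? Defender registers
# a URI ('windowsdefender://') rather than a path, so that is reported separately.
function Get-RegisteredExeStatus {
    param([string]$PathValue)
    if (-not $PathValue)                { return 'none recorded' }
    if ($PathValue -match '^[a-z]+://') { return 'not a file path' }
    $expanded = [Environment]::ExpandEnvironmentVariables($PathValue)
    if (Test-Path -LiteralPath $expanded) { 'present' } else { 'missing' }
}

# Same query GT500 asked for; needs no admin rights on Windows 10.
$products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

foreach ($p in $products) {
    $state = ConvertFrom-ProductState -State $p.productState
    $exe   = Get-RegisteredExeStatus  -PathValue $p.pathToSignedProductExe

    [pscustomobject]@{
        DisplayName     = $p.displayName
        InstanceGuid    = $p.instanceGuid
        Enabled         = $state.Enabled
        Snoozed         = $state.Snoozed
        SignaturesStale = $state.SignaturesStale
        ProductState    = $state.RawHex
        ExeStatus       = $exe
    } | Format-List

    # A registration whose executable is gone is the stale entry that keeps
    # Defender from standing down. Deleting it requires an elevated shell, and
    # Security Center Integration in EAM should be disabled first and re-enabled
    # after a restart, as described in the WMIC post.
    if ($RemoveStale -and $p.displayName -like $VendorPattern -and $exe -eq 'missing') {
        Remove-CimInstance -InputObject $p -Confirm
    }
}
```

Run it without parameters to get the listing GT500 asked for (the decoded Enabled/SignaturesStale fields are what Windows uses to decide whether Defender should stand down); run it with -RemoveStale from an elevated PowerShell only after confirming the flagged entry's ExeStatus is "missing", since the -Confirm prompt is the only guard against deleting a live registration.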
-
13 hours ago, Amigo-A said:
No. We need original files of notes, the picture will not do in this case.
The PDF wasn't what I thought it was. My mistake.
-
You're welcome.
-
11 hours ago, Amigo-A said:
Attach a ransom note and several different encrypted files to your message.
It looks like they already did that.
-
13 hours ago, AD Music said:
I got my files encrypted with the .coos extension :[ Is there literally any way I can get back my one and only mp3 file?
I'm soo sad :,(
It might be possible to use software intended for recovering MP3 files, as the ransomware only encrypts a small portion of the beginning of the files. Larger files that are in formats that are tolerant of missing data can actually be recovered, and some music and video formats fall into that category.
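A PowerShell script, added here as an example and not part of the post or of any Emsisoft tool, showing the salvage GT500 describes: because only the start of the file was overwritten, the script skips a configurable number of leading bytes, searches for the first position where several consecutive MPEG-1 Layer III frame headers chain correctly, and writes everything from there to a new file. The SkipBytes and MinChainedFrames parameters are this example's own, and the size of the encrypted region is an assumption you supply (the post only says it is "a small portion of the beginning").

```powershell
# Added example, not from the post or from Emsisoft: salvage the unencrypted
# tail of an MP3 whose leading bytes were overwritten by a ransomware that only
# encrypts the start of each file. Assumption: -SkipBytes is set by the user to
# at least the size of the overwritten region; the script then looks for the
# first run of back-to-back MPEG-1 Layer III frames and keeps the data from there.
param(
    [Parameter(Mandatory)][string]$InputFile,
    [Parameter(Mandatory)][string]$OutputFile,
    [int]$SkipBytes = 0,           # bytes at the start known to be ciphertext
    [int]$MinChainedFrames = 3     # frames that must chain before we trust a sync
)

# MPEG-1 Layer III bitrate (kbit/s) and sample-rate tables, indexed by header bits.
$Bitrates    = @(0,32,40,48,56,64,80,96,112,128,160,192,224,256,320)
$SampleRates = @(44100,48000,32000)

# Returns the frame length in bytes if the 4 bytes at $Pos form a valid
# MPEG-1 Layer III header, otherwise 0.
function Get-Mp3FrameLength {
    param([byte[]]$Data, [int]$Pos)
    if ($Pos + 4 -gt $Data.Length) { return 0 }
    $b1 = $Data[$Pos]; $b2 = $Data[$Pos + 1]; $b3 = $Data[$Pos + 2]
    # 11-bit frame sync (0xFF 0b111.....), version bits 11 = MPEG-1, layer bits 01 = Layer III
    if ($b1 -ne 0xFF -or ($b2 -band 0xFE) -ne 0xFA) { return 0 }
    $brIndex = ($b3 -shr 4) -band 0x0F
    $srIndex = ($b3 -shr 2) -band 0x03
    $padding = ($b3 -shr 1) -band 0x01
    if ($brIndex -eq 0 -or $brIndex -eq 15 -or $srIndex -eq 3) { return 0 }   # reserved values
    # Layer III frame size: floor(144 * bitrate / samplerate) + padding
    return [int][math]::Floor(144 * $Bitrates[$brIndex] * 1000 / $SampleRates[$srIndex]) + $padding
}

# Finds the first offset >= $Start where $Min frames follow each other back to back.
# Random ciphertext can produce a lone fake sync word, so one header is not enough.
function Find-FirstFrameChain {
    param([byte[]]$Data, [int]$Start, [int]$Min)
    for ($i = $Start; $i -lt $Data.Length - 4; $i++) {
        $pos = $i; $count = 0
        while ($count -lt $Min) {
            $len = Get-Mp3FrameLength -Data $Data -Pos $pos
            if ($len -eq 0) { break }
            $pos += $len; $count++
        }
        if ($count -eq $Min) { return $i }
    }
    return -1
}

$bytes  = [System.IO.File]::ReadAllBytes($InputFile)
$offset = Find-FirstFrameChain -Data $bytes -Start $SkipBytes -Min $MinChainedFrames
if ($offset -lt 0) {
    Write-Error "No run of $MinChainedFrames chained MPEG frames found after byte $SkipBytes."
    exit 1
}
$tail = New-Object byte[] ($bytes.Length - $offset)
[Array]::Copy($bytes, $offset, $tail, 0, $tail.Length)
[System.IO.File]::WriteAllBytes($OutputFile, $tail)
Write-Host ("Salvaged {0} of {1} bytes starting at offset {2}; everything before that offset is lost." -f $tail.Length, $bytes.Length, $offset)
```

Whatever was in the overwritten region (an ID3v2 tag, the first fraction of a second of audio) is gone for good; the output is a headerless but playable MP3 from the first clean frame onward. The byte-by-byte scan is slow in PowerShell, so set -SkipBytes as close as you can to the encrypted size to keep the search short, and expect the approach to fail on files smaller than the encrypted region, which is exactly the case GT500 excludes.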
-
You're welcome.
-
21 hours ago, arifromansa12 said:
No key for New Variant online ID: kHPl9xz72WpsHv4iypkRLqWBRMDZZ62f5hZhTado
Notice: this ID appears to be an online ID, decryption is impossible
This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
-
Windows 10 not turning off Defender even though Emsi installed and active (in Emsisoft Business/Enterprise Security)
Do you manage EAM via our Cloud Console (my.emsisoft.com)? If yes, then did you make the changes to the settings in your workspace settings, or locally on the affected machine?