GT500

Emsisoft Employee
  • Content Count: 13290
  • Joined
  • Days Won: 412

Everything posted by GT500

  1. This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  2. You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  3. Have you tried other file pairs?
  4. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  5. Please try the instructions at the following link to reset your HOSTS file: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
     We get private keys for offline IDs when a victim with an offline ID pays the ransom and donates their private key to us. When or if that happens isn't predictable. I recommend making a backup of your encrypted files for now; that way you don't have to worry about anything else happening to them while you're waiting for someone to donate the private key for your offline ID to us. I recommend running the decrypter once every week or two, and when it starts decrypting files then you'll know we have the private key for your offline ID.
     It's possible that private keys being added to our database may be mentioned in the STOP ransomware support topic at BleepingComputer, however the vast majority of the posts there are just people asking for help: https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/
     Yes, the decrypter will not work without an Internet connection. It must be able to connect to our servers, as all information about IDs and keys is stored in an online database on our servers.
  6. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  7. This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  8. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  9. This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  10. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  11. Here's how to switch to the Delayed update feed and install the older version that's in it:
      • Open Emsisoft Anti-Malware.
      • Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle).
      • Click on Updates in the menu at the top.
      • On the left, in the Updates section, look for Update feed.
      • Click on the box to the right of where it says Update feed, and select Delayed from the list.
      • Right-click on the little Emsisoft icon in the lower-right corner of the screen (to the left of the clock).
      • Select Update now from the list.
  12. I had a feeling that might not help if you were only using it for on-demand scanning. I'm pretty sure this is just a timing issue. In order to proceed we're going to need a way to not only produce this reliably, but also a way to get debugs logs when we need them. Hopefully I'll be able to figure something out with my virtual machine configuration. I can't remember if anyone mentioned this or not, but how much RAM is in the computers having this issue? I'm curious to see if the computers that have the issue more often also have less RAM.
  13. Did a dialog appear allowing you to submit a crash report? If you submitted one, then the developers should be able to investigate it.
  14. In your case things are a little different, as I explained in a private message. The WSC registration information for Emsisoft Anti-Malware is incorrect, which is causing the issue.
  15. A timing issue basically means that the time a certain function is executed is what's causing a bug (for instance it could be happening at the same time as something else, which could cause the function to hang). This would explain why it doesn't happen when debug logging is on, as that changes the timing of everything. That's two of you now reporting the issue happens more frequently on machines with slower processors. That makes me wonder if I could reproduce the issue if I restricted my VMs to only one core and installed EAM. It still wouldn't be a great test, since the CPU in the host system is an AMD Ryzen 7 3800X (meaning the per-core performance is fairly good), but bottlenecking the VM like that may produce similar enough conditions to an older and slower CPU.
  16. I'm not aware of any plans to add a dark theme to the forums, however if we ever have to edit the current theme then it's always possible we may do a dark version as well if it's not too time consuming (forums are rather complicated and it can take a while to adjust colors and test them).
  17. According to Process Hacker "Windows Security Service" is the friendly name for "SecurityHealthService". It's possible it's only failing part of the time.
  18. No, there's no way to decrypt files that have been encrypted by the Dharma ransomware (the one that left .ROGER on the end of file names). I don't think we know for certain about LockBit yet, however it doesn't really matter as your files have been encrypted by both.
      Translation provided by Google: No, there is no way to decrypt files that were encrypted by the Dharma ransomware (the one that left .ROGER at the end of the file names). I think we still don't know for certain about LockBit; however, that doesn't really matter, as your files have been encrypted by both.
  19. It would take even the most powerful super computer thousands of years to brute force the private key for your ID. There's no way we could do it.
  20. Registry exclusions can't be added manually, and can't be added via a workspace, so this procedure would have to be performed on each workstation separately. If you want to set this via a workspace policy then there's a setting in the Scanner Settings labeled Detect registry policies settings that you can disable, and that should prevent these detections as well. This setting can be configured in policies, and individually for each device that Emsisoft Anti-Malware is installed on (in the "Protection Settings" category).
  21. From what I'm seeing in the logs, this looks like it may have a different cause for everyone.
      @marko I'm seeing a string of the following errors in your FRST Addition log:
      Error: (09/11/2020 08:15:05 PM) (Source: SecurityCenter) (EventID: 16) (User: ) Description: Error while updating status to SECURITY_PRODUCT_STATE_ON.
      The product name is missing, which suggests that whatever Anti-Virus product (presumably Emsisoft Anti-Malware) the entry is for probably has a corrupt registration with the Security Center. I'm going to send you a private message with a command to run to see if this is the case.
      @Quirky in your case I'm seeing several of the following errors, which suggest that an important part of the Windows Security Center isn't able to run, and thus Windows may not be able to track the status of Emsisoft Anti-Malware properly:
      Error: (09/08/2020 12:24:03 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY) Description: DCOM got error "1115" attempting to start the service SecurityHealthService with arguments "Unavailable" in order to run the server: {8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}
      Try right-clicking on the Start button, selecting Windows PowerShell (Admin) from the list, once PowerShell is ready type in CMD and press Enter on your keyboard, and then paste the following command and press Enter again:
      secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
      This command is supposed to reset all Windows Security Center settings. It may not restore Windows Security Center services to their default states, so if you've disabled the SecurityHealthService then you may need to change it back to automatic startup.
      @andrewek your logs don't show any errors that might indicate why this may be happening, however I did notice that both computers have Malwarebytes installed on them. Is real-time protection active?
      If so, can you try excluding the following file in Malwarebytes, and then reboot the computer to see if that helps (be sure to restart by right-clicking on the Start button, going to Shut down or sign out, and selecting Restart from that menu to bypass Fast Startup)? C:\Program Files\Emsisoft Anti-Malware\eppwsc.exe
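As an added defender-side check (example code written for this page, not GT500's or Emsisoft's), the PowerShell below audits the Windows Security Center state behind the two errors quoted in post 21: it lists every AntiVirusProduct registration and flags a blank product name or a missing signed executable, reports the start mode of SecurityHealthService and wscsvc, and pulls recent EventID 16 / 10005 entries from the System log. The productState bit decoding is an assumed community convention, not Microsoft documentation.

```powershell
# Added example, not code from the thread: audit the Windows Security Center (WSC)
# state behind the two errors quoted above: an AntiVirusProduct entry with no product
# name (SecurityCenter EventID 16) and SecurityHealthService failing to start
# (DCOM EventID 10005). Run from an elevated PowerShell window.

function Get-WscAntivirusStatus {
    # Every AV registered with WSC appears here; a blank displayName or a signed exe
    # path that does not exist is the "corrupt registration" symptom from the post.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                DisplayName      = $_.displayName
                NameMissing      = [string]::IsNullOrWhiteSpace($_.displayName)
                # Assumption: the widely used but undocumented productState layout,
                # middle byte 0x10/0x11 = real-time on, low byte 0x10 = definitions stale.
                RealTimeEnabled  = $hex.Substring(2, 2) -in @('10', '11')
                DefinitionsStale = $hex.Substring(4, 2) -eq '10'
                ProductExe       = $_.pathToSignedProductExe
                ProductExeExists = [bool]$_.pathToSignedProductExe -and
                                   (Test-Path -LiteralPath $_.pathToSignedProductExe -ErrorAction SilentlyContinue)
            }
        }
}

function Get-WscServiceHealth {
    # SecurityHealthService (shown by Process Hacker as "Windows Security Service")
    # and wscsvc (Security Center) both need to be startable; the post notes that a
    # disabled SecurityHealthService may have to be set back to Automatic.
    Get-CimInstance -ClassName Win32_Service `
        -Filter "Name='SecurityHealthService' OR Name='wscsvc'" |
        Select-Object Name, StartMode, State
}

function Get-RecentWscErrors {
    param([int]$Days = 7)
    # The two event IDs quoted in the FRST logs above, read from the System log.
    Get-WinEvent -FilterHashtable @{
            LogName = 'System'; Id = @(16, 10005); StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'SecurityCenter|DistributedCOM' } |
        Select-Object TimeCreated, ProviderName, Id, Message
}

Get-WscAntivirusStatus | Format-List
Get-WscServiceHealth   | Format-Table -AutoSize
Get-RecentWscErrors    | Format-Table -AutoSize -Wrap
```

For the Emsisoft entry, ProductExe is expected to point under C:\Program Files\Emsisoft Anti-Malware; an entry with NameMissing set to True is the condition the post attributes to a corrupt WSC registration.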
  22. Unless the defrag managed to corrupt something (file or registry data), then I'm not certain how it could have caused the issue to reappear. It's possible that it was just a weird coincidence and that something else caused it, however at this point everything is just speculation since we don't have any debug info beyond the FRST logs. Anyway, I've downloaded everyone's FRST logs and will take a look at them to see what I find.
  23. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ The only way to get an offline ID is if the decrypter isn't able to connect to its command and control servers when it encrypts your files. Since your files are already encrypted, your ID and keys have already been generated and used during encryption, so there's no way to change that now.
  24. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/