About LUPike
  1. I stand corrected (beat you to it)... the owner of cock.li and rape.lol is Vincent Canfield. He lived in Maine, but apparently is now living in Romania... so, not surprising this stuff came from there. Apparently his services have already made mainstream news.
  2. Files attached. My post was "LITERALLY" the first on Emsisoft for rapid. This variant hasn't been out very long, and very few outlets have any information on it. Let's try to capture as much info as possible. FYI... the website the email and DNS is hosted through (rape.lol) is through a hosting company in Romania. A side-bar (has been reported as an alternate email address for the ransom) is 'cock.li'. That domain is registered through an individual (?) in Maine. ...someone please find me an address to these SOB's... I want to pay them a visit. Analog Clock-Google.gg.rapid Defaults.ini.rapid sdb1m.inf.rapid WelcomeFax.tif.rapid
  3. I have a PC (and data on a couple of network shares) that have been encrypted by Rapid/Paymeme. The ransomware set VSS to a limit of 0, then restarted the volsnap service and then stopped VSS (resulting in no previous versions on the local PC). It targeted a long list of typical file extensions, including image files (png, jpg, etc...), document files (txt, xls, xlsx, doc, etc...), data storage files (dbf, mdb, pst, etc...), and application files (exe, dll, etc...). The information I have discovered so far shows that the encryption is performed by a process (named either rapid.exe or info.exe, and running as a user account and NOT as system). Stopping the 'infection' simply means killing that process. I have done that. I have already run 'SpyHunter Malware' (recommended by another forum with several infections on it). That software did discover the registry entries for the software and the executable, and 'cleaned' them. The initial executable appears to have been a file in %Username%\desktop\Rapid-RU2.exe. Is anyone at Emsisoft familiar with this threat? Are there existing decryptors available? Thanks, -LUPike
  4. I wanted to note that I did uninstall EAM, and perform a fresh reinstall (after a reboot). Within a few minutes of the installation completing, the EAM interface went non-responsive... and less than 3 minutes later nothing was working. I only tried this on a single PC. I was not able to draw a direct corollary to the Emsisoft update engine, but in the logs on two separate PCs, I did see that the EAM updater had updated 'Core' files prior to those particular systems being affected. As a note, these are different than the standard 'Scheduler' updates, which appear to be threat definitions. Also, reboots did not correct the issue; they simply let the PC run for a short period of time before becoming unusable again. GT500, I have not had a chance to run FRST on any of the affected computers since the initial report. I will be able to get that started after 5:00 PM Central Time today. ...and to answer your question in a previous post, there were no other running security programs on the systems at the time of the issue. The systems did have CryptoPrevent installed previously (had been uninstalled), and, of course, they have the Windows Firewall.
  5. At least one of the PCs in the affected office is running an AMD chipset, so a Microsoft-released Intel update is not applicable on that PC (there may be two other AMD systems, but I have not confirmed). I have numerous other offices that are running EAM without issue (including my own office and my wife's workplace). This issue is going to be specific to the applications being used at the office, but it is clear that EAM (and possibly EEC) is (are) the application(s) causing the lockups. After removing EAM on all systems, I have not had a single reported issue.
  6. JeremyNicoll, In my case, no. The first issue appeared on a single PC a little over a week ago. The subsequent machines in that office all began exhibiting the problem on Wednesday, about noon... ALL of the computers with EAM on them. Rebooting into safe mode, disabling all EAM related services and startup options (using MSCONFIG) and rebooting into normal mode resolved the issue... but now they are in an 'unprotected' mode.
  7. GT500, The user with the affected machine has been busy with end of month reporting. I have run the Service Control command to remove the EPP service, but have not had an opportunity to uninstall all drivers and reinstall them... The reason for this update is that, today about noon, all of the remaining PCs at this office (13 systems) began doing the same thing. Several of the system logs I reviewed (eventvwr -> System Log) show a2service.exe crashing numerous times, and at some point, the system stops responding completely. The desktop and open applications are still visible, some explorer activity will be captured and respond (right click on system tray and launch "Task Manager" (Task Manager never opens), click on the Windows Orb and the system presents the programs menu, etc...) but no applications are responding and on most of the computers, I was unable to get the context menu for the Emsisoft tray icon to "Shut down protection". Once a desktop system gets to this point, the only option is to physically power down the computer, enter "Safe Mode" on restart, open MSCONFIG and disable the Emsisoft services, and restart the computer. This has resolved the issue for all affected computers (14 out of 14). All systems are currently running with Emsisoft Anti-Malware disabled until either a fix can be found or a replacement AV package is chosen. While reviewing the issue today, I did notice that an Emsisoft software update was downloaded and installed on two of the PCs after 12:00pm Central Time today (the issue appears to have started on all affected computers about lunch time today). I did not check this on all affected PCs due to a lack of available time on-site. All 14 of the computers were reporting into an ECC server prior to the original issue, and 13 of the desktop clients were reporting into the ECC server until EAM was disabled on the systems this afternoon.
  8. Thanks GT500... I will do that as soon as possible, and update the results. -Ronnie
  9. Peter2150, I have EAM running on many computers... the office this is in alone has 13 seats, and almost all of them are Win7Pro x64. Regardless, this is a new problem that just began today on this PC, after a reboot. It was working without issue for the last several months. I have attached a list of the software installed on the system below (SoftwareList.txt). I installed Enterprise Console at this site earlier this month to simplify EAM configuration, specifically for numerous exclusions required for a software upgrade at the end of this month. I can try installing EAM without EC tomorrow morning. GT500, I ran FRST (64bit) on the PC and have included the Addition.txt and FRST.txt log files below. Addition.txt FRST.txt SoftwareList.txt
  10. Specs: Emsisoft Anti-Malware v17.12.1.8340, Windows 7 Professional SP1 64-bit, Intel i5 w/16GB RAM. System has been running fine for several weeks, and after rebooting this morning, the system freezes up (stops responding) after logon. Booting into safe mode and using MSConfig to disable Emsisoft (Services and Startup) allowed the PC to boot and be usable. The software was showing it was up to date. I uninstalled the software and reinstalled with the Emsisoft Web Installer. When prompted, I entered the license key, and then joined the system to the Emsisoft Enterprise Console. The application showed Connecting... then Connected, and the OS locked up again. Windows Explorer and all open applications become non-responsive. I rebooted the system in safe mode and used MSConfig to disable Emsisoft (Services and Startup), and rebooted into normal startup. After login, the system operated normally. I began an uninstall (again) of Emsisoft Anti-Malware so the user could continue her day, and the uninstall process went non-responsive. After over 15 minutes, I forced the process closed. Appwiz.cpl no longer shows Emsisoft Anti-Malware in the installation list; however, the registry entries still exist, so I feel I have an incomplete 'uninstall' as well. SO, with all that said, I have two issues. The first item that I believe needs to be resolved is to clean up the failed/partial uninstall. Is there a tool/process for either 'cleaning up' the uninstaller or a manual uninstall process? The second issue is Emsisoft Anti-Malware causing the Windows 7 Professional PC to become non-responsive on startup. I did not have time to test without joining the PC to the Enterprise Console; however, I am not sure if that could affect the OS.
  11. Thanks Kevin! I ran the reports on the 31st... no changes to PC since then to my knowledge. I am attaching the logs... if you need newer ones, I completely understand and can run fresh reports. Thanks again, -Ronnie a2scan_150131-164300.txt FRST.txt
  12. Thanks Kevin, I re-ran RogueKiller and selected and deleted the items you had listed above. The log is attached. Once that process completed, I rebooted the PC and attempted to load several webpages using both Chrome and Internet Explorer. Neither experienced any unusual pop-ups, redirects, nor ad insertions. I will watch it for the next few days and report any issues... but I think that took care of it. Thanks again. -Ronnie RKreport_DEL_01272015_180906.log
  13. Thanks Kevin. I ran the scan today... the report is attached. -Ronnie RKreport_SCN_01272015_113959.txt