Kevin Zoll

Emsisoft Employee
  • Content Count: 18808
  • Days Won: 177

Everything posted by Kevin Zoll

  1. Run a fresh scan with FRST and attach the new FRST scan reports to your reply.
  2. It also appears that NEMTY is unbreakable and cannot be decrypted using third-party decryption tools.
  3. Those are the dangers of downloading pirated software. Let's make sure of what we're dealing with. The following site is quite good at identification, and will also offer advice on who, if anyone, might have a decrypter available, even if it is not us. We contribute to the site as well. Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note for proper identification, and share with me the web address of the results page: https://id-ransomware.malwarehunterteam.com/ Please be sure to read the information link on the results page, as to whether we have a decrypter or not; sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery. Outright cracking secure encryption is currently not possible. The encryption used is the same thing governments use and can take on the order of billions of years (no, I'm not exaggerating) with current technology to completely brute-force decrypt even a single victim's computer. Google searching for "time to decrypt AES-256" is pretty enlightening. If this is on a server, please make sure RDP (Remote Desktop Protocol) into your server is protected by proper difficult passwords (all of them), that you audit every account on the server and every machine that can access the server, and use firewalling to limit the range of IP addresses that can use RDP into your server. Also make sure it is up to date with all the latest security patches from Microsoft, especially ones such as the EternalBlue exploit patch. Many criminals using ransomware variants these days use RDP exploits to break in physically, so the attacker can turn off any protection that is on the machine prior to encrypting it. There is no protection against that if they are able to get in, so it is very important to secure the server.
  4. Somehow it is protecting itself and reinstalling on startup. Let's try using AdwCleaner. Download AdwCleaner and save it on your Desktop. Close all open programs and Internet browsers (you may want to print out or write down these instructions first). Double-click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop. Attach that log file to your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
  5. You can remove these three detections:
     [PUP.AutoIt.Gen (Potentially Malicious)] (shortcut) OP Auto Clicker.lnk -- C:\Users\Johnson Hwang\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\OP Auto Clicker.lnk => C:\Users\JOHNSO~1\DOWNLO~1\AUTOCL~1.EXE -> Found
     [PUP.AutoIt.Gen (Potentially Malicious)] (file) f_01cfdd -- C:\Users\Johnson Hwang\AppData\Local\Google\Chrome\User Data\Default\Cache\f_01cfdd -> Found
     [PUP.AutoIt.Gen (Potentially Malicious)] (file) AutoClicker.exe -- C:\Users\Johnson Hwang\Downloads\AutoClicker.exe -> Found
  6. Run a fresh scan with RogueKiller; the deletion log is incomplete, which indicates that the fix may not have run completely.
  7. Close all programs and disconnect any USB or external drives before running the tool. Double-click RogueKiller.exe to run the tool again. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", select the following items:
     [PUP.Easeware (Potentially Malicious)] (Easeware Technology Limited) \Driver Easy Scheduled Scan -- C:\Program Files\Easeware\DriverEasy\DriverEasy.exe [--scan] -> Found
     [PUP.Easeware (Potentially Malicious)] (Easeware Technology Limited) C:\Windows\Tasks\Driver Easy Scheduled Scan.job -- C:\Program Files\Easeware\DriverEasy\DriverEasy.exe [--scan] -> Found
     [PUP.Gen1|PUP.MailRU (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\Mail.Ru -- N/A -> Found
     [PUP.Gen1|PUP.MailRU (Potentially Malicious)] (X64) HKEY_USERS\.DEFAULT\Software\Mail.Ru -- N/A -> Found
     [PUP.Gen1|PUP.MailRU (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08232019090236034\Software\Mail.Ru -- N/A -> Found
     [PUP.Gen1|PUP.MailRU (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08232019090239737\Software\Mail.Ru -- N/A -> Found
     [PUP.Gen1|PUP.MailRU (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-1746082704-2882651586-2436767360-1001\Software\Mail.Ru -- N/A -> Found
     [PUP.Gen1|PUP.MailRU (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-18\Software\Mail.Ru -- N/A -> Found
     [PUP.Gen1|PUP.MailRU (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-1746082704-2882651586-2436767360-1001\Software\AppDataLow\Software\Mail.Ru -- N/A -> Found
     >>>>>> XX - Uninstall
     [PUP.Easeware (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DriverEasy_is1 -- N/A -> Found
     >>>>>> O87 - Firewall
     [PUP.Easeware (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{C7F849EF-2A4F-454A-9EB0-EB676A21D505} -- (Easeware Technology Limited) v2.28|Action=Allow|Active=TRUE|Dir=Out|App=C:\Program Files\Easeware\DriverEasy\DriverEasy.exe|Name=Driver Easy|Desc=Allow Driver Easy Access Internet to Scan and Download Drivers.| (C:\Program Files\Easeware\DriverEasy\DriverEasy.exe) -> Found
     [PUP.Easeware (Potentially Malicious)] (shortcut) Driver Easy.lnk -- C:\Users\Johnson Hwang\Desktop\Driver Easy.lnk => C:\PROGRA~1\Easeware\DRIVER~1\DRIVER~1.EXE -> Found
     [PUP.AutoIt.Gen (Potentially Malicious)] (shortcut) OP Auto Clicker.lnk -- C:\Users\Johnson Hwang\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\OP Auto Clicker.lnk => C:\Users\JOHNSO~1\DOWNLO~1\AUTOCL~1.EXE -> Found
     [PUP.OnlineIO (Potentially Malicious)] (folder) AdvinstAnalytics -- C:\Users\Johnson Hwang\AppData\Local\AdvinstAnalytics -> Found
     [PUP.MailRU (Potentially Malicious)] (folder) Mail.Ru -- C:\Users\Johnson Hwang\AppData\Local\Mail.Ru -> Found
     [PUP.MailRU (Potentially Malicious)] (folder) Mail.Ru -- C:\ProgramData\Mail.Ru -> Found
     [PUP.Easeware (Potentially Malicious)] (shortcut) Driver Easy.lnk -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Easy\Driver Easy.lnk => C:\PROGRA~1\Easeware\DRIVER~1\DRIVER~1.EXE -> Found
     [PUP.Easeware (Potentially Malicious)] (shortcut) Uninstall Driver Easy.lnk -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Easy\Uninstall Driver Easy.lnk => C:\PROGRA~1\Easeware\DRIVER~1\unins000.exe -> Found
     [PUP.Easeware (Potentially Malicious)] (folder) Easeware -- C:\Program Files\Easeware -> Found
     [PUP.Easeware (Potentially Malicious)] (shortcut) Driver Easy.lnk -- C:\Users\Johnson Hwang\Desktop\Driver Easy.lnk => C:\PROGRA~1\Easeware\DRIVER~1\DRIVER~1.EXE -> Found
     [PUP.AutoIt.Gen (Potentially Malicious)] (file) AutoClicker.exe -- C:\Users\Johnson Hwang\Downloads\AutoClicker.exe -> Found
     Click the Delete button. Attach the RogueKiller report to your next reply. The log can also be found on your desktop, labeled RKreport[X]_D_xxdatexx_xtimex.txt; the highest number [X] is the most recent Delete log.
  8. Let's take a look using a different tool. Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop. Double-click on setup.exe to install RogueKiller. Close all programs and disconnect any USB or external drives before running the tool. Right-click RogueKiller.exe and select Run As Administrator to run the tool. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.
  9. Other than a single Alternate Data Stream everything else looks fine. How are things running?
  10. Let's take a fresh look. Run a fresh scan with FRST and attach the new FRST scan reports to your reply. Be sure to let me know how things are running.
  11. Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.
  12. Hello and welcome to the Emsisoft support forums. Let's make sure of what we're dealing with. The following site is quite good at identification, and will also offer advice on who, if anyone, might have a decrypter available, even if it is not us. We contribute to the site as well. Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note for proper identification, and share with me the web address of the results page: https://id-ransomware.malwarehunterteam.com/ Please be sure to read the information link on the results page, as to whether we have a decrypter or not; sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery. Outright cracking secure encryption is currently not possible. The encryption used is the same thing governments use and can take on the order of billions of years (no, I'm not exaggerating) with current technology to completely brute-force decrypt even a single victim's computer. Google searching for "time to decrypt AES-256" is pretty enlightening. If this is on a server, please make sure RDP (Remote Desktop Protocol) into your server is protected by proper difficult passwords (all of them), that you audit every account on the server and every machine that can access the server, and use firewalling to limit the range of IP addresses that can use RDP into your server. Also make sure it is up to date with all the latest security patches from Microsoft, especially ones such as the EternalBlue exploit patch. Many criminals using ransomware variants these days use RDP exploits to break in physically, so the attacker can turn off any protection that is on the machine prior to encrypting it. There is no protection against that if they are able to get in, so it is very important to secure the server.
  13. You may or may not get your data back. Some will take your money and never send you a decryption tool. Others will send you a decryption tool or a broken private encryption key that cannot decrypt the data. There are some that will send you the private key and a working decryption tool. You are rolling the dice, and hoping that you come up with a winning roll.
  14. Unfortunately, it looks like this one cannot be broken, at least at this time. There is a piece of malware running on the system and we need to take care of that. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version, please download and run the updated version.
  15. Hello, Let's make sure of what we're dealing with. The following site is quite good at identification, and will also offer advice on who, if anyone, might have a decrypter available, even if it is not us. We contribute to the site as well. Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note for proper identification, and share with me the web address of the results page: https://id-ransomware.malwarehunterteam.com/ Please be sure to read the information link on the results page, as to whether we have a decrypter or not; sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery. Outright cracking secure encryption is currently not possible. The encryption used is the same thing governments use and can take on the order of billions of years (no, I'm not exaggerating) with current technology to completely brute-force decrypt even a single victim's computer. Google searching for "time to decrypt AES-256" is pretty enlightening. If this is on a server, please make sure RDP (Remote Desktop Protocol) into your server is protected by proper difficult passwords (all of them), that you audit every account on the server and every machine that can access the server, and use firewalling to limit the range of IP addresses that can use RDP into your server. Also make sure it is up to date with all the latest security patches from Microsoft, especially ones such as the EternalBlue exploit patch. Many criminals using ransomware variants these days use RDP exploits to break in physically, so the attacker can turn off any protection that is on the machine prior to encrypting it. There is no protection against that if they are able to get in, so it is very important to secure the server.
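The server hardening Kevin recommends in posts 3, 12 and 15 (strong passwords on every account, an audit of the accounts that can reach the box, firewalling RDP down to a limited source range, and staying patched against EternalBlue), written out as an added PowerShell example. This is not code from the forum posts or from any Emsisoft tool. It assumes an elevated PowerShell on Windows Server 2016 / Windows 10 or later with the NetSecurity and Microsoft.PowerShell.LocalAccounts modules available; the 203.0.113.0/24 range is a constructed placeholder (TEST-NET-3) for your own admin subnet, and the 90-day password-age threshold is an assumed policy value.

```powershell
# Added example, not from the forum post. Run elevated, from a console session or
# from inside the allowed range, because step 2 cuts off RDP from everywhere else.
$AllowedRdpSources = @('203.0.113.0/24')   # placeholder: replace with your admin subnet(s)
$PasswordMaxAgeDays = 90                   # assumed policy value

# 1. Require Network Level Authentication so a client must authenticate before a
#    full RDP session (and the logon screen) is ever exposed. 1 = NLA required.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Add an inbound RDP rule scoped to the admin range first, then disable the
#    broad built-in "Remote Desktop" rule group that allows 3389 from any address.
$RuleName = 'RDP - admin subnet only'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $AllowedRdpSources -Action Allow -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Audit local accounts: every enabled account is a password an attacker could
#    guess over RDP. Flag accounts with no recorded password change or a stale one.
$Stale = (Get-Date).AddDays(-$PasswordMaxAgeDays)
"--- Enabled local accounts ---"
Get-LocalUser | Where-Object Enabled |
    Select-Object Name, LastLogon, PasswordLastSet,
        @{ n = 'Review'; e = { if (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Stale) { 'YES' } else { '' } } } |
    Format-Table -AutoSize

# 4. Only members of these groups can log on over RDP; list them so unknown or
#    leftover accounts (including domain principals) can be removed.
foreach ($Group in 'Administrators', 'Remote Desktop Users') {
    "--- Members of $Group ---"
    Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize
}

# 5. EternalBlue (MS17-010) exploits SMBv1. Installing the update is the fix; confirming
#    SMBv1 is also switched off removes the protocol the exploit needs.
"--- SMBv1 server setting (should be False) ---"
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

The account and group listings are reports for a human to act on, not automatic clean-up: disable or remove what you do not recognise, and reset anything flagged. The SMBv1 check complements Windows Update rather than replacing it; a server that still shows EnableSMB1Protocol as True needs both the MS17-010 update and the protocol turned off.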
  16. Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  17. You most likely need to download the drivers from your computer manufacturers support page.
  18. Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  19. I recommend that you start with first reinstalling the Intel Dynamic Platform & Thermal Framework Driver. Then disable all Chrome extensions and re-enable them one at a time until you find the extension that is causing Chrome to crash.
  20. Yes, the entire archive will be deleted. It is not possible to just remove one or more files from a ZIP archive. You would need to unzip the archive, then scan the folder and quarantine or delete the infected emails.
  21. Hello, The main causes of laptop random reboots, listed in order, are: heat, faulty hardware, faulty drivers, software crashes, malware. Your logs show no malware. Also, I see no crash dumps in the FRST logs. The Event log shows that Chrome is misbehaving and an Intel driver is crashing. There is an Alternate Data Stream that should be removed. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version, please download and run the updated version.
  22. Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  23. It's a Behavioral alert on the part of our Behavior Blocker. Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\Users\*******\AppData\Local\Temp\CR_4D200.tmp\setup.exe (SHA1: 2464A40A0FEFD6F569B015F68E57E99DAB147C58). I've reported it to our lab. They should fix it shortly.
  24. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version, please download and run the updated version.
  25. Hello, Unfortunately, this is GlobeImposter 2.0 and there is no known way to decrypt GlobeImposter 2.0 files using third-party tools.