
safety
Members
Posts: 111
Joined
Days Won: 1

Kudos

  1. Upvote
    safety received kudos from Nightowl in I got ransomware attacked in 2016, I have the files, how to decrypt them?   
    I think the decryption of your mp3 files with esetteslacryptdecryptor.exe was correct, but there is also a second layer of encryption, and this, unfortunately, is Cryptowall 3, judging by the first 16 bytes at the beginning of each file after decryption (the first 16 bytes are the same for all files):
    723800F3740E5CF011BDB7F6EE44EC63

  2. Upvote
    safety received kudos from itman in I got ransomware attacked in 2016, I have the files, how to decrypt them?   
    (Same post as in item 1.)

  3. Upvote
    safety received kudos from Nightowl in Pc infected with cyberfear@decryptor, SEXAXGLSY files   
    1.5 years after the leak, the builder has started to work more cleverly, but at first the folder with the builder files was left on the disk.

    Some of the attackers do not change the private key (decryptor) for a long time, and after the key has been ransomed there is a chance to help other victims.
    >>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
    >>>> Your personal DECRYPTION ID: 0D4726C60545E66F4343434343434343
    >>>> Your personal DECRYPTION ID: 0D4726C60545E66FEFE02D17117DDA22
    >>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
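    As an added PowerShell example (not code from the posts above, and not an ESET tool), the two observations in items 1 and 3 can be checked mechanically: group a folder of files by their leading bytes to confirm that every file starts with the same 16-byte header after the first decryption pass, and compute the common prefix of several ransom-note decryption IDs to see whether victims share one key identifier. The folder path is a placeholder; the IDs are the three distinct values quoted in item 3.

```powershell
# Added example: checks for a shared file header and a shared ID prefix.
# Not from the forum posts; the folder path and the ID list are inputs you supply.

function Get-FileHeaderGroups {
    # Read the first $Length bytes of every file under $Path and group the files
    # by that header (upper-case hex). One large group whose header is not a known
    # file signature (e.g. an ID3 tag or MP3 frame sync) suggests a second encryption layer.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Length = 16
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $buf = New-Object byte[] $Length
        $fs  = [System.IO.File]::OpenRead($_.FullName)
        try     { $read = $fs.Read($buf, 0, $Length) }   # may be < $Length for tiny files
        finally { $fs.Dispose() }
        [PSCustomObject]@{
            File   = $_.FullName
            # ToString(..., 0, 0) yields "" for an empty file, so no special case is needed
            Header = ([System.BitConverter]::ToString($buf, 0, $read)) -replace '-', ''
        }
    } |
    Group-Object -Property Header |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, @{ n = 'Header'; e = { $_.Name } }, @{ n = 'Files'; e = { $_.Group.File } }
}

function Get-CommonPrefix {
    # Longest common leading substring of all values (ordinal, character-wise).
    # Shrinks the candidate prefix until every value starts with it; "" always matches.
    param([Parameter(Mandatory)] [string[]] $Values)
    $prefix = $Values[0]
    foreach ($v in $Values) {
        while (-not $v.StartsWith($prefix, [System.StringComparison]::Ordinal)) {
            $prefix = $prefix.Substring(0, $prefix.Length - 1)
        }
    }
    return $prefix
}

# Usage for item 1: do all files share one header after the TeslaCrypt pass?
# 'D:\recovered\music' is a placeholder path.
Get-FileHeaderGroups -Path 'D:\recovered\music' | Format-Table -AutoSize

# Usage for item 3: the three distinct IDs quoted in the post
$ids = '0D4726C60545E66F7A63330CE76CDAF9',
       '0D4726C60545E66F4343434343434343',
       '0D4726C60545E66FEFE02D17117DDA22'
$shared = Get-CommonPrefix -Values $ids
"Shared prefix: $shared ($($shared.Length / 2) bytes of the 16-byte ID)"
```

    The IDs in the post share their first 16 hex characters (0D4726C60545E66F, 8 bytes); that fixed half is what the post relies on to argue that one attacker key served several victims, so any new victim whose ID carries the same prefix is worth matching against a key that has already been obtained.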
  4. Upvote
    safety gave kudos to Marcos in Customer satisfaction survey 2023   
    Dear users,
    Another year has passed and we would like to thank you all for being our users and fans, especially those who have been active and helpful in our forum and contributed to our mutual endeavor to defend our digital worlds. My special thanks to Itman for his tireless presence here and willingness to help others.
    We would like to ask you to spend a few minutes and give us feedback on how we were doing, what you like about ESET and what is not that good and where we could improve. We endeavor to listen to your feedback and tailor the products to your needs and liking while keeping the products effective and easy to control, with a small footprint on your systems. If you were not content with how your support tickets, queries or issue reports were handled, we would appreciate it if you could provide a ticket number, links to this forum, etc. in a comment so that we could review them and try to improve things in the future.
    With ESET home products v17 and Endpoint v11 just around the corner (the program update to v17 is already available on the pre-release update channel), you can look forward to features like Browser Privacy & Security with Secure Search or Browser Cleanup as well as a new-tier product, ESET Security Ultimate, which will bring VPN as an addition to existing features for a start. Last but not least, we are excited to tell you that next year we're going to substantially improve the HIPS-based Deep Behavior Inspection, Ransomware Shield, scanning on multicore processor systems, etc.

    Regards,
    Marcos
  5. Upvote
    safety received kudos from itman in Eset VS Miner   
    In general, over the past few years the topic of this miner ("REALTEKD / TASKHOSTW") on technical forums in Russia, and apparently in Ukraine, can be compared in popularity only with the Stop Djvu encryptor (but there at least the file extension changes consistently, whereas here practically nothing changes).
    Many antiviruses are removed and blocked, not only ESET. In both cases the infection occurs as a result of using cracked programs. The installer with this miner is, as a rule, several GB in size, and there is no way to check it for viruses.
    In addition to blocking the launch of installers and utilities and blocking the standard installation paths of anti-virus programs, access to the sites of technical forums and anti-virus companies is also blocked.
  6. Upvote
    safety gave kudos to itman in Detecting of malicious scripts *.py in the .unitypackage files   
    Blocking execution of Python scripts via a HIPS is somewhat "an effort in futility" given the multiple ways the scripts can be run: https://realpython.com/run-python-scripts/ .
    Now if Eset HIPS had the capability to block read access of a file plus global file wildcard use capability, then a HIPS rule could be created to block/ask for *.py and *.pyw file access.
    Finally, .py scripts can be converted to a .exe just like .bat, etc. scripts can be.
    The main danger of Python scripts is that they are not parsed by the Windows AMSI interface. On the other hand, AMSI is being bypassed so much by malware these days that it's probably a moot point.
  7. Upvote
    safety gave kudos to itman in Detecting of malicious scripts *.py in the .unitypackage files   
    Based on what I read here: https://github.com/Hawkish-Team/Hawkish-Grabber , I would say detection likelihood would be low.
  8. Upvote
    safety received kudos from Nightowl in Is it possible to decrypt files for modified FONIX/RYUK?   
    Is it possible to decrypt files for modified FONIX/RYUK?
    https://www.virustotal.com/gui/file/ee864a8610aea416b02ae7959606775444af70f3e424315edf3463c87e66f4c3/details
    Crypted+.rar efsw_logs.zip ESVC_SARABI_20230613153602.zip
    Filecoder.zip
  9. Upvote
    safety received kudos from Nightowl in Is it possible to decrypt files for modified FONIX/RYUK?   
    Reinstalling the system may affect the investigation of the incident, but in order to analyze "whether or not decryption of files is possible", the user transferred everything that was needed: encrypted files, the body of the encryptor, a ransom note, additional files, from which it was previously possible to restore the key.
    DrWeb's requirements are quite strict: free decryption is possible if the user has a license for the DrWeb product, and if the product was installed and updated and still missed the encryptor file.
    Nothing is known about FONIX decryption being available in DrWeb; Bitdefender used cpriv.key (i.e. a key file) previously; Gillespie (Emsisoft) also wrote about needing a key file to decrypt FONIX; Avast uses a key file (cpriv.key, hrmlog1) to restore the session private key and then decrypt the files; Kaspersky receives the session key and adds it to the Rakhni public decryptor.
  10. Upvote
    safety gave kudos to Marcos in Is it possible to decrypt files for modified FONIX/RYUK?   
    You are right, Filecoder.FONIX can be decrypted. Please email the above logs and files to samples[at]eset.com.
  11. Upvote
    safety gave kudos to itman in False Positive when detecting Universal Virus Sniffer   
    It's an AMS detection. As such, no way to exclude it as far as I am aware of other than disabling Potentially Dangerous Application Detection category as you previously did:
  12. Upvote
    safety gave kudos to Marcos in False Positive when detecting Universal Virus Sniffer   
    You can create a detection exclusion with "Win32/UniversalVirusSniffer.A" and another one with "Suspicious object" and the file hash should it still be detected.
  13. Upvote
    safety gave kudos to itman in problem updating ESET v9 product on Windows XP SP3 x32   
    It appears Eset terminated all support for Win XP yesterday:
  14. Upvote
    safety gave kudos to Peter Randziak in cannot activate ESET V9 with ECP.20006 error   
    Hello @safety,
    which update server has the customer set?
    Does the offline license file contain the username and password?
    Can you send me the offline license file via a private message to check?
    Peter
  15. Upvote
    safety gave kudos to Marcos in cannot activate ESET V9 with ECP.20006 error   
    We've made a workaround so now activation works also for legacy products.
  16. Upvote
    safety received kudos from Peter Randziak in cannot activate ESET V9 with ECP.20006 error   
    Please check your private message.
  17. Upvote
    safety gave kudos to Marcos in Sysinspector.esil   
    ESI v2 doesn't support service scripts. It basically allows only collecting and viewing logs with advanced filtering options not present in ESI v1.
  18. Upvote
    safety gave kudos to formingus in Annoying PowerShell/Agent.AEW, on each start.. Need assitence   
    I don't have that file, but I found which file it was. I know that I have saved it somewhere.
    This was the folder name: C:\Windows\System32\rMZ0nIulz9
    The script is inside the rar.
    The script was in System32, not on partition D; on partition D I saved it only to help others.
    rMZ0nIulz9.rar
  19. Upvote
    safety gave kudos to Marcos in Banking & Payment Protection   
    You have several 3rd party dlls injected in the msedge.exe process:
    c:\programdata\a-volute\a-volute.28054df1f58b4\modules\scheduledmodules\x64\nahimicosd.dll (Nahimic)
    c:\program files\common files\crypto pro\shared\pkivalidator.dll (Crypto-PRO company)
    c:\program files\crypto pro\csp\cpcspi.dll (Crypto-PRO company)
    c:\program files\crypto pro\csp\cpsuprt.dll (Crypto-PRO company)
    c:\program files\crypto pro\csp\cpui.dll (Crypto-PRO company)
    c:\windows\system32\cpsspap.dll (Crypto-PRO company)
    c:\program files\crypto pro\csp\cpcsp.dll (Crypto-PRO company)
    c:\program files\common files\crypto pro\appcompat\cpschan.dll (Crypto-PRO company)
    c:\program files\common files\crypto pro\appcompat\cpmsi.dll (Crypto-PRO company)
    The difference between v15.1 and v15.0 and older is that we now open a secure browser even if an untrusted dll is loaded. In such case the above notification is displayed.
    Will need to check with devs as to which of the dlls is not trusted. Will keep you posted.
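    As an added PowerShell example (not ESET code, and not the check Banking & Payment Protection itself performs; the thread does not say which trust criteria ESET applies), the list above can be reproduced locally by enumerating the modules loaded into the running browser processes and keeping every module that is not validly signed by the browser vendor. The process name msedge comes from the post; the vendor-name pattern used to decide what counts as the browser's own code is an assumption.

```powershell
# Added example: list DLLs loaded into a browser process that are not validly
# signed by the browser vendor, to see which third-party modules are injected.
# Not ESET code; the process name and the trusted-signer pattern are assumptions.

function Get-ForeignBrowserModules {
    [CmdletBinding()]
    param(
        [string] $ProcessName   = 'msedge',
        # Substring of the certificate Subject (O=...) treated as the browser's own vendor
        [string] $VendorPattern = 'Microsoft Corporation'
    )
    # Collect every module path across all instances (browsers are multi-process).
    # Reading .Modules fails for a PID of the other bitness or without access rights,
    # so each process is handled separately and a failure only produces a warning.
    $paths = foreach ($proc in (Get-Process -Name $ProcessName -ErrorAction Stop)) {
        try   { $proc.Modules | Select-Object -ExpandProperty FileName }
        catch { Write-Warning "Cannot read modules of PID $($proc.Id): $($_.Exception.Message)" }
    }
    foreach ($p in ($paths | Sort-Object -Unique)) {
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        # Keep anything that is not a valid signature from the vendor. On systems where
        # catalog-signed OS files report NotSigned, filter those out by path afterwards.
        if ($sig.Status -ne 'Valid' -or $signer -notlike "*$VendorPattern*") {
            [PSCustomObject]@{ Module = $p; Status = $sig.Status; Signer = $signer }
        }
    }
}

Get-ForeignBrowserModules -ProcessName 'msedge' | Format-Table -AutoSize
```

    Run it from a PowerShell of the same bitness as the browser, while the browser is open. Third-party components such as the audio-effects and CSP modules listed in the post show up with their own vendor as signer; an unsigned or invalidly signed entry is the one to look at first.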
  20. Upvote
    safety gave kudos to itman in Banking & Payment Protection   
    Really, there is no issue with posting a Log file attachment to a forum posting. Only Eset moderators can access those attachments.
  21. Upvote
    safety gave kudos to itman in Banking & Payment Protection   
    The workaround for this issue till it is resolved is to disable "Secure all browsers" per the below screenshot. This will prevent any browser extensions from loading in Banking & Payment Protection mode and should eliminate the error message.
  22. Upvote
    safety gave kudos to Marcos in Banking & Payment Protection   
    Please provide ELC logs too. Before launching a browser and reproducing the issue, enable advanced logging under Help and support -> Technical support. After reproducing the warning, disable logging and then collect logs with ELC.
    Most likely there is an untrusted dll loaded in the browser which is allowed as of v15.1, however, the notification is displayed. With previous versions it was not possible to launch the secured browser in such case.
  23. Upvote
    safety gave kudos to JamesR in Suspected botnet detected   
    Your symptoms indicate that your MS SQL server may be compromised. Some things you will want to do immediately are:
    • Ensure MS SQL ports are not exposed to the internet. Typically this will be port 1433 but could be a different port.
    • Audit existing MS SQL user accounts and disable and/or reset the password for all accounts (may need to do this for Windows accounts too, as MS SQL can allow the use of Windows Authentication for management).
    • Generate ESET Log Collector logs.
    • Check for the following SQL settings being enabled, as they can be abused by attackers:
      • 'xp_cmdshell' - Allows SQL to execute external applications like CMD.exe or Powershell.exe or others.
      • 'Ole Automation Procedures' - Allows SQL to execute OLE (similar to MS Office macros) and can lead to SQL executing external applications, making network connections, etc.
      • 'show advanced options' - Allows advanced features of SQL to be used (this allows the above features to be used).
    There are multiple ways MS SQL can be leveraged to execute malicious code. The most popular are:
    • Stored Procedures - Can be scheduled inside of MS SQL to execute at specific intervals.
    • Triggers - There are 3 types of triggers:
      • DDL (Data Definition Language) - executes code whenever statements like CREATE, ALTER, DROP are used.
      • LOGIN - Executes code whenever a user logs into the MS SQL system.
      • DML (Data Manipulation Language) - executes code whenever statements like INSERT, UPDATE, DELETE are used.
    • .NET - MS SQL does have the ability to execute .NET libraries, but this is much harder and rarer to see.
    I will send you a direct message with some more specific pointers on identifying if your SQL Server is currently compromised.
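    As an added PowerShell example (not ESET code and not the pointers JamesR sent privately), the checks listed in that post can be run read-only against the instance from the catalog views: the three server options plus 'clr enabled', procedures marked to run at service start and SQL Agent jobs (the two ways a stored procedure gets executed on a schedule), server-level triggers (LOGON and server DDL), DDL and DML triggers in every online database, user-defined CLR assemblies (the .NET path), and the login list with sysadmin membership for the account audit. It assumes Windows authentication with sysadmin rights on the instance and the System.Data.SqlClient client that ships with Windows PowerShell; the instance name is a placeholder.

```powershell
# Added example: read-only inventory of the MS SQL persistence/abuse paths named in the post.
# Not ESET code. Assumes Windows auth with sysadmin rights on $Instance (placeholder 'localhost').

function Invoke-SqlPersistenceAudit {
    [CmdletBinding()]
    param([string] $Instance = 'localhost')

    # One query per check. sys.triggers is per database, so that check is assembled
    # dynamically as a single UNION ALL over every online database.
    $checks = [ordered]@{
        'Dangerous server options (1 = enabled)' = @'
SELECT name, value_in_use FROM sys.configurations
WHERE name IN (N'show advanced options', N'xp_cmdshell', N'Ole Automation Procedures', N'clr enabled');
'@
        'Startup stored procedures (run on service start)' = @'
SELECT name, modify_date FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;
'@
        'SQL Agent jobs (scheduled execution)' = @'
SELECT j.name, j.enabled, s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id;
'@
        'Server-level triggers (LOGON / server DDL)' = @'
SELECT name, is_disabled, modify_date FROM sys.server_triggers;
'@
        'Database triggers (DDL and DML) in every online database' = @'
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N' UNION ALL SELECT N''' + REPLACE(name, N'''', N'''''') + N''' AS db, '
             + N't.name, t.parent_class_desc, t.is_disabled, t.modify_date FROM '
             + QUOTENAME(name) + N'.sys.triggers AS t'
FROM sys.databases WHERE state_desc = N'ONLINE';
SET @sql = STUFF(@sql, 1, 11, N'');   -- remove the leading ' UNION ALL ' (11 characters)
EXEC sp_executesql @sql;
'@
        'User CLR assemblies (.NET code inside SQL)' = @'
SELECT name, permission_set_desc, create_date FROM sys.assemblies WHERE is_user_defined = 1;
'@
        'Logins (SQL, Windows user, Windows group) and sysadmin membership' = @'
SELECT l.name, l.type_desc, l.is_disabled, l.modify_date,
       CASE WHEN r.member_principal_id IS NULL THEN 0 ELSE 1 END AS is_sysadmin
FROM sys.server_principals AS l
LEFT JOIN sys.server_role_members AS r
       ON r.member_principal_id = l.principal_id AND r.role_principal_id = SUSER_ID('sysadmin')
WHERE l.type IN ('S', 'U', 'G');
'@
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=True")
    $conn.Open()
    try {
        foreach ($check in $checks.GetEnumerator()) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = $check.Value
            $table = New-Object System.Data.DataTable
            $table.Load($cmd.ExecuteReader())        # reads the single result set to the end
            "=== $($check.Key) ==="
            if ($table.Rows.Count) { $table | Format-Table -AutoSize | Out-String } else { '(none)' }
        }
    } finally { $conn.Dispose() }
}

Invoke-SqlPersistenceAudit -Instance 'localhost'
```

    Anything the script lists is not automatically malicious (CLR assemblies and Agent jobs are common in legitimate deployments), so compare each row's modify_date or create_date against the first detection time from the ESET logs and read the command or trigger body of every recent entry.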
  24. Upvote
    safety gave kudos to Nightowl in Suspected botnet detected   
    If ESET is still giving detections and communications to the IP that was logged at port 80, then it's not blocked, because the communication has been made and ESET has blocked/dropped it as suspicious botnet activity; blocking the IP totally for all ports can help prevent further communications to the botnet server.
  25. Upvote
    safety gave kudos to itman in hxxp://wpad.domain.name/wpad.dat   
    I did come across the Google Project Zero article that recommended that the winhttpautoproxysvc service be disabled: https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html . BTW - this was patched by Microsoft.
    At the same time I found this later dated router vulnerability advisory that also might be worth exploring:
    https://www.kb.cert.org/vuls/id/598349
    Of note is the recommended mitigation for this is: