Webroot can't find Cryptowall 3.0


I was hit with Cryptowall 3.0 on 6 Feb.  Helpful experts on another forum guided me through a lengthy, thorough cleaning procedure, including numerous scans and logs.
 
Today, 30 days later, after booting my laptop, Cryptowall did its thing again -- new files are encrypted, old files are encrypted twice now, and the .png and .txt ransom files appeared.  No website access or e-mails; the machine was just sitting there for a couple of hours.  It looks to me like this virus hides really well.  Now I've just finished running Malwarebytes, Avast, and Webroot -- so far, nothing I've tried can detect it.  I've been reading speculation that the virus cleans up after itself and hibernates in a hidden boot partition.  
 
 
My question:  can you guys help me truly clean this?  Or should I just give up on this laptop?
 
Thanks.
 
-Jeff

20 replies

Userlevel 7
Badge +52
Hello and Welcome to the Webroot Community Forums!
 
The best thing to do is to contact support and ask Webroot Support to take a look at this for you.  There is no charge for this if you are a WSA license holder with a current subscription.
Thanks for your reply.
 
I would be happy to purchase a license if I thought Webroot can find Cryptowall 3.0.  As it stands, it cannot.
 
It sounds like there is really nothing out there that works against modern ransomware.  The beauty of it (or nastiness, depending on your point of view) is that it runs infrequently and cleans up except for some minimal amount of "spore code", which can't be found by anti-malware.
 
I think that's the end for this laptop.  I'll use it for another 29 days and avoid any further hassle.
 
-Jeff
 
Userlevel 7
Badge +52
The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.
 
Always perform regular backups
 
Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.
 
 
Userlevel 2
My cousin just told me she took her computer to the Geek Squad and they were able to remove it for her. I don't know if this is something you would care to look into rather than lose the laptop altogether.
I am contacting them this morning myself to see if they can remove this miserable thing!
Userlevel 7
Badge +13
I would definitely contact Webroot support ASAP, as is stated in a previous post in this thread, provided you are a current subscriber. Support and malware removal is free of charge. I would rather go that route. Webroot techs are quite good at what they do. I'm not very fond of Geek Squad personally, as I have worked on quite a few PCs and laptops they nuked. Depending on how busy Geek Squad is, you can be without your PC/laptop for quite some time. Webroot support is very quick and efficient. I would advise that route first.
Userlevel 2
I made a ticket last night and am waiting, but I don't have time to sit on the phone because I have to go to work this afternoon and then tonight.  It's 8:30 a.m. my time.  I am computer stupid, so trying to follow directions would be mind boggling also. I would drive you to the nut farm.
If you can help me though, please, please do!!  I do have a license. I have had Webroot for a few years now, ever since the Geek Squad put it on my son's laptop a few years back.
Thanks for this advice.
 
I doubt that Webroot experts (or Geek Squad or others) can find Cryptowall 3.0 in its latent form, between its first infection and the 30-day intervals at which it re-emerges.  As I say, I know for sure it's on one of my laptops, having seen it wake up and run again after a 30-day hibernation.  I haven't found any anti-malware program yet that can find it.  I've tried:
 
  F-Secure online scanner
  Malwarebytes (both scan and anti-Rootkit)
  Farbar Recovery Scan Tool (FRST)
  Webroot SecureAnywhere
 
So I just saw it run, and no anti-malware can find it -- sort of amazing, if you ask me.  Given this, I don't see how the tech experts would find it, unless they can say they've actually found and removed the latent version before, using steps above and beyond the available anti-malware software.
 
My next step is to replace the MBR and monitor the laptop closely at the next 30-day interval.
 
-Jeff
 
Userlevel 7
Replacing the MBR won't do anything; Cryptowall doesn't affect the MBR in any way. What exactly is your issue? Removing Cryptowall is actually quite easy; recovering the files is the difficult part.
Rakanisheu-
 
Above I listed half a dozen anti-malware programs that could not find Cryptowall 3.0 just after it had run an hour earlier.
 
Since I'm not using that laptop for anything (after the initial infection in early Feb), I'm trying various things (other than the above-listed anti-malware programs) to see if that stops it when I expect to see it next (April 5 at 2:45 p.m.).
 
As far as Cryptowall not affecting the MBR and other boot partitions, what other methods would it use to auto-start after counting precisely 720 hrs, and yet remain undetected?  It looks to me like Cryptowall 3.0 hides quite a lot better than people realize.
 
-Jeff
Userlevel 2
I took my laptop to the Geek Squad and they had to restore it to factory condition.  They couldn't find it and my operating system became unstable.
They also found 114 other viruses that Webroot was not able to detect.  I was told there isn't an anti-virus on the market that can protect us from them all.
My laptop works great now. I had to lose all my files but did not give those thieves anything.
I was also told that some of the people that did pay just got their bank accounts stolen and did not get their files un-encrypted.
Userlevel 7
Badge +62
HI Debbee,
 
It's great to hear that the Geek Squad fixed your computer.
 
It is true that some viruses are missed and no one security product can get them all. But Webroot is the way of the future, as explained here in a thread by TripleHelix.
 
Sorry you lost your files, and that's why it's important to have a backup of everything on an external drive or USB. We all learn, and we are all vulnerable in cyber space, and we fight back the best way we can by protecting ourselves and, again, backing up our systems.
 
Thank you for getting back to us and letting us know that things turned out for you, even though it was an inconvenience and scary, wasn't it? It would have been very upsetting to me. :@
 
 
Best Regards,
 
 
Userlevel 2
I'm more angry at myself for being too lazy to back things up like my son continuously told me to.  I thought Dropbox and the cloud would be good enough. They were not.
Then I opened a junk email I meant to delete, but the way my system was running, everything was shaky and it opened instead of getting deleted. It was something about 7-UP.  Then I noticed shortly after that another tab was opened with the virus on it.
Webroot kept scanning, like every 30 minutes, so I think it could tell something wasn't right.
 
It's such a shame these people use their intelligence for evil when they could do so much good.
 
Who knows, maybe they are doing both??
 
I will still use Webroot because I still think it's the best on the market. Nothing is perfect.
This has taught me a valuable lesson. 
Userlevel 7
@ wrote:
I took my laptop to the Geek Squad and they had to restore it to factory condition.  They couldn't find it and my operating system became unstable.
They also found 114 other viruses that Webroot was not able to detect.  I was told there isn't an anti-virus on the market that can protect us from them all.
My laptop works great now. I had to lose all my files but did not give those thieves anything.
I was also told that some of the people that did pay just got their bank accounts stolen and did not get their files un-encrypted.
Hi Debbie
 
Just to add to what Sherry has quite correctly stated... and quite specifically, in my humble opinion, if they stated that they "...also found 114 other viruses that Webroot was not able to detect" then they are being a little disingenuous.  What they most likely found were non-malware programs we commonly refer to as PUAs or Potentially Unwanted Applications.
 
I won't bore you with the usual spiel on these, but suffice to say that whilst annoying they are for the most part just that, rather than a danger to your system.  WSA does detect and remove many PUAs, and more are being added, but WSA does not detect all of them. A simple browser add-on with PUA behaviour that is easy to identify and easy to remove is not likely to be detected and removed by WSA. Those that are intentionally difficult to locate and remove are. Please see this link for more information regarding Webroot's stance on these annoying programs.
 
I should point out that if you do indeed have trouble with these sorts of programs then you should open a Support Ticket and ask Webroot Support to take a look and remove these for you.  And the best part of this is that as a holder of a valid WSA subscription... there is NO CHARGE for this service.
 
I hope that the above is of assistance and helps clarify what I would call the misinformation that you have been provided with.
 
Regards, Baldrick
Well, this post was reported initially a few MONTHS back and your product is still unable to detect CryptoWall 3.0.
 
I certainly hope that you guys are doing your homework.... and wish that my choice of switching my clients to your product was the right one.
 
I hope there is a 'cunning plan' somewhere in your works to remedy this.
 
Darko
Userlevel 7
Badge +56
I think there's a misconception of what Cryptowall 3.0 is - it's not a static piece of malware.  They release new versions all the time.  We name those "3.0" as a class because they're all in the same family, but they constantly release new versions to try and bypass our (and other AV providers') defenses.  It's not like they put out release notes with every new version 🙂  And correspondingly we are putting in place new defenses with each patch.  And we've actually had to stop noting in our release notes which new malware we're improving our protection against, as that ends up being a clue for the malware writers that their latest strategies have been thwarted.
So you are saying that the crypto virus I am currently dealing with isn't the same version as 3 months ago?
Hmm... interesting, considering my SpyHunter identifies it as such.
Anyway, I guess time will tell whether your product is indeed worth keeping. I hope it is.
D
Userlevel 7
Badge +56
I'm not sure how SpyHunter is classifying it - could be that they recognize the similarity and classify them all together.  Without comparing the files side by side I couldn't say whether they are identical or not.  What I can say is that once we've identified and flagged a version, then Webroot will definitely block it.  Three months is indeed a long time in the life of cryptoware - they're putting out new versions weekly at least.
Userlevel 2
That's what I figured. They are some kind of annoying pest when I get stupid and click on a link one of my friends wants me to look at. It's like a bait link that fills your computer with those little things you're talking about.
{I am not techy in the least}
I also switched to "LUBUNTU" instead of "WINDOWS", as I understand it is a lot harder to get infected with all this nonsense. I also like using it, and as soon as I can figure out how to find the things I want and need I am sure my experience will be wonderful. For now, my son tells me to Google it and try to figure it out, but that isn't going to happen! lol
 
I'm doing okay with this and will stick with Webroot because wherever I go I still see Webroot is the top rated and most talked about antivirus protection on the market. I'm a lifer!
I was just hit with a ransomlock HELP_DECRYPT, along with my PowerShell that kept randomly popping up saying that the program stopped working.  I downloaded a free version of Malwarebytes and after 2 hours it quarantined 1704 issues.  No more ransom message when I boot, and PowerShell seems to be working.  However, all my MS Office files (Word, Excel) and PDFs are all locked up.  Anyone have any ideas how to decrypt them?
 
Userlevel 7
Badge +62
Hi @
 
Welcome to the Webroot Community,
 
From what I hear, after a file is encrypted it is basically useless (unless you pay the ransom they demand). This is where you need to access a good backup to restore this data.
 
But you can submit a Support Ticket free of charge with an active subscription and they will gladly check this out for you.
 
 
Good Luck,
 
Kind Regards,
