I have Cryptolocker on my computer. You are my security, please remove this as I can't use my computer


Cryptolocker has appeared on my computer and removed and blocked my files. Please help, you are my PC security

21 replies

Userlevel 7
Thanks for the press release regarding Prevx, Daniel. I knew some of that but it puts it all nicely in context.
 
I am giving the idea of Beta testing some more thought. Reading a few threads on Wilders has made me realise that several testers of various beta products have multiple PCs and problems with one computer would not be a major issue. I only have one PC that I use for everything, including all my financial stuff and therefore I need to make sure that I am not compromised. My recent renewed interest in security (and adoption of WSA) was sparked by the Panda AV debacle earlier this year which managed to screw my PC completely and made me search for a better solution.
http://news.thewindowsclub.com/panda-antivirus-update-likely-brick-windows-systems-restart-74490/
 
I am encouraged to hear that all WSA beta versions are very stable and so should not give any trouble.
 
I would certainly like to be able to test the driver option for the web filtering so perhaps I will put in a request!
 
Regards
 
Nemo
Userlevel 7
Nemo wrote: First thing I did!
I am using 2.73a Beta - I overcame my reluctance of Betas and am impressed. One of these days I might take the plunge and try and sign up for WR beta testing although I can't help thinking that I'm not experienced enough to be of much assistance.
All the best
Nemo
 
 
 
It's not really a big deal and they are very stable and some of us have been Beta testing from the Beginning very early 2011 to get the First WSA 2012 out in the fall of 2011! And we also Beta tested Prevx before Webroot acquired Prevx and lots is still the same but Webroot made it much better IMO! http://www.webroot.com/us/en/company/press-room/releases/technology-acquisition-cloud-security
 
Think it over buddy!
 
Daniel :D
 
Userlevel 7
Hi Roy
 
Appreciate what you are saying and that is why the Feature Request also includes the option to notify the user when an item is put to 'monitor', with the recommendation that the default is 'No' so that the user has to overtly change it so as to be notified.  Hopefully, that means that there would be no change for users unless they wanted the notification and took the trouble to change the option to notify setting.
 
Regards, Baldrick
Userlevel 7
The problem about notifying customers is:
 
  • People tend to ignore emails (esp. IT-related emails)
  • They unsubscribe from said emails
  • They claim it's SPAM and complain
  • If we use the product in messaging function we get complaints

I used to do webinar events and they were very popular but the people that go to said events are the type of people that already have an interest in security.
Userlevel 7

Glad to see that I have already kudoed it.  Hope that you have too?
 
First thing I did!
 
I am using 2.73a Beta - I overcame my reluctance of Betas and am impressed. One of these days I might take the plunge and try and sign up for WR beta testing although I can't help thinking that I'm not experienced enough to be of much assistance.
 
All the best
 
Nemo
Userlevel 7
Cheers, Nemo
 
Glad to see that I have already kudoed it.  Hope that you have too?
 
Glad to see that you are on board re. VS... if you are running the release version (v2.50) then hold on for some super new features as and when the next release is officially rolled out (current TH & I am testing v2.73a...and it is a quantum leap on from v2.50).
 
Now back on topic...lest we fall foul of the Community Guidelines. ;)
 
Regards, Baldrick
Userlevel 7
 
I found the thread in Feature Request - here's the link.
 
https://community.webroot.com/t5/Ideas-Exchange/Notification-pop-up-unknown-application-is-started-monitoring-is/idi-p/193308
 
Thanks for the clarification regarding my general understanding of zero-day variants. I started using VS only yesterday and totally agree that it feels like a great combo.
 
 
 
Appreciate all the cliches! :D
 
 
Userlevel 7
Hey Nemo,
 
A cliché can say it all :)
 
"It has to get worse before it gets better."
The reason we are in this thread to begin with...
 
"The best offense is the good defense." or "The best defense is the good offense."
WSA and any improvements the developers can build into it + any other tools you can pile on top to help.
 
“The best-laid schemes of mice and men oft go awry and leave us nothing but grief and pain, for promised joy!”
New variants every day, more divisive web pages and emails to entice even the best-prepared and equipped techie into the spider's web.
 
"Last line of defense."
Don't forget frequent and validated backups to restore back to a state before the infection.  Given the worst outcome, even once a day backups will keep you no more than 24 hours away from a clean state.
 
The Best,
Dave
Userlevel 7
Hi Nemo
 
It should be a Feature Request, and so logged under that section of the Community Forums.  If you find that I am hallucinating then you are most welcome to start a new Feature Request yourself re. this additional feature. ;)
 
With regard to how other 'standard' AVs might react to CryptoLocker I could not possibly comment except to say that most if not all the mainstream ones will have some feature or two that tries to handle zero-day variants so to say that they would let them through would be harsh...as no system is perfect (and if you look around a number of them are starting to copy WSA in terms of some form of journalling of files & apps that are suspicious - Emsisoft being the latest from what I read about their latest version).
 
Yes, VS should lock down the system (assuming that you are running in ALWAYS ON or SMART mode) should anything get past WSA...indeed, hence why I love the combo. I trust in WSA but nothing is entirely 100%...though WSA may be the closest to that, i.e. 99.99%, but a layered defense is even safer. :D
 
Regards, Baldrick 
Userlevel 7
Hi Baldrick
 
The monitoring feature sounds like a good idea. I will see if I can find the thread.
 
Just so I am clear about this then. With a zero day variant of Cryptolocker (or similar), a standard AV would probably let it through to go about its nasty business, WSA would let it through but monitor it whereas a lock-down anti-executable defence (like VoodooShield) would stop it executing in the first place. If I'm right about this, I can see why you like your combo! :D
 
Nemo
Userlevel 7
Hi Nemo
 
It is the contribution by the Webroot staff (past and present) that help us greatly.  Roy has posted about CryptoLocker variants before in response to similar enquiries...and we learn from receiving that professional input that makes the Community such a great place.
 
In terms of savvyness I agree that it would be useful if there was some more overt way for WSA to let users know that potentially threatening behavior has been detected...but then it is a balance between protection and unnecessarily scaring users.
 
To that end I believe that there is a Feature Request (cannot remember if I initiated it or someone else did) to have a new feature that informs the user when a file or app has been set to 'monitored' so that they are aware that there has been potentially nefarious behaviour detected, etc.  That of course would need an option (set by default = 'No') to allow the warnings to be displayed or not.
 
Will have to check up on whether that has indeed been raised and if so then what the status is.
 
Regards, Baldrick
Userlevel 7
Thanks for the very prompt responses guys.
 
I didn't quite appreciate all the new variants that are released every day and the difficulty (impossibility) of keeping 'normal' AV databases up-to-date.
 
I think your comments about 'savvyness' are very pertinent Baldrick and am wondering if Webroot could perhaps be a little more pro-active in spreading the word on that. Perhaps these forums are the means to do that but I suspect that WR has a lot of customers who, like the majority out there, have no interest in malware issues until they become personally infected.
 
Regards
 
Nemo
 
 
Userlevel 7
Hi Nemo
 
EDIT: I see that Roy has gotten there before me. ;)
 
Good question and my guess is that we may be in the realms of new variants of an old problem...it is not that WSA is not detecting the infection, it is just that the infection may be new and rather than just letting the new variants go on their merry way to wreak havoc as would be the case with some security apps who had not encountered the new variant, WSA has the secondary layer of protection (not a cure but rather protection) of monitoring and then journalling the activity of 'undetermined' files.
 
But if we are talking about prevention rather than cure...then we must not forget the 1st layer of prevention...which is user savvyness, i.e., not opening email if not sure of the provenance, not clicking on/opening email attachments from the same or that may be even the slightest bit suspicious.
 
Let's just hope that Support can assist in the cases of these two users who have unfortunately become the victims of these very nasty people generating and using this malware.
 
Regards, Baldrick
Userlevel 7
It's not as though Cryptolocker is new malware but I guess there may be new variants
 
CryptoLocker is a family name for a specific group of infections. It's not like there is one file doing the rounds that you just have to stop. There are thousands of new variants of it created every hour, each a little different. In the same way that there are thousands of variants of bacteria, you can't take a single tablet to cure you of everything when you are sick. There are also so many other factors to think about too; I have seen people ignore our alerts multiple times and then go and run the infection then complain that they got infected.
 
If people used a decent email service I'd wager that Cryptolocker worldwide would take a nosedive. I have seen email in my junk accounts that have it but they are all caught by Gmail/Outlook's spam filter.
Userlevel 7
Hi Baldrick
 
On a general note, I am wondering why WSA did not prevent Cryptolocker from executing on the PCs of the two unfortunate victims. My understanding is that if a malware link is clicked on, WSA should prevent it being executed in the first place.
 
I understand that Support may be able to rollback to a pre-infected state but surely prevention is always better than cure? It's not as though Cryptolocker is new malware but I guess there may be new variants. Either way WSA is marketed as having your back with zero day exploits anyway.
 
Would be interested in your, or any of the other regulars, comments on this.
 
Regards
 
Nemo
 
Userlevel 7
Hi Santi2010
 
If I may add at this point...try to minimise the use of your computer until Support respond.  The reason for this is that some variants of this encryption malware are known to replicate themselves under new names to new locations on the infected system, so as to make them harder to find and also to remove.
 
Regards, Baldrick
Userlevel 7
You are very welcome.
Thanks!
Userlevel 7
@ wrote:
I am having the same issue!!!  Did you get your issue resolved???
Hi and welcome to the Community @ I would suggest you contact support as per the previous post.
Support is free of charge to current subscription holders.
I am having the same issue!!!  Did you get your issue resolved???
Userlevel 7
Hello @m
 
Welcome to the Webroot Community,
 
Sorry to hear this,
 
I would advise contacting our support team so they can take a look at this issue for you and get it resolved free of charge.
 
Support Number: 1-866-612-4227
Support Ticket: https://detail.webrootanywhere.com/servicewelcome.asp
 
Best Regards,
