Virus & Spyware

7 Gold

CryptoLocker, CryptoPrevent

Remark: The following is a composite summary/compilation of important information gleaned from various sources (which are cited at the end of this post).

“CryptoLocker” is the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom... The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand.

It is therefore absolutely critical that Cryptolocker be PREVENTED from impacting your system... because "after the fact", while the malware itself can be removed, your data canNOT be restored :-(

For example, the FREE version of MBAM, which detects CryptoLocker infections as Trojan.Ransom, may be able to remove the infectious malware, but it cannot recover your encrypted programs/data files. Fortunately, users of Malwarebytes Anti-Malware Pro are protected from CryptoLocker via the PRO version's realtime malware-execution-prevention and blocking of malware sites and servers.

It is now being recommended that all home users download and run CryptoPrevent , a tiny (and FREE) utility, which will PREVENT CryptoLocker infections, by setting software policy restrictions that should block Cryptolocker from running from the known locations it has been using.   [Note:   Some security software, including McAfee's SiteAdvisor, currently "red-flag" the CryptoPrevent site as being potentially dangerous.   All indications are that this is a false positive.   Avast users may find that its Behavior Shield might flag CryptoPrevent (likely based on its limited "file reputation"), resulting in Avast auto-sandboxing (in avast 8) or DeepScanning (avast 2014) the program.]

Download the most current version --- it's being updated frequently --- then run it using the default/checked options, and click APPLY.   That's all there is to it!

Disclaimers:   1)  Since CryptoPrevent's methodology (of setting software restriction policies) is publicly known, I have no idea what's to prevent the CryptoLocker malware from editing one's registry, countering these software restriction policy changes, and then implementing its notorious deed.   Likewise, what's to stop CryptoLocker from dropping its loaders in alternative [random] directories that don't have corresponding software restriction policies set?   Of course, CryptoPrevent could then counter with an update which includes the new locations... but that puts it in the position of always "playing catch-up" to the malware.  I welcome a definitive answer from security experts.

2) I am not yet in a position to guarantee the safety for average users to deploy CryptoPrevent.   My questions:  Can it... either via enabling... or especially via its UNdo feature... do any harm?  Specifically, can its UNdo inadvertently remove protection that was placed there previously by another program, if CryptoPrevent happens to protect the identical registry entry?... or are all of CryptoPrevent's registry entries unique to that program?  [EDIT:   As it's highly unlikely that Home Users have separately invoked any "Group Policy" restrictions, there's little chance of my UNdo fears here being realized.] 

In short, while CryptoPrevent appears to be an extremely important tool (WinXP [SP2/SP3], Vista, 7, 8, 8.1), be advised I can take no responsibility should anything go wrong.  [For what it's worth, I *HAVE* deployed CryptoPrevent on my primary Win7x64 Pro SP1 and my secondary WinXP Pro SP3 systems... so I'm not suggesting people be "guinea-pigs" for something that I haven't already tried myself.   So far, I really like what I see.]

SOURCES:

Definitive Guide to CryptoLocker (by Lawrence Abrams [aka "Grinler" ]): http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

CryptoPrevent:  http://www.foolishit.com/vb6-projects/cryptoprevent/

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 10 Pro (64-bit), Panda DOME 20, MBAM4 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, Microsoft EDGE, Firefox, Pale Moon, uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]
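The software-restriction-policy approach the post describes, as an added example that is neither CryptoPrevent's code nor part of the original post: it lists the existing SRP "Disallowed" path rules, adds constructed sample rules only where no rule for that path already exists, and removes only the rules it tagged itself, which is the selective undo the disclaimer asks about. It assumes the standard SRP registry layout under HKLM\...\Safer\CodeIdentifiers and an elevated PowerShell session; the sample paths and the tag name are constructed.

```powershell
# Added example, not CryptoPrevent's own code. Assumes the standard Windows
# SRP registry layout (security level 0 = Disallowed) and an elevated shell.
# Enabling SRP itself (DefaultLevel/TransparentEnabled under CodeIdentifiers)
# is left to the administrator; this script only manages path rules.
$SrpRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = Join-Path $SrpRoot '0\Paths'
$Tag        = 'ExampleSRP'   # constructed marker for rules this script creates

# List every existing Disallowed path rule, so an undo can see who owns what.
function Get-DisallowedPathRules {
    if (-not (Test-Path $Disallowed)) { return @() }
    Get-ChildItem $Disallowed | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Guid = $_.PSChildName; Path = $p.ItemData; Description = $p.Description }
    }
}

# Add a Disallowed rule only if no rule with that path exists, so a rule that
# another tool or an admin placed earlier is never clobbered.
function Add-DisallowedPathRule([string]$Path) {
    if (Get-DisallowedPathRules | Where-Object { $_.Path -eq $Path }) {
        Write-Host "skip (already present): $Path"; return
    }
    $key = New-Item -Path (Join-Path $Disallowed ('{' + [guid]::NewGuid() + '}')) -Force
    New-ItemProperty -Path $key.PSPath -Name ItemData    -Value $Path -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags  -Value 0     -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description -Value $Tag  -PropertyType String       | Out-Null
    Write-Host "added: $Path"
}

# Selective undo: remove only rules carrying our tag, leaving everyone else's.
function Remove-TaggedRules {
    Get-DisallowedPathRules | Where-Object { $_.Description -eq $Tag } | ForEach-Object {
        Remove-Item (Join-Path $Disallowed $_.Guid) -Recurse
        Write-Host "removed: $($_.Path)"
    }
}

# Constructed sample paths illustrating the "known locations" idea from the post;
# REG_EXPAND_SZ lets %AppData% resolve per user, including redirected folders.
$SamplePaths = '%AppData%\*.exe', '%AppData%\*\*.exe', '%LocalAppData%\*.exe'
foreach ($p in $SamplePaths) { Add-DisallowedPathRule $p }
Get-DisallowedPathRules | Format-Table -AutoSize
```

Run Get-DisallowedPathRules before and after applying any such tool to see exactly which rules it touched; Remove-TaggedRules reverts only this script's own entries.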

Replies (62)
5 Rhenium

I have the free version-CryptoPrevent- installed on one of my Windows 7 machines.  I would like to completely uninstall this free version however it does not show up in the Control Panel under the Programs.  How can I uninstall this program? 

Forum Member Since 2001

7 Thorium

If you can't find the Uninstall, the developer has a forum here: http://foolishtech.com/viewforum.php?f=5


Windows Insider MVP 2016 - Present

Microsoft MVP - Consumer Security 2006-2016

Social Media and Community Professional

7 Gold

Annie,

As pointed out in an earlier reply to Dale, there are two versions of the program available from its website:   a ZIP/extractable version which is self-contained [i.e., no need to install/uninstall], and an installer version [which can be installed/uninstalled].   Only the second version --- which actually performs an installation --- will appear in your Control Panel for uninstalling.  

If you used the ZIP/extractable version, all you have to do is delete the files --- the ZIPped archive, and the extracted executable --- from your computer to "completely" remove them from your system.   HOWEVER:   If you applied the protection, simply deleting the executable file will leave the protection intact.   If you [also] want to remove the protection (from your registry), you should use CryptoPrevent to  UNDO  its protection, before you delete the program!

Remark:  If you used the installer --- which apparently you didn't --- I'm not sure whether or not a formal "uninstall" will automatically remove the protection.   The safer approach here too would be to UNDO the protection before uninstalling (--- assuming that's what you want to do).

Question:   Did you have a problem with the program? --- Given the potential protection it offers (free, and with no noticeable impact on one's system), I'm wondering why you feel the need to "completely uninstall" it?

5 Rhenium

ky331,  When I installed this CryptoPrevent on my first computer I used the zip file.  I misunderstood  how the free vs. the paid version worked. I wanted the paid version.   I wanted to completely uninstall/remove the zip version.

When the zip version was installed it left files on my desktop and I wanted this program to go to my Programs.  I now have this program installed properly.  There was really nothing I found wrong with the program.  If it does what it says it is going to do then it is well worth the money.  I should have used the installer version the first time around. I have since gotten this program installed with the installer and removed the zip version. Also it is a real plus that CryptoPrevent can be used on multiple computers. Thanks for the help.

7 Gold

As always, glad to be of help.

Just a thought... if you want to splurge on a paid program, personally, I'd say the money is better spent on MBAM PRO.   First off, MBAM PRO will protect you against CryptoLocker, so you'll be getting that important coverage.   But more significantly, MBAM PRO protects you against so many other varieties of malware --- so the comparative "bang for your buck" is just awesome.

While I don't want to minimize the danger of CryptoLocker... if you "catch" it, your system will be devastated... I also have to wonder just how long the malware writers intend on keeping it alive --- I think that, at some point, they'll conclude there are enough protection vehicles readily available, that it's no longer worth their time to focus on this one entry vector.   Instead, they [or other malware writers] will create a completely new vehicle for malicious system penetration.   If I'm correct, then at that [future] point, CryptoPrevent's value will become muted, and the program may cease to be supported.   In contrast, MBAM should continue to adapt to all forms of significant malware that are created many years into the future.  

You are correct in the statement that a single purchase of CryptoPrevent Premium is valid for ALL your home computers, so that's a definite plus for CryptoPrevent.

5 Rhenium

I have had Malwarebytes Pro for several years and it is a wonderful program.  It is on several of my computers.  I wanted to try the paid version vs. the free CryptoLocker to have the automatic updates.  Maybe that isn't the best way to go.  I hope the program is around for awhile so I get my money's worth. 

7 Gold

CryptoLocker may be around much longer than I've speculated.

If CryptoPrevent blocks CryptoLocker on even one of your systems, you will have gotten (more than) your money's worth.

And even if you never catch CryptoLocker, you can't put a price on "the peace-of-mind" CryptoPrevent offers you.

7 Gold

BillP (WinPatrol) posted the following on Facebook, in response to the question:  [Can] WinPatrol block the CryptoLocker viruses?

"At this time, I wouldn't feel comfortable  saying WinPatrol will protect you against this kind of threat.  WinPatrol's protection by design is focused on a program infiltrating your computer so it can hide and mess with your system on a regular basis.

Crypto style programs aren't really sophisticated in the way they remain on your system. In fact, if you remove the Trojan part of the threat it could prevent you from seeing the instructions on how to save your files. While I highly recommend daily backups over paying an extortionist it would be possible to restore their files via our History button.

I'm currently spending  a lot of time researching this threat so I do have a bit of experience.  Using WinPatrol PLUS I have been able to detect the infiltration in time before any damage was done. Using the free version some files were compromised. However, this was under lab conditions and not by a typical user who would have allowed CryptoLocker to run in the first place. My experience is that typical users could fall prey to the download but instinct would kick in the moment they clicked.

I'm pleased to note I have not received any reports of attacks by WinPatrol users.  That either means WinPatrol users are very careful or Scotty has alerted them in time.  I still wouldn't try it unless I knew everything was backed up or I was running in a virtual sandbox. The target audience for CryptoLocker may not be the same as those using WinPatrol.
If your files have already been encrypted WinPatrol will not be able to help at this time.

I have actually been looking at a solution to Cryptolocker and other attacks I expect to see in the future, using some older code from WinPatrol. I believe it would be possible to provide a solution for CryptoLocker; however, it uses the same technology common in root kits. I'm not sure if most users would find that acceptable. I do have an idea for a better solution but need some funding before I can make this happen.

For now, use extra care and if you own a business train your users and keep a firewall between your employees."

7 Gold

CryptoPrevent v4.3.2 (11 April 2014) – added support for redirected %appdata% directories (Windows folder redirection typically only used on larger networks.)

7 Gold

v4.3.3 (May 16, 2014) – updated digital signature on CryptoPrevent executables.
