CryptoLocker

Discussion in 'malware problems & news' started by DX2, Sep 10, 2013.

  1. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    I have just found out that UAC will not protect you against it unless your files are in a protected folder like ProgramFiles. I moved my backups accordingly. :)
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Can't you just change security permissions in folder properties?
     
  3. guest

    guest Guest

    This. :thumb:

    Although UAC still won't do much. Once you elevate a program it can do anything it wants.

    P.S.: There are some default folders which will give you error warnings when changing permissions in ACL, like "My Documents" for example. It's better to create a new folder, mess around with the permission settings, and then, once it's all set, move your files to that folder.
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    It is not as simple as it sounds. I have had my share of headaches due to changing permissions, never again. Anyway Windows will protect ProgramFiles until the last breath.
     
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,107
    Location:
    UK
  6. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    737
    Location:
    The Valley Arizona
    Really disconcerting, the idea of having your system and data ripped from your control and held for ransom. Just added CryptoPrevent to my systems today. I also need to implement consistent and regular system backups.
     
  7. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
  8. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,062
    Location:
    U.S.A.
    Merged Threads to Continue Related Topic.
     
  9. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    There is also ShadowExplorer to aid in repairing damage caused by CryptoLocker:
    http://www.shadowexplorer.com/
     
  10. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    737
    Location:
    The Valley Arizona
  11. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Re: CryptoPrevent

    I tried CP but the test only said it was working with AppGuard on. With AG off the test failed... at least that is how I saw it.
     
  12. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    737
    Location:
    The Valley Arizona
    I installed it last Friday. On Monday night I was about to reinstall Sandboxie; the installer would initialize but failed to open or run. No errors or error messages showed on screen. However, in Event Viewer 'Application', I saw an error which stated that sandboxie.exe was restricted by the administrator because of a policy rule. I am admin of my system(s) and I made no such rule. I checked to determine if my AV or firewall had gone behind my back with some admin chores of their own. I found nothing, and disabling each one was no help. So I then tried to update my Firefox browser to v25. No go there either. Long story short, I discovered that CryptoPrevent, when 'block' is initiated, institutes SRP policies that override the administrator's rights, and was blocking the installers for certain programs from running, until I undid the block.
     
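    The symptom described above (an installer silently refused, with an "restricted by your Administrator" error in the Application log) is how Windows Software Restriction Policies report a block. The following PowerShell is an added example, not from this thread or from CryptoPrevent, that lists the machine-wide SRP path rules and the recent SRP block events so you can see which rule stopped which executable; the seven-day window is an arbitrary choice.

    ```powershell
    # Added example: audit Software Restriction Policy (SRP) path rules and the
    # SRP block events they generate. Run from an elevated PowerShell session.

    # Security levels SRP stores as the name of each subkey under CodeIdentifiers.
    $SaferLevels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

    # Machine-wide SRP rules live under CodeIdentifiers\<level>\Paths\<GUID>.
    $srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $srpRoot)) {
        Write-Host 'No machine-wide SRP configuration present.'
    } else {
        $defaultLevel = (Get-ItemProperty $srpRoot).DefaultLevel
        Write-Host "SRP default level: $($SaferLevels[[int]$defaultLevel]) ($defaultLevel)"
        Get-ChildItem $srpRoot | ForEach-Object {
            $level = $SaferLevels[[int]$_.PSChildName]
            $pathsKey = Join-Path $_.PSPath 'Paths'
            if (Test-Path $pathsKey) {
                Get-ChildItem $pathsKey | ForEach-Object {
                    $rule = Get-ItemProperty $_.PSPath
                    [pscustomobject]@{
                        Level       = $level
                        Path        = $rule.ItemData      # the path or wildcard the rule covers
                        Description = $rule.Description
                    }
                }
            }
        } | Sort-Object Level, Path | Format-Table -AutoSize
    }

    # SRP logs blocks to the Application log: 865 = default level, 866 = path rule,
    # 867 = certificate rule, 868 = zone rule. The seven-day window is arbitrary.
    $since = (Get-Date).AddDays(-7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } } |
        Format-Table -Wrap
    ```

    A path rule at the "Disallowed" level covering the %AppData% or %Temp% tree is what turns a legitimate installer extracting to a temporary folder into an 866 event.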
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Re: CryptoPrevent

    I would be careful applying this happily as it may break the installation or operation of software needing access to those parts of the system (and judging from the area being locked, many security tools will be affected). ;)

    Better to use Brain 2.0 if you can...
     
  14. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    When I first read this thread, the info from some of the links gave the file types that were affected and my understanding was that it wasn't system files like OS and programmes. Now it appears from a recent link programs are affected too. So the question is, is this thing morphing into something worse as time goes by?
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    There must be some confusion; the OS issues or programs not functioning correctly are linked to a tool being developed to prevent the infections, not the malware itself... :)
     
  16. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    Business back ups won't mean much when they put a 3 week, 1 month, 2 month "timer" into it.
     
  17. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
    A poster at bleeping computer stated that a new variant erases all shadow copies.
     
  18. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    https://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/
     
  19. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    I'm aware that using the CryptoPrevent blocking tool can cause issues with some programmes opening, but I'm not talking about that; I'm talking about the conflicting reports between computergeeksonline and other reports, 2 of which I've listed here, which don't list executables. (Bold emphasis mine)

     
  20. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,107
    Location:
    UK
  21. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Does Sandboxie or DefenseWall prevent the encryption of files by the Cryptolocker .exe?
     
  22. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    737
    Location:
    The Valley Arizona
    About 15 mins ago I went to foolishit.com to update CryptoPrevent to its latest release. Once on the website, the text on the webpage kept zooming from normal to fill the whole screen (which wreaked havoc with my eyes). When I scrolled down to the end of the page and clicked on the link to download, I ended up on the Hitman Pro site. I closed that webpage, went back to the CryptoPrevent page and tried the download link again. I was again sent to another website of a different utility. I glanced at my system tray and saw the icon for my AV showing it had shut down, and I quickly killed IE in the task manager. Once off the site the AV icon returned to normal. I downloaded the update from majorgeeks instead, and I am now running a MBAM scan on the PC. Don't know what that was all about, but I thought I'd spread a word of caution.
     
  23. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks Stapp. I couldn't remember what that site was but now I've bookmarked it.

    Aztony that sounds weird. Wonder what that was all about.
     
  24. guest

    guest Guest

    I believe Sandboxie can be configured to block access to your file folders. Plus it should virtualize the files by default. No idea about DefenseWall. AppGuard seems to be able to block access as well, but I'm not 100% sure on that.
     
  25. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I assume NVT ERP and AppGuard used together (both in Lockdown mode) would prevent this as well. Right?
     