Solved

CryptoLocker Recurring After Restore

Posted on 2014-01-22
3
488 Views
Last Modified: 2014-02-01
Hi folks!

I had an employee's computer get hit with the CryptoLocker malware. Fortunately, we have good backups of everything, so no data was lost. I restored her entire desktop using an image backup made before the infection. That should have cleared the local copy of her profile, her registry settings, her data, and all. I also restored, from backup, her roaming profile folder on our file server, as well as her home folder on the server. We also redirect the AppData folder to the server, so I restored that as well.

Lo and behold, the next time she logged in, CryptoLocker re-appeared and started encrypting things again. I've done a complete scan of her computer and our file server using MalwareBytes, and can't find anything outside of the locations I mentioned.

What am I missing? How could CryptoLocker still be tied to her login in some way, and how can I manage to get rid of it once and for all?

Thanks,
Ithizar
0
Comment
Question by:Ithizar
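Since every restored location in the question (roaming profile, home folder, redirected AppData) follows the user rather than the machine, the natural check is to inspect the user-level autostart points in that profile while it sits on the file server, before the user logs on again. The script below is an added example, not something posted in this thread: it loads the profile's NTUSER.DAT as an offline hive, reads the per-user Run/RunOnce keys, lists the Startup folder contents, and lists every executable under the AppData tree sorted by last-write time so anything newer than the restore stands out. The share paths `\\fileserver\profiles\jdoe.V2` and `\\fileserver\appdata\jdoe` are assumptions for illustration; substitute your own.

```powershell
# Added example (not from the thread): audit user-level persistence points in a
# roaming profile / redirected AppData that live on the file server.
# Run from an admin PowerShell on a machine that can reach the shares.
# The two paths below are assumptions; point them at your real profile/AppData roots.
param(
    [string]$ProfileRoot = '\\fileserver\profiles\jdoe.V2',   # assumed roaming profile path
    [string]$AppDataRoot = '\\fileserver\appdata\jdoe'        # assumed redirected AppData path
)

$findings = @()

# 1. Per-user Run/RunOnce keys: load the offline NTUSER.DAT under a temporary HKU name.
$hive = Join-Path $ProfileRoot 'NTUSER.DAT'
if (Test-Path $hive) {
    & reg.exe load 'HKU\OfflineUser' $hive | Out-Null
    try {
        $runKeys = @(
            'Registry::HKEY_USERS\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run',
            'Registry::HKEY_USERS\OfflineUser\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        )
        foreach ($key in $runKeys) {
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                foreach ($p in $props.PSObject.Properties) {
                    # Skip the provider's own PSPath/PSParentPath/... properties.
                    if ($p.Name -notmatch '^PS') {
                        $findings += [pscustomobject]@{
                            Location = 'HKCU Run key'; Name = $p.Name; Value = $p.Value; Written = $null
                        }
                    }
                }
            }
        }
    } finally {
        # Drop provider handles so the hive can be unloaded cleanly.
        [gc]::Collect()
        & reg.exe unload 'HKU\OfflineUser' | Out-Null
    }
}

# 2. Startup folders: one under the profile itself, one under the redirected AppData.
$startupDirs = @(
    (Join-Path $ProfileRoot 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $AppDataRoot 'Roaming\Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force | ForEach-Object {
            $findings += [pscustomobject]@{
                Location = 'Startup folder'; Name = $_.Name; Value = $_.FullName; Written = $_.LastWriteTime
            }
        }
    }
}

# 3. Executables anywhere under AppData: writable without admin rights, so a common
#    drop location for user-level malware. Sorted by LastWriteTime so anything written
#    after the restore is easy to spot against the restore timestamp.
$exeRoots = @($AppDataRoot, (Join-Path $ProfileRoot 'AppData'))
foreach ($root in $exeRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Force -Include *.exe,*.dll,*.scr,*.cmd,*.bat,*.vbs,*.js `
                      -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Location = 'AppData binary'; Name = $_.Name; Value = $_.FullName; Written = $_.LastWriteTime
                }
            }
    }
}

$findings | Sort-Object Written -Descending | Format-Table -AutoSize
```

Machine-level locations (HKLM Run keys, services, scheduled tasks) are not covered here because the full image restore described in the question already replaces them; the point of this check is the user-scoped material that the image does not touch and that a restored-from-backup profile can carry back unchanged if the backup was taken after the initial compromise.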
3 Comments
 
LVL 26

Accepted Solution

by:
Thomas Zucker-Scharff earned 500 total points
ID: 39800695
Are you sure she didn't do something before this started happening again?

Does the computer have a static IP?  If so, you will need to use DBAN to completely wipe the computer and then restore again from the image (you are sure that the image is pre-infection?).  Make sure when you reinstall/reimage that you add some extra security - what OS?  What antimalware are you running on that machine?
0
 

Author Comment

by:Ithizar
ID: 39800741
I can't say with 100% confidence that she didn't do something that could have re-infected her computer, of course. However, she is a fairly computer savvy employee and we had discussed the ways she could have gotten infected in the first place. So it seems unlikely -- but, again, not impossible -- that she did something to re-infect her computer.

No, the computer doesn't have a static IP. It is assigned its address by our DHCP server.

The backup I restored was created using the Macrium Reflect software, which is what we use for all our backups. It was a complete image backup of the entire hard drive including all partitions and the MBR. Do you still feel it is necessary to use DBAN to wipe the hard drive in advance of doing that type of restore?

The OS is Windows 7 Enterprise x64. It is up-to-date with the latest service pack. We run Faronics Anti-Virus on it, and then I did manual scans with MalwareBytes.

Thanks!
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 39801146
I confess that I am unfamiliar with Faronics.  Cryptolocker is a nasty piece of software.  It sounds like you've done everything possible and since that sounds like a bare metal restore, DBAN is probably not necessary.  There are some malware variants that lodge in the BIOS (basic instructions that allow the software to redownload after a bare metal restore).  Cryptolocker, AFAIK, does not do this, but it is something to think about.

Does Faronics have powerful Heuristics?  It looks like it has a HIPS section (took a quick look at the website).  Is HIPS turned on/active for this computer?

BTW, do you like Faronics?  It looks good and I am considering other solutions.
0
