CryptoLocker Recurring After Restore

Hi folks!

I had an employee's computer get hit with the CryptoLocker malware. Fortunately, we have good backups of everything, so no data was lost. I restored her entire desktop using an image backup made before the infection. That should have cleared the local copy of her profile, her registry settings, her data, and all. I also restored, from backup, her roaming profile folder on our file server, as well as her home folder on the server. We also redirect the AppData folder to the server, so I restored that as well.

Lo and behold, the next time she logged in, CryptoLocker re-appeared and started encrypting things again. I've done a complete scan of her computer and our file server using MalwareBytes, and can't find anything outside of the locations I mentioned.

What am I missing? How could CryptoLocker still be tied to her login in some way, and how can I manage to get rid of it once and for all?

Thanks,
Ithizar
IthizarAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Thomas Zucker-ScharffConnect With a Mentor Systems AnalystCommented:
Are you sure she didn't do something before this started happening again?

Does the computer have a static IP?  If so, you will need to use DBAN to completely wipe the computer and then restore again from the image (you are sure that the image is pre-infection?).  Make sure when you reinstall/reimage that you add some extra security - what OS?  What antimalware are you running on that machine?
0
 
IthizarAuthor Commented:
I can't say with 100% confidence that she didn't do something that could have re-infected her computer, of course. However, she is a fairly computer savvy employee and we had discussed the ways she could have gotten infected in the first place. So it seems unlikely -- but, again, not impossible -- that she did something to re-infect her computer.

No, the computer doesn't have a static IP. It is assigned its address by our DHCP server.

The backup I restored was created using the Macrium Reflect software, which is what we use for all our backups. It was a complete image backup of the entire hard drive including all partitions and the MBR. Do you still feel it is necessary to use DBAN to wipe the hard drive in advance of doing that type of restore?

The OS is Windows 7 Enterprise x64. It is up-to-date with the latest service pack. We run Faronics Anti-Virus on it, and then I did manual scans with MalwareBytes.

Thanks!
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
I confess that I am unfamiliar with Faronics.  Cryptolocker is a nasty piece of software.  It sounds like you've done everything possible and since that sounds like a bare metal restore, DBAN is probably not necessary.  There are some malware variants that lodge in the BIOS (basic instructions that allows the software to redownload after a bare metal restore.  Cryptolocker, AFAIK, does not do this, but it is something to think about.

Does Faronics have powerful Heuristics?  It looks like it has a HIPS section (took a quick look at the website).  Is HIPS turned on/active for this computer?

BTW, do you like Faronics?  It looks good and I am considering other solutions.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.