Solved

CryptoLocker Recurring After Restore

Posted on 2014-01-22
487 Views
Last Modified: 2014-02-01
Hi folks!

I had an employee's computer get hit with the CryptoLocker malware. Fortunately, we have good backups of everything, so no data was lost. I restored her entire desktop using an image backup made before the infection. That should have cleared the local copy of her profile, her registry settings, her data, and all. I also restored, from backup, her roaming profile folder on our file server, as well as her home folder on the server. We also redirect the AppData folder to the server, so I restored that as well.

Lo and behold, the next time she logged in, CryptoLocker re-appeared and started encrypting things again. I've done a complete scan of her computer and our file server using MalwareBytes, and can't find anything outside of the locations I mentioned.

What am I missing? How could CryptoLocker still be tied to her login in some way, and how can I manage to get rid of it once and for all?

Thanks,
Ithizar
Question by: Ithizar

3 Comments
LVL 27

Accepted Solution

by:
Thomas Zucker-Scharff earned 500 total points
ID: 39800695
Are you sure she didn't do something before this started happening again?

Does the computer have a static IP? If so, you will need to use DBAN to completely wipe the computer and then restore again from the image (you are sure that the image is pre-infection?). Make sure when you reinstall/reimage that you add some extra security - what OS? What antimalware are you running on that machine?
Author Comment

by:Ithizar
ID: 39800741
I can't say with 100% confidence that she didn't do something that could have re-infected her computer, of course. However, she is a fairly computer savvy employee and we had discussed the ways she could have gotten infected in the first place. So it seems unlikely -- but, again, not impossible -- that she did something to re-infect her computer.

No, the computer doesn't have a static IP. It is assigned its address by our DHCP server.

The backup I restored was created using the Macrium Reflect software, which is what we use for all our backups. It was a complete image backup of the entire hard drive including all partitions and the MBR. Do you still feel it is necessary to use DBAN to wipe the hard drive in advance of doing that type of restore?

The OS is Windows 7 Enterprise x64. It is up-to-date with the latest service pack. We run Faronics Anti-Virus on it, and then I did manual scans with MalwareBytes.

Thanks!
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 39801146
I confess that I am unfamiliar with Faronics. Cryptolocker is a nasty piece of software. It sounds like you've done everything possible and since that sounds like a bare metal restore, DBAN is probably not necessary. There are some malware variants that lodge in the BIOS (basic instructions that allow the software to redownload after a bare metal restore). Cryptolocker, AFAIK, does not do this, but it is something to think about.

Does Faronics have powerful heuristics? It looks like it has a HIPS section (took a quick look at the website). Is HIPS turned on/active for this computer?

BTW, do you like Faronics?  It looks good and I am considering other solutions.