Virus HELP

We have now gotten hit for a second time by the Cryptowall Ransomware. We had everything cleaned up (we thought) and it was smooth sailing for about 2 weeks. Then it hit again and the source is the same user PC that had it before. However, let me say, the original PC was taken offline and he was given a different machine.

Can this virus "attach" itself to a user profile?

Or is it more likely that he re-visited a website and got it again.  

I want to understand how this can happen again in such a short period of time.
bankwest (CTO/Cashier) asked:
David Johnson, CD, MVP (Owner) commented:
The user probably opened the same attachment. Did you install the Cryptowall prevention toolkit? Don't forget to update it periodically.
0
VB ITS (Specialist Consultant) commented:
Can this virus "attach" itself to a user profile?
Or is it more likely that he re-visited a website and got it again.
From what I've seen, yes, the virus does store itself in the user profile. You said you gave the user a new machine though - did you re-set up his user profile on the new machine? I.e. did you have to copy over his files to his Desktop, set up Outlook again, etc. etc.? Do you guys redirect any folders, such as AppData, Desktop, My Documents, etc.?

If you use roaming profiles or folder redirection then there's a possibility the virus was not entirely removed (depends on what tool you used to remove the virus). I'd say it's more likely though that he was tricked into clicking on something where he re-infected himself. Some people never learn.
0
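The answer above points out that a user profile (especially a roaming one, or redirected folders) can carry malware persistence onto a replacement machine. The following PowerShell triage script is an added example, not code from this thread or from any vendor tool: run as the affected user, it lists per-user autorun entries (HKCU Run key and the Startup folder, both of which travel with a roaming profile) whose target executable lives inside the profile itself (AppData, Temp, the user folder). The environment variables and paths it checks are general Windows locations, not anything specific to Cryptowall, so it is a quick check for profile-resident persistence rather than a removal tool.

```powershell
# Added example: flag per-user autorun entries whose executable lives inside the profile.
# Such entries ride along with a roaming profile / NTUSER.DAT, which is one way an
# infection can reappear on a "new" machine. This detects, it does not clean.

$profileRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-InProfile([string]$path) {
    if (-not $path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($path).Trim('"')
    foreach ($root in $profileRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()

# 1. HKCU Run key: stored in the user's registry hive, so it roams with the profile.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $cmd = [string]$props.$name
        # Isolate the executable: first quoted token, else first whitespace-delimited token.
        $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
        if (Test-InProfile $exe) {
            $findings += [pscustomobject]@{ Source = "$runKey\$name"; Target = $cmd }
        }
    }
}

# 2. Startup folder shortcuts: also part of the roaming profile.
$startup = [Environment]::GetFolderPath('Startup')
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if (Test-InProfile $target) {
        $findings += [pscustomobject]@{ Source = $_.FullName; Target = $target }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No profile-resident autorun entries found (check other persistence locations too).' }
```

Anything it reports is worth examining before the profile is copied to or loaded on another machine; an empty result only means these two locations are clean, not that the profile is.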
Wylie Bayes (Network Technician III) commented:
I would use Kaspersky Rescue Disk 10 on any machines you suspect have the virus.  

It's a bootable disk that pulls current definitions from the internet and then sweeps the system, including the boot sectors.

http://support.kaspersky.com/4162
0

bankwest (CTO/Cashier, Author) commented:
I will look at the Cryptowall prevention kit.

We thought we had the virus taken care of.

What should we be using to be sure it is REMOVED completely?
0
jcimarron commented:
bankwest--
It is not easy to get rid of Cryptowall, but here is bleepingcomputer's tutorial on it.
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
and from MalwareBytes
https://forums.malwarebytes.org/index.php?/topic/150193-removal-instructions-for-cryptowall/

However, if it is just one PC user, then that user has to be educated not to access sites which cause Cryptowall.
Look at the "How to prevent your computer from becoming infected by CryptoWall" section in the above bleepingcomputer link.  
Should this user be blocked from the internet?
0
web_tracker (Computer Service Technician) commented:
Although many viruses can be transferred by transferring the user's profile to the new computer, I do not believe this type of malware is transmitted via the user's email attachments or files from their profile. I believe this type of infection is due to a drive-by infection: the user is visiting the same site that infected him in the first place. It may have been a legitimate site that someone hacked into and infected. I have heard that even MS has had websites infected by hackers in the past. I would analyse what type of firewall and antimalware/antivirus software you are using. The paid version of MalwareBytes does a good job of preventing this type of infection.
0

bankwest (CTO/Cashier, Author) commented:
All very good information. I went with MalwareBytes and appreciate all the other input.
0
jcimarron commented:
bankwest--
Glad to have helped.
0
Vulnerabilities
Question has a verified solution.