Solved

Virus HELP

Posted on 2014-10-15
Last Modified: 2014-10-30
We have now gotten hit for a second time by the Cryptowall ransomware. We had everything cleaned up (we thought) and it was smooth sailing for about 2 weeks. Then it hit again and the source is the same user PC that had it before. However, let me say, the original PC was taken offline and he was given a different machine.

Can this virus "attach" itself to a user profile?

Or is it more likely that he re-visited a website and got it again.  

I want to understand how this can happen again in such a short period of time.
Question by:bankwest
8 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40383201
The user probably opened the same attachment. Did you install the Cryptowall prevention toolkit? Don't forget to update it periodically.
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 668 total points
ID: 40383215
Can this virus "attach" itself to a user profile????
Or is it more likely that he re-visited a website and got it again.
From what I've seen, yes, the virus does store itself in the user profile. You said you gave the user a new machine, though. Did you re-set up his user profile on the new machine, i.e. did you have to copy over his files to his Desktop, set up Outlook again, etc.? Do you redirect any folders, such as AppData, Desktop, My Documents, etc.?

If you use roaming profiles or folder redirection then there's a possibility the virus was not entirely removed (depends on what tool you used to remove the virus). I'd say it's more likely though that he was tricked into clicking on something where he re-infected himself. Some people never learn.
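As an added example (not code from this thread or from any of its posters) of the check the reply above implies when a profile has been copied to a replacement machine: sweep the user-writable profile folders that roaming profiles and folder redirection carry along, and report executables, including files that carry a PE header under a harmless-looking name. The folder list and the sample profile tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

# User-writable profile locations that roaming profiles and folder redirection
# commonly carry between machines (constructed list for this example).
SUSPECT_SUBDIRS = ["AppData/Roaming", "AppData/Local/Temp", "Desktop", "Downloads"]
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".dll"}


def is_pe_file(path: Path) -> bool:
    """True if the file begins with the 'MZ' DOS header, whatever its name says."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sweep_profile(profile_root: Path) -> list[dict]:
    """Report executables in the suspect folders; flag PE files hiding behind
    a non-executable extension as 'disguised' for manual review."""
    findings = []
    for sub in SUSPECT_SUBDIRS:
        base = profile_root / sub
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if not p.is_file():
                continue
            pe, ext = is_pe_file(p), p.suffix.lower() in EXEC_EXTS
            if pe or ext:
                findings.append({"path": p.relative_to(profile_root).as_posix(),
                                 "pe_header": pe, "exec_ext": ext,
                                 "disguised": pe and not ext})
    return findings


def build_sample_profile() -> Path:
    """Constructed profile tree standing in for a copied roaming profile."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    files = {
        "AppData/Roaming/updater.exe": b"MZ\x90\x00" + b"\x00" * 60,    # plain executable
        "AppData/Local/Temp/invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60, # PE under a PDF name
        "AppData/Roaming/settings.ini": b"[app]\nrun=1\n",
        "Desktop/notes.txt": b"call the bank\n",
        "Documents/report.exe": b"MZ" + b"\x00" * 10,  # outside the swept folders
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

Run `sweep_profile(Path(r"\\server\profiles\user"))` against a real profile share to list what came across with the profile; anything flagged as disguised deserves a look before the profile is reused.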
 
LVL 6

Expert Comment

by:Wylie Bayes
ID: 40383232
I would use Kaspersky Rescue Disk 10 on any machines you suspect have the virus.  

It's a bootable disk that pulls current definitions from the internet and then sweeps the system, including the boot sectors.

http://support.kaspersky.com/4162

Author Comment

by:bankwest
ID: 40383261
I will look at the Cryptowall prevention kit.    

We thought we had the virus taken care of.

What should we be using to be sure it is REMOVED completely?
 
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 664 total points
ID: 40383351
bankwest--
It is not easy to get rid of Cryptowall, but here is bleepingcomputer's tutorial on it.
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
and from MalwareBytes
https://forums.malwarebytes.org/index.php?/topic/150193-removal-instructions-for-cryptowall/

However, if it is just one PC user, then that user has to be educated not to access sites which cause Cryptowall.
Look at the "How to prevent your computer from becoming infected by CryptoWall" section in the above bleepingcomputer link.  
Should this user be blocked from the internet?
 
LVL 18

Accepted Solution

by:web_tracker
web_tracker earned 668 total points
ID: 40383526
Although many viruses can be transferred by transferring the user's profile to the new computer, I do not believe this type of malware is transmitted via the user's email attachments or files from their profile. I believe this type of infection is due to a drive-by infection: the user is visiting the same site that infected him in the first place. It may have been a legitimate site that someone hacked into and infected. I have heard that even MS has had websites infected by hackers in the past. I would analyse what type of firewall and antimalware/antivirus software you are using. The paid version of Malwarebytes does a good job of preventing this type of infection.
 

Author Closing Comment

by:bankwest
ID: 40414191
All very good information. I went with Malwarebytes and appreciate all the other input.
 
LVL 50

Expert Comment

by:jcimarron
ID: 40414552
bankwest--
Glad to have helped.
Question has a verified solution.