Solved

Virus HELP

Posted on 2014-10-15
8
172 Views
Last Modified: 2014-10-30
We have now gotten hit for a second time by the Cryptowall Ransomware.      We had everything cleaned up (we thought) and was smooth sailing for about 2 weeks.    Then it hit again and the source is the same user PC that had it before.   However, let me say, the original PC was taken offline and he was given a different machine.  

Can this virus "attach" itself to a user profile????

Or is it more likely that he re-visited a website and got it again.  

I want to understand how this can happen again in such a short period of time.
0
Comment
Question by:bankwest
8 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
Comment Utility
user probably opened the same attachment.. did you install the cryptowall prevention toolkit?  Don't forget to update it periodically
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 167 total points
Comment Utility
Can this virus "attach" itself to a user profile????
Or is it more likely that he re-visited a website and got it again.
From what I've seen, yes the virus does store itself in the user profile. You said you gave the user a new machine though - did you re-setup his user profile on the new machine? i.e. did you have to copy over his files to his Desktop, set up Outlook again, etc. etc.? Do you guys redirect any folders, such as AppData, Desktop, My Documents, etc.?

If you use roaming profiles or folder redirection then there's a possibility the virus was not entirely removed (depends on what tool you used to remove the virus). I'd say it's more likely though that he was tricked into clicking on something where he re-infected himself. Some people never learn.
0
 
LVL 6

Expert Comment

by:Wylie Bayes
Comment Utility
I would use Kaspersky Rescue Disk 10 on any machines you suspect have the virus.  

It's a bootable disk that pulls current definitions from the internet and then sweeps the system, including the boot sectors.

http://support.kaspersky.com/4162
0
 

Author Comment

by:bankwest
Comment Utility
I will look at the Cryptowall prevention kit.    

We thought we had virus taken care of.

What should we be using to be sure it is REMOVED completely?
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 166 total points
Comment Utility
bankwest--
It is not easy to get rid of Cryptowall, but here is bleepingcomputer's tutorial on it.
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
and from MalwareBytes
https://forums.malwarebytes.org/index.php?/topic/150193-removal-instructions-for-cryptowall/

However, if it is just one PC user, then that user has to be educated not to access sites which cause Cryptowall.
Look at the "How to prevent your computer from becoming infected by CryptoWall" section in the above bleepingcomputer link.  
Should this user be blocked from the internet?
0
 
LVL 18

Accepted Solution

by:
web_tracker earned 167 total points
Comment Utility
Although many viruses can be transferred by transferring the user's profile to the new computer, but I do not believe this type of malware is transmitted via the user's email attachments or files from their profile. I believe this type of infection is due to a drive by infection, the user is visiting the same site that infected him in the first place.  It may have been a legitimate site, that someone hacked into and infected. I have heard that even MS has had websites infected by hackers in the past.  I would analyse what type of firewall and antimalware/antivirus software you are using. The paid version of malwarebytes does a good job of preventing this type of infection.
0
 

Author Closing Comment

by:bankwest
Comment Utility
All very good information.   I went with MalwareBytes and appreciate all the other input
0
 
LVL 50

Expert Comment

by:jcimarron
Comment Utility
bankwest--
Glad to have helped.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now