Solved

Virus HELP

Posted on 2014-10-15
8
Medium Priority
191 Views
Last Modified: 2014-10-30
We have now gotten hit for a second time by the Cryptowall Ransomware. We had everything cleaned up (we thought) and it was smooth sailing for about 2 weeks. Then it hit again and the source is the same user PC that had it before. However, let me say, the original PC was taken offline and he was given a different machine.

Can this virus "attach" itself to a user profile????

Or is it more likely that he re-visited a website and got it again.  

I want to understand how this can happen again in such a short period of time.
0
Question by:bankwest
8 Comments
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40383201
User probably opened the same attachment. Did you install the Cryptowall prevention toolkit? Don't forget to update it periodically.
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 668 total points
ID: 40383215
Can this virus "attach" itself to a user profile????
Or is it more likely that he re-visited a website and got it again.
From what I've seen, yes the virus does store itself in the user profile. You said you gave the user a new machine though - did you re-setup his user profile on the new machine? i.e. did you have to copy over his files to his Desktop, set up Outlook again, etc. etc.? Do you guys redirect any folders, such as AppData, Desktop, My Documents, etc.?

If you use roaming profiles or folder redirection then there's a possibility the virus was not entirely removed (depends on what tool you used to remove the virus). I'd say it's more likely though that he was tricked into clicking on something where he re-infected himself. Some people never learn.
0
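
An added example, not part of the original thread or of any tool named in it: before a copied, roaming or redirected profile is restored onto a clean machine, a sketch like this lists the files in it that deserve review. The extension lists, reason labels and sample files are assumptions constructed for the illustration.

```python
import tempfile
from pathlib import Path

# Assumed extension lists for this example; tune them to your environment.
PE_EXT = {".exe", ".dll", ".scr", ".com", ".cpl", ".sys"}
SCRIPT_EXT = {".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
# Per-user folder whose contents are launched at every logon.
STARTUP = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")

def starts_with_mz(path):
    """True if the file begins with the 'MZ' header of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:  # unreadable file: skipped, not flagged
        return False

def audit_profile(profile_root):
    """Return sorted (reason, relative path) pairs to review before a restore."""
    root, findings = Path(profile_root), []
    for full in (p for p in root.rglob("*") if p.is_file()):
        rel, ext = full.relative_to(root), full.suffix.lower()
        if STARTUP in rel.parents:
            findings.append(("autostart", rel.as_posix()))
        if starts_with_mz(full):
            reason = "pe" if ext in PE_EXT else "disguised-pe"
            findings.append((reason, rel.as_posix()))
        elif ext in SCRIPT_EXT:
            findings.append(("script", rel.as_posix()))
    return sorted(findings)

def build_sample_profile(root):
    """Create a small constructed profile copy (headers only, nothing runnable)."""
    samples = {
        STARTUP / "updater.lnk": b"L\x00\x00\x00",
        Path("AppData/Roaming/abcd/invoice.pdf"): b"MZ\x90\x00",
        Path("AppData/Local/Temp/setup.exe"): b"MZ\x90\x00",
        Path("Desktop/run.vbs"): b"WScript.Echo 1",
        Path("Documents/notes.txt"): b"hello",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        print(*audit_profile(tmp), sep="\n")
```

Legitimate software also installs under AppData, so each finding is a prompt for review rather than a verdict; the "disguised-pe" and "autostart" entries are the ones to look at first.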
 
LVL 6

Expert Comment

by:Wylie Bayes
ID: 40383232
I would use Kaspersky Rescue Disk 10 on any machines you suspect have the virus.  

It's a bootable disk that pulls current definitions from the internet and then sweeps the system, including the boot sectors.

http://support.kaspersky.com/4162
0

 

Author Comment

by:bankwest
ID: 40383261
I will look at the Cryptowall prevention kit.    

We thought we had the virus taken care of.

What should we be using to be sure it is REMOVED completely?
0
 
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 664 total points
ID: 40383351
bankwest--
It is not easy to get rid of Cryptowall, but here is bleepingcomputer's tutorial on it.
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
and from MalwareBytes
https://forums.malwarebytes.org/index.php?/topic/150193-removal-instructions-for-cryptowall/

However, if it is just one PC user, then that user has to be educated not to access sites which cause Cryptowall.
Look at the "How to prevent your computer from becoming infected by CryptoWall" section in the above bleepingcomputer link.  
Should this user be blocked from the internet?
0
 
LVL 18

Accepted Solution

by:
web_tracker earned 668 total points
ID: 40383526
Although many viruses can be transferred by transferring the user's profile to the new computer, I do not believe this type of malware is transmitted via the user's email attachments or files from their profile. I believe this type of infection is due to a drive-by infection: the user is visiting the same site that infected him in the first place. It may have been a legitimate site that someone hacked into and infected. I have heard that even MS has had websites infected by hackers in the past. I would analyse what type of firewall and antimalware/antivirus software you are using. The paid version of Malwarebytes does a good job of preventing this type of infection.
0
 

Author Closing Comment

by:bankwest
ID: 40414191
All very good information. I went with MalwareBytes and appreciate all the other input.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40414552
bankwest--
Glad to have helped.
0


Question has a verified solution.
