Solved

Virus HELP

Posted on 2014-10-15
8
188 Views
Last Modified: 2014-10-30
We have now gotten hit for a second time by the Cryptowall Ransomware.      We had everything cleaned up (we thought) and was smooth sailing for about 2 weeks.    Then it hit again and the source is the same user PC that had it before.   However, let me say, the original PC was taken offline and he was given a different machine.  

Can this virus "attach" itself to a user profile????

Or is it more likely that he re-visited a website and got it again.  

I want to understand how this can happen again in such a short period of time.
0
Comment
Question by:bankwest
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40383201
user probably opened the same attachment.. did you install the cryptowall prevention toolkit?  Don't forget to update it periodically
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 167 total points
ID: 40383215
Can this virus "attach" itself to a user profile????
Or is it more likely that he re-visited a website and got it again.
From what I've seen, yes the virus does store itself in the user profile. You said you gave the user a new machine though - did you re-setup his user profile on the new machine? i.e. did you have to copy over his files to his Desktop, set up Outlook again, etc. etc.? Do you guys redirect any folders, such as AppData, Desktop, My Documents, etc.?

If you use roaming profiles or folder redirection then there's a possibility the virus was not entirely removed (depends on what tool you used to remove the virus). I'd say it's more likely though that he was tricked into clicking on something where he re-infected himself. Some people never learn.
0
 
LVL 6

Expert Comment

by:Wylie Bayes
ID: 40383232
I would use Kaspersky Rescue Disk 10 on any machines you suspect have the virus.  

It's a bootable disk that pulls current definitions from the internet and then sweeps the system, including the boot sectors.

http://support.kaspersky.com/4162
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 

Author Comment

by:bankwest
ID: 40383261
I will look at the Cryptowall prevention kit.    

We thought we had virus taken care of.

What should we be using to be sure it is REMOVED completely?
0
 
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 166 total points
ID: 40383351
bankwest--
It is not easy to get rid of Cryptowall, but here is bleepingcomputer's tutorial on it.
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
and from MalwareBytes
https://forums.malwarebytes.org/index.php?/topic/150193-removal-instructions-for-cryptowall/

However, if it is just one PC user, then that user has to be educated not to access sites which cause Cryptowall.
Look at the "How to prevent your computer from becoming infected by CryptoWall" section in the above bleepingcomputer link.  
Should this user be blocked from the internet?
0
 
LVL 18

Accepted Solution

by:
web_tracker earned 167 total points
ID: 40383526
Although many viruses can be transferred by transferring the user's profile to the new computer, but I do not believe this type of malware is transmitted via the user's email attachments or files from their profile. I believe this type of infection is due to a drive by infection, the user is visiting the same site that infected him in the first place.  It may have been a legitimate site, that someone hacked into and infected. I have heard that even MS has had websites infected by hackers in the past.  I would analyse what type of firewall and antimalware/antivirus software you are using. The paid version of malwarebytes does a good job of preventing this type of infection.
0
 

Author Closing Comment

by:bankwest
ID: 40414191
All very good information.   I went with MalwareBytes and appreciate all the other input
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40414552
bankwest--
Glad to have helped.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question