We received a phone call about a client getting infected with some variant of Cryptowall 3.0.
We have seen them before and have a good backup. We are able to tell by the HTML file it creates who downloaded the virus and at what time.
We can tell by the web monitoring product in GFI what website did that. We know what PC the user was using. Local AV did not see anything. However, the virus got to some files on the server and then disappeared within an hour (infection activity stopped).
The biggest headache is we can't find the actual virus on the desktop. Malwarebytes found a c400.tmp file in c:\users\%username%\appdata\local\temp\low\ (virus came via IE).
But that's it. No EXE, nothing. The user says that he did not see any ransom pop-up. Infections have stopped. We checked for random exe on that PC.
We checked every other PC in that office; this user did not log on to any of them. So this is the PC.
The question is: what killed the virus? I have seen Crypto before and it always used a random .exe.
Is the virus killed? Can it be dormant? Can the virus be executed via a website without an exe being installed on the PC?