As soon as I find it. Off the network and down to me. Re-image or dispose depending on the age.
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone Sent: Thursday, May 28, 2015 12:07 PM To: [email protected] Subject: Re: [NTSysADM] Cryptlocker Oh, and we re-imaged the PC that was infected. Completely overwrote the HD. The only way to be sure. On Thu, May 28, 2015 at 12:05 PM, Michael Leone <[email protected]> wrote: > We just had that happen last week. My boss ran scans with our > Kaspersky Enterprise AV to clean the PC in question; scanned > everything else, and I restored files from last week's backups. > > On Thu, May 28, 2015 at 11:44 AM, Susan Bradley <[email protected]> wrote: >> First off be aware that the only way to really make sure something is >> gone from an impacted machine is to rebuilt it. >> >> Cryptolocker (and it's variants) want to encrypt data, so how's your >> backups as you'll need to restore that data and shadowcopies may be gone. >> >> http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-i >> nformation >> >> *_What should you do when you discover your computer is infected with >> CryptoWall_* >> >> If you discover that your computer is infected with CryptoWall you >> should immediately scan your computer with an anti-virus or anti-malware >> program. >> Unfortunately, most people do not realize CryptoWall is on their >> computer until it displays the ransom note and your files have >> already been encrypted. The scans, though, will at least detect and >> remove any other malware that may have been installed along with CryptoWall. >> >> Some of the files where associated malware have been found are: >> >> *%Temp% >> C:\<random>\<random>.exe >> %AppData% >> %LocalAppData% >> %ProgramData% >> * >> >> * >> * >> >> If trend is coming back with nothing, use malwarelbytes or even a >> boot under the OS a/v tool to scan that system. >> >> >> >> MS wants feedback on patching: http://tinyurl.com/patchingsurvey On >> 5/28/2015 8:30 AM, David McSpadden wrote: >>> >>> >>> I am pretty sure I have pc with this on it in my network. >>> >>> I have ran scans on workstations. >>> >>> I still do not see it but I have the tell tale signs. >>> >>> The HELP_DECRYPT files in network folders. >>> >>> The word and excel files not being able to be opened etc. >>> >>> How do I remove something that Trend is not seeing? >>> >>> Nor Windows Endpoint protection? >>> >>> *David McSpadden* >>> >>> Systems Administrator >>> >>> Indiana Members Credit Union >>> >>> P: 317.554.8190 |F: 317.554.8106 >>> >>> Description: imcu email icon <http://imcu.com/> Description: >>> facebook email icon <https://www.facebook.com/IndianaMembersCU> >>> Description: twitter email icon <https://twitter.com/IndMembersCU> >>> >>> Description: email logo >>> >>> mcp2 >>> >>> This e-mail and any files transmitted with it are property of >>> Indiana Members Credit Union, are confidential, and are intended >>> solely for the use of the individual or entity to whom this e-mail >>> is addressed. If you are not one of the named recipient(s) or >>> otherwise have reason to believe that you have received this message >>> in error, please notify the sender and delete this message >>> immediately from your computer. Any other use, retention, >>> dissemination, forwarding, printing, or copying of this email is strictly >>> prohibited. >>> >>> >>> Please consider the environment before printing this email. >>> >> >> >> This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
