I wouldn't restore until I had found the culprit...
*ASB **http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker> *Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...* On Thu, May 28, 2015 at 12:27 PM, David McSpadden <[email protected]> wrote: > Or I could use open files in shares on the server that was affected. > > Look at the files as they were being reencrypted after I restored them. > > Go that the workstation that was associated with it and find the stupid > cryptolocker whatever laying there playing me for an idoit. > > > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Jonathan Link > *Sent:* Thursday, May 28, 2015 11:37 AM > *To:* [email protected] > *Subject:* Re: [NTSysADM] Cryptlocker > > > > The text files created should indicate the affected user with the Owner > attribute, no? > > > > > > On Thu, May 28, 2015 at 11:30 AM, David McSpadden <[email protected]> wrote: > > I am pretty sure I have pc with this on it in my network. > > I have ran scans on workstations. > > I still do not see it but I have the tell tale signs. > > The HELP_DECRYPT files in network folders. > > The word and excel files not being able to be opened etc. > > How do I remove something that Trend is not seeing? > > Nor Windows Endpoint protection? > > > > > > *David McSpadden* > > Systems Administrator > > Indiana Members Credit Union > > P: 317.554.8190 | F: 317.554.8106 > > [image: Description: imcu email icon] <http://imcu.com/> [image: > Description: facebook email icon] > <https://www.facebook.com/IndianaMembersCU> [image: Description: twitter > email icon] <https://twitter.com/IndMembersCU> > > > > [image: Description: email logo] > > [image: mcp2] > > > > This e-mail and any files transmitted with it are property of Indiana > Members Credit Union, are confidential, and are intended solely for the use > of the individual or entity to whom this e-mail is addressed. If you are > not one of the named recipient(s) or otherwise have reason to believe that > you have received this message in error, please notify the sender and > delete this message immediately from your computer. Any other use, > retention, dissemination, forwarding, printing, or copying of this email is > strictly prohibited. > > > > Please consider the environment before printing this email. > > > > This e-mail and any files transmitted with it are property of Indiana > Members Credit Union, are confidential, and are intended solely for the use > of the individual or entity to whom this e-mail is addressed. If you are > not one of the named recipient(s) or otherwise have reason to believe that > you have received this message in error, please notify the sender and > delete this message immediately from your computer. Any other use, > retention, dissemination, forwarding, printing, or copying of this email is > strictly prohibited. > > Please consider the environment before printing this email. >
