Ok. The VM Primary is back up and online. The IT Admin is able to log in with 'his' credentials. He had to fix the clock sync issue that just happened to crop up.

Since it is only the Admin account that this is happening on, we are taking the following course of action(s):

1. When the Admin is logged in with his credentials (for example, John Doe's login would be ServerName\jdoe; John has admin rights and is not logging in as ServerName\Administrator), will rename the Administrator folder to dAdministrator.
2. Log in with the administrator login, which is ServerName\Administrator.
3. Keep an eye on the Remote Desktop screen and see if anything comes up.

I know changing the Administrator folder name may be a long shot, but, so far, nothing has come up when he logs in with the Administrator credentials. But we still believe that this server is suspect. As well as their backups.

Keep you all updated. Thanks for your input.

Daniel

On Fri, Jun 12, 2015 at 3:09 PM, J- P <[email protected]> wrote:

> DISCONNECT/DISABLE the LAN at the very least; if nothing on it is needed,
> kill it.
>
> If it someway somehow accesses a file server, or worse a NAS/SAN, have
> fun this weekend :)
>
> ------------------------------
> Date: Fri, 12 Jun 2015 14:49:09 -0500
> Subject: Re: [NTSysADM] OT(perhaps) But need direction
> From: [email protected]
> To: [email protected]
>
> Single DC....
>
> But!!!
>
> Found out that this server is on a VM. So, we can reboot this server. It
> seems that this issue is only happening in my Remote Desktop session. The
> server is slow, as the Admin is able to log in with his own credentials and
> get into that same server. It is running extremely slow and my session is
> taking up a lot of system resources.
>
> We are going to reboot that VM and see where that leaves us when it comes
> back up.
>
> Keep you informed.
>
> Daniel
>
> On Fri, Jun 12, 2015 at 1:42 PM, J- P <[email protected]> wrote:
>
> > Shut it down; the longer it's on, the more files it's going to encrypt.
> > Hopefully it's just a DC and not a file server.
> > If nothing is needed from the server, wipe and reinstall.
> > Then the fun begins: finding what computer is the source.
> >
> > ------------------------------
> > Date: Fri, 12 Jun 2015 13:34:52 -0500
> > Subject: Re: [NTSysADM] OT(perhaps) But need direction
> > From: [email protected]
> > To: [email protected]
> >
> > Oops?!?
> >
> > What do you mean 'Oops'!?!
> >
> > Nothing good comes after 'Oops'!
> >
> > On the DC server.
> >
> > On Fri, Jun 12, 2015 at 1:31 PM, David McSpadden <[email protected]> wrote:
> >
> > > Was the popup on your laptop or the DC?
> > > CRYPTO attacked each mapped drive on the infected device.
> > > If it was the DC, that is not good.
> > > If it was the laptop, still not good, but just wipe and restore.
> > >
> > > *From:* [email protected] [mailto:[email protected]] *On Behalf Of* D R
> > > *Sent:* Friday, June 12, 2015 2:26 PM
> > > *To:* ntsysadm
> > > *Subject:* [NTSysADM] OT(perhaps) But need direction
> > >
> > > I am currently onsite working with the IT Admin about a new online
> > > ticketing system.
> > >
> > > Around 12:45pm, I was logged in to the Primary DC via a remote desktop
> > > connection from a company-provided laptop, wasn't doing a thing
> > > (seriously, I didn't have anything open, had just logged into the server),
> > > and I see a window pop up that looked like a CMD/DOS window, and on the
> > > title of that window, in capital letters, it read CRYPTOWALL HAS TAKEN
> > > OVER, and then it looks like File Manager screens start popping up and the
> > > server slows to a crawl.
> > >
> > > I have dealt with this Cryptowall virus before, and the only resolution
> > > was to reinstall Windows Server and restore from backup.
> > >
> > > Is this still the 'fix' for this issue? Or is there something else that
> > > can be done?
> > >
> > > Not in the position to try anything. Just need to know where to go from
> > > here so we can help them with this issue.
> > >
> > > --
> > > Daniel Rodriguez
> > > [email protected]
> > > This e-mail and any files transmitted with it are property of Indiana
> > > Members Credit Union, are confidential, and are intended solely for the use
> > > of the individual or entity to whom this e-mail is addressed. If you are
> > > not one of the named recipient(s) or otherwise have reason to believe that
> > > you have received this message in error, please notify the sender and
> > > delete this message immediately from your computer. Any other use,
> > > retention, dissemination, forwarding, printing, or copying of this email is
> > > strictly prohibited.
> > >
> > > Please consider the environment before printing this email.

--
Daniel Rodriguez
[email protected]
