Very true...

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Thu, May 28, 2015 at 12:52 PM, Jonathan Link <[email protected]> wrote:
> Sure, if you run with everyone having admin rights.
> If you run without admin rights, the extent of infection is really low.
> And then there's the fact that you can check which user account is
> encrypting the files...
>
> On Thu, May 28, 2015 at 12:43 PM, HANK ARNOLD <[email protected]> wrote:
>
>> I'm dubious that the problem is retracted to a single computer. These
>> "crypto" packages are fast and furious about infecting any hard drive it
>> can access.
>>
>> Hank Arnold
>> Microsoft MVP - Consumer Security
>>
>> On Thu, May 28, 2015 at 12:11 PM, David McSpadden wrote:
>>
>>> As soon as I find it.
>>> Off the network and down to me.
>>> Re-image or dispose depending on the age.
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
>>> Sent: Thursday, May 28, 2015 12:07 PM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] Cryptlocker
>>>
>>> Oh, and we re-imaged the PC that was infected. Completely overwrote the
>>> HD. The only way to be sure.
>>>
>>> On Thu, May 28, 2015 at 12:05 PM, Michael Leone wrote:
>>>
>>>> We just had that happen last week. My boss ran scans with our Kaspersky
>>>> Enterprise AV to clean the PC in question; scanned everything else, and I
>>>> restored files from last week's backups.
>>>>
>>>> On Thu, May 28, 2015 at 11:44 AM, Susan Bradley wrote:
>>>>
>>>>> First off, be aware that the only way to really make sure something is
>>>>> gone from an impacted machine is to rebuild it.
>>>>>
>>>>> Cryptolocker (and its variants) want to encrypt data, so how's your
>>>>> backups, as you'll need to restore that data and shadow copies may be gone.
>>>>>
>>>>> http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
>>>>>
>>>>> What should you do when you discover your computer is infected with CryptoWall
>>>>>
>>>>> If you discover that your computer is infected with CryptoWall you
>>>>> should immediately scan your computer with an anti-virus or anti-malware
>>>>> program. Unfortunately, most people do not realize CryptoWall is on their
>>>>> computer until it displays the ransom note and your files have already
>>>>> been encrypted. The scans, though, will at least detect and remove any
>>>>> other malware that may have been installed along with CryptoWall.
>>>>>
>>>>> Some of the files where associated malware have been found are:
>>>>>
>>>>> %Temp%
>>>>> C:\.exe
>>>>> %AppData%
>>>>> %LocalAppData%
>>>>> %ProgramData%
>>>>>
>>>>> If Trend is coming back with nothing, use Malwarebytes or even a
>>>>> boot-under-the-OS a/v tool to scan that system.
>>>>>
>>>>> MS wants feedback on patching: http://tinyurl.com/patchingsurvey
>>>>>
>>>>> On 5/28/2015 8:30 AM, David McSpadden wrote:
>>>>>
>>>>>> I am pretty sure I have a PC with this on it in my network.
>>>>>>
>>>>>> I have run scans on workstations.
>>>>>>
>>>>>> I still do not see it but I have the telltale signs.
>>>>>>
>>>>>> The HELP_DECRYPT files in network folders.
>>>>>>
>>>>>> The Word and Excel files not being able to be opened etc.
>>>>>>
>>>>>> How do I remove something that Trend is not seeing?
>>>>>>
>>>>>> Nor Windows Endpoint Protection?
>>>>>>
>>>>>> David McSpadden
>>>>>> Systems Administrator
>>>>>> Indiana Members Credit Union
>>>>>> P: 317.554.8190 | F: 317.554.8106
>>>>>>
>>>>>> This e-mail and any files transmitted with it are property of Indiana
>>>>>> Members Credit Union, are confidential, and are intended solely for the
>>>>>> use of the individual or entity to whom this e-mail is addressed. If you
>>>>>> are not one of the named recipient(s) or otherwise have reason to believe
>>>>>> that you have received this message in error, please notify the sender
>>>>>> and delete this message immediately from your computer. Any other use,
>>>>>> retention, dissemination, forwarding, printing, or copying of this email
>>>>>> is strictly prohibited.
>>>>>>
>>>>>> Please consider the environment before printing this email.
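Jonathan Link's point above, that you can check which user account is encrypting the files, worked through as an added PowerShell example that is not code from the thread or from any of its posters. It locates the HELP_DECRYPT ransom notes David describes on a share, reads each note's NTFS owner (the note is written by the infected user's account), summarises which account created them, when, and in which folders, and then maps that account to a client computer through the file server's open SMB sessions. The share path is an assumed placeholder.

```powershell
# Added example, not code from the thread. Run on the file server that shows
# HELP_DECRYPT files. The share path below is an assumed placeholder.
$SharePath = '\\FILESERVER\Shared'

# CryptoWall drops a HELP_DECRYPT.* note into every folder it encrypts; the
# note is created under the infected user's account, so its owner names it.
$notes = Get-ChildItem -Path $SharePath -Recurse -Force -File `
            -Filter 'HELP_DECRYPT.*' -ErrorAction SilentlyContinue
if (-not $notes) { Write-Host "No HELP_DECRYPT.* files under $SharePath"; return }

$report = foreach ($note in $notes) {
    [pscustomobject]@{
        Owner   = (Get-Acl -LiteralPath $note.FullName).Owner
        Folder  = $note.DirectoryName
        Created = $note.CreationTime
    }
}

# One account normally dominates: that is the user logged on to the infected PC.
Write-Host "Accounts that created ransom notes:"
$byOwner = $report | Group-Object Owner | Sort-Object Count -Descending
$byOwner |
    Select-Object @{n='Account';e={$_.Name}}, Count,
        @{n='FirstNote';e={($_.Group | Sort-Object Created)[0].Created}},
        @{n='LastNote'; e={($_.Group | Sort-Object Created)[-1].Created}} |
    Format-Table -AutoSize

# Folders in the order they were hit, which shows where the encryption started
# and gives the restore-from-backup scope Susan mentions.
Write-Host "Folders touched, oldest first:"
$report | Sort-Object Created | Select-Object Created, Owner, Folder | Format-Table -AutoSize

# Map the top account to a workstation via the server's open SMB sessions so the
# machine can be pulled off the network (Get-SmbSession: Server 2012 / PS 3+).
$user = $byOwner[0].Name.Split('\')[-1]
Write-Host "Open SMB sessions for ${user}:"
Get-SmbSession | Where-Object ClientUserName -like "*\$user" |
    Select-Object ClientComputerName, ClientUserName, SessionId | Format-Table -AutoSize
```

If the owner comes back as a SID or a local account rather than a domain user, the notes were written by a machine that is not on the domain or by a profile that has since been deleted, which is itself a useful lead.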
