Really dumb. But here it is: In the Group Policy startup area. Checkforstuff.bat

    REM Checkforstuff.bat: deployed as a Group Policy startup script
    REM Switch to the system drive and go to its root so DIR /s covers the whole drive
    C:
    CD \
    REM List every HELP_DECRYPT* file on the drive and append the listing to a per-machine log on the share
    DIR *HELP_DECRYPT* /s >> \\server\servershare\%computername%.log
    Exit

Then review the servershare later for logs to appear.

From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul
Sent: Thursday, May 28, 2015 1:08 PM
To: '[email protected]'
Subject: RE: [NTSysADM] Cryptlocker

Would you care to share the script once things settle down?

From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
Sent: Thursday, May 28, 2015 11:57 AM
To: '[email protected]'
Subject: RE: [NTSysADM] Cryptlocker

So far I think I have found it. I have Trend running on all machines in the network. I am also setting up a script to detect HELP_DECRYPT and write a file if found with the computer name. If I find any more they will be shut down and replaced as well.

From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent: Thursday, May 28, 2015 12:54 PM
To: ntsysadm
Subject: Re: [NTSysADM] Cryptlocker

I wouldn't restore until I had found the culprit...

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Thu, May 28, 2015 at 12:27 PM, David McSpadden <[email protected]> wrote:

Or I could use open files in shares on the server that was affected. Look at the files as they were being re-encrypted after I restored them. Go to the workstation that was associated with it and find the stupid cryptolocker whatever laying there playing me for an idiot.

From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Link
Sent: Thursday, May 28, 2015 11:37 AM
To: [email protected]
Subject: Re: [NTSysADM] Cryptlocker

The text files created should indicate the affected user with the Owner attribute, no?
On Thu, May 28, 2015 at 11:30 AM, David McSpadden <[email protected]> wrote:

I am pretty sure I have a PC with this on it in my network. I have run scans on workstations. I still do not see it, but I have the tell-tale signs: the HELP_DECRYPT files in network folders, the Word and Excel files not being able to be opened, etc. How do I remove something that Trend is not seeing? Nor Windows Endpoint Protection?

David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190 | F: 317.554.8106
http://imcu.com/ | https://www.facebook.com/IndianaMembersCU | https://twitter.com/IndMembersCU

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
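A fuller version of the startup-script idea from the thread, written here as an added PowerShell example (it is not David's Checkforstuff.bat or anything else posted to the list): it searches the given roots for HELP_DECRYPT* files, records each file's owner as Jonathan Link suggested, and appends the hits as CSV to a per-computer log on the share. The scan roots, the CSV layout and the -Force/-File options are assumptions of this example; the share name \\server\servershare and the HELP_DECRYPT* pattern come from the thread.

```powershell
# Added example, not the thread's Checkforstuff.bat. Assumed values: the scan roots,
# the log share name (reused from the thread), and the CSV layout.
param(
    [string[]]$ScanRoots    = @('C:\', 'D:\Shares'),     # assumption: drives/shares to search
    [string]  $LogShare     = '\\server\servershare',    # share name from the thread
    [string[]]$NotePatterns = @('HELP_DECRYPT*')         # ransom-note file names named in the thread
)

# Collect one record per note file: where it is, who owns it, and when it appeared.
$hits = foreach ($root in $ScanRoots) {
    foreach ($pattern in $NotePatterns) {
        Get-ChildItem -Path $root -Filter $pattern -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # A file written over SMB is owned by the connecting user's account,
                # which is the "Owner attribute" hint from the thread.
                $owner = 'unknown'
                try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Path     = $_.FullName
                    Owner    = $owner
                    Created  = $_.CreationTime
                }
            }
    }
}

if ($hits) {
    # Per-machine log on the central share, as in the thread, but as CSV so it can be sorted and filtered.
    $logFile = Join-Path -Path $LogShare -ChildPath ("{0}.csv" -f $env:COMPUTERNAME)
    $hits | Sort-Object Created | Export-Csv -LiteralPath $logFile -NoTypeInformation -Append

    # Console summary: which accounts own the notes, and the earliest note seen on this machine.
    $hits | Group-Object Owner | Select-Object Name, Count | Format-Table -AutoSize
    $first = $hits | Sort-Object Created | Select-Object -First 1
    Write-Output ("Earliest note: {0} owned by {1} at {2}" -f $first.Path, $first.Owner, $first.Created)
}
```

Run from the same Group Policy startup slot as the batch file; the log file only appears for machines that found something, so an empty share still means no hits. The Owner column is most useful for notes dropped on a file server, where it names the account that connected over the share; matching that account against the server's open sessions (the "open files in shares" step David mentioned) points to the workstation, and the earliest CreationTime bounds when the event started.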
