mj5150

The issue is, the HELP_RESTORE text files showed several different owners, so it's hard to tell if all these people got infected at the same time, or if it came from one spot and then spread out to others. I was told by another person once that all you need to do to find the source of the infection is check the owner of the HELP_RESTORE text file. Well, I checked and found at least nine or ten different owners when I checked a few of those files. -Mike

I agree, but how do I found out which computer that was? I have about 25 users, none of them can recall a suspicious e-mail/attachment. At least they aren't admitting it. ESET quarantined the infection, but it is sitting in the C:\Users\<username> folder for a handful of users. -Mike

One of our customers was infected with a couple variants of the ransomware, Win32/Filecoder.EM trojan and Win32/Injector.BYPX trojan. The HELP_RESTORE text files are all over the C: drive on the server they RDP to, dated from 04/17/2015, but the quarantined files are from 04/20/2015 and 04/23/2015. No text files on the network drives on the server. How do I find where this infection came from? I thought checking the owner under properties would tell you the source if the infection. When I checked the properties of a handful of the text files, the owner is the user profile where the file is located. Is there another way to find the source of the infection? -Mike