MrWrighty, posted August 19, 2015:
Hi, we have just been hit by the CryptoWall/CryptoLocker virus. We are running Version 5 managed from the Remote Admin Console and fully updated with the latest signatures. ESET did highlight and delete some of the encryption html/txt files, but the PC that was infected did end up with encrypted files ending in .aaa. Thankfully I was informed quickly and was able to stop it spreading to the network shares. An exe file was found lurking in the user's Temporary Internet folder. The exe file, with a random name such as wnpwfxred.exe, was happily running in the background and ESET had not picked it up or attempted to kill the process. ESET had only deleted the html/txt files containing some encryption coding. I had to run Malwarebytes in order to remove the offending file, as it had stopped Task Manager from running so I could not search for the offending file and kill the process myself.
Marcos (Administrator), posted August 19, 2015:
If you download the CloudCar test file from hxxp://www.amtso.org/secfeaturescheck/cloudcar.exe, is it detected on the infected computer?
MrWrighty (author), posted August 19, 2015:
I haven't tried, but I used Malwarebytes to remove it so I guess it is now gone. My concern is why ESET missed the file and did not attempt to stop it running and delete the file; surely that is what it is supposed to do. According to ESET they have never ever missed an In-the-Wild virus, so what happened?
Marcos (Administrator), posted August 19, 2015:
There is nothing like 100% malware detection; no security solution provides such. First of all, we need to make sure that your ESET product is configured for maximum protection; that's why I asked you if CloudCar is detected on the computer in question. As for MBAM, it often detects registry or file remnants that are innocuous, so it'd be good if you could supply us with MBAM's quarantine to analyze what it detected.
MrWrighty (author), posted August 19, 2015:
OK, when downloading the CloudCar file I was presented with a warning that the file had not been downloaded much and could be harmful. It did let me download and save the file. I also tried the same file on a standalone V5 installation and it correctly quarantined the file. All machines have real-time file system protection on, web access protection on and email client protection on, controlled by profiles from ERA. The Malwarebytes log is below; I have replaced the user's folder with xxxxxxx for security.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 18/08/2015
Scan Time: 14:11:36
Logfile: MBAW.txt
Administrator: Yes
Version: 2.1.8.1057
Malware Database: v2015.08.18.04
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Cancelled
Objects Scanned: 38136
Time Elapsed: 4 min, 52 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Trojan.TeslaCrypt, C:\Documents and Settings\xxxxxxxxxxx\Application Data\vcwnpd.exe, 3100, Delete-on-Reboot, [da72cb3f42496dc900bf6bf353ade21e]

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.TeslaCrypt, HKU\S-1-5-21-3856658756-1690372353-575384576-1163\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MSCONFIG, C:\Documents and Settings\xxxxxxxxxx\Application Data\vcwnpd.exe, Quarantined, [da72cb3f42496dc900bf6bf353ade21e]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.TeslaCrypt, C:\Documents and Settings\xxxxxxxxxx\Application Data\vcwnpd.exe, Delete-on-Reboot, [da72cb3f42496dc900bf6bf353ade21e],

Physical Sectors: 0
(No malicious items detected)

(end)
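As an added example (not from the thread, and not Malwarebytes' own code), a small Python parser for the MBAM log format quoted above, run on a constructed reflow of that log with the user folder still redacted; it separates the entries MBAM actually quarantined from those only scheduled for Delete-on-Reboot, which is the distinction an investigator needs before treating the host as clean.

```python
import re

# Constructed sample: the Malwarebytes log quoted in the thread, reflowed one entry per
# line and trimmed to the sections that matter (user folder left redacted as in the post).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware
Scan Date: 18/08/2015
Objects Scanned: 38136
Time Elapsed: 4 min, 52 sec
Processes: 1
Trojan.TeslaCrypt, C:\Documents and Settings\xxxxxxxxxx\Application Data\vcwnpd.exe, 3100, Delete-on-Reboot, [da72cb3f42496dc900bf6bf353ade21e]
Modules: 0
(No malicious items detected)
Registry Values: 1
Trojan.TeslaCrypt, HKU\S-1-5-21-3856658756-1690372353-575384576-1163\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MSCONFIG, C:\Documents and Settings\xxxxxxxxxx\Application Data\vcwnpd.exe, Quarantined, [da72cb3f42496dc900bf6bf353ade21e]
Files: 1
Trojan.TeslaCrypt, C:\Documents and Settings\xxxxxxxxxx\Application Data\vcwnpd.exe, Delete-on-Reboot, [da72cb3f42496dc900bf6bf353ade21e],
(end)
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")   # e.g. "Registry Values: 1"
HASH_RE = re.compile(r"^\[([0-9a-f]{32})\]$")         # trailing [md5] of a detection line

def parse_mbam_log(text):
    """Group MBAM detection lines by section as {name, fields, action, hash}.
    fields = the section-specific columns (path and PID for Processes, key|value
    and data for Registry Values, path for Files). Header lines never end in a
    hash, so "Objects Scanned: 38136" is skipped even though it looks like a section."""
    detections = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        parts = [p.strip() for p in line.split(",")]
        parts = [p for p in parts if p]   # drops the empty field left by the Files trailing comma
        if section is None or len(parts) < 3 or not HASH_RE.match(parts[-1]):
            continue
        detections.setdefault(section, []).append({
            "name": parts[0], "fields": parts[1:-2],
            "action": parts[-2], "hash": HASH_RE.match(parts[-1]).group(1),
        })
    return detections

def pending_reboot(detections):
    """Items MBAM could not remove in place (the running binary and its file on disk)."""
    return [(sec, d["fields"][0]) for sec, items in detections.items()
            for d in items if d["action"] == "Delete-on-Reboot"]
```

Anything returned by pending_reboot is still present until the machine restarts, so a scan run before the reboot has not yet confirmed removal.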
MrWrighty (author), posted August 19, 2015:
I am confused, as I have the same policy for all clients, both XP 32-bit and Windows 7 64-bit. I have a policy set up that is rolled out to each client. The policy has all real-time protection features enabled. When I look at the local XP machine settings, Scan on file open and Scan on file execution are set to No, but on the Windows 7 machines they are set to Yes. When I check the configuration via ERA it says Scan on file open No and Scan on file execution No. Why is the configuration view not reflecting the actual settings on the machine?
Marcos (Administrator), posted August 19, 2015:
Please compress the content of "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine". Also collect logs using ESET Log Collector on the infected PC as per the instructions at hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3466. Upload both archives to a safe location and PM me the download link.