This is my work computer, so I don't have total control over it. I do have the administrator password. Windows 7 Pro SP1, it's one of 3 terminals connected to a Windows Server 2008 server. This contains the database for the business (small hotel).
So today I get to work to find the MSE icon orange. I open it, and it's asking me to restart the computer to complete the cleanup. I go to History, and find multiple entries of these:
Under the "Ransom" entries, the only file listed is HELP_DECRYPT.HTML. When I go to the folders, there is that file, and there are two more: HELP_DECRYPT.TXT and HELP_DECRYPT.PNG.
All our files though, appear to be OK, unencrypted and healthy.
I understand these files themselves are not the ransomware, but I am wondering how they got copied to all the folders. Is it possible for this trojan to run without administrative privileges (i.e. someone had to enter the password)? If not, how could these HTML, PNG and TXT files have been copied to the PC?
I'm also trying to figure out how this might have happened. We have security cameras covering the front desk, and at the time indicated by the files' "date created", "date accessed" and "date modified" fields (all the same date and time), no one was apparently using a browser. The resolution on the video is bad, but I think I can see a popup from the lower right corner of the computer monitor, which might be the AV. No one was attending the computer at that time though.
We have Firefox 40.0.3 and Chrome 45.0.2454.85 m. I don't know which browser was used. Firefox is set to always use private mode, but the history in Chrome shows one suspicious item at about the time the files indicate:
There is no web address associated with that entry that I can tell. The icon is LastPass's icon. Not sure if that is LastPass's doing, because it's installed in these 2 browsers, but no one uses it but me.
Thanks, any help will be much appreciated.
Edited by andy o, 05 September 2015 - 02:11 AM.
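One way to answer the two questions in the post (which account wrote the notes, and when) from the machine itself is to inventory the HELP_DECRYPT.* files and read each one's owner and timestamps. This is an added example, not code from the post or from any tool it mentions; the note names come from the post, while the scan roots are placeholders to adjust. It is written for the PowerShell 2.0 that ships with Windows 7 SP1.

```powershell
# Added example: inventory ransom-note files and report who created them and when.
# Assumptions: note names are HELP_DECRYPT.* (from the post); $roots are placeholder
# paths to replace with the local drives or mapped shares that hold the notes.
$noteNames = 'HELP_DECRYPT.HTML', 'HELP_DECRYPT.TXT', 'HELP_DECRYPT.PNG'
$roots     = 'C:\Users', 'D:\'   # placeholders; adjust to the real locations

# Collect every note file under the roots (notes are only read, never modified).
$notes = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue -Include $noteNames |
        Where-Object { -not $_.PSIsContainer }
}

# Build one record per note: folder, NTFS owner (the account that created the file),
# and the creation/last-write times the post compares against the camera footage.
$report = foreach ($f in $notes) {
    $owner = 'unknown'
    try { $owner = (Get-Acl -Path $f.FullName).Owner } catch { }
    New-Object -TypeName PSObject -Property @{
        Folder  = $f.DirectoryName
        Name    = $f.Name
        Owner   = $owner
        Created = $f.CreationTime
        Written = $f.LastWriteTime
    }
}

# Earliest note approximates the start of the drop; match it against the video time.
$report | Sort-Object Created | Select-Object -First 1 Created, Written, Owner, Folder | Format-List

# Full timeline: the spread of creation times shows how long the run took.
$report | Sort-Object Created | Format-Table Created, Owner, Folder -AutoSize

# Distinct owners: if only the ordinary logged-in user appears (not Administrators or
# SYSTEM), the notes were written without elevation, which answers the privilege question.
$report | Group-Object Owner | Select-Object Name, Count
```

The owner field is set at creation time by NTFS, so it reflects the account the process ran as rather than anything the ransomware chose to write.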