My questions are:
1. The computer doesn't seem to have any of the tell tale signs detailed in the article of a ramsomware. I can't find any ransom note, the user says he never saw one, I don't see the files mentioned either. This machine has a current, corporate version of TrendMicro OfficeScan and it appears to have cleaned the virus from the machine but the files remain encrypted. Is that possible?
2. he does not have administrative rights to this machine...none of my users have admin. Is this able to run without admin rights?
Update: He did find a file and we were able to unencrypt his files.