Did you figure out how it was running? Would a full whitelist (instead of just blacklisting the User profile) have stopped it? This person was not a local administrator, was fully patched, and was running Chrome and Vipre AV. We don't allow executables from the profile path either.
Good question. Before a reinstall of the OS I scanned with 4 different scanners - Vipre, Combofix, Panda, and Comodo. The only thing found was a file named ec77.tmp in their appdata\local\temp folder. Tagged it as a generic trojan. Not sure if it was related or not.
If I had the time, I would have installed a new drive in their machine and kept the other one for scanning later on, after Vipre had a few more definition updates, but things were pretty rushed that day and I just needed to get them back up and running.
Would a whitelist have...