• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3846
  • Last Modified:

Shortcut Virus on File Server

Hi folks, got an issue with our file server: some Office files have been replaced by a shortcut whose target points to the following

C:\WINDOWS\system32\cmd.exe /C start cmd.exe /C if exist \thumbs.dbh start \thumbs.dbh && start "" excel.exe "name of file"

Have run Mbytes and Windows scan as well as onboard AV scan. Running unhide.exe reveals the files again, but the virus kicks in a short while later and the files are hidden again. If I recover from backup, files are OK for a while, then the problem reoccurs.

Any help appreciated.

3 Solutions
Sushil Sonawane commented:
Run the antivirus scan in safe mode.
Pete Long, Technical Consultant, commented:
Reported at McAfee as BackDoor-FHI (ED)

Update your AV definitions and rescan
Sikhumbuzo Ntsada, Senior IT Technician, commented:
Looks like your on-board AV is compromised. I would suggest you install another one, even if it's trial mode.

Also check for any unknown start up files and remove them manually using "HijackThis"

I would check your firewall access to see if you have any open ports that aren't supposed to be there. Check when those files were replaced and if so, by whom.

If you can take your FS offline: boot to safe mode, run rKill.exe, run a full scan with Malwarebytes and Spybot (you can run these at the same time), reboot into regular mode, run TDSSKiller and cure/delete.
Run HijackThis and terminate any rogue processes.
Take offline (unplug from Internet).
Uninstall your current full antivirus using the removal tool provided by the website. (If you are hesitant about being without antivirus during this process, I suggest Microsoft Security Essentials; it's small and quick and easy to install and uninstall when you get your server-grade one back.)
Reinstall antivirus with updates and then on-demand scan or what have you.
Take off MSE and plug the Internet back in (may have more updates for the antivirus to install).

Check firewall settings and network back up.

Let me know what happens then.
Had this with a client 2 weeks ago on 1 desktop. Simply installed Sophos (can try trial) and it removed it. To clean server files, use another machine (even if you think the original machine is clean) to remote onto the server (or use the server console) and right-click the data folder, left-click Properties. Tick Hidden and OK. Then repeat but untick Hidden, and when asked if you wish to apply to all sub folders and sub files, OK. Now you have your original files unhidden. Then run a search for *.lnk; you will see hundreds of these in sub folders. I cut them and put them in a new folder D:\Virus\<date time> (or C:\Virus\<date time>) for those with a similar time and date (they will differ by seconds or 2 or 3 minutes). You should not have any that are recent if the virus is removed. Best to cut than delete in case you choose real shortcuts. Job done.
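The manual steps in the last two comments (unhide the originals, find the *.lnk files, check when they appeared and who owns them, and cut rather than delete them into a dated quarantine folder) can be scripted. The following PowerShell is an added example written for this thread, not code from any of the posters. It assumes it is run as an administrator on the server, that the rogue shortcuts share the cmd.exe / thumbs.db target quoted in the question, and uses placeholder paths (D:\Data, D:\Virus\<date time>) that you would substitute for your own.

```powershell
<#
  Added example: triage the "shortcut virus" pattern on a file-server share.
  Assumptions: administrator session on the server, Windows PowerShell 5.1,
  and that the malicious .lnk files point cmd.exe at a thumbs.db* payload as
  in the target quoted in the question. Paths below are placeholders.
  Without -Move the script only reports; with -Move it quarantines.
#>
param(
    [string]$Share      = 'D:\Data',                                    # placeholder: share root to triage
    [string]$Quarantine = ('D:\Virus\' + (Get-Date -Format 'yyyyMMdd-HHmmss')),
    [switch]$Move
)

$shell = New-Object -ComObject WScript.Shell

# Indicator taken from the shortcut target quoted in the question: cmd.exe
# starting a thumbs.db* payload before opening the real document.
function Test-SuspiciousShortcut([string]$Path) {
    try   { $lnk = $shell.CreateShortcut($Path) }
    catch { return $false }
    $target = "$($lnk.TargetPath) $($lnk.Arguments)"
    return ($target -match '(?i)cmd\.exe' -and $target -match '(?i)thumbs\.db')
}

# 1. Make the hidden originals visible again (same effect as unticking
#    "Hidden" on the folder and applying it to all subfolders and files).
Get-ChildItem -Path $Share -Recurse -Force -File |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
    ForEach-Object { $_.Attributes = ($_.Attributes -band (-bnot [IO.FileAttributes]::Hidden)) }

# 2. Find every .lnk under the share, keep those with the malicious target,
#    and record when they appeared and who created them ("by whom").
$suspects = Get-ChildItem -Path $Share -Recurse -Force -Filter '*.lnk' -File |
    Where-Object { Test-SuspiciousShortcut $_.FullName } |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
            Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
        }
    }

# 3. Report. Grouping by creation minute makes the bursts stand out (the
#    shortcuts from one run differ by seconds or a few minutes). A group
#    with a recent timestamp after cleanup means the infection is still live.
$suspects | Sort-Object Created |
    Format-Table @{n='Created'; e={ $_.Created.ToString('s') }}, Owner, Path -AutoSize | Out-Host

$suspects | Group-Object { $_.Created.ToString('yyyy-MM-dd HH:mm') } |
    ForEach-Object { '{0}  {1} shortcut(s)' -f $_.Name, $_.Count }

# 4. Quarantine: cut, don't delete, preserving the relative path so a real
#    shortcut caught by mistake can be put back where it came from.
if ($Move -and $suspects) {
    foreach ($s in $suspects) {
        $rel  = $s.Path.Substring($Share.TrimEnd('\').Length).TrimStart('\')
        $dest = Join-Path $Quarantine $rel
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Move-Item -LiteralPath $s.Path -Destination $dest
    }
    "Moved $($suspects.Count) shortcut(s) to $Quarantine"
}
```

Run it once without -Move and read the report: the Owner column tells you which account wrote the shortcuts (and therefore which workstation or user session to disinfect), and any group whose timestamp is later than your last cleanup means the infection is still active somewhere on the network, which matches the "files are hidden again a short while later" symptom in the question. Only then run it with -Move. The WScript.Shell CreateShortcut call is the standard COM interface for reading a .lnk target; the thumbs.db pattern is the one quoted in this thread and should be adjusted if your shortcuts point elsewhere.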