Shortcut Virus on File Server

Posted on 2012-08-17
Last Modified: 2013-11-22
Hi folks, got an issue with our file server - some Office files have been replaced by a shortcut whose target points to the following:

C:\WINDOWS\system32\cmd.exe /C start cmd.exe /C if exist \thumbs.dbh start \thumbs.dbh && start "" excel.exe "name of file"

Have run Malwarebytes and a Windows scan as well as the onboard AV scan. Running unhide.exe reveals the files again, but the virus kicks in a short while later and the files are hidden again. If I recover from backup, the files are OK for a while, then the problem recurs.

Any help appreciated.

Question by:jovonn
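Added example, not code from the original post or any of the answers: a PowerShell triage script that walks the share, reads each .lnk through the WScript.Shell COM object, flags shortcuts whose target and arguments match the pattern quoted in the question (cmd.exe chaining into "start cmd.exe /C if exist \thumbs.dbh ..."), records whether the hidden original still sits beside each one, and hashes any thumbs.dbh it finds so the sample can be submitted to the AV vendor without opening it. The share root, the report path and the assumption that each shortcut is named after the document it replaced (Report.xlsx.lnk or Report.lnk) are mine; adjust them. Needs PowerShell 4.0 or later for Get-FileHash. It changes nothing on disk.

```powershell
# Added example, not code from the original post: triage the share for the
# shortcut pattern quoted in the question. Assumptions: PowerShell 4.0+
# (Get-FileHash), the share root in $Root, and that each malicious .lnk was
# written beside the document it replaced and named after it.
param(
    [string]$Root   = 'D:\Data',                    # assumed share root
    [string]$Report = "$env:TEMP\lnk-triage.csv"    # assumed output path
)

$shell = New-Object -ComObject WScript.Shell
$hits  = New-Object System.Collections.Generic.List[object]

# Signature taken from the shortcut target in the question: cmd.exe as the
# target, arguments that chain "start cmd.exe /C if exist \thumbs.dbh ..."
$badTarget = '\\cmd\.exe$'
$badArgs   = 'thumbs\.dbh|^\s*/c\s+start\s+cmd\.exe'

Get-ChildItem -Path $Root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_
    # CreateShortcut on an existing .lnk returns its properties without changing it
    $lnk = $shell.CreateShortcut($file.FullName)
    if (-not (($lnk.TargetPath -match $badTarget) -and ($lnk.Arguments -match $badArgs))) { return }

    # Look for the original next to the shortcut: same base name, not a .lnk
    $base = [IO.Path]::GetFileNameWithoutExtension($file.Name)
    $orig = Get-ChildItem -Path $file.DirectoryName -Filter "$base*" -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ne '.lnk' } | Select-Object -First 1

    $hits.Add([pscustomobject]@{
        Shortcut      = $file.FullName
        Written       = $file.LastWriteTime
        Target        = $lnk.TargetPath
        Arguments     = $lnk.Arguments
        OriginalFound = [bool]$orig
        OriginalAttr  = if ($orig) { $orig.Attributes.ToString() } else { '' }
    })
  }

# Find the dropper the shortcut starts. In cmd, "\thumbs.dbh" is relative to
# the drive root, so check there as well as everywhere under the share.
$candidates = @(Get-ChildItem -Path $Root -Filter thumbs.dbh -Recurse -Force -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName)
$candidates += Join-Path (Split-Path -Qualifier $Root) 'thumbs.dbh'
$payloads = $candidates | Sort-Object -Unique | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object {
    [pscustomobject]@{
        Path   = $_
        Size   = (Get-Item -LiteralPath $_ -Force).Length
        SHA256 = (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash   # hash, don't open
    }
}

$hits | Export-Csv -NoTypeInformation -Path $Report
"{0} malicious shortcut(s) under {1}; {2} still have the original beside them. Report: {3}" -f `
    $hits.Count, $Root, @($hits | Where-Object { $_.OriginalFound }).Count, $Report
if ($payloads) { $payloads | Format-Table -AutoSize }
else { "No thumbs.dbh found under $Root or at its drive root." }
```

The Written column is the useful part for the "when and by whom" question raised later in the thread: the malicious shortcuts land in a burst with near-identical timestamps, and the account that owns them (Get-Acl on one of them, or the share's audit log if object-access auditing is on) is the infected client to go and clean, since the server itself is usually only the victim of a client writing to the share.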

    Expert Comment

    by:Sushil Sonawane
    Run the antivirus scan in safe mode.

    Accepted Solution

    Reported at McAfee as BackDoor-FHI (ED)

    Update your AV definitions and rescan

    Expert Comment

    by:Sikhumbuzo Ntsada
    Looks like your on-board AV is compromised; I would suggest you install another one, even if it's in trial mode.

    Also check for any unknown startup files and remove them manually using "HijackThis".

    Assisted Solution

    I would check your firewall access to see if you have any open ports that aren't supposed to be there. Check when those files were replaced and, if you can, by whom.

    If you can, take your FS offline, boot to safe mode, run rKill.exe, run a full scan with Malwarebytes and Spybot (you can run these at the same time), reboot into regular mode, run TDSSKiller and cure/delete.
    Run HijackThis and terminate any rogue processes.
    Take offline (unplug from Internet).
    Uninstall your current full antivirus using the removal tool provided by the vendor's website. (If you are hesitant about being without antivirus during this process, I suggest Microsoft Security Essentials; it's small and quick and easy to install and uninstall when you get your server-grade one back.)
    Reinstall the antivirus with updates and then run an on-demand scan or what have you.
    Remove MSE and plug the Internet back in (there may be more antivirus updates to install).

    Check firewall settings and network back up.

    Let me know what happens then.

    Assisted Solution

    Had this with a client 2 weeks ago on 1 desktop. Simply installed Sophos (you can try the trial) and it removed it.

    To clean the server files, use another machine (even if you think the original machine is clean) to remote onto the server (or use the server console), right-click the data folder, left-click Properties, tick Hidden and click OK. Then repeat but untick Hidden, and when asked if you wish to apply to all subfolders and files, click OK. Now you have your original files unhidden.

    Then run a search for *.lnk - you will see hundreds of these in subfolders. I cut them and put them in a new folder D:\Virus\<date time> (or C:\Virus\<date time>) for those with a similar date/time (they will differ by seconds or 2 or 3 minutes). You should not have any that are recent if the virus has been removed. Best to cut rather than delete in case you choose real shortcuts. Job done.
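Added example, not code from the answer above or from the original post: the same cleanup as a PowerShell script that can be run with -DryRun before it moves anything. It keeps the answer's two rules, cut rather than delete (shortcuts go to D:\Virus\<timestamp>, preserving their folder layout so a real shortcut can be put back exactly) and judge by timestamp (it groups the suspect shortcuts into bursts written within a few minutes of each other and prints each burst, so an isolated, older shortcut stands out before it is moved). The paths, the 5-minute window, the list of names left hidden, and the heuristic that a .lnk with a same-named non-.lnk sibling in its folder is the malware's shortcut are assumptions of mine. Needs PowerShell 3.0 or later. Run it only after the AV is clean; as the question notes, the shortcuts come back otherwise.

```powershell
# Added example, not code from the answer: the cleanup above as one script.
# Assumptions: PowerShell 3.0+, share root $Root, quarantine root $Quarantine,
# and that a .lnk with a same-named non-.lnk sibling in its folder is the
# malware's shortcut (legitimate shortcuts normally have no such sibling).
param(
    [string]$Root        = 'D:\Data',   # assumed share root
    [string]$Quarantine  = 'D:\Virus',  # assumed quarantine root, as in the answer
    [int]   $ClusterMins = 5,           # shortcuts written within this window count as one burst
    [switch]$DryRun                     # print what would happen, change nothing
)

$dest    = Join-Path $Quarantine (Get-Date -Format 'yyyyMMdd-HHmmss')
$rootLen = $Root.TrimEnd('\').Length + 1

# 1. Suspect shortcuts: a .lnk that shadows a real document in the same folder
$suspect = foreach ($l in (Get-ChildItem -Path $Root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue)) {
    $base = [IO.Path]::GetFileNameWithoutExtension($l.Name)
    $sib  = Get-ChildItem -Path $l.DirectoryName -Filter "$base*" -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ne '.lnk' } | Select-Object -First 1
    if ($sib) { $l }
}

# 2. Group by LastWriteTime. The malware writes its shortcuts seconds to minutes
#    apart, so a suspect whose timestamp is far from the others deserves a look
#    before it is moved (it may be a real shortcut that happens to sit beside a file).
$clusters = @(); $cur = @()
foreach ($l in ($suspect | Sort-Object LastWriteTime)) {
    if ($cur.Count -gt 0 -and ($l.LastWriteTime - $cur[-1].LastWriteTime).TotalMinutes -gt $ClusterMins) {
        $clusters += ,$cur; $cur = @()
    }
    $cur += $l
}
if ($cur.Count -gt 0) { $clusters += ,$cur }

# 3. Cut, don't delete: move each burst under the quarantine folder, keeping the
#    relative path so a wrongly moved shortcut can be put back exactly.
foreach ($c in $clusters) {
    "Burst of {0} shortcut(s), written {1:u} .. {2:u}" -f $c.Count, $c[0].LastWriteTime, $c[-1].LastWriteTime
    foreach ($l in $c) {
        $to = Join-Path $dest $l.FullName.Substring($rootLen)
        if ($DryRun) { "  would move $($l.FullName) -> $to"; continue }
        New-Item -ItemType Directory -Path (Split-Path -Parent $to) -Force | Out-Null
        Move-Item -LiteralPath $l.FullName -Destination $to -Force
    }
}

# 4. Unhide the real files. Clear only Hidden and System, only on files, and skip
#    the few names Windows legitimately hides, so ReadOnly/Archive bits and
#    desktop.ini, Thumbs.db and Office ~$ lock files are left alone.
$keepHidden = '^(desktop\.ini|thumbs\.db)$|^~\$'
Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
  Where-Object { $_.Extension -ne '.lnk' -and $_.Name -notmatch $keepHidden -and
                 (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) } |
  ForEach-Object {
    if ($DryRun) { "  would unhide $($_.FullName)"; return }
    $_.Attributes = [IO.FileAttributes]($_.Attributes -band -bnot ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System))
  }
```

Clearing the attribute bit by bit rather than with the Properties dialog matters on a file server: the dialog applies the change to folders too, and it also drops the Hidden bit from things users expect to stay hidden, whereas this touches only the files the malware is known to hide. Step 4 deliberately ignores whether a given file had a shortcut beside it, because some originals will already have been renamed or overwritten by the time the cleanup runs.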
