• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3773

Shortcut Virus on File Server

Hi Folks, got an issue with our file server - some office files have been replaced by a shortcut with target pointing to the following

C:\WINDOWS\system32\cmd.exe /C start cmd.exe /C if exist \thumbs.dbh start \thumbs.dbh && start "" excel.exe "name of file"

Have run Mbytes and Windows scan as well as onboard AV scan. Running unhide.exe reveals the files again, but the virus kicks in a short while later and the files are hidden again. If I recover the files from backup they are OK for a while, then the problem reoccurs.

Any help appreciated.

3 Solutions

Sushil Sonawane commented:
Run the antivirus scan in safe mode.
Pete Long (Consultant) commented:
Reported at McAfee as BackDoor-FHI (ED)

Update your AV definitions and rescan
Sikhumbuzo Ntsada commented:
Looks like your onboard AV is compromised; I would suggest you install another one, even if it's in trial mode.

Also check for any unknown start up files and remove them manually using "HijackThis"

I would check your firewall access to see if you have any open ports that aren't supposed to be there. Check when those files were replaced and if so, by whom.

If you can, take your FS offline, boot to safe mode, run rKill.exe, then run a full scan with Malwarebytes and Spybot (you can run these at the same time), reboot into regular mode, run TDSSKiller and cure/delete.
Run HijackThis and terminate any rogue processes.
Take offline (unplug from Internet).
Uninstall your current full antivirus using the removal tool provided by the vendor's website. (If you are hesitant about being without antivirus during this process, I suggest Microsoft Security Essentials; it's small, quick and easy to install and uninstall once you get your server-grade one back.)
Reinstall the antivirus with updates and then run an on-demand scan or what have you.
Take off MSE and plug the Internet back in (there may be more updates for the antivirus to install).

Check firewall settings and network back up.

Let me know what happens then.
Had this with a client 2 weeks ago on 1 desktop. Simply installed Sophos (can try trial) and it removed it. To clean server files, use another machine (even if you think the original machine is clean) to remote onto the server (or use the server console), right-click the data folder and left-click Properties. Tick Hidden and OK. Then repeat but untick Hidden, and when asked if you wish to apply to all subfolders and files, click OK. Now you have your original files unhidden. Then run a search for *.lnk - you will see hundreds of these in subfolders. I cut them and put them in a new folder D:\Virus\<date time> (or C:\Virus\<date time>) for those with a similar date/time (they will differ by seconds or 2 or 3 minutes). You should not have any that are recent if the virus has been removed. Better to cut than delete in case you catch real shortcuts. Job done.
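The cleanup described above (find the malicious .lnk files by the cmd.exe /C ... thumbs.dbh target quoted in the question, unhide the real file each one impersonates, and cut the shortcuts into a dated quarantine folder) can be scripted for a large share. This is an added example, not code from anyone in the thread; the share path D:\Data, the quarantine location and the -DryRun switch are assumptions.

```powershell
# Added example, not from the thread. Scans a share for .lnk files whose target
# matches the indicator from the question, restores the hidden real files beside
# them, and moves (not deletes) the shortcuts into a timestamped quarantine folder.
param(
    [string]$Root = 'D:\Data',                                     # assumed share path
    [string]$Quarantine = ('D:\Virus\' + (Get-Date -Format 'yyyyMMdd_HHmmss')),
    [switch]$DryRun                                                # report only, change nothing
)

$shell = New-Object -ComObject WScript.Shell
if (-not $DryRun) { New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null }

# Indicator taken from the shortcut target quoted in the question.
$pattern = 'cmd\.exe.*thumbs\.dbh'
$hiddenFlags = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

Get-ChildItem -Path $Root -Recurse -Force -Filter '*.lnk' -File | ForEach-Object {
    $lnk = $_
    try {
        $sc  = $shell.CreateShortcut($lnk.FullName)                # reads TargetPath/Arguments
        $cmd = $sc.TargetPath + ' ' + $sc.Arguments
    } catch { return }                                             # unreadable .lnk, skip it
    if ($cmd -notmatch $pattern) { return }                        # legitimate shortcut, leave it

    Write-Host "Malicious shortcut: $($lnk.FullName) -> $cmd"

    # The real file sits in the same folder with the same name (report.xlsx.lnk -> report.xlsx,
    # or report.lnk -> report.xlsx); clear the Hidden/System attributes the malware set.
    Get-ChildItem -Path $lnk.DirectoryName -Force -File |
        Where-Object { $_.Extension -ne '.lnk' -and
                       ($_.Name -eq $lnk.BaseName -or $_.BaseName -eq $lnk.BaseName) } |
        ForEach-Object {
            if ($DryRun) { Write-Host "  would unhide $($_.FullName)" }
            else { $_.Attributes = $_.Attributes -band (-bnot $hiddenFlags) }
        }

    # Cut rather than delete, so a misidentified shortcut can be put back.
    $dest = Join-Path $Quarantine ($lnk.FullName -replace '[:\\]', '_')
    if ($DryRun) { Write-Host "  would move to $dest" }
    else { Move-Item -LiteralPath $lnk.FullName -Destination $dest -Force }
}
```

Run it with -DryRun first and review the reported shortcuts; anything quarantined is kept with its original path encoded in the file name so it can be restored.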
