Crypto Virus

I have 2 folders that I know are infected with the Crypto ransom virus. The shares have been stopped and computers disconnected. I'm desperately trying to delete these folders, but I can't. Please help.
WellingtonIS asked:
 
Chris H (Infrastructure Manager) commented:
If Crypto is still active, do an offline scan immediately with Kaspersky or AVAST.

but if I do that won't the virus infect everything else?
I can't answer that question as I have no idea why you don't have access to that directory.  You make it sound like it is imperative to delete those two directories.  I was telling you how to correct the access permissions.  Crypto runs as you, the user.  It uses your permissions, so yes, if you set implicit EVERYONE permission for an item, crypto will have access.  

First step, kill crypto. Which will require an offline scan. PERIOD.

Second step, if those directories still exist, follow my instructions above.

Any files that were encrypted with crypto will more than likely have to be unencrypted with the key, which is usually sold by the hacker who padded the malware to begin with. Don't rule out that if you need those files back, and don't have a good backup, and it's the new version of crypto which doesn't have the keys published, you're gonna have to pay...
0
 
Chris H (Infrastructure Manager) commented:
Have you tried an offline/parallel boot? You could use a live Linux distro like Knoppix, or you could boot with the Windows recovery disk/installation media and access a command prompt.
0
 
WellingtonIS (Author) commented:
I can get to the command prompt; I just can't delete the files or folder.
0
 
Paul MacDonald (Director, Information Systems) commented:
What stops you?  Do you get an error message?
0
 
Chris H (Infrastructure Manager) commented:
Have you tried using the cacls command?

Can you cd into the directory or do you get access denied?
0
 
Chris H (Infrastructure Manager) commented:
icacls "C:\DIRECTORY" /grant everyone:F
0
 
WellingtonIS (Author) commented:
I'm getting access denied when I try to delete from the command prompt.
0
 
Chris H (Infrastructure Manager) commented:
What is the drive and directory name? I'll give you the icacls command to run.
0
 
WellingtonIS (Author) commented:
d:\welshare\hr and humanres..  What will this command do?
0
 
Chris H (Infrastructure Manager) commented:
icacls "d:\welshare\hr" /grant everyone:F             (this should get you into the dir)

then

d: (Change to d drive)
cd\welshare\hr (change to directory)
cacls *.* /g everyone:F
attrib *.* -s -h -r
0
 
Chris H (Infrastructure Manager) commented:
repeat for the other directory
0
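The permission-reset-then-delete procedure Chris H describes above, as an added PowerShell example that is not from this thread. It uses the same built-in Windows tools (takeown, icacls, attrib) but grants the Administrators group rather than Everyone, since the malware runs as the logged-on user and an Everyone:F grant would also widen access for a still-running infection; the paths are placeholders standing in for the thread's d:\welshare\hr and d:\welshare\humanres, and it assumes the malware has already been removed with an offline scan and the share is stopped, as the thread advises.

```powershell
# Added example (not from the thread): take ownership of a directory that
# ransomware left inaccessible, reset its ACL for Administrators, clear the
# system/hidden/read-only attributes, then quarantine or delete it.
# Run from an elevated PowerShell prompt. $Path is a placeholder.
function Remove-LockedFolder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Quarantine   # optional: move here instead of deleting
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

    # 1. Take ownership of the tree for the Administrators group (/A), recursively (/R),
    #    answering Yes (/D Y) when a subfolder is not yet accessible.
    & takeown.exe /F $Path /R /A /D Y | Out-Null

    # 2. Grant Administrators full control, inherited by files and subfolders.
    #    Deliberately not Everyone: scope the grant to the account doing the cleanup.
    & icacls.exe $Path /grant 'Administrators:(OI)(CI)F' /T /C /Q | Out-Null

    # 3. Clear S/H/R on the folder itself and everything below it (same step the
    #    thread does with "attrib *.* -s -h -r", here applied to the whole tree).
    & attrib.exe -S -H -R $Path
    & attrib.exe -S -H -R "$Path\*" /S /D

    # 4. Either move the folder aside (what the asker ended up doing) or delete it.
    if ($Quarantine) {
        if ($PSCmdlet.ShouldProcess($Path, "Move to $Quarantine")) {
            Move-Item -LiteralPath $Path -Destination $Quarantine -Force
        }
    } elseif ($PSCmdlet.ShouldProcess($Path, 'Delete')) {
        Remove-Item -LiteralPath $Path -Recurse -Force
    }
}

# Dry run first (-WhatIf reports what would happen without moving or deleting),
# then repeat for the second directory, as the thread says.
Remove-LockedFolder -Path 'D:\welshare\humanres\NANCY' -WhatIf
# Remove-LockedFolder -Path 'D:\welshare\humanres\NANCY' -Quarantine 'D:\quarantine'
```

Quarantining to a non-shared location keeps the encrypted files available in case a decryption key later becomes available, which outright deletion does not.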
 
WellingtonIS (Author) commented:
but if I do that won't the virus infect everything else?
0
 
WellingtonIS (Author) commented:
I'm deleting these two files because they are infected. I shut them down and need to get them off the server.
0
 
Chris H (Infrastructure Manager) commented:
The two files, one is in each directory, right?

Also, what are the file names?

ie

D:\welshare\hr\crypto.doc
D:\welshare\humanres\crypto.doc

I need the full path

You do have access to the directories, right?
0
 
WellingtonIS (Author) commented:
Don't know. I don't want to access the folders.
I'm afraid if I access I'll infect everything.  The PC which had rights to these folders was infected.
0
 
WellingtonIS (Author) commented:
I'm downloading AVAST now.
0
 
WellingtonIS (Author) commented:
OK, how do I change attributes on the files and folders in there? There's a folder called HUMANRES; inside is a folder called NANCY, and I need to delete that and I cannot.
0
 
WellingtonIS (Author) commented:
I finally got it. Here's what I did. I copied the file to a machine with a guest account. I gave that Guest account control over that folder. Once I had the folder moved, and it was a battle, I was able to delete it. Once I did that, I scanned and restored the data.
0
 
Chris H (Infrastructure Manager) commented:
Sweet!

I recommend using the boot-time scan function on AVAST one last time. You can't trust Windows anymore. Malware, for lack of a better word, is never clean after one pass from one AV, IMO. Download and install Malwarebytes too. You can get it from www.filehippo.com

Good luck!
0
 
WellingtonIS (Author) commented:
Thanks. Will do
0
 
WellingtonIS (Author) commented:
I figured out that if I can get the file moved, then I can delete it. Which is basically what I did; then I followed the directions and scanned and made sure nothing else was infected. Thank you all for your comments.
0