Solved

Crypto Virus

Posted on 2015-02-20
108 Views
Last Modified: 2015-02-26
I have 2 folders that I know are infected with Crypto Ransom Virus. The shares have been stopped and computers disconnected. I'm desperately trying to delete these folders, but I can't. Please help.
0
Comment
Question by:WellingtonIS
  • 11
  • 9
21 Comments
 
LVL 16

Expert Comment

by:choward16980
ID: 40621648
Have you tried an offline/parallel boot? You could use a live Linux distro like Knoppix, or you could boot with the Windows recovery disk/installation media and access a command prompt.
0
 

Author Comment

by:WellingtonIS
ID: 40621659
I can get to the command prompt; I just can't delete the files or folder.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40621670
What stops you?  Do you get an error message?
0

 
LVL 16

Expert Comment

by:choward16980
ID: 40621673
Have you tried using the cacls command?

Can you cd into the directory or do you get access denied?
0
 
LVL 16

Expert Comment

by:choward16980
ID: 40621676
icacls "C:\DIRECTORY" /grant everyone:F
0
 

Author Comment

by:WellingtonIS
ID: 40621677
I'm getting access denied when I try to delete from the command prompt.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 40621683
What is the drive and directory name? I'll give you the icacls command to run.
0
 

Author Comment

by:WellingtonIS
ID: 40621688
d:\welshare\hr and humanres. What will this command do?
0
 
LVL 16

Expert Comment

by:choward16980
ID: 40621693
icacls "d:\welshare\hr" /grant everyone:F             (this should get you into the dir)

then

d: (Change to d drive)
cd\welshare\hr (change to directory)
cacls *.* /g everyone:F
attrib *.* -s -h -r
0
 
LVL 16

Expert Comment

by:choward16980
ID: 40621698
repeat for the other directory
0
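A least-privilege version of the icacls/attrib sequence above, as an added PowerShell example that is not part of the thread: the thread's commands grant Everyone full control, and the accepted solution notes that a malware process running as the user would then have access too, so this variant grants only BUILTIN\Administrators and snapshots the ACLs and file listing before deleting. It assumes an elevated PowerShell on the server after the offline scan has confirmed the malware is no longer running; Reclaim-EncryptedFolder and the evidence path are hypothetical names.

```powershell
# Added example, not from the thread: least-privilege reclaim-and-delete of a
# folder hit by ransomware. Grants BUILTIN\Administrators, not Everyone.
# Assumptions: elevated PowerShell, malware already confirmed inactive,
# paths below are placeholders; function/parameter names are hypothetical.
function Reclaim-EncryptedFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,          # e.g. 'D:\welshare\hr'
        [Parameter(Mandatory)] [string] $EvidenceDir,   # where the snapshot goes
        [string] $Principal = 'BUILTIN\Administrators'  # who gets control (not Everyone)
    )
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $tag = (Split-Path -Leaf $Path) + '-' + (Get-Date -Format 'yyyyMMdd-HHmmss')

    # 1. Preserve the current DACLs before touching them (icacls /save output
    #    can be put back with /restore). /C continues past access-denied entries.
    icacls.exe $Path /save (Join-Path $EvidenceDir "$tag-acl.txt") /T /C /Q

    # 2. Take ownership for the Administrators group (/A), recursively (/R),
    #    answering Yes (/D Y) where we currently lack even list permission.
    takeown.exe /F $Path /R /D Y /A | Out-Null

    # 3. Replace (:r) the grant for the chosen principal with full control,
    #    inherited by sub-folders (CI) and files (OI). No grant to Everyone.
    icacls.exe $Path /grant:r "${Principal}:(OI)(CI)F" /T /C /Q

    # 4. Clear System/Hidden/Read-only so Remove-Item can see every object.
    attrib.exe -S -H -R (Join-Path $Path '*') /S /D
    attrib.exe -S -H -R $Path

    # 5. Record what is about to be deleted: names, sizes, timestamps.
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Select-Object FullName, Length, LastWriteTime |
        Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "$tag-files.csv")

    # 6. Delete only when not running with -WhatIf.
    if ($PSCmdlet.ShouldProcess($Path, 'Remove folder tree')) {
        Remove-Item -LiteralPath $Path -Recurse -Force
    }
}

# -WhatIf runs steps 1-5 but skips the deletion; drop it for the real run,
# then repeat for the second folder (D:\welshare\humanres in the thread).
Reclaim-EncryptedFolder -Path 'D:\welshare\hr' -EvidenceDir 'C:\IR\evidence' -WhatIf
```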
 

Author Comment

by:WellingtonIS
ID: 40621702
But if I do that, won't the virus infect everything else?
0
 
LVL 16

Accepted Solution

by:choward16980
choward16980 earned 500 total points
ID: 40621735
IF Crypto is still active, do an offline scan immediately with Kaspersky or AVAST.

but if I do that won't the virus infect everything else?
I can't answer that question as I have no idea why you don't have access to that directory. You make it sound like it is imperative to delete those two directories. I was telling you how to correct the access permissions. Crypto runs as you, the user. It uses your permissions, so yes, if you set implicit EVERYONE permission for an item, crypto will have access.

First step, kill crypto. Which will require an offline scan. PERIOD.

Second step, if those directories still exist, follow my instructions above.

Any files that were encrypted with crypto will more than likely have to be unencrypted with the key, which is usually sold by the hacker who padded the malware to begin with. Don't rule out that if you need those files back, and don't have a good backup, and it's the new version of crypto which doesn't have the keys published, you're gonna have to pay...
0
 

Author Comment

by:WellingtonIS
ID: 40621750
I'm deleting these two files because they are infected. I shut them down and need to get them off the server.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 40621763
The two files, one is in each directory, right?

Also, what are the file names?

ie

D:\welshare\hr\crypto.doc
D:\welshare\humanres\crypto.doc

I need the full path

You do have access to the directories, right?
0
 

Author Comment

by:WellingtonIS
ID: 40621766
Don't know, I don't want to access the folders.
I'm afraid if I access them I'll infect everything. The PC which had rights to these folders was infected.
0
 

Author Comment

by:WellingtonIS
ID: 40621776
I'm downloading AVAST now
0
 

Author Comment

by:WellingtonIS
ID: 40621826
OK, how do I change the attributes of the files and folders in there? There's a folder called HUMANRES; inside is a folder called NANCY, and I need to delete that and I cannot.
0
 

Assisted Solution

by:WellingtonIS
WellingtonIS earned 0 total points
ID: 40621880
I finally got it. Here's what I did. I copied the file to a machine with a guest account. I gave that Guest account control over that folder. Once I had the folder moved, and it was a battle, I was able to delete it. Once I did that, I scanned and restored the data.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 40622039
Sweet!

I recommend using the boot-time scan function in AVAST one last time. You can't trust Windows anymore. Malware, for lack of a better word, is never clean after one pass from one AV, IMO. Download and install Malwarebytes too. You can get it from www.filehippo.com

Good luck!
0
 

Author Comment

by:WellingtonIS
ID: 40622048
Thanks. Will do
0
 

Author Closing Comment

by:WellingtonIS
ID: 40632682
I figured out that if I can get the file moved then I can delete it, which basically is what I did. Then I followed the directions and scanned and made sure nothing else was infected. Thank you all for your comments.
0
