Decrypt virus

Some how a computer on our network got the decrypt virus on it and it started encrypting files on mapped drives to our server. I have done virus checks on every single computer and server and removed the suspect computer from the network.

I have done a shadow copy restore of the files affected, but there are still files in the folder saying Help_Decrypt.html , .png, .txt, and a a web link saying help_decrypt.

Firstly, are these files dangerous? and can I just delete them? How can I make sure this nasty program is off the network?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
just delete them, ensure on your client computers you have the following. especially if these files were not here previously and have nothing to do with the mapped drives content. scan the server it sits on insafe mode with networking later.

no admin rights for users
up to date AV
a proxy
spam filtering that works

these viruses are lethal and can cost you or the MSP you work for your job. need to cut them out at source.
Thomas Zucker-ScharffSolution GuideCommented:
use gpo or similar to push out restriction policies for application areas - see my article on ransomware.
*** Hopeleonie ***IT ManagerCommented:
Which antivirus do you use?
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Thomas Zucker-ScharffSolution GuideCommented:
AntiVirus won't protect you against ransomeware, since it is not really a virus (this article has an explnation).  Use something like cryptoprevent or HitmanPro.Alert, or just make the relevant changes to your registry.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
*** Hopeleonie ***IT ManagerCommented:
Tell me which antivirus you use?
Thomas Zucker-ScharffSolution GuideCommented:
If you are asking me and not the OP, I use MBAM Pro alongside Winpatrol Plus, RUBuotted, HitmanPro.Alert and Windows Firewall, among others. See my article on multilayered security.
*** Hopeleonie ***IT ManagerCommented:
Hi Thomas

No I'm asking nicolausj . Hope you are fine?
Thomas Zucker-ScharffSolution GuideCommented:
yes thanks
nicolausjAuthor Commented:
Symantec Endpoint Protection is what we use... sorry been running around like a crazy person today.
Thomas Zucker-ScharffSolution GuideCommented:
Our institution uses SEP.  Today's version is fairly robust and has less of the overhead of previous versions.  IT still runs a little more resource hungry than other similar apps.
*** Hopeleonie ***IT ManagerCommented:
Don't delete the Malware remnants.

This kind of Malware (Ransomeware) cannot be analyzed in a Forum as we need to make a remote session. You should contact Symantec support:

Otherwise you will be running again in a loop, if another Client get infected.
The Reverse Engineers need to analyze your environment and check for Malware remnants. They give great support, and it is free!
nicolausjAuthor Commented:
Alright so i can delete the files. Can I safely say he virus is removed if I have scanned all the computers/servers and nothing has been found?

Thanks again for the responses, I have never had a problem quite like this before.

I also wanted to add one thing, the computer that was infected didn't have any real symptoms accept it was running slow. It didn't seem to affect any of the computers files either, just the mapped drives.
nicolausjAuthor Commented:
working with support now.
Thomas Zucker-ScharffSolution GuideCommented:
Never heard that one before.  Usually it encrypts both local and network files.
*** Hopeleonie ***IT ManagerCommented:
Alright so i can delete the files.
Did you see my last comment? :-)

Can I safely say he virus is removed if I have scanned all the computers/servers and nothing has been found?
No. See the comment from Thomas:
AntiVirus won't protect you against ransomeware , if it is unknown and not detected by behavioral detection (also called Heuristic analysis or behavioural analysis).
nicolausjAuthor Commented:
Believe it or not i just got off the phone with Symantec and they told me to just delete the files with Help_decrypt. That was basically the extent of the conversation.
*** Hopeleonie ***IT ManagerCommented:
And they send you the Help_decrypt? Or where did you download it?
nicolausjAuthor Commented:
They are the files associated with the virus... each of the folders affected has 4 files in it. HELP_DECRYPT.HTML
nicolausjAuthor Commented:
Thanks for the help
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.