Antivirus - Files converted to application

Our server got two type of virus. a. ransomware asking to pay $250. Otherone, all the files got converted as application (.exe). The server is a file server with 700 GB data on it.
Is there a way to clean and get rid of it?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
There is no practical way to recover the files except to recover from backup.

Clean up any infected machines and then replace the damaged files with good files from your recent backup.
Peter HutchisonSenior Network Systems SpecialistCommented:
first, stop any network access by users to the server  or change sharing permissions.
Scan server and user PCs for the virus.
Then you need to delete all the affected files, there is no way to decrypt the files unless you pay the ransom to the virus writer (not recommended).
Then restore any deleted files back onto the server from backup.

Antimalwarebytes is a good AV package to remove this malware.|pcrid|8802169902|pkw|%2Bremove%20%2Bransomware|pmt|bb|pdv|c|
Is there a way to clean
that depends on whether the old file extensions were preserved somehow, or not. if for example only .exe was added to the files, it is not very difficult to scan the disk and make it reverse. if the old extension was replaced by .exe you have bad luck. perhaps the malware has stored the old extension in so-called 'alternate data streams' (ADS) to the file. these ADS streams can be added to a ntfs file but are not shown in the explorer. you may download a special viewer to detect such ADS streams, for example at if the old extension was stored somehow, either in ADS or filename, you could try to repair old files. however, you shouldn't do that with the malware still on the server. instead, you should setup a clean system and add the virus-infected disks one by one to the new system. use multiple malware and antivirus scans to check the mbr of the disk and the files. then undo the .exe by a little program which scans any file on the disk and checks whether it has .exe extension, then gets the old extension either from filename or from ADS stream or from somewhere else (perhaps you know the file extensions used in a folder), and finally does the rename and clears the ADS if any.

if all files are restored, you should use a new server and get all good files from restored disks rather than to try to clean the old server os. it is a good chance that they have some more malware installed that would be virulent again when the infected os is running again.

note, if you don't make a backup on your server on a regular base, the data actually are not worth to be restored.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Thomas Zucker-ScharffSolution GuideCommented:
Encrypted files are generally not recoverable except from backup. (I also do NOT recommend paying the ransom)

There are instances where the decryption key has been made public, you can check in the comments to my article to see if one of your encrypted files gets decrypted.  Either way, you should rebuild the server.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.