Trojan/Virus on Fileserver

One of our folders on a file server running Windows 2008 R2 is infected with a Trojan/virus. The server is running Sophos, but it's not able to clean it. I can't access this folder; it says I need higher privileges, even though I have Domain Admin rights. I can't install any other antivirus software; it says I need admin access.
How can I clean and unlock this folder?

Thanks.
Leo asked:

andreas (System Admin) commented:
What's the name of the folder? Based on your not so detailed description I'm guessing it could be the System Volume Information folder. This folder is only accessible with system rights and contains the Shadow Copy volume snapshots. To remove files there, just delete all affected shadow copy snapshots.

If it's not this folder, what's the name of the folder the virus is in AND, very important, what is the name of the virus Sophos tells you?

Did you right click and choose run as administrator when installing the other AV-product?

Be careful installing 2 AV scanners at the same time. It might go wrong and damage your server badly or render one or both of them not functioning properly. So uninstall Sophos first before installing another AV scanner.
Leo (Author) commented:
It's a shared folder, meaning all staff put their folders and content under this folder.
Staff can access this folder; they are mapped to this folder...
The name of the virus is Troj/Bladabi-D and the virus/spyware Mal/MSIL-GL...

I tried running the other antivirus by right-clicking on it and running it as Admin, but it shows the same message.

The path which is affected is:

E:\Data\Shares\SSO_Share\Report\!My Pictures.SCR

When Sophos tries to clean this path, it produces an error "The user does not have the rights to perform the action on the infected file" or Unknown Error 0x80070020
andreas (System Admin) commented:
Can you please post some screenshots of the permissions of that file/folder? Maybe this gives a clue.
Who is the owner of that file/folder?

About the missing admin rights when installing another AV, I'm currently out of ideas. I have never seen something like this before.

Leo (Author) commented:
Can't view the permissions; it gives errors, see screenshot.
Permissions.jpg
andreas (System Admin) commented:
Does this error only appear on this very one directory with the malware, or on ALL directories on the affected server?

If on all directories, then try the following:

Is this the only AD server on your network? If not, can you still access the permissions tab with this login on another server?

If not, it seems your Domain Admin account has some problems. You might try to create a 2nd one and try with another account. If your current Domain Admin account works properly on other servers, then the problem is either really with the folder and really strange permissions on it, or with the server operating system itself.

DO NOT USE DOMAIN ADMIN on normal workstations and not from remote.
Leo (Author) commented:
Only one folder is affected... meaning on other folders on this server I can see permissions... When I run a Sophos scan on just this affected folder, it doesn't find anything... When I try to see permissions of this folder from different computers, it doesn't show anything... and this server is a file server...
Two domain controllers in the forest.
rindi commented:
I'd check the workstations; it is more likely at least one of them is infected rather than the server. Then try deleting the .scr file from that workstation. You could also try booting the server into safe mode and then deleting that file.
Sudeep Sharma (Technical Designer) commented:
Did you try running any software using the "system" privileges?

You can use psexec, which is part of the Sysinternals tools from Microsoft.

psexec -s -i explorer.exe

Or you may also try to access the same folder from a remote system and see the permissions?

Maybe it's not working from the server, but it may from a remote system?

Sudeep
Merete commented:
Have you checked the Task Manager processes to see if it is running?
The description from Symantec includes removal tools:
Trojan.Bladabindi
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072415-3728-99&tabid=2
Try the removal steps here as well; it includes deleting registry keys that may help you determine if it is present on the server.
Ways to Remove/ Delete Trojan/Dldr.Bladabindi.D.23 Virus Completely
http://www.whgspc.com/ways-to-remove-delete-trojandldr-bladabindi-d-23-virus-completely/
It also includes:
Remove Trojan/Dldr.Bladabindi.D.23 by Using Removal Tool SpyHunter
Davis McCarn (Owner) commented:
That SCR file is a screensaver and has no business being on a server in the first place! All of the hits and posted links for what Sophos is calling the guy are from 2010 to 2014, which means they are old and probably inaccurate instructions.
Personally, I'd invoke a CMD window as the system account, then either use it to delete the entire folder or invoke Explorer so I could see and change the permissions. Read this: http://blogs.technet.com/b/askds/archive/2008/10/22/getting-a-cmd-prompt-as-system-in-windows-vista-and-windows-server-2008.aspx
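Sudeep's psexec suggestion and Davis's "delete it as SYSTEM" approach combined into one script, added here as an example rather than code from anyone in the thread. It assumes the affected path Leo posted, that Sysinternals PsExec is present on the server, and the script name Remove-LockedScr.ps1 (chosen here); it records the owner and ACL for your incident notes before touching anything, ends any process holding the screensaver open, takes ownership, and removes the file.

```powershell
# Added example, not from the thread. Launch as SYSTEM from an elevated prompt:
#   psexec -s -i powershell.exe -ExecutionPolicy Bypass -File .\Remove-LockedScr.ps1
# Uses Get-WmiObject so it also runs on the PowerShell 2.0 shipped with 2008 R2.
param(
    # Path reported in the thread; override with -ScrPath if yours differs.
    [string]$ScrPath = 'E:\Data\Shares\SSO_Share\Report\!My Pictures.SCR'
)

$ErrorActionPreference = 'Stop'

# 1. Confirm the script really runs as SYSTEM; the ownership change below relies on it.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as: $who"

# 2. Preserve evidence: record the current owner and ACL before changing anything.
try {
    $acl = Get-Acl -Path $ScrPath
    Write-Host "Owner: $($acl.Owner)"
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} catch {
    Write-Warning "Get-Acl failed (this is the symptom Leo saw): $($_.Exception.Message)"
}

# 3. Sophos' 0x80070020 is ERROR_SHARING_VIOLATION: something holds the file open.
#    A launched .scr shows up as a process; stop any instance referencing this file.
$leaf = [System.IO.Path]::GetFileNameWithoutExtension($ScrPath)
Get-WmiObject Win32_Process |
    Where-Object { $_.Name -like "$leaf*" -or $_.CommandLine -like "*$ScrPath*" } |
    ForEach-Object {
        Write-Host "Stopping PID $($_.ProcessId): $($_.CommandLine)"
        Stop-Process -Id $_.ProcessId -Force
    }

# 4. Take ownership, grant Administrators full control, then delete the file.
#    takeown.exe and icacls.exe are built-in Windows tools.
& takeown.exe /F "$ScrPath"
& icacls.exe "$ScrPath" /grant 'Administrators:F'
Remove-Item -Path $ScrPath -Force
Write-Host "Removed $ScrPath"
```

Copy the file to a quarantine location or hash it before step 4 if you want a sample for your AV vendor; the script deletes it outright.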
btan (Exec Consultant) commented:
Use runas to elevate the run for admin rights, but the thing is not about another AV, as two AVs may make it worse, and even the Trojan may be disabling the machine. Can try to run in safe mode (e.g. Safe Mode with Networking) and see if any error pops up. Also try running TDSSKiller, Rkill and HitmanPro (does not need to be installed; can be run straight from a USB flash drive).
http://www.surfright.nl/en/hitmanpro
https://malwaretips.com/blogs/malware-removal-guide-for-windows/
Leo (Author) commented:
It's a virtual machine. I have tried running it in safe mode; it didn't make any difference. I will try other suggestions and report back.
Thanks.
Michael-Best commented:
If you suspect malware,
download these free cleaning tools.
Boot the PC in safe mode, then run each of these free cleaning tools until the problem has been removed:

1. Malwarebytes http://www.malwarebytes.org/

2. Combo Fix http://www.bleepingcomputer.com/download/search/?keyword=combofix

3. Rogue Killer http://www.bleepingcomputer.com/download/roguekiller/

4. Hitman Pro http://www.surfright.nl/en/hitmanpro/

5. TDS Killer http://www.bleepingcomputer.com/download/tdsskiller/

6. SuperAntiSpyware www.superantispyware.com
