Trojan/Virus on Fileserver

One of our folders on a file server running Windows 2008 R2 is infected with a Trojan/virus. The server is running Sophos, but it's not able to clean it. I can't access this folder; it says I need higher privileges, even though I have Domain Admin rights. I can't install any other antivirus software either; it says I need admin access.
How can I clean and unlock this folder?

Thanks.
Leo asked:

andreas (System Admin) commented:
What's the name of the folder? Based on your not so detailed description I'm guessing it could be the System Volume Information folder. This folder is only accessible with system rights and contains the Shadow Copy volume snapshots. To remove files there, just delete all affected shadow copy snapshots.

If it's not this folder, what's the name of the folder the virus is in AND, very important, what is the name of the virus Sophos tells you?

Did you right-click and choose "Run as administrator" when installing the other AV product?

Be careful about installing 2 AV scanners at the same time. It might go wrong and damage your server badly, or render one or both of them not functioning properly. So uninstall Sophos first before installing another AV scanner.
0
Leo (Author) commented:
It's a shared folder, meaning all staff put their folders and content under this folder.
Staff can access this folder; they are mapped to this folder...
The name of the virus is Troj/Bladabi-D and the virus/spyware is Mal/MSIL-GL...

I tried running the other antivirus by right-clicking on it and running it as Admin, but it shows the same message...

The path which is affected is:

E:\Data\Shares\SSO_Share\Report\!My Pictures.SCR

When Sophos tries to clean this path, it produces the error "The user does not have the rights to perform the action on the infected file" or "Unknown Error 0x80070020".
0
andreas (System Admin) commented:
Can you please post some screenshots of the permissions of that file/folder? Maybe this gives a clue.
Who is the owner of that file/folder?

About the missing admin rights when installing another AV, I'm currently out of ideas. I have never seen something like this before.
0
Leo (Author) commented:
Can't view the permissions; it gives errors, see screenshot.
Permissions.jpg
0
andreas (System Admin) commented:
Does this error only appear on this very one directory with the malware, or on ALL directories on the affected server?

If on all directories, then try the following:

Is this the only AD server on your network? If not, can you still access the permissions tab with this login on another server?

If not, it seems your Domain Admin account has some problems. You might try to create a 2nd one and try with another account. If your current Domain Admin account works properly on another server, then the problem is either really with the folder and really strange permissions on it, or with the server operating system itself.

DO NOT USE DOMAIN ADMIN on normal workstations, and not from remote.
0
Leo (Author) commented:
Only one folder is affected... meaning on other folders on this server I can see permissions. When I run a Sophos scan on just this affected folder, it doesn't find anything. When I try to see the permissions of this folder from different computers, it doesn't show anything. And this server is a file server.
There are two domain controllers in the forest.
0
rindi commented:
I'd check the workstations; it is more likely that at least one of them is infected rather than the server. Then try deleting the .scr file from that workstation. You could also try booting the server into safe mode and then deleting that file.
0
Sudeep Sharma (Technical Designer) commented:
Did you try running any software using the "system" privileges?

You can use psexec, which is part of the Sysinternals tools from Microsoft.

psexec -s -i explorer.exe

Or you may also try to access the same folder from a remote system and see the permissions.

Maybe it's not working from the server but it may from a remote system?

Sudeep
0
Merete commented:
Have you checked the Task Manager processes to see if it is running?
Description from Symantec, includes removal tools:
Trojan.Bladabindi
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072415-3728-99&tabid=2
Try the removal steps here as well; they include deleting registry keys that may help you determine if it is present on the server.
Ways to Remove/Delete Trojan/Dldr.Bladabindi.D.23 Virus Completely
http://www.whgspc.com/ways-to-remove-delete-trojandldr-bladabindi-d-23-virus-completely/
It also includes:
Remove Trojan/Dldr.Bladabindi.D.23 by Using Removal Tool SpyHunter
0
Davis McCarn (Owner) commented:
That SCR file is a screensaver and has no business being on a server in the first place! All of the hits and posted links for what Sophos is calling the guy are from 2010 to 2014, which means they are old and probably inaccurate instructions.
Personally, I'd invoke a CMD window as the system account, then either use it to delete the entire folder or invoke Explorer so I could see and change the permissions. Read this: http://blogs.technet.com/b/askds/archive/2008/10/22/getting-a-cmd-prompt-as-system-in-windows-vista-and-windows-server-2008.aspx
0
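The "run as SYSTEM" approach from Sudeep Sharma's and Davis McCarn's comments, written up as an added example (not from any participant in this thread): a PowerShell script, run from an elevated prompt or under SYSTEM via `psexec -s -i powershell.exe`, that records evidence about the flagged file, checks whether it is running, then takes ownership, resets the ACL and removes it. It assumes the path from the question and that the server can run PowerShell 2.0 or later (the .NET hashing call is used instead of Get-FileHash for that reason).

```powershell
# Added example: recover and remove a file an admin cannot open on Windows 2008 R2.
# Path taken from the question; adjust if the file has moved.
$target = 'E:\Data\Shares\SSO_Share\Report\!My Pictures.SCR'

if (-not (Test-Path -LiteralPath $target)) { throw "Not found: $target" }

# 1. Evidence first: size, timestamps and SHA-256, so the IR record survives deletion.
Get-Item -LiteralPath $target -Force | Select-Object FullName, Length, CreationTime, LastWriteTime
$stream = [System.IO.File]::OpenRead($target)
try {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    "SHA256: $hash"
} finally { $stream.Close() }

# 2. Is the .SCR (an executable) actually running? A running image cannot be deleted
#    and is a sign the server itself, not only a workstation, is compromised.
$running = Get-Process | Where-Object { $_.Path -eq $target }
if ($running) {
    "Running as PID(s): $($running.Id -join ', ') - stopping before removal"
    $running | Stop-Process -Force
}

# 3. Show the current owner and ACEs. Get-Acl failed for the author, so fall back to
#    icacls, which reads the raw DACL and usually still works.
try {
    $acl = Get-Acl -LiteralPath $target
    "Owner: $($acl.Owner)"
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} catch {
    "Get-Acl failed: $($_.Exception.Message); falling back to icacls"
    icacls "$target"
}

# 4. Take ownership for the Administrators group, reset inherited permissions,
#    grant Full Control explicitly, then delete. Built-in tools only.
takeown /F "$target" /A
icacls "$target" /reset
icacls "$target" /grant 'Administrators:(F)'
Remove-Item -LiteralPath $target -Force
if (Test-Path -LiteralPath $target) { "Still present: check for an open handle" } else { "Removed: $target" }
```

Error 0x80070020 in the author's Sophos message is the HRESULT form of Win32 error 32, ERROR_SHARING_VIOLATION (the file is open by another process), so if the final deletion still fails, find the process holding the handle (for example with Sysinternals handle.exe) before retrying.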
btan (Exec Consultant) commented:
Use runas to elevate for admin rights, but the thing is not about another AV, as two AVs may make it worse, and even the Trojan may be disabling the machine. You can try to run in safe mode (e.g. Safe Mode with Networking) and see if any error pops up. Also try running TDSSKiller, Rkill and HitmanPro (it does not need to be installed and can be run straight from a USB flash drive).
http://www.surfright.nl/en/hitmanpro
https://malwaretips.com/blogs/malware-removal-guide-for-windows/
0
Leo (Author) commented:
It's a virtual machine. I have tried running it in safe mode; it didn't make any difference. I will try the other suggestions and report back.
Thanks.
0
Michael-Best commented:
If you suspect malware, download these free cleaning tools.
Boot the PC in safe mode, then run each of these free cleaning tools until the problem has been removed:

1. Malwarebytes http://www.malwarebytes.org/

2. Combo Fix http://www.bleepingcomputer.com/download/search/?keyword=combofix

3. Rogue Killer http://www.bleepingcomputer.com/download/roguekiller/

4. Hitman Pro http://www.surfright.nl/en/hitmanpro/

5. TDS Killer http://www.bleepingcomputer.com/download/tdsskiller/

6. SuperAntiSpyware www.superantispyware.com
0