[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 115
  • Last Modified:

I think we have a virus

Hi Experts,

many files on shares are changed to .odin
can you help me out ?
What is the best way to restore or clean all machines ?
0
Eprs_Admin
Asked:
Eprs_Admin
4 Solutions
 
helpfinderIT ConsultantCommented:
could be ransomware
the best was would be to unplug all affected machines  from network as soon as possible, reinstall all affected machines and restore all necessary documents from offline backup.
But this works only if you have backups :)

if you want to remove ransomware manually (not 100% sure you will get a rid of it) check this guide
0
 
QlemoDeveloperCommented:
First of all, stop the Server service on file servers. If you cannot detect at a glance which department or area of PCs could be responsilble, shut them off all. Then you need to detect which PCs are infected, but that can get difficult. I'm certain other Experts can give you good advice on that.
1
 
*** Hopeleonie ***IT ManagerCommented:
Hi

You are infected with the Locky Ransomware. Disconnect all infected Clients that are locally encrypted and reinstall or reimage them as already recommended. Do you have a valid backup to restore?
1
 
andreasSystem AdminCommented:
Its a version of the locky ransomware.
Shut down all systems with access to the affected server shares, as any of them could be the source which is running the exncryption malware.

then offline scan all PCs with an anti virus rescue cd/dvd or USB-Pen for the ransomware. Do not scan online on the systems, the malware will continue to encrypt files on network if still accessible and locally on your harddrive.

Also scan the server offline itself too to ensure the malware is not running on the server itself.

To narrow down which client has the malware you can check owner information on encrypted files on the server shares. So you can see under which user account the malware was/is running. Check different files in different directories, maybe several users are involved.

Then track down from which clients the users are working recently.
0
 
Eprs_AdminSystem ArchitectAuthor Commented:
ok thanks so far.
We found the infected machine.
many shares are encrypted but I could use my storage snapshot to recreate all files.
0

Featured Post

Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now