Solved

I think we have a virus

Posted on 2016-10-07
5
77 Views
Last Modified: 2016-10-07
Hi Experts,

many files on shares are changed to .odin
can you help me out ?
What is the best way to restore or clean all machines ?
0
Comment
Question by:Eprs_Admin
5 Comments
 
LVL 19

Accepted Solution

by:
helpfinder earned 251 total points
ID: 41833167
could be ransomware
the best was would be to unplug all affected machines  from network as soon as possible, reinstall all affected machines and restore all necessary documents from offline backup.
But this works only if you have backups :)

if you want to remove ransomware manually (not 100% sure you will get a rid of it) check this guide
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 83 total points
ID: 41833168
First of all, stop the Server service on file servers. If you cannot detect at a glance which department or area of PCs could be responsilble, shut them off all. Then you need to detect which PCs are infected, but that can get difficult. I'm certain other Experts can give you good advice on that.
1
 
LVL 19

Assisted Solution

by:*** Hopeleonie ***
*** Hopeleonie *** earned 83 total points
ID: 41833170
Hi

You are infected with the Locky Ransomware. Disconnect all infected Clients that are locally encrypted and reinstall or reimage them as already recommended. Do you have a valid backup to restore?
1
 
LVL 11

Assisted Solution

by:andreas
andreas earned 83 total points
ID: 41833235
Its a version of the locky ransomware.
Shut down all systems with access to the affected server shares, as any of them could be the source which is running the exncryption malware.

then offline scan all PCs with an anti virus rescue cd/dvd or USB-Pen for the ransomware. Do not scan online on the systems, the malware will continue to encrypt files on network if still accessible and locally on your harddrive.

Also scan the server offline itself too to ensure the malware is not running on the server itself.

To narrow down which client has the malware you can check owner information on encrypted files on the server shares. So you can see under which user account the malware was/is running. Check different files in different directories, maybe several users are involved.

Then track down from which clients the users are working recently.
0
 

Author Comment

by:Eprs_Admin
ID: 41833460
ok thanks so far.
We found the infected machine.
many shares are encrypted but I could use my storage snapshot to recreate all files.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
How important is it to take extra precautions to protect your online business? These are some steps you can take to make sure you're free of any cyber crime.
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now