Leadtheway
asked on
Shortcuts and start menu apps disappeared
Have a Windows 2012 server that was running fine; it also has Exchange. Reported by users: no email working. Tried to log in via RDP; it took creds but took me to a blank start page. Accessed through the vCenter console and was able to get in and to the desktop. Noticed a bubble notification saying it had files to write to disk right away, but it's a VM with no optical drive. Tried to open anything on the taskbar (Start menu, Server Manager, Services). The Start menu opens up but is all blank, and when I try to open the shortcuts it says "Can't open this item. It may have been moved, renamed or deleted. Do you want to remove this item?"
I can right-click on the taskbar, open up Task Manager and run apps by typing the exe.
I would also shut down that PC and copy off any important data folders A.S.A.P. to minimize any potential data loss. Do not connect your backup media to the PC while booted from the infected OS. Copy it off using an alternate boot device (preferably a boot DVD, which can't get written on) or by yanking the hard drive and connecting it to a test system. If it is indeed infected with ransomware, the ransomware is running any time that OS is running. The longer it runs, the more it encrypts.
ASKER
It looks like everything was already encrypted with ETH. The infection was cleared but the encryption remains.
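As an added triage example (not from this thread, and not a vendor tool): a read-only PowerShell script meant to be run from a clean boot environment with the affected volume mounted offline, as the earlier comment recommends. It lists Start Menu shortcuts whose targets no longer resolve (the symptom in the question) and counts files carrying the assumed ransomware suffix per folder, so you know which data folders to copy off first and which are already affected. `$Drive`, `$EncryptedExt` and `$Report` are assumptions, as is the idea that the ransomware marks encrypted files with an ".ETH" suffix.

```powershell
# Added triage script, not from the thread. Assumptions: it runs read-only from a
# clean boot environment, the affected OS volume is mounted offline as $Drive, and
# the ransomware appends $EncryptedExt to the files it encrypts.
param(
    [string]$Drive = 'D:',                     # offline mount of the infected volume (assumption)
    [string]$EncryptedExt = '.ETH',            # assumed suffix on encrypted files
    [string]$Report = 'C:\triage\report.csv'   # written to the clean system, never to $Drive
)

$shell = New-Object -ComObject WScript.Shell

# 1. Shortcuts whose targets no longer exist: this is what produces a blank Start
#    menu and "Can't open this item. It may have been moved, renamed or deleted".
$startMenus = @(
    "$Drive\ProgramData\Microsoft\Windows\Start Menu",
    "$Drive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu"
)
$broken = Get-ChildItem -Path $startMenus -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # CreateShortcut on an existing .lnk only reads it; nothing is saved back.
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        # Targets were recorded with the original drive letter; rebase onto the offline mount.
        $rebased = $target -replace '^[A-Za-z]:', $Drive
        if ($target -and -not (Test-Path -LiteralPath $rebased)) {
            [pscustomobject]@{ Shortcut = $_.FullName; MissingTarget = $target }
        }
    }

# 2. Scope of encryption: count renamed files per user profile / top-level folder
#    so the copy-off can be prioritised and the damage documented.
$scope = Get-ChildItem -Path "$Drive\Users", "$Drive\inetpub" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$EncryptedExt" } |
    Group-Object { ($_.FullName -split '\\')[2] } |
    Select-Object @{ n = 'Folder'; e = { $_.Name } }, @{ n = 'EncryptedFiles'; e = { $_.Count } }

"Broken shortcuts: $($broken.Count)"
$broken | Format-Table -AutoSize
"Encrypted files by folder:"
$scope | Format-Table -AutoSize

# Keep the evidence on the clean system, not on the infected volume.
$broken | Export-Csv -Path $Report -NoTypeInformation
```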
The following may help with this infection:
https://support.eset.com/kb6274/?locale=en_US&viewlocale=en_US
https://www.symantec.com/security-center/writeup/2016-060920-2315-99
Here are some decryption tools:
https://www.nomoreransom.org/en/decryption-tools.html
Run a scan at the antivirus level to validate whether it detects a virus or malware on the server.
Check Event Viewer to see what errors you have.
You can share images so we can see it better.
Greetings.