wfcrr (United States of America) asked on

_NEMTY_LVMHFKO_-DECRYPT

What is this? I have several files with names ending with this: _NEMTY_LVMHFKO_-DECRYPT.  Some are .xlsx files, some are .docx files.  Each has the _NEMTY_LVMHFKO_-DECRYPT following the file name.  We can't find the original Excel or Word files, only these files with _NEMTY_LVMHFKO_-DECRYPT tagged onto the end. The file won't open with any program, but if we navigate to it in Excel and open it, Excel will convert it from a text doc to a jumbled-up Excel doc.
ASKER CERTIFIED SOLUTION
David Johnson, CD (Canada)
This solution is only available to members.
wfcrr (ASKER):
Using Malwarebytes to remove the viruses.  Any way to figure out how this got on the machine?  This is a new-ish employee. All my other staff seem to be well aware of what to watch for in emails. I am thinking that is how her computer got it.
Dr. Klahn:
It would be prudent to declare the system a loss, erase the drive using DBAN or equivalent, and restore it from the last known clean backup per David's comment above.

Once a system has been infected that drive can never be trusted again unless it is completely erased.  Polymorphic viruses are exceedingly clever; they can hide in "unused" areas of a drive and pop up again months later.  In addition to that, there is no telling what else the infection downloaded into the machine for later use.

Attempting to recover files from this system runs the risk of dragging the infection right back into the erased and restored system, which puts you even further back than you are now.
wfcrr (ASKER):
How do I check files saved on a Shared drive on the server?
Clicking on a link in an email is the primary culprit. Inserting a "found" USB drive from the parking lot is another.
wfcrr (ASKER):
I emailed csirt@tesorion.nl for the decryptor.  Wonder how long it takes to get it?  Seems like they have to email a link, it isn't downloadable from their page.
wfcrr (ASKER):
Found some encrypted files on our file server.  Seems to have encrypted all files under the employee's user on her machine, but not other users on that machine...and, it started encrypting files on the "shared" drive on our server.  That started at 2:19 and stopped at 3:41. I assume it stopped at 3:41 because that was when she asked me to look at strangeness on her machine and we had rebooted it.

So, what should I do now?  I plan to keep her machine isolated.  What to do on the server?  For the moment I have moved all the encrypted files to an area where no other employees can get to them, and, I have all employees not logging on to the server.  I also scanned all other workstations and none have the _NEMTY virus. It was only the one employee machine.
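For the two practical questions in this thread, how to check what was hit on the shared drive and how to bound when the encryption ran, here is an added Python triage script. It is not from the thread or from any vendor's decryptor; it only reads files. It walks a directory tree (a mounted share or a copy of the quarantined files), inventories every file whose name ends in the _NEMTY_LVMHFKO_-DECRYPT suffix, strips the suffix to recover the original name and extension, and, for .docx/.xlsx/.pptx, checks whether the first bytes are still the zip container signature those formats always carry (an intact Office file starts with "PK\x03\x04"; a rewritten one does not, which is why Excel only shows a jumble). It then reports the earliest and latest modification time among the hits, the same kind of window as the 2:19 to 3:41 span described above. The suffix placement (appended after the full original name) is taken from the question; the sample files, their bytes and their timestamps are constructed for the demo and are not real victim data.

```python
"""Added triage example (not from the thread): inventory files carrying the
_NEMTY_LVMHFKO_-DECRYPT suffix, tell renamed-only files from rewritten ones,
and bound the time window of the rewriting from modification times.
Assumes, as the question states, that the suffix follows the full original
file name (e.g. "budget.xlsx_NEMTY_LVMHFKO_-DECRYPT").
"""
import os
import sys
import tempfile
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

SUFFIX = "_NEMTY_LVMHFKO_-DECRYPT"   # suffix reported on the affected files
ZIP_MAGIC = b"PK\x03\x04"            # .docx/.xlsx/.pptx are zip containers
OOXML_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


@dataclass
class Hit:
    path: str
    original_name: str        # file name with the suffix stripped
    extension: str            # extension of the original name, e.g. ".xlsx"
    mtime: float              # last-modified timestamp of the suffixed file
    contents_rewritten: bool  # True when the bytes no longer match the format


def contents_rewritten(path: str, extension: str) -> bool:
    """An intact OOXML document starts with the zip signature. If a suffixed
    .docx/.xlsx no longer does, its contents were rewritten, not just renamed.
    For other extensions the header alone cannot tell, so assume rewritten."""
    if extension.lower() not in OOXML_EXTENSIONS:
        return True
    with open(path, "rb") as fh:
        return fh.read(len(ZIP_MAGIC)) != ZIP_MAGIC


def find_suffixed(root: str, suffix: str = SUFFIX) -> List[Hit]:
    """Walk root and collect every file whose name ends with the suffix."""
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            original = name[: -len(suffix)]
            ext = os.path.splitext(original)[1]
            hits.append(Hit(path, original, ext, os.path.getmtime(path),
                            contents_rewritten(path, ext)))
    return hits


def encryption_window(hits: List[Hit]) -> Optional[Tuple[datetime, datetime]]:
    """Earliest and latest modification time among the hits; on a share this
    bounds when the process was writing."""
    if not hits:
        return None
    times = [h.mtime for h in hits]
    return datetime.fromtimestamp(min(times)), datetime.fromtimestamp(max(times))


def summarize(hits: List[Hit]) -> Dict[str, object]:
    """Count hits, how many were really rewritten, per-extension totals, window."""
    by_ext: Dict[str, int] = {}
    for h in hits:
        by_ext[h.extension.lower()] = by_ext.get(h.extension.lower(), 0) + 1
    return {
        "count": len(hits),
        "rewritten": sum(h.contents_rewritten for h in hits),
        "by_extension": by_ext,
        "window": encryption_window(hits),
    }


def make_sample_tree(root: str) -> None:
    """Constructed sample data for a stand-alone run (not real victim files):
    two suffixed files with non-zip bytes, one intact .docx, one .txt."""
    share = os.path.join(root, "shared")
    os.makedirs(share, exist_ok=True)
    samples = [
        ("budget.xlsx" + SUFFIX, b"\x8a\x11\xf3junk-not-a-zip", datetime(2019, 10, 1, 14, 19)),
        ("memo.docx" + SUFFIX, b"\x02\x9c\x41junk-not-a-zip", datetime(2019, 10, 1, 15, 41)),
        ("untouched.docx", ZIP_MAGIC + b"\x14\x00rest-of-zip", datetime(2019, 10, 1, 9, 0)),
        ("readme.txt", b"plain text", datetime(2019, 10, 1, 9, 5)),
    ]
    for name, data, when in samples:
        path = os.path.join(share, name)
        with open(path, "wb") as fh:
            fh.write(data)
        ts = when.timestamp()
        os.utime(path, (ts, ts))  # pin mtime so the window is reproducible


def demo() -> Dict[str, object]:
    """Build the constructed tree in a temp directory and summarize it."""
    root = tempfile.mkdtemp(prefix="nemty-triage-")
    make_sample_tree(root)
    return summarize(find_suffixed(root))


if __name__ == "__main__":
    # Usage: python triage.py <path-to-share>   (no argument: constructed sample)
    result = summarize(find_suffixed(sys.argv[1])) if len(sys.argv) > 1 else demo()
    print(result)
```

Run it against the quarantined area or a read-only mount of the share rather than from the affected workstation; the modification-time window it prints is worth comparing with the server's logon and file-access logs for the same span, since whichever account was writing during that window is the one whose workstation needs to stay isolated.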