+ Post New Thread
Page 2 of 2 FirstFirst 12
Results 16 to 18 of 18
Windows Thread, All files on a share become hidden - anyone seen this? in Technical; We have been struggling with this on and off for the last week or so. The first time it was ...
  1. #16

    Join Date
    Oct 2011
    Thank Post
    Thanked 0 Times in 0 Posts
    Rep Power
    We have been struggling with this on and off for the last week or so. The first time it was noticed on a relatively open network share, so we just assumed that a user had inadvertantly made the changes. After the second time we set about investigating it, and quickly found the files that the shortcuts were opening along with the "legitimate" target.

    I think a good starting point is to do a full scan of whatever directory is storing the suspect infected files (not the shorcuts, but the "bonus" files these shortcuts are pointing to). They are usually marked as hidden and system files, so you will need to "show hidden" and "not hide system files" to see them. For us, there were half a dozen suspect files in these directories, all created at the same time. If scans of these folders come up clean (ours initially did), submit samples to your AV provider. For any Sophos users, thats here - www.sophos.com/support/samples. For us, this got the files in question classified and within 30 minutes we had IDE updates that could detect and remove it.

    In addition to updating and scanning both servers and end devices, we started running a handy tool from Sophos called Sophos Source of Infection Tool, which gives names, timestamps and IP addresses of files being writted to specified directories. Running this on network fileshares helped us identify and clear infected hosts.
    Last edited by mistersparky; 16th February 2013 at 11:28 PM.

  2. #17

    Join Date
    Jul 2007
    Thank Post
    Thanked 19 Times in 16 Posts
    Rep Power
    We have had this virus. It is spread by memory sticks. First, you need to break the cycle of infection by disabling memory sticks otherwise it just keeps reinfecting every time someone plugs one in. The virus copies two files to the root of a share, if I remember correctly one was an autorun file and other had a random name with exe extension but looked like an msdos logo. You need to delete these from the drives, and depending on how you have set permissions up, it could be everywhere. You may see them pop straight back in there, this is the reinfection and you can look at the file properties to identify who created it and deal with those computers separately. To make your files visible again you need to open a cmd prompt to the folder which is hidden and enter the following command:

    attrib -h -r -s i:\*.* /s /d

    This is taken from this website but there is also a tool to help with this mentioned on the site. I didn't use that. You will need to change the drive letter and path of the command. It was a bit of experimenting but I got there in the end.


    I hope this helps.


  3. #18
    clarky2k3's Avatar
    Join Date
    Nov 2007
    Thank Post
    Thanked 47 Times in 39 Posts
    Rep Power
    Those affected might want to look in the netlogon share as we found that it affected there aswell as one of our other shares!

+ Post New Thread
Page 2 of 2 FirstFirst 12

Similar Threads

  1. Anyone seen this problem before? stripey projection
    By stevenwba in forum AV and Multimedia Related
    Replies: 15
    Last Post: 27th November 2010, 08:48 PM
  2. anyone seen this before?
    By neon in forum Windows
    Replies: 5
    Last Post: 26th November 2009, 08:29 PM
  3. Replies: 2
    Last Post: 5th March 2008, 02:05 PM
  4. Script to get all file on a url
    By Midget in forum Scripts
    Replies: 5
    Last Post: 23rd January 2007, 02:10 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts