Windows Thread, All files on a share become hidden - anyone seen this? in Technical; Last week, at 2 seperate times on the same day, 2 shares had all the folders set to hidden, and ...
5th November 2012, 11:30 AM #1
All files on a share become hidden - anyone seen this?
Last week, at 2 seperate times on the same day, 2 shares had all the folders set to hidden, and a shortcut to every single folder/file created. Had to restore from backup in the end.
At first I thought it was something a staff member had done, as one of the shares was a public area which teachers can write to, but then it happened to another share that only I have access to.
In the end no big deal as all the data was still there, but slightly worried that if it happens to say, a user share, no-one will be able to see their files until I fix it. Just seems really weird. No viruses detected. All the other shares on the affected server were/are fine
IDG Tech News
16th November 2012, 05:14 PM #2
This might well be a virus we have had the same thing to find out that symantec has found a trojan called the trojan.zbot. This done the same thing for us, it hides all folders on mapped drives and then creates shortcuts with a command to launch the shortcut.
I had a look on the symantec website and got the following information? This was a big deal for us and I suggest you scan all server immediately, we have documented and screenshoted the problems that we have had and reported it to RM.
Also look out for shortcuts to .exe and ive seen shortcuts for .doc and ppt!
This happend the same week! I seriousily reccommend you to run a virus scan on all servers and we have been hit by this and it spread pretty quick.
Last edited by JHLEHS; 16th November 2012 at 05:21 PM.
Thanks to JHLEHS from:
sidewinder (30th November 2012)
16th November 2012, 05:17 PM #3
30th November 2012, 10:23 AM #4
Update on this, as nothing else went wrong, I forgot to check this thread, until it happened again this week.
And upon checking the shortcuts, they were launching a command of some sort - so I knew then it was a virus.
I've scanned the share with several tools and sure enough there were a few trojans there, but all cleaned up now. Just to be safe I've moved the share to a brand new VM
30th November 2012, 10:26 AM #5
Yes, what I think happens is that the command launches the same shortcuts put puts it in a command box and then runs a command. The above symantec document explains that when this is clicked the trojon trys to report information back to there servers. This grew to affect all our servers, which AV do you use symantec endpoint?
I would make sure all servers have the latest virus defintions installed and it might be worth sending an email to staff to not launch these shortcuts as that is how the problem for us replicated.
30th November 2012, 12:58 PM #6
We use Sophos, will be setting a full scan over the weekend on all the other servers. Not had anything reported from clients yet. Then again I dont fully trust Sophos..
Shortcuts are all gone now, and luckily it was on a hidden apps share so no-one could click the things (I may have once, probably on the server, which has now been cleaned)
Dread to think what would have happened if it had affected the shared area...
Last edited by sidewinder; 30th November 2012 at 01:00 PM.
14th February 2013, 05:02 PM #7
- Rep Power
We've had the same thing. If you look at the security settings on the shortcut it tells you which user created them. Usually the user who downloaded / opened the virus.
14th February 2013, 05:05 PM #8
Yes indeed, report it to RM as they need to be made aware of it. It was nasty at our place. We had to reboot all our servers and scan them etc, it was a lovely weekend job... Not! When did you get it colacao82?
14th February 2013, 07:31 PM #9
- Rep Power
Well I think we had it in November originally. But have had a couple of cases since!
14th February 2013, 07:57 PM #10
Only thing that found this for me was kaspersky tds killer.
Thanks to glennda from:
colacao82 (14th February 2013)
14th February 2013, 08:28 PM #11
- Rep Power
We've got McAfee but it didn't seem to detect it! What's everyone else using?
14th February 2013, 09:32 PM #12
Yup my client had this, i tried - Sophos command line scanner amongst other things along with a couple of others. All of which didn't detect until Kaspersky did.
Originally Posted by colacao82
14th February 2013, 09:58 PM #13
My sister's USB Pen had this and the Symantec install didnt pick it up, plugged it into my win 7 virtual machine with MSE installed and it picked up the virus in seconds, sorted it out and all i had to do was run the attrib -h command on the drive to get the folder structure unhidden.
annoyingly, she put her pen back into her laptop and the infection returned :/
15th February 2013, 01:57 PM #14
Seems like it is a newish virus. We have symantec endpoint RM's adaption. McAfee always causes problems in my experience with end users. I really do not like McAfee as it really slows down computers. Symantec was able to detect it, the reason why we picked it up in the first place was because are definitions were not updated.
15th February 2013, 02:08 PM #15
Microsoft System Center Endpoint Protection picks this up as Backdoor:Win32/Caphaw.D!lnk and successfully removes it of its own accord. We're seeing it on pensticks here, though the virus gets neutered as soon as it's plugged in to a machine.
By stevenwba in forum AV and Multimedia Related
Last Post: 27th November 2010, 08:48 PM
Last Post: 26th November 2009, 08:29 PM
By mattx in forum General Chat
Last Post: 5th March 2008, 02:05 PM
By Midget in forum Scripts
Last Post: 23rd January 2007, 02:10 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)