+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 18
Windows Thread, All files on a share become hidden - anyone seen this? in Technical; Last week, at 2 seperate times on the same day, 2 shares had all the folders set to hidden, and ...
  1. #1

    Join Date
    Jul 2006
    Location
    London
    Posts
    2,962
    Thank Post
    159
    Thanked 152 Times in 116 Posts
    Rep Power
    49

    All files on a share become hidden - anyone seen this?

    Last week, at 2 seperate times on the same day, 2 shares had all the folders set to hidden, and a shortcut to every single folder/file created. Had to restore from backup in the end.
    At first I thought it was something a staff member had done, as one of the shares was a public area which teachers can write to, but then it happened to another share that only I have access to.

    In the end no big deal as all the data was still there, but slightly worried that if it happens to say, a user share, no-one will be able to see their files until I fix it. Just seems really weird. No viruses detected. All the other shares on the affected server were/are fine

    Any ideas?

  2. #2
    JHLEHS's Avatar
    Join Date
    Sep 2012
    Posts
    152
    Thank Post
    15
    Thanked 11 Times in 10 Posts
    Rep Power
    5
    Hello SideWinder,

    This might well be a virus we have had the same thing to find out that symantec has found a trojan called the trojan.zbot. This done the same thing for us, it hides all folders on mapped drives and then creates shortcuts with a command to launch the shortcut.

    I had a look on the symantec website and got the following information? This was a big deal for us and I suggest you scan all server immediately, we have documented and screenshoted the problems that we have had and reported it to RM.

    Also look out for shortcuts to .exe and ive seen shortcuts for .doc and ppt!

    This happend the same week! I seriousily reccommend you to run a virus scan on all servers and we have been hit by this and it spread pretty quick.


    JHLEHS
    Last edited by JHLEHS; 16th November 2012 at 04:21 PM.

  3. Thanks to JHLEHS from:

    sidewinder (30th November 2012)

  4. #3
    JHLEHS's Avatar
    Join Date
    Sep 2012
    Posts
    152
    Thank Post
    15
    Thanked 11 Times in 10 Posts
    Rep Power
    5

  5. #4

    Join Date
    Jul 2006
    Location
    London
    Posts
    2,962
    Thank Post
    159
    Thanked 152 Times in 116 Posts
    Rep Power
    49
    Update on this, as nothing else went wrong, I forgot to check this thread, until it happened again this week.

    And upon checking the shortcuts, they were launching a command of some sort - so I knew then it was a virus.

    I've scanned the share with several tools and sure enough there were a few trojans there, but all cleaned up now. Just to be safe I've moved the share to a brand new VM

  6. #5
    JHLEHS's Avatar
    Join Date
    Sep 2012
    Posts
    152
    Thank Post
    15
    Thanked 11 Times in 10 Posts
    Rep Power
    5
    Yes, what I think happens is that the command launches the same shortcuts put puts it in a command box and then runs a command. The above symantec document explains that when this is clicked the trojon trys to report information back to there servers. This grew to affect all our servers, which AV do you use symantec endpoint?

    I would make sure all servers have the latest virus defintions installed and it might be worth sending an email to staff to not launch these shortcuts as that is how the problem for us replicated.

  7. #6

    Join Date
    Jul 2006
    Location
    London
    Posts
    2,962
    Thank Post
    159
    Thanked 152 Times in 116 Posts
    Rep Power
    49
    We use Sophos, will be setting a full scan over the weekend on all the other servers. Not had anything reported from clients yet. Then again I dont fully trust Sophos..

    Shortcuts are all gone now, and luckily it was on a hidden apps share so no-one could click the things (I may have once, probably on the server, which has now been cleaned)
    Dread to think what would have happened if it had affected the shared area...
    Last edited by sidewinder; 30th November 2012 at 12:00 PM.

  8. #7

    Join Date
    Feb 2010
    Location
    Bedfordshire
    Posts
    31
    Thank Post
    4
    Thanked 3 Times in 3 Posts
    Rep Power
    10
    We've had the same thing. If you look at the security settings on the shortcut it tells you which user created them. Usually the user who downloaded / opened the virus.

  9. #8
    JHLEHS's Avatar
    Join Date
    Sep 2012
    Posts
    152
    Thank Post
    15
    Thanked 11 Times in 10 Posts
    Rep Power
    5
    Yes indeed, report it to RM as they need to be made aware of it. It was nasty at our place. We had to reboot all our servers and scan them etc, it was a lovely weekend job... Not! When did you get it colacao82?

  10. #9

    Join Date
    Feb 2010
    Location
    Bedfordshire
    Posts
    31
    Thank Post
    4
    Thanked 3 Times in 3 Posts
    Rep Power
    10
    Well I think we had it in November originally. But have had a couple of cases since!

  11. #10

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,810
    Thank Post
    272
    Thanked 1,135 Times in 1,031 Posts
    Rep Power
    349
    Only thing that found this for me was kaspersky tds killer.

  12. Thanks to glennda from:

    colacao82 (14th February 2013)

  13. #11

    Join Date
    Feb 2010
    Location
    Bedfordshire
    Posts
    31
    Thank Post
    4
    Thanked 3 Times in 3 Posts
    Rep Power
    10
    We've got McAfee but it didn't seem to detect it! What's everyone else using?

  14. #12

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,810
    Thank Post
    272
    Thanked 1,135 Times in 1,031 Posts
    Rep Power
    349
    Quote Originally Posted by colacao82 View Post
    We've got McAfee but it didn't seem to detect it! What's everyone else using?
    Yup my client had this, i tried - Sophos command line scanner amongst other things along with a couple of others. All of which didn't detect until Kaspersky did.

  15. #13
    sister_annex's Avatar
    Join Date
    Jan 2009
    Location
    Wolverhampton
    Posts
    594
    Thank Post
    99
    Thanked 136 Times in 120 Posts
    Rep Power
    49
    My sister's USB Pen had this and the Symantec install didnt pick it up, plugged it into my win 7 virtual machine with MSE installed and it picked up the virus in seconds, sorted it out and all i had to do was run the attrib -h command on the drive to get the folder structure unhidden.

    annoyingly, she put her pen back into her laptop and the infection returned :/

  16. #14
    JHLEHS's Avatar
    Join Date
    Sep 2012
    Posts
    152
    Thank Post
    15
    Thanked 11 Times in 10 Posts
    Rep Power
    5
    Seems like it is a newish virus. We have symantec endpoint RM's adaption. McAfee always causes problems in my experience with end users. I really do not like McAfee as it really slows down computers. Symantec was able to detect it, the reason why we picked it up in the first place was because are definitions were not updated.

  17. #15

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,957
    Thank Post
    862
    Thanked 1,444 Times in 991 Posts
    Blog Entries
    47
    Rep Power
    617
    Microsoft System Center Endpoint Protection picks this up as Backdoor:Win32/Caphaw.D!lnk and successfully removes it of its own accord. We're seeing it on pensticks here, though the virus gets neutered as soon as it's plugged in to a machine.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Anyone seen this problem before? stripey projection
    By stevenwba in forum AV and Multimedia Related
    Replies: 15
    Last Post: 27th November 2010, 07:48 PM
  2. anyone seen this before?
    By neon in forum Windows
    Replies: 5
    Last Post: 26th November 2009, 07:29 PM
  3. Replies: 2
    Last Post: 5th March 2008, 01:05 PM
  4. Script to get all file on a url
    By Midget in forum Scripts
    Replies: 5
    Last Post: 23rd January 2007, 01:10 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •