-1

So my clients got hit with the Skype malware/virus going around this week. I cleaned everyone up but one client was so bad that their machine actually changed the attributes for my shares on my file server.

I'm trying to make them unhidden, but right-clicking -> properties won't let me untick the 'hidden' box. I even made myself owner (as domain admin on the file server) but it still won't let me untick this box.

I tried using the attrib command on the server directly to unhide everything but I keep getting access denied on all the folders. The exact command I used was attrib *. -h /s /d

How can I get my shares unhidden? As well as all their subfolders? Very frustrating!

Thank you!

ItsPronounced
  • Probably not, actually, but drpcken should read that question too. – Falcon Momot May 25 '13 at 04:15
  • 1
    @FalconMomot The generally accepted answer for "What do I do after I discover a server is infected?" is *reinstall it* -- "cleaning up" is almost never successful (you can't be sure you removed all the malicious code, and even if you could the amount of time you'll spend trying to put everything back the way it was will almost certainly exceed the time to set it back up from a clean install) – voretaq7 May 25 '13 at 04:26
  • This I know well, but it's not clear that the fileserver is actually infected. He should check it over for this, but I don't know many IR people who will direct you to reimage everything in the environment when you find some infected workstations. Also, I'm curious as to the answer, if there is something up configuration-wise. – Falcon Momot May 25 '13 at 04:27
  • 2
    If your clients got infected by the same bit of malware then this isn't a case of one being hit *worse* than the others by the same malware. Computer viruses don't work like flu in humans with the same bug causing different levels of symptoms in victims. A computer is either running a piece of malicious code or it isn't. So either the machine you suspect got hit by another piece of malware too, or its user has higher access levels to the file share in question **or** something else is happening here. You need to figure out which one of those scenarios applies before doing anything else – Rob Moir May 25 '13 at 04:48

1 Answer

1

Attrib . -s -r -h /s /d

Basically, you have to clear the system, read-only and hidden attributes at the same time. Additionally, unhide.exe from BleepingComputer might help.

One note of caution: typically, the Skype virus behaves the same on all PCs. So, it might be a case of an additional, unknown network worm.

Giedrius
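
A PowerShell counterpart to the attrib command in the answer above, as an added example that is not part of the original answer: it clears the system, read-only and hidden bits together and separates items it could not enumerate or change, which points at permissions rather than attributes. The parameter names `$Root` and `-Apply` and the report-only default are assumptions of this example.

```powershell
# Added example (not from the original answer). Parameter names are assumptions.
param(
    [Parameter(Mandatory)] [string] $Root,   # local path behind the share
    [switch] $Apply                          # without -Apply, only report
)

# The bits the answer's attrib command clears together: -s -r -h.
$mask = [int][IO.FileAttributes]'Hidden, System, ReadOnly'

# -Force is needed, otherwise hidden and system items are not enumerated.
# Enumeration errors (typically ACL denials) are collected, not printed.
$items = @(Get-Item -LiteralPath $Root -Force)
$items += Get-ChildItem -LiteralPath $Root -Recurse -Force `
              -ErrorAction SilentlyContinue -ErrorVariable enumErrors

$results = foreach ($item in $items) {
    $before = [int]$item.Attributes
    if (($before -band $mask) -eq 0) { continue }      # nothing to clear

    $after = $before -band (-bnot $mask)
    # A file left with no bits set is represented as Normal.
    if ($after -eq 0) { $after = [int][IO.FileAttributes]::Normal }

    $status = 'WouldChange'
    if ($Apply) {
        try {
            $item.Attributes = [IO.FileAttributes]$after
            $status = 'Changed'
        } catch {
            # A failure here is usually a permissions problem, not an attribute one.
            $status = 'Failed: ' + $_.Exception.Message
        }
    }
    [pscustomobject]@{
        Path   = $item.FullName
        Before = [IO.FileAttributes]$before
        After  = [IO.FileAttributes]$after
        Status = $status
    }
}

$results | Format-Table -AutoSize -Wrap
foreach ($e in $enumErrors) { Write-Warning "Could not enumerate: $($e.TargetObject)" }
```

Run it first without `-Apply` to see which items carry the attributes and what they would become; the `Before` column is also a record of what was changed on the share.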