Folders on our server2003-share are being “hidden”, replaced by .exe files

malware windows-server-2003

We have had the following problem on our Windows 2003 server for weeks now: every day the folders on our share are being made hidden and replaced by .exe files with the same names as the original folders. I can "un-hide" them and hide or remove the .exe "folders", but it keeps coming back within some hours. Windows is fully updated, we do a "thorough" virus scan (F-Prot) every night with no detections, and SpyBot S&D (recommended by F-Prot support tech) only detects 3 "Tracking cookies", which does not sound likely to hide folders.

We do have presence of "W32/Conficker" in the network, which is not a very nice one, so of course cleaning clients is a high priority, but I don't know which is the more likely – that it is hiding on the server or keeps coming from a client attaching to the share.

Any advice is most appreciated!

Best Answer

You have a worm infection on your network server and/or client PCs. This worm hides your original folders by changing their attributes. The first thing you need to do is scan your entire server, especially the shares. There have been reports that antivirus software doesn't pick up the infection. Out of my own experience I have found that Microsoft Security Essentials does a good job of cleaning the infection. Once cleaned, you will have to delete all the exe folders on your drives, and then change all the attributes of the drives to show the hidden folders. In a personal capacity this works best; on a company server I would suggest that you install a script to do the manual labour for you, as this can be a time-consuming project. The following script seems to do the trick; an edit needs to be done on the path and drive locations, though.

  1. Install and update your antivirus application. I used Symantec and it found w32.sillyfdc
    1. Delete all detected files. The .exe folders are now removed. What you need to do now is show the original folders
    2. Open File Manager
    3. Go to top menu, Tools > Folder Options. Select View tab
    4. Mark the “Show hidden files and folders.”
    5. Go to Start > Run, type cmd at the OPEN: box, and press OK. This will show the DOS command prompt
    6. Using My Computer, view the drive of hidden folders
    7. Go to Command Prompt and type this to unhide all folders and files: attrib e:*.* /d /s -h -r -s

Where “e” is the drive where the hidden folders reside.

That should do it.

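A sample of the script follows below.

```bat
rem Run from the root of each affected drive or share.
rem Replace autorun.inf with a locked directory of the same name.
attrib -s -h -r autorun.inf
del autorun.inf
md autorun.inf
attrib +s +h +r autorun.inf
rem Replace the RECYCLER folder with a locked empty file of the same name.
attrib -s -h -r RECYCLER
rd /s /q RECYCLER
copy /y NUL RECYCLER
attrib +s +h +r RECYCLER
rem cacls takes the file name first; echo Y answers its confirmation prompt.
echo Y| cacls autorun.inf /P everyone:N
echo Y| cacls RECYCLER /P everyone:N
```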
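An added example (not part of the original answer) that audits a share for the pattern described in the question, a hidden folder with a same-named .exe beside it, and lists each .exe with its creation time and owner, which helps answer whether the files are being written by a client account or on the server itself. `\\SERVER\Share` is a placeholder, and PowerShell 3.0 or later on an admin workstation is assumed.

```powershell
# Added example, not from the original answer. $Root is a placeholder path.
param(
    [string]$Root = '\\SERVER\Share',   # assumption: replace with your share
    [switch]$Unhide                     # also clear Hidden/System on matched folders
)

$mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

# -Force is required, otherwise hidden/system items are not enumerated at all.
$hiddenDirs = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) }

$findings = foreach ($dir in $hiddenDirs) {
    # The pattern from the question: "<folder>" hidden, "<folder>.exe" beside it.
    $decoyPath = $dir.FullName + '.exe'
    if (-not (Test-Path -LiteralPath $decoyPath -PathType Leaf)) { continue }

    $decoy = Get-Item -LiteralPath $decoyPath -Force
    New-Object PSObject -Property @{
        Folder       = $dir.FullName
        Decoy        = $decoy.FullName
        DecoyCreated = $decoy.CreationTime
        # Usually the account that wrote the file.
        DecoyOwner   = (Get-Acl -LiteralPath $decoyPath).Owner
    }

    if ($Unhide) {
        # Clear only Hidden and System; every other attribute is preserved.
        $dir.Attributes = [IO.FileAttributes]([int]$dir.Attributes -band (-bnot $mask))
    }
}

# Oldest first, so recurring re-infection times stand out.
$findings | Sort-Object DecoyCreated |
    Format-Table DecoyCreated, DecoyOwner, Decoy, Folder -AutoSize
```

The script never deletes or runs the .exe files; leave removal to the antivirus scan so the samples are quarantined rather than lost.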
