Disinfecting multiple PCs at school infected with unknown malware

Clean install everything on 115 PCs; on the remaining 5 PCs you need to collect samples or run a scan via LiveCD and find out what type of virus it was. Yeah, follow @SHvFl's advice.
If you want to continue with trying to remove the malware, rather than reformatting, I recommend doing scans with Zemana AntiMalware and Malwarebytes, as they are both very good at finding infections.
Well, every PC is infected, so that sucks. And the worst thing is that some PCs are infected with Jigsaw, WannaCrypt0r and Petya. And the server too, which has every student's project files from AutoCAD (Mechanical and Inventor) and system images. I'm planning to create a new Linux file server for this kind of stuff, but it looks like I'm going to need some time to decrypt the files on the server. :( I might at some point (if I have time) create a snapshot of the system partition from one of the infected machines and collect some malware files from that.

Off-topic question:
Do you guys think that AutoCAD will run from Linux distro when the license file is shared on school server? (Talking about running Wine on Linux and getting license from another linux server)
 
> Off-topic question:
> Do you guys think that AutoCAD will run from Linux distro when the license file is shared on school server? (Talking about running Wine on Linux and getting license from another linux server)
AutoCAD is not supported on Linux. Also, Wine support for AutoCAD has not been that great since v2008. See here.
There are some free applications like AutoCAD (e.g. Draftsight, LibreCAD, Medusa, PyCAD), but they are not that great (in terms of compatibility and features), and there is also the issue of compatibility with newer versions of AutoCAD.
You could try running Windows inside a VM on Linux and installing AutoCAD on the guest OS.
PS: all I did was a Google search.
 
We have a lot of malware like this in our country, since USB flash drives are widely used here. ESET is really weak on USB infections; Kaspersky, Bitdefender and Norton are way better. Bitdefender knows this infection as Trojan.Symmi, I think. Bitdefender detects this threat at first sight, unlike ESET, and cuts the infection chain, but to get the hidden files back you have to run a cmd command. Kaspersky is way better at repairing the flash drive, and most of the time you do not need to run the cmd command. Norton behaves like Bitdefender.
Type the following command in a Command Prompt (where X is the USB drive letter) and press Enter:
    attrib -h -r -s /s /d X:\*.*
(For example, if your drive letter is D, the command is: attrib -h -r -s /s /d D:\*.*)
Then copy all data from the USB flash drive to your computer and format the USB drive.
 
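The attrib command above clears the attributes but tells you nothing about what it found. The following PowerShell script is an added example, not something posted in the thread: it does the same attribute reset as `attrib -h -r -s /s /d X:\*.*`, but first lists what was hidden and which files in the root of the stick (scripts, shortcuts, executables, autorun.inf) deserve a look before you copy your data off. It assumes an elevated PowerShell on a machine you trust (a freshly reinstalled PC or a rescue boot), with the stick plugged in but nothing on it opened; the `-ReportOnly` switch and the suspect-extension list are this example's own choices.

```powershell
<#
 Added example, not from the thread: a PowerShell equivalent of
     attrib -h -r -s /s /d X:\*.*
 that reports what it found before touching anything.
 Assumptions: run from an elevated PowerShell on a clean machine,
 with the stick inserted but nothing on it opened or executed.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter,

    # Report only; do not change any attributes.
    [switch]$ReportOnly
)

$root = "${DriveLetter}:\"
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $root is not present." }

# The three attribute bits the attrib command strips.
[int]$hideBits = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly

# 1. Inventory: every file or folder carrying Hidden, System or ReadOnly.
#    -Force is required, otherwise Get-ChildItem silently skips hidden items.
$flagged = @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ([int]$_.Attributes -band $hideBits) -ne 0 })
"Items with Hidden/System/ReadOnly set under ${root}: $($flagged.Count)"

# 2. Suspects in the root of the stick: script files, shortcuts, executables
#    and autorun.inf. These are things to inspect, not a verdict.
$suspectExt = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.bat', '.cmd', '.lnk', '.exe', '.scr')
$suspects = Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $suspectExt -contains $_.Extension.ToLower() -or $_.Name -ieq 'autorun.inf' }
$shell = New-Object -ComObject WScript.Shell
foreach ($s in $suspects) {
    "SUSPECT: $($s.FullName)  size=$($s.Length)  attrs=$($s.Attributes)"
    if ($s.Extension -ieq '.lnk') {
        # Shortcut worms point .lnk files at a script host with the real
        # script as the argument; show where this one leads.
        $lnk = $shell.CreateShortcut($s.FullName)
        "         -> $($lnk.TargetPath) $($lnk.Arguments)"
    }
}

# 3. Strip the attributes so the real folders reappear (what attrib does).
#    Files and directories are handled the same way.
if (-not $ReportOnly) {
    foreach ($item in $flagged) {
        [int]$new = [int]$item.Attributes -band (-bnot $hideBits)
        # A file with no attribute bits at all is expressed as Normal.
        if ($new -eq 0) { $new = [int][IO.FileAttributes]::Normal }
        try {
            $item.Attributes = [IO.FileAttributes]$new
        } catch {
            "Could not change attributes on $($item.FullName): $_"
        }
    }
    "Attributes cleared on $($flagged.Count) items. Copy your data off, then format the stick."
}
```

Run it as `.\Unhide-Usb.ps1 -DriveLetter D -ReportOnly` first and read the SUSPECT lines; the shortcut targets usually tell you which script the worm was launching. Only then run it without `-ReportOnly`, copy the documents off, and format the drive, as the post says.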
Depending on your school's financial situation, I would switch to another endpoint solution after this chaos. Preferably one from Kaspersky, Bitdefender or Symantec.
I'm going to set up one GNU/Linux file server and will see what I can do with the other PCs. Maybe install Windows 7/10 or some GNU/Linux distro and switch to open source. We'll see. School starts on 2nd September, so I'm going to update this thread if something changes.
 
Since you got script worms, try temporarily blocking wscript.exe and cscript.exe.
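One way to get the effect the post above asks for, as an added example that is not from the thread: Windows Script Host has a documented kill switch, the `Enabled` value under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings`; set to 0, wscript.exe and cscript.exe refuse to run any script for every user on the machine. The script sets it, proves it worked by trying to run a harmless probe script, and takes it back out with `-Undo` once the cleanup is done. It assumes an administrator prompt; the probe file name and `-Undo` switch are this example's own.

```powershell
<#
 Added example, not from the thread: disable Windows Script Host machine-wide
 with the documented kill switch
     HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled = 0
 Assumption: run as an administrator. HKLM is used on purpose, because a
 worm running as an ordinary user cannot change it back.
#>
param([switch]$Undo)

$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

if ($Undo) {
    Remove-ItemProperty -Path $wshKey -Name 'Enabled' -ErrorAction SilentlyContinue
    "WSH re-enabled."
} else {
    if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
    New-ItemProperty -Path $wshKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    "WSH disabled for all users."
}

# Verify by actually running a harmless probe script through cscript.exe.
# If the switch works, the probe never prints its marker.
$probe = Join-Path $env:TEMP 'wsh-probe.vbs'
Set-Content -Path $probe -Value 'WScript.Echo "WSH-RAN"' -Encoding ASCII
$out = & cscript.exe //nologo $probe 2>&1 | Out-String
Remove-Item $probe -ErrorAction SilentlyContinue

if ($out -match 'WSH-RAN') {
    "cscript still runs scripts."
    if (-not $Undo) { Write-Warning "Kill switch did not take effect; check the registry value." }
} else {
    "cscript refused to run the probe: $($out.Trim())"
    if ($Undo) { Write-Warning "Scripts are still blocked; a per-user Enabled value or a policy may also be set." }
}
```

Caveat: this only disables the two script hosts; it does not touch powershell.exe, mshta.exe or batch files, and it is a stop-gap for the cleanup, not a replacement for reinstalling. Keep the probe check: a policy setting or a per-user value under HKCU can also affect WSH, and the probe tells you what the machine actually does rather than what the registry says.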


> If you want to continue with trying to remove the malware, rather than reformatting, I recommend doing scans with Zemana AntiMalware and Malwarebytes, as they are both very good at finding infections.

Really? For VBS?

Try an updated Avast! and do a boot scan.
 
> I´m going to make one GNU/Linux file server and will see what can I doo with other PCs. Maybe install Windows 7/10 or any GNU/Linux distro and switch to open-source. Will see. School starts 2nd September, so I´m gonna update this thread if something changes.
Setting them up with deep-freeze software that forces a restore to a clean state on every reboot might also be a good solution (Shadow Defender, Deep Freeze, Rollback RX).
 
I'm both a student and a technician ;) And yup, I'm allowed to clean them, basically to do whatever I want to.

I don't mean to be arrogant, but my side job is a malware removal service. I feel that I can remove all of this (except the ransomware, which needs a decryptor), absolutely free for your school.

Maybe we can get in contact by phone or something else?
 
First, what are you protecting the gateway with? It is absolutely, 100% crucial that you have a high-quality UTM/NGFW on the gateway. Not only will this prevent many/most infections, it will prevent re-infections and outbound dropper grabs. I'm not talking pfSense or Untangle, I mean a real gateway: Fortinet, ZyXEL USG, whatever. If you put a Fortinet on the gateway immediately with all of the botnet, malware and web filtering enabled, it would stop the outbound communication immediately. Grab a FortiGate 60E with the UTM bundle from Amazon for $300. (That's my advice.)

Also, this sounds a bit like a fileless malware I ran into a few weeks ago. Try Trend Micro HouseCall; it catches strange stuff. HitmanPro also finds some crazy stuff. Also don't neglect SUPERAntiSpyware; I've had that actually pick up and remove a couple of really odd programs. But do run Adlice RogueKiller and see what is happening; often you'll find malware re-loading tasks.