How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?

January 17th, 2012 - 04:49 am ET by W
We have our Windows 2003 servers fairly locked down by NTFS, and when a user
browses the Internet they are logged in as an ordinary user with minimal
access to the file system. So imagine my horror to see that a virus was
able to change every single file and folder on the file system to be
read-only and hidden, apparently using the attributes for files that are
affected by the ATTRIB commandline command.

Is the ability to use ATTRIB controlled by NTFS permissions? Or is this
the Write Attributes permission in NTFS? Unfortunately we probably did
enable that because it was generating too many false positive audit
messages.

The command

attrib -h -r *.* /s /d

apparently does NOT affect all folders under the current folder. Is there
a command that can be used that would change every file and folder from the
current location and down all subtrees?

Is there any utility that would restore any critical system files and
folders to their original attributes?

W
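Added example, not part of W's post or of any tool named in this thread. Two facts bear on the questions above: setting or clearing the Hidden and ReadOnly bits needs only the "Write attributes" right (FILE_WRITE_ATTRIBUTES) on each object, which is part of the standard Write and Modify permissions and is therefore held by an ordinary user on anything that user can write to, and auditing that right is a separate setting from granting it; and a plain `attrib` walk keeps no record of what it changed, so there is nothing to undo from afterwards. The PowerShell script below (PowerShell 2.0 or later is assumed; the file name Unhide-Tree.ps1 is a placeholder) walks a tree with -Force, which is what makes Get-ChildItem list hidden objects and descend into hidden directories, clears H and R on everything that does not also carry the System attribute, and logs each object's original attributes to a CSV so the change can be reversed. Skipping System-flagged objects is an assumption: the OS's own hidden objects (desktop.ini, System Volume Information, pagefile.sys) are Hidden+System, while W reports the rogue set only H and R.

```powershell
# Unhide-Tree.ps1 (added example; the name is a placeholder)
#   .\Unhide-Tree.ps1 -Root D:\Shares                     dry run: report and log, change nothing
#   .\Unhide-Tree.ps1 -Root D:\Shares -Apply              clear Hidden+ReadOnly, log original attributes
#   .\Unhide-Tree.ps1 -Restore -LogPath .\unhide-log.csv  put every logged object back as it was
param(
    [string] $Root,
    [string] $LogPath = (Join-Path (Get-Location) 'unhide-log.csv'),
    [switch] $Apply,
    [switch] $Restore
)

$Strip = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly)
$Sys   = [int][IO.FileAttributes]::System

function Set-Attrs([string] $Path, [int] $Value) {
    # File.SetAttributes works for directories as well as files
    [IO.File]::SetAttributes($Path, [IO.FileAttributes] $Value)
}

if ($Restore) {
    # Re-apply the attributes recorded before the change, object by object
    foreach ($row in (Import-Csv -Path $LogPath)) {
        try { Set-Attrs $row.Path ([int] $row.Before) }
        catch { Write-Warning ("restore failed for {0}: {1}" -f $row.Path, $_.Exception.Message) }
    }
    return
}

if (-not $Root) { throw 'Give -Root <path> (or -Restore -LogPath <csv>)' }

# -Force makes Get-ChildItem list Hidden objects and recurse into Hidden directories;
# objects the current account cannot read are skipped silently (SilentlyContinue).
$changes = @()
foreach ($item in (Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)) {
    $before = [int] $item.Attributes
    if (($before -band $Sys) -ne 0) { continue }          # assumption: System-flagged objects are the OS's own
    $after = $before -band (-bnot $Strip)
    if ($after -eq $before) { continue }                  # nothing to clear
    if ($after -eq 0) { $after = [int][IO.FileAttributes]::Normal }   # a file with no bits left is "Normal"
    $changes += New-Object PSObject -Property @{
        Path   = $item.FullName
        Before = $before
        After  = $after
    }
    if ($Apply) {
        try { Set-Attrs $item.FullName $after }
        catch { Write-Warning ("could not change {0}: {1}" -f $item.FullName, $_.Exception.Message) }
    }
}

# Always write the log, even on a dry run, so the plan can be reviewed before -Apply
$changes | Select-Object Path, Before, After | Export-Csv -Path $LogPath -NoTypeInformation
$verb = 'would change (re-run with -Apply)'
if ($Apply) { $verb = 'changed' }
Write-Host ("{0} object(s) {1}; log written to {2}" -f $changes.Count, $verb, $LogPath)
```

Run it first without -Apply and read the CSV: anything listed there that should stay hidden (an application's own hidden working folder, for instance) can be removed from the log before the real run. The restore mode only puts back what this script itself changed; it does not know the original state of objects touched by other tools.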
Replies

#1 Char Jackson
January 17th, 2012 - 12:56 pm ET
On Tue, 17 Jan 2012 01:49:56 -0800, "W" wrote:

> We have our Windows 2003 servers fairly locked down by NTFS, and when a user
> browses the Internet they are logged in as an ordinary user with minimal
> access to the file system. So imagine my horror to see that a virus was
> able to change every single file and folder on the file system to be
> read-only and hidden, apparently using the attributes for files that are
> affected by the ATTRIB commandline command.
>
> Is there any utility that would restore any critical system files and
> folders to their original attributes?

It sounds like you might need a tool called unhide.exe.
<http://www.bleepingcomputer.com/for...9.html>
#2 Peter Foldes
January 17th, 2012 - 05:23 pm ET
Crossposted from microsoft.public.windows.server.general

"W" wrote in message news:
> [W's original post, quoted in full; see the top of the thread]

#3 David H. Lipman
January 17th, 2012 - 05:32 pm ET
From: "Peter Foldes"

| Crossposted from microsoft.public.windows.server.general
|
| "W" wrote in message news:
| > [W's original post, quoted in full; see the top of the thread]

A virus didn't hide files and folders, a System Fix trojan or other rogue
malware did.

If I understand this post, a user was ALLOWED to browse the Internet from
the POC of the Win2003 Server. If that was the case that was the mistake.
Nobody, users or administrators should be browsing on a server platform.
This is disrespecting the role of the server. A System Fix type trojan is
bad enough but that kind of behaviour (which should never be allowed on a
server) could have had more disastrous effects.

The first thing to do is find and eliminate the System Fix type trojan and
then use Lawrence Abrams' (aka; Grinler) Unhide utility.
http://download.bleepingcomputer.co...unhide.exe

The Server may have to be booted in Safe Mode such that the trojan isn't
loaded. Note also do NOT dump TEMP folders prior to running Unhide. Unhide
may also be executed in Safe Mode.


Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
#4 Dave Warren
January 17th, 2012 - 05:38 pm ET
In message someone claiming to be "David H. Lipman" <DLipman~nospam~@Verizon.Net> typed:

> If I understand this post, a user was ALLOWED to browse the Internet from
> the POC of the Win2003 Server. If that was the case that was the mistake.
> Nobody, users or administrators should be browsing on a server platform.
> This is disrespecting the role of the server.

It really depends on the role of this particular server. If it's a
terminal server, then this could be well within its designed usage
scope.
#5 David H. Lipman
January 17th, 2012 - 05:42 pm ET
From: "Dave Warren"

| In message someone claiming to be "David H. Lipman" <DLipman~nospam~@Verizon.Net> typed:
|
| > If I understand this post, a user was ALLOWED to browse the Internet from
| > the POC of the Win2003 Server. If that was the case that was the
| > mistake.
| > Nobody, users or administrators should be browsing on a server platform.
| > This is disrespecting the role of the server.
|
| It really depends on the role of this particular server. If it's a
| terminal server, then this could be well within its designed usage
| scope.

Browsing the Internet should not be within an accepted scope of the use of a
Terminal Server session.

Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp