I powered on my computer this morning, and after stepping away for a few minutes, I noticed that my shared network folders had vanished. The shortcuts that appeared looked suspicious: C:\Windows\system32\cscript.exe "sef468we54rer\wwww.vbs" "SRI" w12x.
I managed to delete these shortcuts and the suspicious 'sef468we54rer' folder, but not long after, the folders went hidden again, and the shortcuts plus the folder reappeared. Just to clarify: the N: drive is my external HDD I use for images at my company branch; L: and M: are the actual server drives that run ERP apps for remote branches, while K: is my friend's PC I use for backups. Interestingly, when I moved the external HDD to K:, the folders stayed visible. However, L: and M: are still problematic after multiple attempts to unhide them. By the way, please excuse my English—it's not my first language!
1 Answer
It sounds like you might be dealing with some sort of malware. I'd recommend not double-clicking on any affected folders, as that could trigger the virus again. Instead, try browsing through the left panel to search for *.exe files, sort them by size, and delete any that seem suspicious and small. Also, consider using Autoruns from the Sysinternals suite to check all your startup items. From what you described, this seems like an old virus that spreads easily, especially via USB drives, so it's strange that your antivirus didn't catch it.
Where do you think it came from? Did a user do something suspicious, or does it just attack the server on its own? By the way, the server port 3389 is open.
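A read-only way to list what the question describes on one drive (shortcuts that launch cscript.exe, hidden folders, and the script files on the volume), as an added PowerShell example that is not from the original thread. The default drive letter N: comes from the question; the script-host and extension lists are assumptions.

```powershell
# Added example: read-only triage of one drive root. Nothing is deleted or changed.
param(
    [string]$Root = 'N:\'   # drive letter from the question; pass -Root 'L:\' etc. for others
)

# Assumption: script hosts and script extensions worth flagging.
$scriptHosts = 'cscript.exe', 'wscript.exe'
$scriptExts  = '.vbs', '.vbe', '.js', '.jse', '.wsf'
# Hidden by default on a healthy Windows volume, so not reported.
$expected    = 'System Volume Information', '$RECYCLE.BIN'

$shell = New-Object -ComObject WScript.Shell

# 1. Shortcuts in the root whose target is a script host.
$suspectLinks = Get-ChildItem -LiteralPath $Root -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.lnk' } |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            Shortcut  = $_.FullName
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
        }
    } |
    Where-Object { $scriptHosts -contains [IO.Path]::GetFileName($_.Target) }

# 2. Folders in the root that carry the Hidden attribute.
$hiddenDirs = Get-ChildItem -LiteralPath $Root -Force -Directory -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                   ($expected -notcontains $_.Name) }

# 3. Script files anywhere under the root, including hidden folders.
$scripts = Get-ChildItem -LiteralPath $Root -Force -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $scriptExts -contains $_.Extension }

'--- Shortcuts that launch a script host ---'
$suspectLinks | Format-List
'--- Hidden folders ---'
$hiddenDirs | Select-Object FullName, Attributes | Format-Table -AutoSize
'--- Script files ---'
$scripts | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```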