2 computers in my network got infected, that's bad. Luckily I've got backups, so the files are no problem.
The problem is deleting the infection from the computers. It seems that the infection is still present, because I see a folder with a random string in the %temp% folder after a reboot. This folder contains 2 files, an executable and a .JAR file.
Also, the message that my files are locked keeps returning (not every time, but most of the time).
What I've done:
- Deleted everything in %temp%, and every job in C:\Windows\Tasks
- Scan with Malwarebytes (it did find the file with the random name).
- ESET Online Scanner (it did find the file with the random name).
- System Repair (day before the infection and 5 days before the infection).
-> Reboot, it's back :/.
Is it really not going away?
After a few scans with Malwarebytes and ESET, the message that I should pay the guys isn't coming back anymore. But still, I see the files with the random name appearing in my %temp% folder. I can't delete these, because they are in use by AutoStarter.exe. When I close this process, I can delete the file. When I reboot, it's back.
So it's copying from somewhere else... :/ Is there a tool that can delete this infection forever, or is there a manual way?
Every time I scan with ESET Online, I find: Win32/Filecoder.DA (Trojan Horse).
I've tried almost everything that I can find on the internet.
Edited by Shattered_, 23 March 2015 - 09:14 AM.