Here's my company's unfortunate situation:
- 1 Windows Server 2003 machine with many folders shared to a group of 31 users; all the shared folders' files are untouched (Symantec AV).
- 30 Windows XP SP3 machines, "protected" only by MS Security Essentials; all the files in their shared folders are encrypted and renamed to "firstname.lastname@example.org".
  The contents of all "My Documents" folders on the PCs are OK; only the "common" shared folder that each PC has, with RW rights for the group of 31 users, is infected.
- 1 Windows XP machine with ALL files encrypted (so I suspect this is the guilty PC that started the infection on the network).
The only thing I've been able to do so far was log in as admin to all 100 PCs and un-share the 'common' folder (there are actually 100 PCs; 31 is the number of infected ones).
The virus remains.
The need for sharing files remains.
I'm really stuck and do not know how to begin the repair process and get them back to a working state.
- What is the exact name of the virus?
- Where does the virus hide?
- What antivirus should I use to clean the PCs?
- Does the .com suffix mean that when clicked the file will re-spread the virus, or is it just an email address that the ransomware team uses?
- Does removing the infected files or deleting the whole "common" folder solve the problem for the 30 PCs, or is the virus "hidden" somewhere in the OS, making it possible for it to re-trigger itself in the future?
- Will I have to format all 31 PCs?
I realize it's impossible to retrieve the infected files without paying (not an option).
Any help cleaning this mess will be really appreciated.
PS: sorry for my bad English; obviously it's not my native language.
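The un-sharing step the poster describes doing by hand on 100 machines, as an added example (not part of the original post or the poster's own work): a PowerShell script run from an administrator workstation that inventories which hosts still expose the "common" share, counts files whose names look like ransomware renames, and optionally removes the share. It is read-only unless `-Remove` is given. Assumptions not stated in the post: the host names are in `hosts.txt`, the share is named `common`, the renamed files contain an "@" (an e-mail address, as the post's example name suggests), and the workstation has administrative rights on the targets. It uses WMI's `Win32_Share` class, which the Windows XP and Server 2003 hosts in the post support, rather than the newer `Get-SmbShare` cmdlets, which they do not.

```powershell
# Added example, not from the original post. Inventory the 'common' share on
# each host, count suspicious file names, and optionally remove the share.
#
# Assumptions (hypothetical, not given in the post):
#   - hosts.txt lists one host name per line
#   - the share is called 'common'
#   - ransomware-renamed files contain an '@' (e-mail-address-style name)
#   - this runs from an admin workstation with rights on the target hosts
param(
    [string]$HostList      = '.\hosts.txt',
    [string]$ShareName     = 'common',
    [string]$RansomPattern = '*@*',   # assumption: renamed files contain an e-mail address
    [switch]$Remove                   # only un-share when explicitly asked
)

$results = foreach ($h in Get-Content $HostList | Where-Object { $_.Trim() -ne '' }) {
    $row = [ordered]@{ Host = $h; Shared = $false; RenamedFiles = 0; Error = '' }
    try {
        # Win32_Share over WMI works against XP / Server 2003 hosts.
        $share = Get-WmiObject -Class Win32_Share -ComputerName $h `
                               -Filter "Name='$ShareName'" -ErrorAction Stop
        if ($share) {
            $row.Shared = $true
            # Count file names matching the pattern through the share itself.
            # Only directory listings are read; nothing on the share is opened or run.
            $files = Get-ChildItem -Path "\\$h\$ShareName" -Recurse -Filter $RansomPattern `
                                   -ErrorAction SilentlyContinue |
                     Where-Object { -not $_.PSIsContainer }
            $row.RenamedFiles = @($files).Count
            if ($Remove) {
                # Win32_Share.Delete() removes the share definition; files stay on disk.
                $rc = $share.Delete().ReturnValue
                if ($rc -eq 0) { $row.Shared = $false } else { $row.Error = "Delete returned $rc" }
            }
        }
    } catch {
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

# Hosts with the most renamed files first; also keep a CSV for the incident record.
$results | Sort-Object RenamedFiles -Descending | Format-Table -AutoSize
$results | Export-Csv -Path '.\share-inventory.csv' -NoTypeInformation
```

Run it once without `-Remove` to get the per-host picture (which machines still share the folder, and which hold renamed files), keep the CSV as evidence, and only then re-run with `-Remove`. Removing a share stops files from being reached over the network; it does not remove whatever is doing the encrypting from the host that runs it, so the machine with all of its files encrypted should be taken off the network rather than merely un-shared.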