
Strange issue with DOC and XLS files becoming hidden.

We have a strange issue and it looks like a virus/trojan, but we cannot find anything about it.

The following is happening and is still becoming a bigger issue.

On a network drive, DOC and XLS files become hidden and a shortcut is placed (thumbs.db2) with the same name as the original files. The files cannot be opened anymore.

We use ePO 4.5 and the clients are Win XP SP3 with Office 2002 and McAfee Antiviruscan 8.7, all with the latest version of the DAT, etc.

Is there anyone who has experienced the same problems or is familiar with this kind of issue?

Thx.

E.

117 Replies
Reliable Contributor Peacekeeper
Message 2 of 118

Re: Strange issue with doc en XLS files become hidden.

Moved this to business area

also try

McAfee Communities: Anti-Spyware, Malware & Hijacker Tools

Message was edited by: Peacekeeper on 15/08/12 7:29:31 PM

Message was edited by: Peacekeeper on 15/08/12 7:30:08 PM
ikonamark
Level 7
Message 3 of 118

Re: Strange issue with doc en XLS files become hidden.

Hi,

A client of mine has had the same thing happen for the last two days, only on a network drive; local files are unaffected. If you get any clues/solutions, can you please post them here? I will do likewise.

TIA

Mark

Message was edited by: ikonamark on 15/08/12 05:31:37 CDT
mjmurra
Level 12
Message 4 of 118

Re: Strange issue with doc en XLS files become hidden.

That looks very suss. I suggest running GetSusp on an affected machine:

http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx

Perhaps it's something like: http://blogs.mcafee.com/mcafee-labs/w32xdoccrypt-a-infects-executable-and-doc-files

Message was edited by: mjmurra on 15/08/12 8:48:12 PM

Re: Strange issue with doc en XLS files become hidden.

We have now called Medisoft (Dutch McAfee support). They gave us the tip for GetSusp.

They have no other callers about this issue. So please, if you come from the Netherlands and have the same problems, call them.

Reliable Contributor Peacekeeper
Message 6 of 118

Re: Strange issue with doc en XLS files become hidden.

I also gave GetSusp; it is in the link I gave you. Also run Stinger; it is updated daily (a full reinstall is required as it does not update itself, but it is worth a look).

When you run GetSusp, add your email addy to the preferences so McAfee can contact you.

I had thought of that recent malware mjmurra posted but deleted the suggestion as you said the files were hidden. Can they be seen, and if so, is the file type shown as screen saver type?

Message was edited by: Peacekeeper on 15/08/12 10:37:23 PM

Re: Strange issue with doc en XLS files become hidden.

We ran GetSusp and are waiting for further info from McAfee.

We also ran Stinger and other scanners, but they did not show any signs of a virus/trojan.

The current situation is as follows:

The original .doc or .xls files have become hidden.

A new shortcut is placed in the same directory with the same name as the original doc or xls files (example xxxxx.doc.lnk).

The properties of this shortcut refer to a thumbs.db2 file. In the location of the thumbs.db2 file, 2 other files are also being placed: $RECmCLE.BIN and desktop.iqi (not recycle.bin or desktop.ini).

Our users have no right to Start > Run and cannot see hidden files.

But the original hidden Office file can still be opened by an administrator, for example.

As a workaround we have now unhidden all the files (via the attrib command) and deleted all the lnk files.

Do you have any suggestions?

Reliable Contributor Peacekeeper
Message 8 of 118

Re: Strange issue with doc en XLS files become hidden.

As this is a business version of McAfee, should not your support look into this? I thought that was what grant numbers allowed. OK, community mod idea here; I am not a business user, so I am guessing. Did GetSusp find any suspicious files?

Reliable Contributor exbrit
Message 9 of 118

Re: Strange issue with doc en XLS files become hidden.

Just a thought: in your first post you mention Office 2002. I assume you mean Office 2003, but even that may no longer be supported unless it has all its updates, so you should be looking into the possibility that parts of your setup are simply not functioning because of that.

As Peacekeeper states, I would have thought you could be seeking support through your grant number on this issue.

That said many fake antimalware pests block access to personal files, but I've never heard of one blocking just one specific extension and in any case the malware would be asking you to pay to unhide them, and if that isn't happening then that scenario is unlikely.

Message was edited by: Ex_Brit on 15/08/12 5:04:47 EDT PM
mjmurra
Level 12
Message 10 of 118

Re: Strange issue with doc en XLS files become hidden.

mcafee-user wrote:

The original .doc or .xls files have become hidden.

A new shortcut is placed in the same directory with the same name as the original doc or xls files (example xxxxx.doc.lnk).

The properties of this shortcut refer to a thumbs.db2 file. In the location of the thumbs.db2 file, 2 other files are also being placed: $RECmCLE.BIN and desktop.iqi (not recycle.bin or desktop.ini).

I assume you've collected all of these files and submitted them to McAfee?

To me, this is looking like virus type behaviour.

Have you checked the owner of the files being written? Perhaps you can then track how the files are being written to the server.

McAfee support should be giving you all of these suggestions.
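
An added triage example, not part of any post in this thread and not a McAfee tool: a Python sketch that inventories a share for the pattern reported above (a `.doc.lnk`/`.xls.lnk` shortcut beside the same-named original, plus `thumbs.db2`, `$RECmCLE.BIN` and `desktop.iqi`), so the affected files can be listed and collected before cleanup. The function names and the tree built in `demo()` are constructed for illustration; the hidden-attribute check only returns a value on Windows.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names reported in the thread (compared case-insensitively).
DROPPED_NAMES = {"thumbs.db2", "$recmcle.bin", "desktop.iqi"}
OFFICE_EXTS = {".doc", ".xls"}


def is_hidden(path):
    """Windows hidden attribute; None where the OS does not expose it."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    return None if attrs is None else bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_share(root):
    """Return (pairs, dropped): shortcut/original pairs and dropped marker files."""
    pairs, dropped = [], []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower(): f for f in files}
        for name in files:
            full, lower = Path(dirpath) / name, name.lower()
            if lower in DROPPED_NAMES:
                dropped.append(str(full))
            # Pattern from the thread: xxxxx.doc.lnk next to xxxxx.doc
            stem = lower[:-4]
            if lower.endswith(".lnk") and Path(stem).suffix in OFFICE_EXTS and stem in present:
                original = Path(dirpath) / present[stem]
                pairs.append({
                    "shortcut": str(full),
                    "original": str(original),
                    "original_hidden": is_hidden(original),
                    "shortcut_mtime": full.stat().st_mtime,  # for a timeline
                })
    return pairs, dropped


def demo():
    """Run the scan over a constructed sample tree (not data from the thread)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("report.doc", "report.doc.lnk", "budget.xls", "notes.txt.lnk",
                     "thumbs.db2", "$RECmCLE.BIN", "desktop.iqi"):
            (Path(tmp) / name).write_bytes(b"")
        pairs, dropped = scan_share(tmp)
        return (sorted(Path(p["shortcut"]).name for p in pairs),
                sorted(Path(d).name for d in dropped))


if __name__ == "__main__":
    print(demo())
```

On a live share, call `scan_share()` with the share path from an account that can see hidden files, and keep the shortcut timestamps alongside the samples submitted to the vendor.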
