About Capt.Nemo
  1. My experience with this was all very odd... File extensions were not changed and I never saw the actual ransom request as typically associated with Filecoder/Cryptolocker, et al. It seems as if the trojan/virus/infection never fully completed and somehow got stopped before being fully executed. I ran a couple A/V scans from multiple tools, cleaned everything I could find, and restored from backups rather than pay the ransom. Have had no further issues... There is no doubt it came from a user clicking a .zip attachment in a FedEx, UPS or DHL spoof. As "mattspchelp" stated above, it may be a good idea to implement some kind of security via group policy (or other methods) instead of relying on antivirus to stop this.
  2. Thank you for the quick reply, Marcos. I don't see that file extensions have been added/changed. I am sending you some of the corrupted files via personal message right now. I know the chance for recovery is slim. I just want to find the problem and make sure I don't corrupt backups when I try to restore...
  3. It appears that my server (Windows Server 2003 R2) with Eset NOD32 4.x Antivirus installed was compromised last night. Starting at 7:53pm, most .PDF and .XLS(X) files were modified and are now corrupted and cannot be opened. Corrupted files opened in Notepad yield a file full of square blocks... I have backups, so that isn't a problem. However, I would like to know what happened and how I got attacked. Any tips on how to track down the source? One of my workstations quarantined a couple files yesterday and today. It quarantined "Spy.Zbot.AAU" trojan, "Filecoder.BQ" trojan, and "Kryptik.BLTM" trojan. The first one was quarantined 5 hrs. before server files were modified and the next two were 9 hrs. after they were modified. I realize NOD32 is an older version. I have Endpoint Antivirus on all my workstations.