mamelas

Expiro Virus

Hi Experts,

I have a network of 20 PC clients. Half of them are using McAfee VirusScan Enterprise v8.5 (I know that it is an old version) with the latest updates, and the other half have the free Microsoft Security Essentials installed.

The above computers have access to a mapped network drive (f:) and on it there are some network applications.

The main problem is that Microsoft Security Essentials, after running a Full Scan or after accessing the mapped drive f:, is indicating that there are viruses…
- Win32/Expiro.S
- Win32/Expiro.gen!F
…on some .EXE files. If you select Remove, it removes the executable files, causing some applications to be unable to start.

I have found on the net that Expiro is a malware so I used Malwarebytes [Admin Edit]
Then I suspected three users and I ran Malwarebytes and SuperAntiSpyware on their computers in order to locate the Expiro virus locally.
The above programs found only backdoors, Trojan cookies and Trojan Downloaders/Agents/FakeMS, but not the Expiro virus.

For two users a pop-up window named “Windows File Protection” appeared, asking whether to keep these unrecognized file versions or to insert the Windows XP CD.

Using Malwarebytes again, I ran a full scan on the server’s hard drive (f:) which is mapped on the clients’ computers.
Once again it didn’t find any Expiro virus, but one Trojan and one I can’t recall (one in the registry and one in the recycle folder of a user), and disinfected them.

After that I removed Microsoft Security Essentials from one client and installed the trial version of Kaspersky Pure. I performed a full scan of that computer locally and it didn’t find any threats.
Running a full scan from the same computer on the mapped drive with Kaspersky Pure, Kaspersky found 123 virus.win32.expiro.w threats.

Q1: I don’t know where this malware/virus came from and I don’t know where it lives (on a client, on the server, or both) in order to eliminate it once and for all.

Q2: I am also wondering what the message of Windows File Protection was.

What I know for sure is that all infected files are .EXE files.

Any ideas will be much appreciated!

Regards,
Mamelas
younghv

I think you need to use a more structured approach for both identifying and removing this malware.

Take a look at these two EE Articles, download the tools you need and run them in the order described:

https://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
https://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
SOLUTION
Melannk24

ASKER

Dear Experts,
Malwarebytes was unable to find the Expiro virus, so it was not useful for this type of virus.

What I have done:
I have removed from every client the antivirus and I used the Kaspersky Internet Security to make the clean-up.

Some of the client computers were infected with the Expiro.w virus.
Kaspersky cleaned half of them, but there were computers with an infected explorer.exe and I had to re-install them.

Computers with the Expiro.w virus had mapped drives, and users were accessing network applications using the shortcut on their desktops.
I suppose that the Expiro.w virus infected the executable files of one computer, and then, when the user accessed his network application, the mapped drive where the application lives was infected too. After that, all of the computers that were accessing this mapped drive/network application were infected “locally” too.

As I said, Kaspersky Internet Security is now indicating that all computers are cleaned.

I have also made a full scan, from a client’s computer using Kaspersky, of all network drives, and now they are cleaned too.

The only thing that I didn’t do is a full scan of all physical drives of the 2 file servers.
Parts of them are now cleaned (the mapped drives), but I don’t know if the virus has spread to the servers’ executable files.

I don’t have any commercial backup solution and I don’t know if it is safe to make a full scan directly on the servers (…uninstalling first the old McAfee 8.5i and installing Kaspersky for Servers).

Q1: Do you suggest that I enable sharing and scan them from a client’s computer (as I did with the mapped drives)?
- Am I safe without making a full scan of the servers?
- Do you suggest something else?

Q2: In order to replace my obsolete virus protection, do you suggest Kaspersky or Sophos Endpoint Protection, and which version?

Thanks in Advance!
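The spread pattern mamelas describes above (a file infector altering .EXE files on a shared mapped drive, which every client then executes) is easiest to catch by keeping a hash baseline of the executables on the share and diffing it after each scan. This is an added example, not code from the thread or from any of the scanners mentioned; the share layout, file names and byte contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

EXEC_EXTENSIONS = {".exe", ".dll", ".scr"}  # what a file infector targets on a share (demo assumption)

def sha256_of(path):
    # Stream the file so large binaries need not fit in memory
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def baseline(root):
    """Map share-relative path -> (sha256, size) for every executable under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = (sha256_of(full), os.path.getsize(full))
    return result

def diff_baseline(before, after):
    """Executables whose hash or size changed, plus ones that appeared or disappeared."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }

def demo():
    """Constructed sample share: take a baseline, alter one binary, add one, re-diff."""
    with tempfile.TemporaryDirectory() as share:
        app = os.path.join(share, "app")
        os.makedirs(app)
        files = {"app.exe": b"MZ-clean-1", "helper.dll": b"MZ-clean-2", "readme.txt": b"not code"}
        for name, data in files.items():
            with open(os.path.join(app, name), "wb") as fh:
                fh.write(data)
        before = baseline(share)
        # Stand-in for the thread's scenario: one .EXE on the share is altered and an
        # unknown binary appears; the .txt file is outside the scan's scope.
        with open(os.path.join(app, "app.exe"), "ab") as fh:
            fh.write(b"-extra")
        with open(os.path.join(app, "dropped.exe"), "wb") as fh:
            fh.write(b"MZ-unknown")
        return diff_baseline(before, baseline(share))
```

Take the baseline from a known-clean state (right after the Kaspersky clean-up), store it off the share, and re-run the diff before trusting the share again; any entry under "modified" is an executable that changed without a deployment.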
The variant you have will be removed by proper use of a "rogue process" stopper and an updated version of Malwarebytes.

If you will try the actual steps I've outlined in my Articles - then post the resultant logs - I will continue to try to help you.

If you are willing to do that, let me know.

ASKER

Dear younghv,

Noted with thanks.
I will follow your instructions and I will revert.


ASKER

Dear younghv,

I am attaching the export reports of the two file servers produced by RogueKiller, selecting “1. scan” from the menu.
In FileServer2.txt there is an entry: NameServer (10.1.1.1,208.67.222.222)
What is this public address?

Should I continue with Malwarebytes?

FileServer1.txt

FileServer2.txt
Yes, the second step is to scan with a fully updated Malwarebytes.
Did you download MBAM to a clean computer and 'rename' the executable file before saving it to that computer?

ASKER

Yes, I have downloaded the free version, I have renamed the executable file to temp.exe, I have updated the malware database and now Malwarebytes is running a Full Scan.

It has already found 2 Infected objects...I will revert when it is finished.

ASKER

Dear younghv,

I am attaching the complete Malwarebytes scan report for the 2 file servers.

The first server took more than 5 hours to complete and I don’t have the time to repeat the Full Scan for both servers after the reboot is finished.

Finally, I will use CCleaner to clean the temp folders.

As I posted when opening the question, I used Malwarebytes to scan the mapped drives of the servers (it found only 2 viruses, but not Expiro). Scanning the mapped drives later on with Kaspersky found the Expiro virus.

Now the attached logs are indicating that there is no Expiro virus.

My question is... am I free of malware and Expiro now?
(Because in my case the Expiro virus, living on the mapped drives, was identified and cleaned by Kaspersky.)

MB-Server1.txt

MB-Server2.txt

ASKER

Dear younghv,

After rebooting the server, I was unable to run the MS Exchange POP3 service.
I rebooted the server again and now under Services there are only:
- Microsoft Exchange Event
- Microsoft Exchange Management
- Microsoft Exchange Routing Engine
PLS Help!

I am also attaching some of the Warning and Error messages from the Application log of the Event Viewer! EventViewer.txt
SOLUTION

ASKER

Dear Melannk24,

My mail server is now disconnected; should I restore these "infected dlls"?

What do you suggest in order to temporarily recover the connection of my mail server?

ASKER

Please note that I have opened the question below in order to solve the Exchange Server connection error:

https://www.experts-exchange.com/questions/26973878/Error-Connecting-to-Exchange-Server-after-eliminating-Malwares.html
Those files are NOT associated with Exchange; restoring the infected .dlls won't help the issue. I'm guessing, because the original malware is one that is noted to overwrite .exes with its own code, that the Exchange issues you are experiencing are related to corrupt files.

You've had a massive infection across your entire network, server side included. In this situation, I would recommend a re-image of all infected machines, restoring the servers to baseline and then restoring server/user data from a safe date prior to infection via tape or other media.

ASKER

Dear Melannk24,

Thanks for your response.

As I said to younghv, I don't have any commercial backup solution.

So it would be wiser to keep the server as it was and plan a future re-installation of the servers.

Yesterday maybe I was infected, but the systems were working.
Now my mail server is out of order and I have less than 2 days to make it work.

The .dlls could be a dependency of the RAT tool causing system errors, but they are not part of an original Exchange installation.

I disagree on keeping the server as is, but this is your network. I've dealt with many, many virus/malware infections, and once they hit a server and it can spread, I've found it's safer to re-install. Malware tends to download other malicious programs like Remote Access Control apps, keyloggers, dialers, etc. Some of these have a low detection rate too, and not all AV companies have seen all variants to have signatures updated. Thus, the recommendation to re-install and start clean. I wish you luck, and if there is anything else I can recommend or assist with, please don't bother to ask!

Good luck.

ASKER

Dear Melannk24, thanks for your support.

The infected mail/file server must be up and running. There are users that connect to it every day. I don't have a spare computer, and in case of a re-installation the downtime would be big trouble for all.

I am also planning a new server and backup solution next month.

That's why, if you see my earlier post, I was reluctant to scan the server.

What I need for now is to keep my data cleaned in a safe place and restore my mail server to its previous state as soon as possible...

Any idea for achieving that will be welcome!!
I assume that the mail server is separate from the file server... based on your Malwarebytes log? Both physical servers, any virtual?
ASKER CERTIFIED SOLUTION

ASKER

What worked for me:

Most of the clients were cleaned using Kaspersky Internet Security.
For some of them I had to do a clean re-installation.

Servers were also cleaned using Kaspersky Antivirus for Servers.

Regarding the Exchange services, a re-installation over the current installation solved the problem.

ASKER

PARTIALLY ANSWERED
AVG also has an Expiro removal tool... I don't know how well it works.

http://free.avg.com/us-en/win32-expiro

ASKER

@wk3

Thanks for the comment.
I will keep it in mind.