Posted on 2011-04-20
I have a network of 20 PC clients. Half of them are using McAfee VirusScan Enterprise v8.5 (I know that it is an old version) with the latest updates, and the other half have the free Microsoft Security Essentials installed.
The above computers have access to a mapped network drive (f:), and inside it there are some network applications.
The main problem is that Microsoft Security Essentials, after running a Full Scan or after accessing the mapped drive f:, indicates that there are viruses…
…on some .EXE files. If you select Remove, it removes the executable files, leaving some applications unable to start.
I have found on the net that Expiro is malware, so I used Malwarebytes [Admin Edit]
Then I suspected three users and I ran Malwarebytes and SuperAntispyware on their computers in order to locate the Expiro virus locally.
The above programs found only backdoors, Trojan cookies, Trojan Downloaders/Agents/FakeMS but not the Expiro Virus.
For two users a pop-up window appeared with the name “Windows File Protection”, asking to keep these unrecognized file versions or to insert the Windows XP CD.
Using Malwarebytes again, I ran a full scan of the server’s hard drive (f:), which is mapped to the client’s computer.
Once again it didn’t find any Expiro virus, but it found one Trojan and one I can’t recall (one in the registry and one in the recycle folder of a user) and disinfected them.
After that I removed Microsoft Security Essentials from one client and installed the trial version of Kaspersky Pure. I performed a full scan of that computer locally and it didn’t find any threats.
I then ran a full scan of the mapped drive from the same computer using Kaspersky Pure, and Kaspersky found 123 virus.win32.expiro.w threats.
Q1: I don’t know where this malware/virus came from and I don’t know where it lives (on a client, on the server, or both) in order to eliminate it once and for all.
Q2: I am also wondering what the message of Windows File Protection was.
What I know for sure is that all infected files are .EXE files.
Any ideas will be much appreciated!