Solved

Files infected by Virus in MS Safety Scanner

Posted on 2014-04-28
Last Modified: 2014-05-02
[Attached screenshots: Infected File Option, MS Safety Scanner 1, MS Safety Scanner 2]
Hi,
 
 Due to an infected workstation on the network, I decided to run Microsoft Safety Scanner on the domain controller (SBS2011) and it detected over 1,300 files. But, as seen in the screenshots above, they are all from Windows operating system related folders.

  I am not sure if I should let "Safety Scanner" fix this problem, so I would like to get some recommendations. I have seen viruses and their damage many times in the past, but I have not seen them affecting these folders.

 Originally I wanted to install Symantec EndPoint Protection, but it fails to install with the error message "The Windows installer service could not accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance." So I decided to run MS Safety Scanner instead to check for viruses.

Thanks.
Question by:sglee
23 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027495
Personally I would use a backup and restore the server to an earlier date, or rebuild and import recent data.  There is no way to ever know if the server is ever clean and secure again.  "Once infected always suspected".
0
 
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 40027513
Second RobWill: nobody can give you a 100% guarantee after a client or server is infected!
Do you run an Antivirus Software on your Server?
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 330 total points
ID: 40027551
"Virus:Win32/Expiro.gen!F  is a generic detection for variants of Win32/Expiro, a virus that infects executable files with .EXE extensions in all drives, and collects user credentials from an infected computer. It also allows backdoor access and control to the infected computer, and lowers Internet Explorer settings."
from: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus:Win32/Expiro.gen!F

Microsoft does recommend using the safety scanner to remove that virus, but I'd make sure you have a full backup first, even if corrupted.

However based on the quote I would wipe the server and generate all new passwords when rebuilt.

I would disconnect it from Internet access right away.
0
 
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 330 total points
ID: 40027581
PS - From what I have read, this is an especially nasty virus allowing remote control and key logging, specifically looking for credit card information and account passwords.  However I find no reference to it infecting WSUS files.  If it does it would be a heck of a way to infect every PC on the network.  It does affect Windows system files and even breaks the ability to repair some files with System File Checker (SFC /scannow).  One thing to look for is .ivr files.  Some versions of this virus replace a legitimate .exe file with an infected one and make a backup of the original with an .ivr file.

You could try another tool to see if it agrees with the infections:
http://free.avg.com/ca-en/remove-win32-expiro
0
 

Author Comment

by:sglee
ID: 40027613
Rob,
  Let me try SFC /scannow.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027616
As mentioned it may not work, but I would remove the virus first.  SFC won't repair a virus, it just looks for damaged Windows files.  I have also found it can cause problems on a DC.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 330 total points
ID: 40027630
If it were me, I would:
-remove it from the network and Internet immediately.
-see if you can find an infected file and determine the installation date
-backup current data and Exchange
-restore the server to a date prior to the virus
-import data, after first scanning it for viruses
-if a rebuild is not an option, backup the entire server and verify successful
-run the Microsoft Security scanner and allow it to clean
-assuming it reboots, re-run Microsoft Security Scanner, download and run TDSSkiller and malware bytes to look for any other infections
-change all passwords both in-house and on sites accessed from the server during the time since installation
0
 

Author Comment

by:sglee
ID: 40027663
SFC /scannow failed 8% into it.
I looked through the list of infected folders and I see that WSUS and Windows folders are NOT the only folders. I see all kinds of folders in the infected list.
I will let MS Safety Scanner do the repair and go from there.
As you said, I may rebuild the SBS2011 from scratch.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027774
I'm not surprised; the description states it may lock files, protecting them from SFC.
Let us know how you make out.
Make sure you backup data first.

I just noticed above I said .ivr file but should read .vir
0
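Rob's pointer about the .vir backup files (corrected from .ivr above) and his earlier step "see if you can find an infected file and determine the installation date" can be turned into a quick audit. The script below is an added example, not code from the thread or from Microsoft: it walks a set of folders for `.vir` files, reports whether an `.exe` of the same base name now sits beside each one, and prints the earliest write time of those replaced executables as a first estimate of when the infection started. The scan roots and the report path are placeholders chosen for the example; the 8.3 caveat in the comments and the warning that file times are forgeable are the practical points to take from it.

```powershell
# Added example (not code from the thread): look for the .vir backups that Rob describes and
# the .exe that now sits beside each one, and use the .exe timestamps as a first estimate of
# when the infection started. Roots and report path are placeholders, not values from the page.
# Written for PowerShell 2.0, the version that ships with SBS 2011 (no -File switch, no
# [pscustomobject] accelerator).
param(
    [string[]]$Roots  = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'),
    [string]  $Report = 'C:\Temp\vir-backups.csv'   # placeholder output path
)

$rows = @()
foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Filter uses 8.3-style matching, so '*.vir' can also match '.virus' etc.; re-check the extension.
    $virFiles = Get-ChildItem -LiteralPath $root -Recurse -Filter '*.vir' -ErrorAction SilentlyContinue |
                Where-Object { (-not $_.PSIsContainer) -and $_.Extension -eq '.vir' }
    foreach ($vir in $virFiles) {
        $exePath = Join-Path $vir.DirectoryName ($vir.BaseName + '.exe')
        $exe = $null
        if (Test-Path -LiteralPath $exePath) { $exe = Get-Item -LiteralPath $exePath }
        $rows += New-Object PSObject -Property @{
            VirFile      = $vir.FullName
            VirSizeBytes = $vir.Length
            ExePresent   = ($exe -ne $null)
            ExeSizeBytes = $(if ($exe) { $exe.Length } else { $null })
            # Last write of the replaced .exe approximates when the swap happened. Treat it
            # as a hint only: file times are trivially forged and may have been preserved.
            ExeWritten   = $(if ($exe) { $exe.LastWriteTime } else { $null })
        }
    }
}

if ($rows.Count -eq 0) {
    Write-Host "No .vir files found under: $($Roots -join ', ')"
} else {
    $rows | Sort-Object ExeWritten | Export-Csv -Path $Report -NoTypeInformation
    $withExe = @($rows | Where-Object { $_.ExePresent })
    Write-Host ("{0} .vir files found, {1} with a matching .exe; report written to {2}" -f $rows.Count, $withExe.Count, $Report)
    if ($withExe.Count -gt 0) {
        $earliest = ($withExe | Sort-Object ExeWritten | Select-Object -First 1).ExeWritten
        Write-Host "Earliest replaced .exe written: $earliest  (candidate infection date when choosing a restore point)"
    }
}
```

Run it from an elevated PowerShell prompt on the suspect server after it has been taken off the network; the CSV gives you the list to compare against the scanner's detections, and the earliest date is the one to check your backups against before restoring.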
 

Author Comment

by:sglee
ID: 40027821
I will keep you posted.
For now the plan is to backup the files from the server.
They have an old server (SBS2003) with the same IP, computer name, and folder structure.
I can copy the files (from the current server) back to the same folder locations on old server.
So it won't be bad.
The problem is how to handle Outlook file. I could create PST from each workstation. That will take a few hours for each PC and then once I disjoin the computer and rejoin the old server, I can simply import PST file. I am not going to use Exchange account on Outlook because it is a temporary plan.
I know that each Outlook 2010 keeps its OST file in C:\Users\%username%\AppData\Local\Microsoft\Outlook folder because it is running in Cached mode. Can I somehow use this OST in Outlook and just add a POP account (they use a local ISP for email) so that I don't have to export and import after attaching workstations to the old server?

The domain name on the old server is different from new server.
That means a new profile will be created; therefore OST file created/maintained by current server may not be usable.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027843
All PCs will have to be disjoined from the network and joined to the new.  When you do so the .ost file will no longer be accessible or usable, without a 3rd party tool.
Best to export the ost to pst before removing from the existing domain.  You do not have to be connected to the server to do so, you can use cached credentials until disjoined.
Note: Outlook 2013 only stores recent e-mail locally by default.  There is an option in the account settings to extend or select all.

You could leave things as they are for now and not join the SBS 2003 domain, and just map a drive using different credentials to the 2003 server data, assuming you can deal with e-mail.
0
 

Author Comment

by:sglee
ID: 40027854
"When you do so the .ost file will no longer be accessible or usable, without a 3rd party tool." ---> That is what I thought.
OK. I will export a PST from each workstation and once I replace the current server with the old server, I will simply use a workgroup on each workstation, import the PST back into their Outlook (not connected to EXCH SBS2003) & add a POP account, and use mapped drives.

How about the NK2 file? Outlook 2010 does not keep one. Should I create an NK2 file manually from the current Outlook 2010?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027929
With Outlook 2010 you can move the auto-complete information using the following:
In the old/existing profile go to:
-C:\Users\%username%\AppData\Local\Microsoft\Outlook\RoamCache
-Locate the file named Stream_Autocomplete<a bunch of numbers>.dat
-Save/copy this file.
-Using the new profile open Outlook and send one e-mail by typing in an address.  This will force the creation of an autocomplete file
-Close Outlook and locate the Stream_Autocomplete file in the new profile.
-Rename it by changing the suffix to something like .old
-Copy to the same location the file copied from the old profile
-Rename it EXACTLY the same as the one on which you changed the suffix, now using the .dat extension.
0
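The rename-and-copy steps above are easy to get wrong by hand (the new file name must match exactly), so here they are as a script. This is an added example, not code from the thread or from Microsoft: it expects you to have already saved the old profile's `Stream_Autocomplete*.dat` somewhere, and to have opened Outlook in the new profile and sent one message so that the new file exists. The `$OldCopy` path is a placeholder you supply; the RoamCache location is the one Rob gives.

```powershell
# Added example (not code from the thread): carry the Outlook 2010 auto-complete list from an
# old profile to a new one, following Rob's steps. Run as the user whose profile is being
# set up, with Outlook closed, after the new profile has sent one e-mail.
# $OldCopy is a placeholder: the Stream_Autocomplete*.dat you saved from the old profile.
param(
    [Parameter(Mandatory=$true)]
    [string]$OldCopy
)

# Location Rob gives for the auto-complete cache (per Windows user profile).
$roamCache = Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook\RoamCache'

if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    throw 'Close Outlook before replacing the auto-complete file.'
}
if (-not (Test-Path -LiteralPath $OldCopy)) {
    throw "Old auto-complete copy not found: $OldCopy"
}
if (-not (Test-Path -LiteralPath $roamCache)) {
    throw "RoamCache folder not found: $roamCache (open Outlook in the new profile and send one mail first)"
}

# The new profile's file, created the first time an address was typed and a mail sent.
# Re-check the extension because -Filter matches on 8.3 short names as well.
$newFiles = @(Get-ChildItem -LiteralPath $roamCache -Filter 'Stream_Autocomplete*.dat' -ErrorAction SilentlyContinue |
              Where-Object { (-not $_.PSIsContainer) -and $_.Extension -eq '.dat' })
if ($newFiles.Count -ne 1) {
    throw "Expected exactly one Stream_Autocomplete*.dat in $roamCache but found $($newFiles.Count); pick the right one by hand."
}
$target = $newFiles[0]

# Rob's steps: keep the new (nearly empty) file under a .old suffix, then place the old
# profile's data under the new file's exact name and .dat extension.
$backupName = $target.Name + '.old'
Rename-Item -LiteralPath $target.FullName -NewName $backupName
Copy-Item   -LiteralPath $OldCopy -Destination $target.FullName

Write-Host "Installed $OldCopy as $($target.FullName)"
Write-Host "Previous file kept as $(Join-Path $roamCache $backupName)"
```

After it runs, start Outlook and type a few letters in the To: field; the old suggestions should appear. If they do not, the .old file is still there to rename back.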
 

Author Comment

by:sglee
ID: 40029807
Update:
Since users are able to access files and folders, emails ... etc., I am going to reboot the server at the end of today, check out the server health status and make the next move based on that.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40029878
Accessing files on the infected server?  If so that could be very risky.
0
 

Author Comment

by:sglee
ID: 40030041
I know, but I will find out after 5PM today whether redoing the server is necessary.
After reboot, I will try to scan again and keep you posted.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40030050
I would at least disconnect the internet.  That virus gives someone remote access to your server and key logging capability.
0
 

Author Comment

by:sglee
ID: 40030070
Got you.
0
 

Author Comment

by:sglee
ID: 40034861
After numerous scans by AVG and reboots, finally the virus infection situation seems to be "somewhat" under control. The virus scan finds less and less.
Finally I was able to install my End Point Protection and I am going to scan it.
If repeated virus scans do not find any more infected files, I am going to keep the server as it is.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40034983
I can appreciate why, but the virus gave the intruder the ability to do things like create his own system account and such.  
I have seen systems where someone tried to disguise an admin account by making it look like an HP system account.
Make sure you scan for root kits as well.
Glad to hear you have it under control.
0
 

Author Comment

by:sglee
ID: 40038022
[Attached screenshot: Symantec Real Time Protection]
Update:
AVG scanner has not detected any infected files during last two scans and the server is running pretty smooth with CPU utilization under 50% at all times.
Symantec EndPoint Protection, which I installed several days ago, keeps catching some stuff in real time, though.
But I am not 100% sure if it is really a virus or a false alarm.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40038418
Hard to say.  As mentioned "once infected always suspected".

There are a lot of other potential issues than viruses with which to be concerned, such as unknown user accounts, legitimate remote management tools, telnet enabled, router configuration...
0
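Rob's two warnings, that the intruder could have created an account disguised as a vendor "system" account and that unknown accounts and an enabled Telnet service are concerns separate from the virus itself, suggest a post-cleanup audit. The script below is an added example, not code from the thread or from Microsoft: it lists every user in the privileged AD groups with creation date, last logon and description, flags those created on or after a date you supply (for instance the earliest replaced-executable date found during cleanup), lists all enabled users created since that date, and reports whether the Telnet service is installed. It assumes the ActiveDirectory module available on an SBS 2011 domain controller; `TlntSvr` is the standard service name of the Windows Telnet server; the `-Since` value is yours to choose.

```powershell
# Added example (not code from the thread): post-cleanup account audit on the SBS 2011 DC.
# Requires the ActiveDirectory module (present on Server 2008 R2 / SBS 2011 domain controllers).
# -Since is a placeholder for the suspected infection date; nothing here comes from the page.
param(
    [Parameter(Mandatory=$true)]
    [datetime]$Since
)
Import-Module ActiveDirectory -ErrorAction Stop

# Groups whose membership an intruder with SYSTEM on the DC could have quietly extended.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$members = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties whenCreated, LastLogonDate, Description
            New-Object PSObject -Property @{
                Group        = $g
                Sam          = $u.SamAccountName
                Enabled      = $u.Enabled
                Created      = $u.whenCreated
                LastLogon    = $u.LastLogonDate
                # Description is where a look-alike "HP" or "service" account tries to pass as legitimate.
                Description  = $u.Description
                CreatedSince = ($u.whenCreated -ge $Since)
            }
        }
}

Write-Host "Privileged group members (CreatedSince = created on/after $($Since.ToShortDateString())):"
$members | Sort-Object Created |
    Format-Table Group, Sam, Enabled, Created, LastLogon, CreatedSince, Description -AutoSize

Write-Host "Enabled users created since $($Since.ToShortDateString()):"
Get-ADUser -Filter { Enabled -eq $true -and whenCreated -ge $Since } -Properties whenCreated, Description |
    Sort-Object whenCreated |
    Format-Table SamAccountName, whenCreated, Description -AutoSize

# Telnet server: TlntSvr is the Windows Telnet service name. Absent means the feature is not installed.
$telnet = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
if ($telnet) {
    Write-Host "Telnet service present: Status=$($telnet.Status) StartType=$((Get-WmiObject Win32_Service -Filter "Name='TlntSvr'").StartMode)"
} else {
    Write-Host 'Telnet service not installed.'
}
```

Every account flagged `CreatedSince`, every privileged member nobody on the team recognises, and any enabled Telnet service is something to explain or remove before trusting the server again; the router and remote-management tools Rob mentions still need a manual check.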
 

Author Closing Comment

by:sglee
ID: 40038527
Repeated scans using AVG (http://free.avg.com/ca-en/remove-win32-expir) were instrumental in restoring the OS to the usable stage.
0
