
Files infected by Virus in MS Safety Scanner

Posted on 2014-04-28
3,210 Views
Last Modified: 2014-05-02
[Screenshots: Infected File Option; MS Safety Scanner 1; MS Safety Scanner 2]

Hi,
 
 Due to an infected workstation on the network, I decided to run Microsoft Safety Scanner on the domain controller (SBS2011) and it detected over 1,300 files. But, as seen on the screenshots above, they are all from Windows operating system related folders.

  I am not sure if I should let "Safety Scanner" fix this problem, so I would like to get some recommendations. I have seen viruses and their damage many times in the past, but I have not seen them affecting these folders.

 Originally I wanted to install Symantec EndPoint Protection, but it fails to install with the error message "The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance." So I have decided to run MS Safety Scanner instead to check for viruses.

Thanks.
Question by:sglee
23 Comments
 
LVL 77

Expert Comment

by:Rob Williams
Personally I would use a backup and restore the server to an earlier date, or rebuild and import recent data.  There is no way to ever know if the server is clean and secure again.  "Once infected, always suspected."
 
LVL 18

Expert Comment

by:hopeleonie
Second RobWill: nobody can give you a 100% guarantee after a client or server has been infected!
Do you run antivirus software on your server?
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 330 total points
"Virus:Win32/Expiro.gen!F  is a generic detection for variants of Win32/Expiro, a virus that infects executable files with .EXE extensions in all drives, and collects user credentials from an infected computer. It also allows backdoor access and control to the infected computer, and lowers Internet Explorer settings."
from: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus:Win32/Expiro.gen!F

Microsoft does recommend using the Safety Scanner to remove that virus, but I'd make sure you have a full backup first, even if corrupted.

However, based on the quote, I would wipe the server and generate all new passwords when rebuilt.

I would disconnect it from Internet access right away.
 
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 330 total points
PS - From what I have read, this is an especially nasty virus, allowing remote control and key logging, specifically looking for credit card information and account passwords.  However, I find no reference to it infecting WSUS files.  If it does, it would be a heck of a way to infect every PC on the network.  It does affect Windows system files and even breaks the ability to repair some files with System File Checker (SFC /scannow).  One thing to look for is .ivr files.  Some versions of this virus replace a legitimate .exe file with an infected one and make a backup of the original with an .ivr file.

You could try another tool to see if it agrees with the infections:
http://free.avg.com/ca-en/remove-win32-expiro
 

Author Comment

by:sglee
Rob,
  Let me try SFC /scannow.
 
LVL 77

Expert Comment

by:Rob Williams
As mentioned, it may not work, but I would remove the virus first.  SFC won't repair a virus; it just looks for damaged Windows files.  I have also found it can cause problems on a DC.
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 330 total points
If it were me, I would:
-remove it from the network and Internet immediately.
-see if you can find an infected file and determine the installation date
-backup current data and Exchange
-restore the server to a date prior to the virus
-import data, after first scanning it for viruses
-if a rebuild is not an option, backup the entire server and verify the backup was successful
-run the Microsoft Safety Scanner and allow it to clean
-assuming it reboots, re-run Microsoft Safety Scanner, download and run TDSSKiller and Malwarebytes to look for any other infections
-change all passwords, both in-house and on sites accessed from the server during the time since installation
 

Author Comment

by:sglee
SFC /scannow failed 8% into it.
I looked through the list of infected folders and I see that WSUS and Windows folders are NOT the only folders. I see all kinds of folders in the infected list.
I will let MS Safety Scanner do the repair and go from there.
As you said, I may rebuild the SBS2011 from scratch.
 
LVL 77

Expert Comment

by:Rob Williams
I'm not surprised; the description states it may lock files, protecting them from SFC.
Let us know how you make out.
Make sure you backup data first.

I just noticed above I said .ivr file but it should read .vir
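The .vir backup copies Rob describes (some Expiro variants leave the original beside the rewritten .exe), and the "find an infected file and determine the installation date" step of his plan, can be worked through with the script below. This is an added example, not code from the thread or from Microsoft. It assumes Windows PowerShell 2.0 as shipped with SBS 2011, an elevated console, and a report path of C:\Temp\vir-inventory.csv; the path is an assumption you can change.

```powershell
# Added example (not from the thread): pair every .vir backup with the .exe that
# now sits in its place, record sizes, timestamps and signature status, and use
# the earliest rewritten executable to bound the infection window.
# Windows PowerShell 2.0 (SBS 2011 / Server 2008 R2), run elevated.
$Report = 'C:\Temp\vir-inventory.csv'   # assumed path; change to suit

function Get-VirBackupInventory {
    # The Microsoft write-up says the virus touches executables on all drives,
    # so walk every fixed local disk rather than C: alone.
    $drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
        ForEach-Object { $_.DeviceID + '\' }
    foreach ($root in $drives) {
        Get-ChildItem -Path $root -Filter '*.vir' -Recurse -Force -ErrorAction SilentlyContinue |
            # -Filter also matches 8.3 short names (".virus" etc.), so re-check the extension.
            Where-Object { (-not $_.PSIsContainer) -and ($_.Extension -eq '.vir') } |
            ForEach-Object {
                $vir = $_
                # The replaced program is the same name with the extension swapped back.
                $exe = [System.IO.Path]::ChangeExtension($vir.FullName, '.exe')
                $exeItem = $null
                if (Test-Path -LiteralPath $exe) { $exeItem = Get-Item -LiteralPath $exe -Force }
                $sig = 'n/a'
                if ($exeItem) {
                    # PowerShell 2.0 does not consult security catalogs, so "NotSigned" is
                    # the normal answer for most Windows binaries and proves nothing.
                    # "HashMismatch" (an embedded signature that no longer matches the
                    # bytes) is the result that actually says the file was rewritten.
                    $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
                }
                New-Object PSObject -Property @{
                    VirFile      = $vir.FullName
                    VirCreated   = $vir.CreationTime
                    VirSize      = $vir.Length
                    ExePath      = $exe
                    ExePresent   = [bool]$exeItem
                    ExeLastWrite = $(if ($exeItem) { $exeItem.LastWriteTime } else { $null })
                    ExeSize      = $(if ($exeItem) { $exeItem.Length } else { $null })
                    # A file infector appends its body, so a positive delta is the
                    # expected shape; an identical size is not proof of a clean file.
                    SizeDelta    = $(if ($exeItem) { $exeItem.Length - $vir.Length } else { $null })
                    ExeSignature = $sig
                }
            }
    }
}

New-Item -ItemType Directory -Path (Split-Path -Parent $Report) -Force | Out-Null
$findings = @(Get-VirBackupInventory)
$findings | Export-Csv -Path $Report -NoTypeInformation
"{0} .vir backup files found; full inventory written to {1}" -f $findings.Count, $Report

if ($findings.Count -gt 0) {
    # The rewritten .exe's LastWriteTime is the best clock for "when did this
    # start": a .vir created by copy or rename can inherit the original file's
    # timestamps. Treat the earliest cluster of ExeLastWrite values as the start
    # of the window and assume every credential used since then is exposed.
    '--- Ten earliest rewritten executables ---'
    $findings | Where-Object { $_.ExePresent } |
        Sort-Object ExeLastWrite |
        Select-Object -Property ExeLastWrite, SizeDelta, ExeSignature, ExePath -First 10 |
        Format-Table -AutoSize
}
```

Read the CSV alongside the scanner's own list: a .vir whose partner .exe is missing means the scanner (or the virus) already removed the replacement, and a .vir with no .exe twin anywhere is worth a second look before assuming it is Expiro's.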
 

Author Comment

by:sglee
I will keep you posted.
For now the plan is to backup the files from the server.
They have an old server (SBS2003) with the same IP, computer name, and folder structure.
I can copy the files (from the current server) back to the same folder locations on the old server.
So it won't be bad.
The problem is how to handle the Outlook file. I could create a PST from each workstation. That will take a few hours for each PC, and then once I disjoin the computer and rejoin the old server, I can simply import the PST file. I am not going to use an Exchange account in Outlook because it is a temporary plan.
I know that each Outlook 2010 keeps an OST file in C:\Users\%username%\AppData\Local\Microsoft\Outlook because it is running in Cached mode. Can I somehow use this OST in Outlook and just add a POP account (they use the local ISP for email) so that I don't have to export and import after attaching workstations to the old server?

The domain name on the old server is different from the new server.
That means a new profile will be created; therefore the OST file created/maintained by the current server may not be usable.
 
LVL 77

Expert Comment

by:Rob Williams
All PCs will have to be disjoined from the network and joined to the new one.  When you do so the .ost file will no longer be accessible or usable without a 3rd-party tool.
Best to export the OST to PST before removing from the existing domain.  You do not have to be connected to the server to do so; you can use cached credentials until disjoined.
Note: Outlook 2013 only stores recent e-mail locally by default.  There is an option in the account settings to extend or select all.

You could leave things as they are for now and not join the SBS 2003 domain, and just map a drive using different credentials to the 2003 server data, assuming you can deal with e-mail.
 

Author Comment

by:sglee
"When you do so the .ost file will no longer be accessible or usable, without a 3rd party tool."
---> That is what I thought.
OK. I will export a PST from each workstation and once I replace the current server with the old server, I will simply use a workgroup on each workstation, import the PST back into their Outlook (not connected to Exchange on SBS2003), add a POP account, and use mapped drives.

How about the NK2 file? Outlook 2010 does not keep one. Should I create an NK2 file manually from the current Outlook 2010?
 
LVL 77

Expert Comment

by:Rob Williams
With Outlook 2010 you can move the auto-complete information using the following:
In the old/existing profile go to:
-C:\Users\%username%\AppData\Local\Microsoft\Outlook\RoamCache
-Locate the file named  Stream_Autocomplete<a bunch of numbers>.dat
-Save/copy this file.
-Using the new profile open Outlook and send one e-mail by typing in an address.  This will force the creation of an autocomplete file
-Close Outlook and locate the Stream_Autocomplete file in the new profile.
-Rename it by changing the suffix to something like .old
-Copy to the same location the file copied from the old profile
-Rename it EXACTLY the same as the one on which you changed the suffix, now using the .dat extension.
 

Author Comment

by:sglee
Update:
Since users are able to access files and folders, emails ... etc., I am going to reboot the server at the end of today, check out the server health status and make the next move based on that.
 
LVL 77

Expert Comment

by:Rob Williams
Accessing files on the infected server?  If so, that could be very risky.
 

Author Comment

by:sglee
I know, but I will find out after 5PM today whether redoing the server is necessary.
After the reboot, I will try to scan again and keep you posted.
 
LVL 77

Expert Comment

by:Rob Williams
I would at least disconnect the Internet.  That virus gives someone remote access to your server and key logging capability.
 

Author Comment

by:sglee
Got you.
 

Author Comment

by:sglee
After numerous scans by AVG and reboots, finally the virus infection situation seems to be "somewhat" under control. The virus scan finds less and less.
Finally I was able to install my EndPoint Protection and I am going to scan with it.
If repeated virus scans do not find any more infected files, I am going to keep the server as it is.
 
LVL 77

Expert Comment

by:Rob Williams
I can appreciate why, but the virus gave the intruder the ability to do things like create his own system account and such.  
I have seen systems where someone tried to disguise an admin account by making it look like an HP system account.
Make sure you scan for rootkits as well.
Glad to hear you have it under control.
 

Author Comment

by:sglee
[Screenshot: Symantec Real Time Protection]

Update:
The AVG scanner has not detected any infected files during the last two scans and the server is running pretty smoothly with CPU utilization under 50% at all times.
Although the Symantec EndPoint Protection that I installed several days ago keeps catching some stuff in real time.
But I am not 100% sure if it is really a virus or a false alarm.
 
LVL 77

Expert Comment

by:Rob Williams
Hard to say.  As mentioned, "once infected, always suspected".

There are a lot of other potential issues than viruses with which to be concerned, such as unknown user accounts, legitimate remote management tools, telnet enabled and router configuration...
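Rob's closing points, an intruder-created admin account dressed up as a vendor or system account, leftover remote-management tooling, and Telnet, can be checked on the DC with the script below. It is an added example, not code from the thread. It assumes Windows PowerShell 2.0 on SBS 2011 (Server 2008 R2), an elevated console running as a domain admin, and uses only the .NET DirectoryServices classes and WMI, so it needs no Active Directory module.

```powershell
# Added example (not from the thread): enumerate every account with protected
# admin rights (newest first), list service binaries that live outside the
# Windows directory with their Authenticode signer, and check for Telnet Server.
# Windows PowerShell 2.0 on the SBS 2011 DC, run elevated as a domain admin.

function Get-LdapValue($props, $name) {
    # ResultPropertyCollection throws on a missing key, so guard the lookup.
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { $props[$name][0] } else { $null }
}

function ConvertFrom-FileTime($value) {
    # AD stores lastLogonTimestamp/pwdLastSet as 100ns FILETIME; 0 or missing means never.
    if ($value -and ([int64]$value -gt 0)) { [DateTime]::FromFileTime([int64]$value) } else { $null }
}

function Get-ProtectedAdminAccounts {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    # adminCount=1 is stamped by AdminSDHolder on every user that is, directly or
    # through nesting, in a protected group (Domain Admins, Administrators, ...),
    # so a decoy buried in a nested group still shows up here.
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
    $searcher.PageSize = 500
    foreach ($n in 'samaccountname','whencreated','description','useraccountcontrol','lastlogontimestamp','pwdlastset') {
        [void]$searcher.PropertiesToLoad.Add($n)
    }
    foreach ($result in $searcher.FindAll()) {
        $p   = $result.Properties
        $uac = [int](Get-LdapValue $p 'useraccountcontrol')
        New-Object PSObject -Property @{
            Account     = Get-LdapValue $p 'samaccountname'
            Created     = Get-LdapValue $p 'whencreated'
            Description = Get-LdapValue $p 'description'
            Disabled    = (($uac -band 2) -ne 0)          # ACCOUNTDISABLE flag
            LastLogon   = ConvertFrom-FileTime (Get-LdapValue $p 'lastlogontimestamp')
            PwdLastSet  = ConvertFrom-FileTime (Get-LdapValue $p 'pwdlastset')
        }
    }
}

function Get-NonWindowsServiceBinaries {
    # Services whose executable is outside %SystemRoot%, with the signer if any:
    # remote-management agents and anything installed during the incident land
    # here instead of being lost among hundreds of Microsoft services.
    $winDir = $env:SystemRoot
    foreach ($svc in Get-WmiObject Win32_Service) {
        $pn = [string]$svc.PathName
        if (-not $pn) { continue }
        # PathName is either "quoted path" args, or an unquoted path that may contain spaces.
        if ($pn -match '^"([^"]+)"')       { $exe = $Matches[1] }
        elseif ($pn -match '^(.+?\.exe)')  { $exe = $Matches[1] }
        else                               { $exe = $pn }
        if ($exe.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)) { continue }
        $signer = 'n/a'; $status = 'FileMissing'
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Service = $svc.Name; State = $svc.State; StartMode = $svc.StartMode
            Binary = $exe; Signature = $status; Signer = $signer
        }
    }
}

function Test-TelnetServer {
    # TlntSvr only exists when the Telnet Server feature is installed.
    $svc = Get-WmiObject Win32_Service -Filter "Name='TlntSvr'"
    if ($svc) { "Telnet Server installed: state=$($svc.State) startmode=$($svc.StartMode)" }
    else      { 'Telnet Server not installed' }
}

'--- Accounts with protected admin rights, newest first ---'
Get-ProtectedAdminAccounts | Sort-Object Created -Descending |
    Format-Table Account, Created, Disabled, LastLogon, PwdLastSet, Description -AutoSize
'--- Service binaries outside the Windows directory ---'
Get-NonWindowsServiceBinaries | Sort-Object Signature, Service |
    Format-Table Service, State, StartMode, Signature, Signer, Binary -AutoSize
Test-TelnetServer
```

Any admin account created after the earliest infection timestamp, with a description nobody recognises, or with a PwdLastSet you cannot account for, needs an owner before the server is declared clean; a service binary with an unfamiliar signer (or none) in Program Files is the same question for remote-management tools.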
 

Author Closing Comment

by:sglee
Repeated scans using AVG (http://free.avg.com/ca-en/remove-win32-expir) were instrumental in restoring the OS to a usable state.
