Solved

Files infected by Virus in MS Safety Scanner

Posted on 2014-04-28
3,253 Views
Last Modified: 2014-05-02
Hi,

Due to an infected workstation on the network, I decided to run Microsoft Safety Scanner on the domain controller (SBS2011) and it detected over 1,300 files. But, as seen on the screenshots above, they are all from Windows operating system related folders.

I am not sure if I should let "Safety Scanner" fix this problem, so I would like to get some recommendations. I have seen viruses and their damage many times in the past, but I have not seen one affecting these folders.

Originally I wanted to install Symantec EndPoint Protection, but it fails to install with the error message "The Windows Installer service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance." So I have decided to run MS Safety Scanner instead to check for viruses.

Thanks.
0
Question by:sglee
23 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027495
Personally I would use a backup and restore the server to an earlier date, or rebuild and import recent data. There is no way to ever know if the server is ever clean and secure again. "Once infected, always suspected".
0
 
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 40027513
Second RobWill that nobody can give you a 100% guarantee after a client or server is infected!
Do you run antivirus software on your server?
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 330 total points
ID: 40027551
"Virus:Win32/Expiro.gen!F  is a generic detection for variants of Win32/Expiro, a virus that infects executable files with .EXE extensions in all drives, and collects user credentials from an infected computer. It also allows backdoor access and control to the infected computer, and lowers Internet Explorer settings."
from: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus:Win32/Expiro.gen!F

Microsoft does recommend using the safety scanner to remove that virus, but I'd make sure you have a full backup first, even if corrupted.

However based on the quote I would wipe the server and generate all new passwords when rebuilt.

I would disconnect it from Internet access right away.
0
 
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 330 total points
ID: 40027581
PS- From what I have read, this is an especially nasty virus, allowing remote control and key logging, specifically looking for credit card information and account passwords. However, I find no reference to it infecting WSUS files. If it does, it would be a heck of a way to infect every PC on the network. It does affect Windows system files and even breaks the ability to repair some files with System File Checker (SFC /scannow). One thing to look for is .ivr files. Some versions of this virus replace a legitimate .exe file with an infected one and make a backup of the original with an .ivr file.

You could try another tool to see if it agrees with the infections:
http://free.avg.com/ca-en/remove-win32-expiro
0
 

Author Comment

by:sglee
ID: 40027613
Rob,
  Let me try SFC /scannow.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027616
As mentioned, it may not work, but I would remove the virus first. SFC won't repair a virus; it just looks for damaged Windows files. I have also found it can cause problems on a DC.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 330 total points
ID: 40027630
If it were me, I would:
-remove it from the network and Internet immediately.
-see if you can find an infected file and determine the installation date
-backup current data and Exchange
-restore the server to a date prior to the virus
-import data, after first scanning it for viruses
-if a rebuild is not an option, backup the entire server and verify successful
-run the Microsoft Security scanner and allow it to clean
-assuming it reboots, re-run Microsoft Security Scanner, download and run TDSSkiller and malware bytes to look for any other infections
-change all passwords, both in-house and on sites accessed from the server, during the time since installation
0
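Rob's checklist asks you to find an infected file and work out the installation date, and his earlier comment explains what to look for: Expiro replaces a legitimate .exe and keeps the original beside it under the .vir extension. The script below is an added example, not code posted in this thread, that does that triage read-only: it lists every .vir file on the fixed drives, checks whether a same-named .exe is still beside it, hashes that .exe for later comparison with the AV report, and prints the earliest .vir creation time as an estimate of when the infection began (the date to restore from before). It assumes the PowerShell 2.0 that ships with Windows Server 2008 R2, the base OS of SBS 2011, so it deliberately avoids Get-FileHash, -File and [PSCustomObject]; the output path under %TEMP% is my choice.

```powershell
# Added example, not code from the thread. Read-only triage of the ".vir" backup
# files Rob Williams describes (original .exe renamed to <name>.vir by Expiro).
# Assumes PowerShell 2.0 on Windows Server 2008 R2 / SBS 2011. Run elevated.
# Nothing on disk is modified.

function Get-Sha256Hex {
    # Hash via .NET because Get-FileHash only exists from PowerShell 4.0.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '')
    } finally {
        $stream.Close()
    }
}

function Get-ExpiroVirReport {
    param([string[]]$Roots = @('C:\'))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter '*.vir' -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.vir' } |
            ForEach-Object {
                # The infected replacement keeps the original base name with .exe.
                $exePath    = [System.IO.Path]::ChangeExtension($_.FullName, '.exe')
                $exeWritten = $null
                $exeHash    = $null
                if (Test-Path -LiteralPath $exePath) {
                    $exeWritten = (Get-Item -LiteralPath $exePath -Force).LastWriteTime
                    $exeHash    = Get-Sha256Hex -Path $exePath
                }
                New-Object PSObject -Property @{
                    VirFile    = $_.FullName
                    VirCreated = $_.CreationTime
                    ExePresent = ($exeHash -ne $null)
                    ExeWritten = $exeWritten
                    ExeSha256  = $exeHash
                }
            }
    }
}

# Fixed local drives only (DriveType 3); mapped network drives are out of scope here.
$roots  = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object { $_.DeviceID + '\' }
$report = @(Get-ExpiroVirReport -Roots $roots)

if ($report.Count -eq 0) {
    Write-Host 'No *.vir files found on fixed drives.'
} else {
    $sorted = $report | Sort-Object VirCreated
    $sorted | Format-Table VirCreated, ExePresent, ExeWritten, VirFile -AutoSize

    # The earliest .vir creation time is a usable estimate of when the infection
    # started (Rob's "determine the installation date" step): restore from before it.
    $first = $sorted | Select-Object -First 1
    Write-Host ('Earliest .vir file: {0}  {1}' -f $first.VirCreated, $first.VirFile)

    # Keep the hashes of the replaced executables for the AV vendor and for a
    # before/after comparison once the scanner has cleaned the machine.
    $csv = Join-Path $env:TEMP 'expiro-triage.csv'   # assumed output location
    $sorted | Select-Object VirFile, VirCreated, ExePresent, ExeWritten, ExeSha256 |
        Export-Csv -NoTypeInformation -Path $csv
    Write-Host "Report written to $csv"
}
```

Run it before letting any scanner clean the box: once the cleaner restores or deletes the .vir copies, the timestamps that date the infection are gone. The extension check in Where-Object guards against the 8.3 short-name matching that makes the `*.vir` filter also catch names like `.virus`.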
 

Author Comment

by:sglee
ID: 40027663
SFC /scannow failed 8% into it.
I looked through the list of infected folders and I see that WSUS and Windows folders are NOT the only folders. I see all kinds of folders in the infected list.
I will let MS Safety scanner do the repair and go from there.
As you said, I may rebuild the SBS2011 from scratch.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027774
I'm not surprised; the description states it may lock files, protecting them from SFC.
Let us know how you make out.
Make sure you backup data first.

I just noticed above I said .ivr file but should read .vir
0
 

Author Comment

by:sglee
ID: 40027821
I will keep you posted.
For now the plan is to backup the files from the server.
They have an old server (SBS2003) with the same IP, computer name, and folder structure.
I can copy the files (from the current server) back to the same folder locations on old server.
So it won't be bad.
The problem is how to handle Outlook file. I could create PST from each workstation. That will take a few hours for each PC and then once I disjoin the computer and rejoin the old server, I can simply import PST file. I am not going to use Exchange account on Outlook because it is a temporary plan.
I know that each Outlook 2010 keeps an OST file in the C:\Users\%username%\AppData\Local\Microsoft\Outlook folder because it is running in Cached mode. Can I somehow use this OST in Outlook and just add a POP account (they use the local ISP for email) so that I don't have to export and import after attaching workstations to the old server?

The domain name on the old server is different from new server.
That means a new profile will be created; therefore OST file created/maintained by current server may not be usable.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027843
All PCs will have to be disjoined from the network and joined to the new one. When you do so the .ost file will no longer be accessible or usable without a 3rd party tool.
Best to export the ost to pst before removing from the existing domain. You do not have to be connected to the server to do so; you can use cached credentials until disjoined.
Note: Outlook 2013 only stores recent e-mail locally by default. There is an option in the account settings to extend or select all.

You could leave things as they are for now and not join the SBS 2003 domain, and just map a drive using different credentials to the 2003 server data, assuming you can deal with e-mail.
0
 

Author Comment

by:sglee
ID: 40027854
"When you do so the .ost file will no longer be accessible or usable, without a 3rd party tool." ---> That is what I thought.
OK. I will export PST from each workstation and once I replace current server with old server, I will simply use a workgroup on each workstation, import PST back to their outlook (not connected to EXCH SBS2003) & add POP account, and use mapped drives.

How about the NK2 file? Outlook 2010 does not keep one. Should I create the NK2 file manually from the current Outlook 2010?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027929
With Outlook 2010 you can move the auto-complete information using the following:
In the old/existing profile go to:
-C:\Users\%username%\AppData\Local\Microsoft\Outlook\RoamCache
-Locate the file named Stream_Autocomplete<a bunch of numbers>.dat
-Save/copy this file.
-Using the new profile open Outlook and send one e-mail by typing in an address.  This will force the creation of an autocomplete file
-Close Outlook and locate the Stream_Autocomplete file in the new profile.
-Rename it by changing the suffix to something like .old
-Copy to the same location the file copied from the old profile
-Rename it EXACTLY the same as the one on which you changed the suffix, now using the .dat extension.
0
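The eight manual steps above can be scripted for each workstation. The function below is an added example, not code from the thread, that performs the swap part of Rob's procedure: it refuses to run while Outlook is open, picks the most recently written Stream_Autocomplete*.dat in the new profile's RoamCache (the one created when you sent the single e-mail), renames it to .old as the fallback, and copies the old profile's file in under exactly that name. It assumes you already saved the old profile's .dat somewhere (the -OldAutocomplete path), that the new profile has been used once as Rob describes, and that the most recently written .dat in RoamCache is the new profile's file; the sample path in the usage line is a placeholder.

```powershell
# Added example, not code from the thread. Scripts the Stream_Autocomplete swap
# Rob Williams describes for Outlook 2010 (RoamCache under %LOCALAPPDATA%).
# Assumes Outlook is closed and the new profile has sent one e-mail already.

function Move-OutlookAutocomplete {
    param(
        [Parameter(Mandatory = $true)][string]$OldAutocomplete,   # .dat saved from the old profile
        [string]$RoamCache = (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook\RoamCache')
    )
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        throw 'Close Outlook before replacing the autocomplete file.'
    }
    if (-not (Test-Path -LiteralPath $OldAutocomplete)) {
        throw "Old autocomplete file not found: $OldAutocomplete"
    }

    # Assumption: the newest Stream_Autocomplete*.dat is the new profile's file,
    # created when the first e-mail was sent from that profile.
    $new = Get-ChildItem -Path $RoamCache -Filter 'Stream_Autocomplete*.dat' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $new) {
        throw "No Stream_Autocomplete*.dat in $RoamCache; open the new profile and send one e-mail first."
    }

    # Step: rename the new profile's file to .old so it stays as a fallback.
    $backup = [System.IO.Path]::ChangeExtension($new.FullName, '.old')
    if (Test-Path -LiteralPath $backup) { Remove-Item -LiteralPath $backup -Force }
    Rename-Item -LiteralPath $new.FullName -NewName (Split-Path -Leaf $backup)

    # Step: copy the old profile's file in under EXACTLY the new profile's name (.dat).
    Copy-Item -LiteralPath $OldAutocomplete -Destination $new.FullName
    Write-Host "Autocomplete restored to $($new.FullName) (previous file kept as $backup)"
    return $new.FullName
}

# Usage, run as the user on the workstation after Outlook has been closed.
# The source path is a placeholder for wherever the old profile's file was saved.
# Move-OutlookAutocomplete -OldAutocomplete 'D:\backup\Stream_Autocomplete_OLD_PROFILE.dat'
```

Keep the .old copy until the user confirms the address suggestions are back; if Outlook rejects the copied file, renaming .old back to .dat restores the new profile's (empty) cache.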
 

Author Comment

by:sglee
ID: 40029807
Update:
Since users are able to access files and folders, emails ... etc., I am going to reboot the server at the end of today, check out the server health status and make the next move based on that.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40029878
Accessing files on the infected server?  If so that could be very risky.
0
 

Author Comment

by:sglee
ID: 40030041
I know, but I will find out after 5PM today whether redoing the server is necessary.
After reboot, I will try to scan again and keep you posted.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40030050
I would at least disconnect the internet. That virus gives someone remote access to your server and key logging capability.
0
 

Author Comment

by:sglee
ID: 40030070
got you.
0
 

Author Comment

by:sglee
ID: 40034861
After numerous scans by AVG and reboots, finally the virus infection situation seems to be "somewhat" under control. The virus scan finds less and less.
Finally I was able to install my End Point Protection and I am going to scan it.
If repeated virus scans do not find any more infected files, I am going to keep the server as it is.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40034983
I can appreciate why, but the virus gave the intruder the ability to do things like create his own system account and such.
I have seen systems where someone tried to disguise an admin account by making it look like an HP system account.
Make sure you scan for root kits as well.
Glad to hear you have it under control.
0
 

Author Comment

by:sglee
ID: 40038022
Update:
The AVG scanner has not detected any infected files during the last two scans and the server is running pretty smoothly with CPU utilization under 50% at all times.
Although Symantec EndPoint Protection, which I installed several days ago, keeps catching some stuff in real time, I am not 100% sure if it is really a virus or a false alarm.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40038418
Hard to say. As mentioned, "once infected, always suspected".

There are a lot of other potential issues than viruses with which to be concerned, such as unknown user accounts, legitimate remote management tools, telnet enabled and the router configured....
0
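Rob twice points at accounts the intruder may have added (including an admin account disguised to look like a vendor's system account). The script below is an added example, not code from the thread, for that one check on the DC: it lists the recursive membership of the privileged groups, every AD user created since a cutoff date, and the Security log's 4720 "user account was created" events since that date, which survive even if the account was renamed or deleted afterwards. It assumes it runs on the SBS 2011 DC with the ActiveDirectory module available, that account auditing was on (otherwise the 4720 query simply returns nothing), and that $Since is set to the estimated infection date; the 30-day default is mine.

```powershell
# Added example, not code from the thread. Account review after the infection:
# privileged group members, users created since the cutoff, and event 4720.
# Assumes the ActiveDirectory module (present on an SBS 2011 DC). Read-only.

Import-Module ActiveDirectory

function Get-SuspectAccounts {
    param([datetime]$Since)

    # 1. Who is privileged right now, including nested group membership.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
            New-Object PSObject -Property @{ Check = "Member of $g"; Account = $_.SamAccountName; When = $null }
        }
    }

    # 2. Accounts that exist today and were created after the cutoff.
    Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated | ForEach-Object {
        New-Object PSObject -Property @{ Check = 'Created since cutoff'; Account = $_.SamAccountName; When = $_.whenCreated }
    }

    # 3. Creation events from the Security log (Properties[0] is TargetUserName);
    #    these also show accounts that were created and later removed or renamed.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{ Check = 'Event 4720'; Account = $_.Properties[0].Value; When = $_.TimeCreated }
        }
}

# Cutoff: assumed 30 days; replace with the infection date from the .vir triage.
$since = (Get-Date).AddDays(-30)
Get-SuspectAccounts -Since $since | Sort-Object Check, When | Format-Table Check, Account, When -AutoSize
```

Walk the result against the list of accounts you know you created; anything created in the infection window, or any privileged member you cannot name, is a reason to rebuild rather than keep cleaning.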
 

Author Closing Comment

by:sglee
ID: 40038527
Repeated scans using AVG (http://free.avg.com/ca-en/remove-win32-expir) were instrumental in restoring the OS to a usable stage.
0
