"Virus" problem around my network computers

[vesp3r]

Ok so the problem is this: weird virus is creating a.scr file and .rar file with the folder name in every folder. The rar file includes 3 old files from the infected computer + exe file with different name like "SEP BOOK.EXE" and others like that. As a system admin I have tried EVERYTHING i can think of. This includes:
1. Using different AV (MWB-AM, ClamAV, AVG, NOD32)
2. Tried manual removal through safe mode with cmd removing attributes of autorun.inf and other suspicious files.
3. Restore registry/windows IS NOT AN OPTION as i inherited this problem from the previous sys admin. So the problem exist here for over 1 year and I have no way of knowing when it happened
OS reinstall is not an option too as the problem exist on the server machines as well as on stations.
I tried a synchronized cleanup since i figured even if 1 computer remain unclean - on the first file transfer from it the whole network will be infected again) So i have set up all AV in the entire network to scan and clean computers at the same time - still not working

Im opened for suggestions

 

[darkbreeze]

It might be a rootkit or heuristic virus.

Try scanning with Avira free version, Malwarebytes malware scanner, Malwarebytes rootkit scanner and Hitman Pro second opinion scanner. I'd do the rootkit scan first.

MB rootkit scanner: https/www.malwarebytes.org/antirootkit/

Malwarebytes anti-malware: https/www.malwarebytes.org/antimalware/

Hitman Pro: http/www.surfright.nl/en/hitmanpro

Avira free antivirus: http/www.avira.com/en/avira-free-antivirus

As always, before running any of them, after installing check to see that you are up to date with the latest definitions.

 

[i7Baby]

Try Malwarebytes (free)

Virus from Steam? http/www.securityweek.com/malware-distributed-steam-chat-scr-file

 

[vesp3r]

Try Malwarebytes (free)

Virus from Steam? http/www.securityweek.com/malware-distributed-steam-chat-scr-file

what steam, dude, im running a supermarket network with computers dedicated for working only with specific programs and transfering files through filezilla. And some of the infected computers are running windows server 2008 r2 others are running windows xp and others windows 7
Also i already stated that i ran scan with malwarebytes 😀

Ah ye I forgot to mention they all delete the scr files, i delete rar files manualy... except sysvol.scr and sysvol.rar i cant remove attributes on those

 

[i7Baby]

Couldn't see Malwarebytes.

Steam users have been getting the same .scr problems.

So far you haven't provided enough info to home in on the problem.

You only just told us its in a supermarket network. How big is the network? How do you know its a virus? Has it got a name?

Is the virus also outside of your supermarket network? Is it actually causing any operational problems?

 

[vesp3r]

uhm. Ok seems i wasnt clear on few things... network includes 64 computers 11 of which are servers
Not all computers in the network have this issue (unknown how they remained clean)
Also i said "virus" for a reason... at this point i have no idea if it is intentional attack (actual virus) or a system bug but it happens on computers with different OS. I havent found a "name" of the virus, but from the countless googles i found its something to do with a file called WINLODR.SCR which is supposed to be the main problem... so far i havent seen that file on any infected system
As for the issue being outside the network - i had infected files on my flash drive but as soon as plugged it on my home pc the antivirus deleted the files

note: every antivirus i tried delete the files but they still come back periodicaly (usually early morning or around 8 pm every day
Operational problems... i think creating around 19k junk files of 475kb each all the time is eanough as issue on a file server

 

[darkbreeze]

I'd run the Rootkit scanner and Hitman Pro, to see what they detect.

 

[vesp3r]

ill do that tomorrow to see whats going on. I seriously dont know how this strict network got infected like that. I mean the users have access only to specialized programs and filezilla client... and like 5 ppl including me working with the mail

 

[darkbreeze]

You'd be surprised.

 

[vesp3r]

just ran both scanners... HitmanPro found some leftovers of Ask and some AdvSysProtection... will see how it goes today and post again the result

 

[darkbreeze]

A few more things to try:

http/www.tomshardware.com/forum/8263-63-simple-free-guide-removing-malware


And if all else fails, these guys REALLY know what they're doing when it comes to viral and malware infestations, and what to do about it, since that's what they do:

http/spywarehammer.com/index.php?PHPSESSID=a3ff1d6c4f2266f86f21a40d291d719f&

 

[vesp3r]

Update:
The deleted files still havent back, I also noticed improvement in my internet stability so i went to ookla`s test and got a surprising result - Before cleaning i had DL speed of 0.3mbps and upload speed of 15mbps, after clean up: DL 1.7mbps UL 93mbps

 

[darkbreeze]

Well, that's certainly an improvement. I'd be vigilant about keeping on the lookout for recurrences though and make sure that every machine is clean or the process is likely to start all over again.

 

[vesp3r]

yes im trying to make the cleanups before any transfer so the problem gets limited. I will see tomorrow again if the network is clean. And I guess I have to work on the firewall aswell

 

[darkbreeze]

I'd be sure to get antivirus and malware protection installed on each individual workstation and configure them to automatically update their definitions on a daily basis to help minimize the chances of future infections. Unprotected systems are just begging for trouble and firewalls won't protect you from those kinds of threats. All it takes is an employee plugging in a flash drive or going to the wrong website, on ANY of the terminals, and you potentially have a serious issue if an infection is introduced.

 

[vesp3r]

the thing is they have AV... some use avira, others AVG or MSE... there are few pc`s that dont have AV but i guess they cant help much

 

[darkbreeze]

Malware protection is FAR more relevant than antivirus. Actual viruses are fairly rare these days. For the fifteen dollars per license, or possibly less than that if you purchase a volume license to use on all your workstations and terminals, in addition to any AV protection you have installed, it would be well worth it to get Malwarebytes full version installed on each and every machine that could possibly be a source of future issues.

 

[vesp3r]

looks like HitmanPro succeeded where everything else i tryed failed!
3rd day now with no unwanted scr, rar, exe and tmp files 😀

 

[darkbreeze]

Nice. Glad to hear it.