"Virus" problem around my network computers

Status
Not open for further replies.

vesp3r

Distinguished
Dec 11, 2014
215
0
18,910
Ok so the problem is this: a weird virus is creating a .scr file and a .rar file with the folder name in every folder. The rar file includes 3 old files from the infected computer + an exe file with a different name like "SEP BOOK.EXE" and others like that. As a system admin I have tried EVERYTHING I can think of. This includes:
1. Using different AVs (MWB-AM, ClamAV, AVG, NOD32)
2. Tried manual removal through safe mode with cmd, removing attributes of autorun.inf and other suspicious files.
3. Restoring registry/Windows IS NOT AN OPTION as I inherited this problem from the previous sys admin. So the problem has existed here for over 1 year and I have no way of knowing when it happened.
OS reinstall is not an option either, as the problem exists on the server machines as well as on the stations.
I tried a synchronized cleanup since I figured even if 1 computer remained unclean, on the first file transfer from it the whole network would be infected again. So I have set up all AVs in the entire network to scan and clean computers at the same time - still not working.

I'm open to suggestions
 
It might be a rootkit or heuristic virus.

Try scanning with Avira free version, Malwarebytes malware scanner, Malwarebytes rootkit scanner and Hitman Pro second opinion scanner. I'd do the rootkit scan first.

MB rootkit scanner: https://www.malwarebytes.org/antirootkit/

Malwarebytes anti-malware: https://www.malwarebytes.org/antimalware/

Hitman Pro: http://www.surfright.nl/en/hitmanpro

Avira free antivirus: http://www.avira.com/en/avira-free-antivirus

As always, before running any of them, after installing check to see that you are up to date with the latest definitions.
 

vesp3r

What Steam, dude? I'm running a supermarket network with computers dedicated to working only with specific programs and transferring files through FileZilla. And some of the infected computers are running Windows Server 2008 R2, others are running Windows XP and others Windows 7.
Also I already stated that I ran a scan with Malwarebytes :D

Ah yes, I forgot to mention they all delete the scr files, I delete the rar files manually... except sysvol.scr and sysvol.rar, I can't remove the attributes on those
 
Couldn't see Malwarebytes.

Steam users have been getting the same .scr problems.

So far you haven't provided enough info to home in on the problem.

You only just told us it's in a supermarket network. How big is the network? How do you know it's a virus? Has it got a name?

Is the virus also outside of your supermarket network? Is it actually causing any operational problems?
 

vesp3r
Uhm. Ok, seems I wasn't clear on a few things... the network includes 64 computers, 11 of which are servers.
Not all computers in the network have this issue (unknown how they remained clean).
Also I said "virus" for a reason... at this point I have no idea if it is an intentional attack (actual virus) or a system bug, but it happens on computers with different OSes. I haven't found a "name" of the virus, but from countless googles I found it's something to do with a file called WINLODR.SCR which is supposed to be the main problem... so far I haven't seen that file on any infected system.
As for the issue being outside the network - I had infected files on my flash drive, but as soon as I plugged it into my home PC the antivirus deleted the files.

Note: every antivirus I tried deletes the files, but they still come back periodically (usually early morning or around 8 pm every day).
Operational problems... I think creating around 19k junk files of 475kb each all the time is enough of an issue on a file server :/
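Added example (editor's code, not from anyone in this thread): a small Python script that does what the first post and the post above describe manually, on a constructed sample share. It walks a tree and flags every folder that contains a file named exactly after the folder with a .scr or .rar extension, buckets the flagged files' modification times by hour of day so a scheduled re-drop (the "early morning or around 8 pm" pattern) shows up as a spike, and moves the files into a quarantine folder instead of deleting them so samples survive for submission to an AV vendor. The file names, the 20:00 timestamp and the share layout are all constructed for the demo; the directory name `_quarantine` is an assumption.

```python
import os
import shutil
import tempfile
from collections import Counter
from datetime import datetime

# Pattern from the thread: inside an affected folder F the worm drops F.scr
# and F.rar. A folder is flagged when a file named exactly <folder><ext>
# exists for either extension (compared case-insensitively).
SUSPECT_EXTS = (".scr", ".rar")


def find_suspect_files(root):
    """Return {folder_path: [flagged file paths]} for every folder under root
    that contains a folder-named .scr or .rar file."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        base = os.path.basename(dirpath.rstrip(os.sep)).lower()
        if not base:  # drive roots such as C:\ have no basename
            continue
        wanted = {base + ext for ext in SUSPECT_EXTS}
        matches = [os.path.join(dirpath, f) for f in filenames if f.lower() in wanted]
        if matches:
            hits[dirpath] = sorted(matches)
    return hits


def hour_histogram(paths):
    """Bucket modification times by local hour of day; a daily scheduled drop
    produces one or two dominant buckets."""
    return Counter(datetime.fromtimestamp(os.path.getmtime(p)).hour for p in paths)


def quarantine(hits, root, qdir):
    """Move flagged files into qdir, flattening the relative path into the
    file name, so nothing is destroyed before it can be analysed.
    The chmod drops the read-only bit first (the R attribute on Windows)."""
    os.makedirs(qdir, exist_ok=True)
    moved = []
    for files in hits.values():
        for p in files:
            os.chmod(p, 0o644)
            rel = os.path.relpath(p, root)
            dest = os.path.join(qdir, rel.replace(os.sep, "__"))
            shutil.move(p, dest)
            moved.append(dest)
    return moved


def scan_and_report(root):
    """Summary of a scan: folder count, file count and drop-hour histogram."""
    hits = find_suspect_files(root)
    flagged = [p for fs in hits.values() for p in fs]
    return {"folders": len(hits), "files": len(flagged), "by_hour": hour_histogram(flagged)}


def build_sample_tree():
    """Constructed sample share (not real data): two infected folders, one clean."""
    root = tempfile.mkdtemp(prefix="share_")
    drop_time = datetime.now().replace(hour=20, minute=0, second=0, microsecond=0).timestamp()
    for folder, infected in (("Invoices", True), ("Orders", True), ("Clean", False)):
        d = os.path.join(root, folder)
        os.makedirs(d)
        with open(os.path.join(d, "data.txt"), "w") as fh:
            fh.write("legit\n")
        if infected:
            for ext in SUSPECT_EXTS:
                p = os.path.join(d, folder + ext)
                with open(p, "wb") as fh:
                    fh.write(b"\0" * 16)  # placeholder payload, not the real dropper
                os.utime(p, (drop_time, drop_time))  # pretend it was dropped at 20:00
    return root


if __name__ == "__main__":
    share = build_sample_tree()
    print(scan_and_report(share))
    moved = quarantine(find_suspect_files(share), share, os.path.join(share, "_quarantine"))
    print("quarantined:", moved)
```

Running it against a real share means pointing `scan_and_report` at the share root first and reading the histogram before quarantining anything: a clean spike at one hour points at a scheduled task, a logon script or a service on one specific host rather than at file transfers between machines, which is the question the thread is circling around.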
 

vesp3r
I'll do that tomorrow to see what's going on. I seriously don't know how this strict network got infected like that. I mean the users have access only to specialized programs and the FileZilla client... and like 5 ppl including me work with the mail.
 

vesp3r
Update:
The deleted files still haven't come back. I also noticed an improvement in my internet stability, so I went to Ookla's test and got a surprising result - before cleaning I had a DL speed of 0.3mbps and an upload speed of 15mbps; after the cleanup: DL 1.7mbps, UL 93mbps.
 
I'd be sure to get antivirus and malware protection installed on each individual workstation and configure them to automatically update their definitions on a daily basis to help minimize the chances of future infections. Unprotected systems are just begging for trouble and firewalls won't protect you from those kinds of threats. All it takes is an employee plugging in a flash drive or going to the wrong website, on ANY of the terminals, and you potentially have a serious issue if an infection is introduced.
 
Malware protection is FAR more relevant than antivirus. Actual viruses are fairly rare these days. For the fifteen dollars per license, or possibly less than that if you purchase a volume license to use on all your workstations and terminals, in addition to any AV protection you have installed, it would be well worth it to get Malwarebytes full version installed on each and every machine that could possibly be a source of future issues.
 