
Inactive network infected with Parite.A and A-O

Discussion in 'Malware and Virus Removal Archive' started by mtaffer, 2011/01/13.

Thread Status:
Not open for further replies.
  1. 2011/01/13, mtaffer (Well-Known Member, Thread Starter)

    Hi guys,

    We have been having an issue with random occurrences of Parite-A and A-O popping up every day in some location, whether it be a PC or a server. It seems to occur when an executable is prompted to install; we will start getting Trend-Micro pop-ups informing us that the file has been blocked or quarantined. This happens daily. I am not sure how to pinpoint a location or how to clean this. Obviously, it is on the network, but Trend-Micro is not cleaning it effectively. We seem to get hit by it when accessing a Windows share that everyone in the company has access to.

    So my question is, where do I start tracking this down, or how? What can I run to clean Parite.A or A-O? Obviously we are dealing with some servers, so we can't exactly bring them down at a minute's notice.

    Can you guys assist, or tell me the first step? What do I need to run where?

    Thanks, you guys are always so helpful.
    Scratching our heads over this one...

    mtaffer

  2. 2011/01/13, broni (Moderator, Malware Analyst)
    I'm not really familiar with servers, but we would have to start with scanning them before we do anything with individual computers.
    Where are the IT guys?

  4. 2011/01/13, mtaffer (Well-Known Member, Thread Starter)
    What do we use to scan the servers? We are the IT guys, it's just that this kind of snuck up on us. We have enterprise Trend-Micro active on all servers and PCs, but even though it says it quarantines files, apparently it's not working. If we run a malware scan with, say, Malwarebytes, it doesn't find anything... maybe because it's already been quarantined by Trend-Micro? The thing is, it just keeps coming back.

  5. 2011/01/13, broni (Moderator, Malware Analyst)
    How many servers do you have there?
    Are they independent, or networked with each other?
    If networked, they have to be disconnected from each other.
    We can start scanning them, one at a time.

    Please, read this post, then post the requested log(s).

  6. 2011/01/13, mtaffer (Well-Known Member, Thread Starter)
    We are not sure it is from the servers. Our thought is that it is somewhere on the shared drive, as it is available from everywhere (including servers). The most ironic thing is that we usually see it when we go to install Trend-Micro on a new machine. We access the .exe to start the install. We have Trend-Micro set up to send us e-mail when it encounters issues. Earlier today I did a Trend-Micro install and got 11 warnings that Parite A or A-O were found.

    File: C:\Users\ADMINI~1\AppData\Local\Temp\zfa3AFD.tmp
    File: C:\Apps\osmedia\support\migwiz\migwiz.exe
    File: C:\Apps\osmedia\support\migwiz\postmig.exe
    File: C:\Apps\osmedia\support\migwiz\cable\cableinst.exe
    File: C:\Apps\osmedia\support\tools\gbunicnv.exe
    File: C:\Apps\osmedia\upgrade\netfx\netfxupdate.exe
    File: C:\Apps\osmedia\support\migwiz\migsetup.exe
    File: C:\Drivers\audio\R252390\Vista\RtlUpd.exe
    File: C:\Drivers\audio\R252390\Vista\RtDCpl.exe

    All of these files were tagged by Trend-Micro as being infected with PE-PARITE.A and supposedly "cleaned".
    The PC was a brand new Dell straight out of the box. I did not get any of these warnings before accessing the shared drive to install the Trend-Micro client. As soon as I clicked the .exe, all these warnings appeared. So come to think of it, it is from the shared drive that we notice these pop-ups.

    So, how do I scan that drive? And with what...
    Sorry I did not make that more clear to begin with.

    mtaffer

  7. 2011/01/13, broni (Moderator, Malware Analyst)
    I suspect you may be getting false positives.
    All those files look legit to me.
    I'm not sure about this one:
    C:\Users\ADMINI~1\AppData\Local\Temp\zfa3AFD.tmp
    but it may be just some installation temporary file.

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload all those files to http://www.virustotal.com/ for security check.

    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.

  8. 2011/01/13, mtaffer (Well-Known Member, Thread Starter)
    Thanks for the suggestion.

    This is the only file that got tagged:
    File: C:\Drivers\audio\R252390\Vista\RtlUpd.exe

    Antivirus             Version         Last update  Result
    AhnLab-V3             2011.01.14.00   2011.01.13   -
    AntiVir               7.11.1.122      2011.01.13   -
    Antiy-AVL             2.0.3.7         2011.01.13   Trojan/Win32.Agent.gen
    Avast                 4.8.1351.0      2011.01.13   -
    Avast5                5.0.677.0       2011.01.13   -
    AVG                   10.0.0.1190     2011.01.13   -
    BitDefender           7.2             2011.01.13   -
    CAT-QuickHeal         11.00           2011.01.13   Trojan.Agent.fggk
    ClamAV                0.96.4.0        2011.01.13   -
    Command               5.2.11.5        2011.01.13   -
    Comodo                7381            2011.01.13   UnclassifiedMalware
    DrWeb                 5.0.2.03300     2011.01.13   -
    Emsisoft              5.1.0.1         2011.01.13   Virus.Win32.Sality!IK
    eSafe                 7.0.17.0        2011.01.13   -
    eTrust-Vet            36.1.8097       2011.01.13   -
    F-Prot                4.6.2.117       2011.01.13   -
    F-Secure              9.0.16160.0     2011.01.13   -
    Fortinet              4.2.254.0       2011.01.13   W32/Agent.FGGK!tr
    GData                 21              2011.01.13   -
    Ikarus                T3.1.1.97.0     2011.01.13   Virus.Win32.Sality
    Jiangmin              13.0.900        2011.01.13   -
    K7AntiVirus           9.75.3535       2011.01.13   -
    Kaspersky             7.0.0.125       2011.01.13   Trojan.Win32.Agent.fggk
    McAfee                5.400.0.1158    2011.01.13   Artemis!B78F4CAA4BC8
    McAfee-GW-Edition     2010.1C         2011.01.13   Artemis!B78F4CAA4BC8
    Microsoft             1.6402          2011.01.13   -
    NOD32                 5785            2011.01.13   probably a variant of Win32/Agent.NLSUUZI
    Norman                6.06.12         2011.01.13   -
    nProtect              2011-01-13.01   2011.01.13   -
    Panda                 10.0.2.7        2011.01.13   -
    PCTools               7.0.3.5         2011.01.13   -
    Prevx                 3.0             2011.01.13   -
    Rising                22.82.03.04     2011.01.13   -
    Sophos                4.61.0          2011.01.13   -
    SUPERAntiSpyware      4.40.0.1006     2011.01.13   -
    Symantec              20101.3.0.103   2011.01.13   -
    TheHacker             6.7.0.1.114     2011.01.13   Trojan/Agent.fggk
    TrendMicro            9.120.0.1004    2011.01.13   -
    TrendMicro-HouseCall  9.120.0.1004    2011.01.13   -
    VBA32                 3.12.14.2       2011.01.13   Trojan.Agent.fggk
    VIPRE                 8063            2011.01.13   Trojan.Win32.Generic!BT
    ViRobot               2011.1.13.4252  2011.01.13   -
    VirusBuster           13.6.144.0      2011.01.13   -

    MD5:       b78f4caa4bc815b36d77d6f924f8add2
    SHA1:      3df8a94fe15c5e1ff8f2a3963ccfccc8b457f9f3
    SHA256:    76f823b5301bd6becdfa067a2ddbb09c25c942e7755ffb36249eced6f938bf89
    File size: 1482752 bytes
    Scan date: 2011-01-13 21:23:46 (UTC)
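
An added example, not code from the thread: it parses a pasted VirusTotal report in the quoted-CSV form posted above and summarises it for triage, reporting how many engines flagged the file, which ones did (so you can see whether the product that raised the original alert is among them), how often a family name such as Sality recurs, and a consistency check that the twelve hex digits in McAfee's Artemis tag match the start of the reported MD5. The embedded report is an excerpt of the one posted above, and the function names are my own.

```python
import csv
import io

# Excerpt of the VirusTotal report pasted in the post above, kept in the
# quoted-CSV form it was posted in; rows trimmed so the example stays short.
VT_REPORT = """\
"Antivirus ", "Version ", "Last update ", "Result"
"AhnLab-V3 ", "2011.01.14.00 ", "2011.01.13 ", "-"
"Antiy-AVL ", "2.0.3.7 ", "2011.01.13 ", "Trojan/Win32.Agent.gen"
"Emsisoft ", "5.1.0.1 ", "2011.01.13 ", "Virus.Win32.Sality!IK"
"Ikarus ", "T3.1.1.97.0 ", "2011.01.13 ", "Virus.Win32.Sality"
"Kaspersky ", "7.0.0.125 ", "2011.01.13 ", "Trojan.Win32.Agent.fggk"
"McAfee ", "5.400.0.1158 ", "2011.01.13 ", "Artemis!B78F4CAA4BC8"
"Microsoft ", "1.6402 ", "2011.01.13 ", "-"
"TrendMicro ", "9.120.0.1004 ", "2011.01.13 ", "-"
"MD5 ", "b78f4caa4bc815b36d77d6f924f8add2"
"File size ", "1482752 bytes"
"""

def parse_report(text):
    """Split the pasted report into {vendor: result} and {metadata key: value}."""
    vendors, meta = {}, {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        cells = [c.strip() for c in row]          # quoted cells carry trailing spaces
        if len(cells) == 4 and cells[0] != "Antivirus":
            vendors[cells[0]] = cells[3]          # "-" means the engine saw nothing
        elif len(cells) == 2:
            meta[cells[0]] = cells[1]             # MD5, SHA1, File size, ...
    return {"vendors": vendors, "meta": meta}

def summarize(text):
    """Detection ratio plus the engines that flagged the file, for quick triage."""
    parsed = parse_report(text)
    flagged = {v: r for v, r in parsed["vendors"].items() if r != "-"}
    return {"detections": len(flagged), "total": len(parsed["vendors"]),
            "flagged": flagged, "md5": parsed["meta"].get("MD5", "").lower()}

def count_family(text, family):
    """How many engines put a given family name (e.g. 'Sality') in their verdict."""
    return sum(family.lower() in r.lower() for r in parse_report(text)["vendors"].values())

def artemis_matches_md5(text):
    """McAfee's 'Artemis!<12 hex>' tag here equals the first 12 hex digits of the
    file's MD5; checking it catches a mis-pasted or mixed-up report."""
    parsed = parse_report(text)
    md5 = parsed["meta"].get("MD5", "").lower()
    tags = [r for r in parsed["vendors"].values() if r.startswith("Artemis!")]
    return bool(tags) and all(t.split("!", 1)[1].lower() == md5[:12] for t in tags)
```

Run `summarize(VT_REPORT)` on the full pasted report to get the detection ratio and the list of engines that flagged the file; a low ratio dominated by generic names is what a false-positive check usually starts from.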

  9. 2011/01/13, broni (Moderator, Malware Analyst)
    Seeing a file marked "Sality" is never good news, but....
    Considering that particular computer.... where did all those files come from?
    Normally, computers don't have folders like:
    C:\Drivers
    C:\Apps
    Did this computer have any AV program installed before?
    How many servers and computers are we talking about here?
    Do those computers show any particular problems?