I have a network with a MS 2008 server, running a mix of WinXP and Win7 computers. On Thursday, I got a call from the users that there were duplicate directories at the root of their shared drive; they were "folder name.exe" files, and would disappear if clicked. Then the users noticed that all .pdf, .xls(x), .doc(x), and .ppt(x) files also had .exe at the end of the file names.
So clearly they had an infection, and it was not caught by the Symantec Endpoint Protection on the computers or server. I ran Malwarebytes, Sophos Antivirus, ComboFix, AVG, TDSSKiller, and Symantec Help 2.1, and none of them could identify the virus.
It placed an executable in the Windows\System32 directory, and I was able to kill the process and delete the file. So we thought the virus was "contained". Unfortunately, on Friday morning the symptoms recurred on the server. So we shut down, and late yesterday I found that one of the machines had one of the 2 server shared drives "mounted" even though the network cable was unplugged. So I researched and found that the infection was residing in the Windows\CSC directory for offline files. It looks like that is the way the server is getting reinfected.
So, since none of the AV programs are able to identify this as a threat, but it clearly is, I would like to know how to proceed. I have copies of the files, and can post them here if requested. I just don't want to post a virus without authorization.
I will attach the logs from the FRST scan, but I have already removed the virus and turned off the offline sync within the Control Panel, so I don't know if the logs will help.
Thanks so much, I feel like I'm patient zero on this infection.
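For anyone triaging the same symptoms on a share, here is an added example (not from the original post, and not tied to any particular malware family) that walks a share root and reports the two indicators described above: documents with a trailing ".exe" appended to their real extension, and "<foldername>.exe" files sitting beside a folder of the same name. The extension list, the sample directory tree and the file contents are constructed for the demonstration.

```python
# Added example: scan a share root for the two indicators described in the post.
import os
import tempfile
from pathlib import Path

# Document extensions the post says were renamed (constructed list, extend as needed).
DOC_EXTS = {".pdf", ".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx"}

def find_indicators(root):
    """Return (double_ext_files, folder_shadow_exes) as sorted paths relative to root."""
    root = Path(root)
    double_ext, shadows = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}  # folders in this directory
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() != ".exe":
                continue
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            base = name[:-4]  # name with the trailing ".exe" removed
            if Path(base).suffix.lower() in DOC_EXTS:
                double_ext.append(rel)  # e.g. report.pdf.exe
            elif base.lower() in sibling_dirs:
                shadows.append(rel)  # e.g. Finance.exe next to folder "Finance"
    return sorted(double_ext), sorted(shadows)

def build_sample_tree():
    """Constructed sample share: clean files plus two renamed docs and one folder shadow."""
    base = Path(tempfile.mkdtemp(prefix="share_"))
    (base / "Finance").mkdir()
    (base / "HR").mkdir()
    for rel in ["Finance/budget.xlsx", "HR/handbook.pdf", "setup.exe"]:
        (base / rel).write_bytes(b"clean content")
    for rel in ["Finance/budget.xlsx.exe", "HR/handbook.pdf.exe", "Finance.exe"]:
        (base / rel).write_bytes(b"MZ\x90\x00")  # constructed placeholder, not real malware
    return base

if __name__ == "__main__":
    root = build_sample_tree()
    docs, shadows = find_indicators(root)
    print("renamed documents:", docs)
    print("folder shadows:", shadows)
```

Run it against a mapped share root (read-only) to get a list of files to quarantine; a legitimate root-level installer such as setup.exe is not flagged because it matches neither pattern.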