Virus got through the network, infected one PC and put us on the blacklist

Posted on 2008-10-17
Medium Priority
Last Modified: 2013-12-09
On Tuesday, one of the sites that I look after got infected with a number of viruses. Specifically, just one system was infected, but after the virus came in, it started running some kind of spam engine. When I was notified by the user that something strange was going on, I immediately pulled the network cable. There were hundreds of Symantec message send errors on the screen, and there must have been a large number that got sent out, because shortly after that the users started getting non-delivery emails for some of the messages that they were sending out.

Anyway, all the computers are running the same version of SAV v10.0, including the Windows 2003 server. The server has the workstations locked down to prevent disabling of the services. We are running our in-house email using Exchange 2003, and SAV is also configured for that. Updates are done every 4 hours.

The users are running the same version of antivirus. This particular PC is also running the latest version of Spybot, with TeaTimer in the tray.
So with these two programs running, I would expect that the user should not have had any issues with viruses, but she did. It started when she opened an attachment regarding a plane ticket, E-ticket.zip. That is when her computer started to go crazy. (Someone in her office had booked her a plane ticket to Ottawa and she thought that this was the confirmation; an innocent mistake.)

This morning, I loaded an evaluation copy of GFI MailSecurity. GFI MailEssentials is already installed. GFI MS is supposed to stop all viral attachments before they hit the users' email.

I have all the log files from the infection if you would like to see them, but the user's computer is all cleaned up.

So my questions are:
1. With what she has running on her PC, should the antivirus program have caught this before it was too late?
2. Should I be looking at a different corporate program?
3. This is the 2nd time that I have seen this happen, so what can I do to reduce the possibility of this happening again?
Question by: johnbowden
LVL 10

Expert Comment

ID: 22740407
1. Maybe, maybe not; without any more information it's hard to tell.

2. Yes, change your infrastructure, try open source, you will not have more viruses. Or keep your infrastructure and love being virused.

3. This is only the 2nd time that you have seen a virus?


Author Comment

ID: 22740429
1. Let me know if you would like to see the logs.
2. Please tell me more about the open source.
3. 2nd time that a network has been blacklisted because a PC on the network was infected with a spam program sending out 1000s of emails.
LVL 10

Expert Comment

ID: 22740521
1. Yes, please give me the logs (the Symantec log).

2. Viruses often don't work on open source because open source doesn't have many users.

If you make a virus it's for targeting a lot of people; that is why viruses are targeted at Outlook, etc., and will not work on other software.

The only thing, if you don't want more viruses, is to change to Linux; the easy way without changing to Linux is to use open source software.

For mail you have Thunderbird.

3. You can use SMTP authentication, maybe it will block the spam program, or just change the SMTP port to something that the spam program doesn't know.


Author Comment

ID: 22741626
Here are the logs. The computer is clean according to Spybot, Symantec AntiVirus and an F-Secure online scan.

Event Log
Event,Computer,User,Logged By,Date
Definition File Loaded,D1633WD1,SYSTEM,System,10/16/2008 9:04:39 AM
Definition File Loaded,D1633WD1,SYSTEM,System,10/16/2008 9:04:31 AM
Symantec AntiVirus Startup,D1633WD1,SYSTEM,System,10/16/2008 9:02:52 AM
Definition File Loaded,D1633WD1,SYSTEM,System,10/16/2008 9:02:44 AM
Symantec AntiVirus Shutdown,D1633WD1,SYSTEM,System,10/15/2008 4:20:28 PM
Definition File Loaded,D1633WD1,CFS\SYSTEM,System,10/15/2008 9:19:54 AM
Definition File Loaded,D1633WD1,CFS\tstonge,System,10/15/2008 9:19:47 AM
Symantec AntiVirus Startup,D1633WD1,SYSTEM,System,10/15/2008 9:14:43 AM
Definition File Loaded,D1633WD1,SYSTEM,System,10/15/2008 9:14:35 AM
Symantec AntiVirus Shutdown,D1633WD1,SYSTEM,System,10/15/2008 6:28:08 AM

Scan History
Computer,Status,Total files,Infected,Logged By,Started On,Completed
D1633WD1,Scan Complete,23723,0,Startup,10/16/2008 9:26:43 AM,10/16/2008 9:27:57 AM
D1633WD1,Scan Complete,913,0,Defwatch Scan,10/16/2008 9:04:36 AM,10/16/2008 9:05:35 AM
D1633WD1,Scan Complete,917,0,Defwatch Scan,10/15/2008 9:19:50 AM,10/15/2008 9:20:42 AM
D1633WD1,Scan Complete,23662,0,Startup,10/15/2008 9:15:35 AM,10/15/2008 9:19:08 AM

Backed Up Items
Risk,Filename,Original Location,Status,Date
Hacktool.Rootkit,rdl1.tmp,C:\Documents and Settings\user\Local Settings\Temp\,Infected,10/14/2008 1:56:24 PM
??????,RN67761263.zip,Mail System,Still contains 1 infected items,9/2/2008 12:18:50 PM
??????,98676512.zip,Mail System,Still contains 1 infected items,9/5/2008 10:04:50 AM
Packed.Generic.182,rldC3.tmp,C:\WINDOWS\Temp\,Infected,10/14/2008 1:53:53 PM
Hacktool.Rootkit,figaro.sys,C:\WINDOWS\system32\dllcache\,Infected,10/14/2008 1:53:53 PM
??????,E-ticket.zip,Mail System,Still contains 1 infected items,10/15/2008 1:22:59 PM
??????,Binaries2[1].cab,C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AW563DXJ\,Still contains 1 infected items,10/14/2008 3:45:17 PM
??????,Binaries2.cab3,C:\Documents and Settings\user\Local Settings\Temp\,Still contains 1 infected items,10/14/2008 3:43:45 PM
??????,UPS_E9712.zip,Mail System,Still contains 1 infected items,8/5/2008 12:21:27 PM
??????,WW_671282.zip,Mail System,Still contains 1 infected items,8/13/2008 10:31:43 AM

Risk,Filename,Original Location,Status,Date
??????,RN67761263.zip,Mail System,Still contains 1 infected items,9/2/2008 12:18:50 PM
??????,98676512.zip,Mail System,Still contains 1 infected items,9/5/2008 10:04:50 AM
Trojan Horse,rldBE.tmp,C:\WINDOWS\TEMP\,Infected,10/14/2008 1:53:53 PM
??????,E-ticket.zip,Mail System,Still contains 1 infected items,10/15/2008 1:23:23 PM
XPAntivirus,uninstall.exe,c:\program files\rhc9wej0ejdt\,Infected,9/10/2008 10:22:38 AM
Trojan.Pandex,lspr[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W9I7S5IJ\,Infected,10/14/2008 3:58:21 PM
Trojan.Blusod,scan[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8PMNOHMN\,Infected,10/14/2008 3:58:16 PM
Trojan.Blusod,scan[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4PUB8XIJ\,Infected,10/14/2008 3:58:10 PM
Trojan.Pandex,lspr[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3YY4PQJQ\,Infected,10/14/2008 3:58:04 PM
??????,Binaries2[1].cab,C:\Documents and Settings\tstonge\Local Settings\Temporary Internet Files\Content.IE5\AW563DXJ\,Still contains 1 infected items,10/14/2008 3:45:17 PM
??????,Binaries2.cab3,C:\Documents and Settings\tstonge\Local Settings\Temp\,Still contains 1 infected items,10/14/2008 3:43:46 PM
??????,UPS_E9712.zip,Mail System,Still contains 1 infected items,8/5/2008 12:21:27 PM
XPAntivirus,pphccwej0ejdt.exe,c:\windows\system32\,Infected,8/14/2008 8:19:08 PM
??????,WW_671282.zip,Mail System,Still contains 1 infected items,8/13/2008 10:31:43 AM

Threat History
Risk,Action,Count,Filename,Threat Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description,Date
??????,Quarantined,1,E-ticket.zip,Compressed file,Mail System,D1633WD1,CFS\User,Still contains 1 infected items,Quarantine,Quarantine,Leave alone (log only),Auto-Protect scan,The file was quarantined successfully.,10/15/2008 1:23:23 PM
W32.Auraax,Quarantined,1,e-ticket.doc.exe,File; Compressed file,Mail System,D1633WD1,CFS\User,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,10/15/2008 1:22:59 PM
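The Threat History rows above already answer most of question 1: the payload was an executable with a decoy `.doc.exe` double extension, it arrived via the mail system rather than being stopped at the gateway, and the zip container was quarantined while still holding an infected item. The following script is an added example (not part of this thread or of Symantec's tooling) that parses a SAV 10 Threat History export and flags exactly those gaps; the sample input is the two rows posted above, embedded inline so it runs offline.

```python
import csv
import io
import os
from typing import Dict, List

# Sample input: the two Threat History rows posted in this thread, embedded
# so the script runs offline (SAV 10 exports 15 comma-separated columns).
THREAT_HISTORY = """\
Risk,Action,Count,Filename,Threat Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description,Date
??????,Quarantined,1,E-ticket.zip,Compressed file,Mail System,D1633WD1,CFS\\User,Still contains 1 infected items,Quarantine,Quarantine,Leave alone (log only),Auto-Protect scan,The file was quarantined successfully.,10/15/2008 1:23:23 PM
W32.Auraax,Quarantined,1,e-ticket.doc.exe,File; Compressed file,Mail System,D1633WD1,CFS\\User,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,10/15/2008 1:22:59 PM
"""

# Extensions a mail gateway should never deliver, and the "document"
# extensions commonly placed in front of them to disguise the file.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
DECOY_EXTS = {".doc", ".pdf", ".xls", ".jpg", ".txt", ".htm"}


def parse_threat_history(text: str) -> List[Dict[str, str]]:
    """Read the SAV Threat History export into one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_row(row: Dict[str, str]) -> List[str]:
    """Return the policy gaps a single quarantine record reveals."""
    notes = []
    stem, last = os.path.splitext(row["Filename"].lower())
    _, prev = os.path.splitext(stem)
    if last in EXEC_EXTS and prev in DECOY_EXTS:
        notes.append("double extension: executable disguised as %s" % prev)
    if last in EXEC_EXTS and row["Original Location"] == "Mail System":
        notes.append("executable attachment reached the mailbox: gateway did not strip it")
    if row["Status"].startswith("Still contains"):
        notes.append("container quarantined but nested item not cleaned")
    if row["Secondary Action"] == "Leave alone (log only)":
        notes.append("policy falls back to log-only when quarantine fails")
    return notes


def triage(text: str) -> Dict[str, List[str]]:
    """Map each quarantined filename to the gaps found in its record."""
    return {r["Filename"]: triage_row(r) for r in parse_threat_history(text)}


if __name__ == "__main__":
    for fname, notes in triage(THREAT_HISTORY).items():
        print(fname)
        for note in notes:
            print("  -", note)
```

Run it against a full export (File > Export from the SAV log viewer) to see how many mail-borne executables the desktop client has been catching that the gateway should have blocked upstream.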

Author Comment

ID: 22741717
Again, these were cleaned, and the system has been scanned twice since then and shows clean.

Spybot Report
14.10.2008 19:01:24 - ##### check started #####
14.10.2008 19:01:24 - ### Version: 1.6.0
14.10.2008 19:01:24 - ### Date: 10/14/2008 7:01:24 PM
14.10.2008 19:01:26 - ##### checking bots #####
14.10.2008 19:03:34 - found: Fraud.Antivirus2008 Uninstall settings
14.10.2008 19:06:30 - found: Delf.Spool.cn  Executable
14.10.2008 19:15:54 - ##### check finished #####

Fraud.Antivirus2008: [SBI $507892C0] Uninstall settings (Registry key, nothing done)

Delf.Spool.cn: [SBI $D357F13F]  Executable (File, nothing done)

--- Spybot - Search & Destroy version: 1.6.0  (build: 20080707) ---

Author Comment

ID: 22741740
I also have the Autoruns and HijackThis log files.
LVL 10

Expert Comment

ID: 22747357

I think that the best way is to clean everything with Ghost or something that restores your hard disk.

Just in case the virus has changed some system files.

Maybe not, but it's the fastest way, and the secure way.

You can't trust Symantec or any antivirus.

Author Comment

ID: 22748426
I did some reading on the open source antivirus software and it's pretty negative.
I'm just wondering if I need to change from Symantec to another product. I really haven't tried anything other than the CA product (and I really didn't like that software), so I'm hoping that I can get some suggestions as to alternatives to Symantec Corp Edition that would be easy to manage, able to be pushed down through a GPO, small footprint, etc.

Author Comment

ID: 22839515
I have opened a case with Symantec on this issue. As far as I'm concerned, I've taken all the correct steps to prevent this problem from happening, especially with the known viruses that infected the computer.

Just an FYI, I had another machine at a different site get infected with Trojan.Metajuan and to get rid of it, I loaded the free version of AVG. Also, to confirm that it was gone, I went to the F-Secure site and ran a scan.

Why is the corp version of SAV not picking this up?

So, again, is there a better alternative than Symantec?

What about Kaspersky?
LVL 10

Accepted Solution

Tobias earned 500 total points
ID: 22840149
Hi !

Yes, Symantec is the worst antivirus. I didn't like that Symantec always detects only false positives, "hack" tools like SuperScan etc., but not real viruses. I don't have a choice; Symantec is used in my company :(
In the last 2 weeks someone got the e-ticket virus; that's old, but Symantec didn't detect it.

And like I say, if you use open source programs (not the antivirus) for the mail client, for the web, and for the firewall, maybe the virus can cause some problems, but the firewall will block. And maybe the open source software will block the virus, because the virus will use, for example, an exploit in Microsoft Outlook; then if you don't use Outlook it's safe.

You could also find the best antivirus with comparative tests:

Best Regards
