Virus breakout on network

Starting about 2 weeks ago, users have been getting viruses/spyware left and right. Every time I remove them they seem to get back in somehow. I have used the following scans: Malwarebytes, Spybot, Ad-Aware, Symantec AV, Trojan Remover, Symantec Vundo removal tool. It appears they all look well after the scan cleans items, then the next morning I see the Symantec server is still seeing these viruses on about 7 PCs. I also noticed on our SonicWall that there are many IP spoofing alerts in the logs.

We are using Symantec Enterprise AV and a SonicWall TZ170.

Here are most of the viruses that I am seeing in the Symantec event logs.

Virus Found!Virus name: Downloader in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038624.exe by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Fakeavalert.B in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038620.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Vundo in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038619.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Blusod in File: C:\WINDOWS\system32\phc5rlj0el4r.bmp by: Defwatch scan.  Action: Leave Alone succeeded :

Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :

Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :
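
A small triage of the event lines posted above, added here as an illustration and not part of the original thread: it separates detections inside System Restore snapshots from detections on the live file system and collapses repeated events. The regex assumes the exact line shape shown in the post, the sample log is constructed from those lines, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: entries in the same shape as the lines quoted in the post.
SAMPLE_LOG = r"""
Virus Found!Virus name: Trojan.Vundo in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038619.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied
Virus Found!Virus name: Trojan.Blusod in File: C:\WINDOWS\system32\phc5rlj0el4r.bmp by: Defwatch scan.  Action: Leave Alone succeeded :
Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :
Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :
"""

# Assumed line layout: name, file path, scan type, action, optional trailing detail.
EVENT_RE = re.compile(
    r"Virus name:\s*(?P<name>\S+) in File:\s*(?P<path>.+?) by:\s*(?P<scan>.+?) scan\."
    r"\s*Action:\s*(?P<action>.+?) succeeded\s*:\s*(?P<detail>.*)$"
)

def parse_events(text):
    """Return one dict per line that matches the 'Virus Found!' layout."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def location(path):
    """Classify a path as a System Restore snapshot copy or a live file."""
    marker = "\\system volume information\\_restore"
    return "restore_point" if marker in path.lower() else "live"

def triage(events):
    """Count events per (location, action), keyed by (threat name, path)."""
    buckets = defaultdict(Counter)
    for e in events:
        buckets[(location(e["path"]), e["action"])][(e["name"], e["path"])] += 1
    return {key: dict(counts) for key, counts in buckets.items()}

def live_untouched(events):
    """Unique live-file-system paths the scanner reported but left alone."""
    return sorted({e["path"] for e in events
                   if location(e["path"]) == "live"
                   and e["action"].lower() == "leave alone"})

if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for key, items in triage(parsed).items():
        print(key, items)
    print("check by hand:", live_untouched(parsed))
```

Running the same functions over an export from each affected PC shows which machines still report files outside the restore points.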


Try CounterSpy and / or AVG and / or BitDefender. Install the software (there are fully functional trial versions), boot the system in safe mode, then scan. You can also plug the infected hard drive into another system and scan from there. After the viruses are removed, you need to delete all restore points (because those restore points contain the virus).
jfilmore3 (Author) commented:
Since I don't have access to the PCs right now, do you know of a way to remove all restore points remotely?
If you can remotely log in as admin, and disable, then enable the System Restore function (right click on My Computer -> Properties -> System Restore tab), it will delete all of the restore points. You can then create one good one if you want.

Anyhow, scan, and scan again, and make sure you get rid of all the viruses on the system. After you have removed all of them and deleted those bad restore points, you might want to investigate how those viruses got into your network in the first place. Perhaps some of those systems need security patches, or perhaps the users need to be informed about what to run on their systems.

We had a similar incident, and it turned out that the user (laptop user) used her system as her main system at home, accessing all kinds of bad websites, and kept getting her system infected with trojans again and again.

Hope this helps,


Also, you will probably need some anti-spyware program for your users' PCs (Windows Defender is a free one). I didn't have a good experience with Symantec AV when it comes to spyware + malware ...
Those in System Restore are easily removed, as already suggested, by turning off System Restore.
These ones below should've been removed by Malwarebytes. Was Malwarebytes updated before you scanned?
Have you also tried manually deleting them?
C:\WINDOWS\system32\phc5rlj0el4r.bmp <-- this file
C:\Program Files\rhc1rlj0el4r <-- and this folder

You would also need to isolate all infected PCs while those are being cleaned, as each one can re-infect the others.
Your product is no longer supported and it will not get any more updates.
I would recommend upgrading the product to a newer version. That would explain why you keep getting infected.
The first thing to do is download the tools you will need to remove any malware from the system. I would save them to a flash drive because there is a recent virus out there that restricts the use of your CD drive. Here is what to download:

Combofix
Smitfraudfix (search Google)
SuperAntiSpyware
Spybot Search and Destroy
AntiVir

After the first screen that identifies your PC manufacturer and specs, Windows will begin to load. Before it loads, hit the F8 key repeatedly until you are presented with a boot menu. You want to boot to safe mode with networking. This will allow you to update some of the software. Windows Installer doesn't work in safe mode, so you can only run some of the software here. Please install/run Combofix first. When that has completed and while still in safe mode, install Spybot S&D and update it. Also run Smitfraudfix while in safe mode. Smitfraudfix also offers a DNS hijack fix on its menu; run that as well.

Once those have all run successfully, you should be able to boot into Windows the regular way and install AntiVir and SuperAntiSpyware. Update and run these as well. After that, you should be clean. If not, let me know and I'll point you to further procedures.
jfilmore3 (Author) commented:
Something funny is up with Symantec AV. I noticed that all of the files that Symantec is showing as a virus don't even exist anymore. All of those files above are completely off of the system, yet Symantec still shows errors that it found a virus in a directory that doesn't even exist anymore. System Restore is disabled.

I tried clearing the virus status in the Symantec server console, but it always reverts back to virus status 10 minutes later.
We are using Symantec Corporate Edition 8.1. What is going on?

8.1 is no longer supported; that's why you keep getting infected. New definitions will not be downloaded or deployed.

Symantec Antivirus 8.0 reached its End of Support Life as of November 30, 2005 and Symantec Antivirus 8.1 reached its End of Support Life as of January 31, 2007, as defined in the Symantec Enterprise Technical Support Policy. Therefore virus definition updates are no longer supported for this product.

Symantec Antivirus 9.x will reach its End of Support Life as of March 31, 2009. Virus definition updates for version 9.x will be discontinued on April 1, 2009. Please contact your account manager or reseller for information about our current shipping versions.