jfilmore3 asked:

Virus breakout on network

About 2 weeks ago users have been getting viruses/spyware left and right. Every time I remove them they seem to get back in somehow. I have used the following scans: Malwarebytes, Spybot, Ad-Aware, Symantec AV, Trojan Remover, Symantec Vundo removal tool. It appears they all look well after the scan cleans items, then the next morning I see the Symantec server is still seeing these viruses on about 7 PCs. I also noticed on our SonicWall that there are many IP Spoofing alerts in the logs.

We are using Symantec Enterprise AV 8.1.0.825, Sonicwall TZ170.

Here are most of the viruses that I am seeing in the Symantec event logs.

Virus Found!Virus name: Downloader in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038624.exe by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Fakeavalert.B in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038620.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Vundo in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038619.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Blusod in File: C:\WINDOWS\system32\phc5rlj0el4r.bmp by: Defwatch scan.  Action: Leave Alone succeeded :

Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :

Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :


PLEASE HELP!!!
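An added example, not from the thread, that parses the Symantec event log lines quoted above (the line format is assumed from those six entries) and separates restore-point hits, which real-time scanning cannot clean and which only disappear once System Restore is purged, from live-file-system hits that the scanner merely logged and left alone:

```python
import re
from collections import Counter

# Log lines taken from the Symantec event log excerpt in the question above.
SAMPLE_LOG = r"""
Virus Found!Virus name: Downloader in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038624.exe by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied
Virus Found!Virus name: Trojan.Fakeavalert.B in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038620.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied
Virus Found!Virus name: Trojan.Vundo in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038619.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied
Virus Found!Virus name: Trojan.Blusod in File: C:\WINDOWS\system32\phc5rlj0el4r.bmp by: Defwatch scan.  Action: Leave Alone succeeded :
Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :
Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :
"""

# Field layout assumed from the lines above: name, path, scanner, action, optional detail.
EVENT_RE = re.compile(
    r"^Virus Found!Virus name: (?P<name>.+?) in File: (?P<path>.+?) "
    r"by: (?P<scanner>.+?)\.\s+Action: (?P<action>.+?) :\s*(?P<detail>.*)$"
)
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore", re.IGNORECASE)

def parse_event(line):
    """Split one 'Virus Found!' line into its fields; None if it does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def is_restore_point(path):
    """True for files inside System Restore snapshots, which the real-time scanner
    cannot touch (hence 'Access denied'); they go away only when restore points are purged."""
    return bool(RESTORE_RE.search(path))

def triage(log_text):
    """Group detections into what still needs action on the live file system."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    restore = [e for e in events if is_restore_point(e["path"])]
    live = [e for e in events if not is_restore_point(e["path"])]
    # 'Leave Alone' means the scanner recorded the file but did not remediate it.
    unremediated = sorted({e["path"] for e in live if e["action"].startswith("Leave Alone")})
    repeats = {p: n for p, n in Counter(e["path"] for e in live).items() if n > 1}
    return {
        "total": len(events),
        "restore_point_hits": len(restore),
        "live_hits": len(live),
        "unremediated_paths": unremediated,
        "repeat_paths": repeats,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Paths listed under `unremediated_paths` are the ones worth checking by hand on each host; the restore-point entries will keep reappearing in the console until System Restore is cleared.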
laquangthong

Try CounterSpy and/or AVG and/or BitDefender. Install the software (there are fully functional trial versions), boot the system in safe mode, then scan. You can also plug the infected hard drive into another system and scan from there. After the viruses are removed, you need to delete all restore points (because those restore points contain the virus).
jfilmore3 (asker):
Since I don't have access to the PCs right now, do you know of a way to remove all restore points remotely?
ASKER CERTIFIED SOLUTION
laquangthong

Also, you probably will need some anti-spyware program for your users' PCs (Windows Defender is a free one). I didn't have good experience with Symantec AV when it comes to spyware + malware ...
rpggamergirl:
Those in the System Restore are easily removed, as already suggested, by turning off System Restore.
These ones below should've been removed by Malwarebytes; was Malwarebytes updated before you scanned?
Have you also tried manually deleting them?
C:\WINDOWS\system32\phc5rlj0el4r.bmp <-- this file
C:\Program Files\rhc1rlj0el4r <-- and this folder


You would also need to isolate all infected PCs while those are being cleaned, as each one can re-infect the others.
Your product is no longer supported and it will not get any more updates.
I would recommend upgrading the product to a newer version. That would explain why you keep getting infected:
http://www.symantec.com/business/support/release_details.jsp?pid=51852
The first thing to do is download the tools you will need to remove any malware from the system. I would save them to a flash drive because there is a recent virus out there that restricts the use of your CD drive. Here is what to download:

Combofix (bleepingcomputer.com)
Smitfraudfix (search google)
superantispyware (superantispyware.com)
spybot search and destroy (safer-networking.org)
antivir  (free-av.com)

After the first screen that identifies your PC manufacturer and specs, Windows will begin to load. Before it loads, hit the F8 key repeatedly until you are presented with a boot menu. You wish to boot to Safe Mode with Networking. This will allow you to update some of the software. Windows Installer doesn't work in safe mode, so you can only run some of the software here. Please install/run Combofix first. When that has completed, and while still in safe mode, install Spybot S&D and update it. Also run Smitfraudfix while in safe mode. Smitfraud also offers a DNS hijack fix on its menu; run that as well.

Once those have all run successfully, you should be able to boot into Windows the regular way and install Antivir and SuperAntiSpyware. Update and run these as well. After that, you should be clean; if not, let me know and I'll point you to further procedures.
Something funny is up with Symantec AV. I noticed that all of the files that Symantec is showing as a virus don't even exist anymore. All of those files above are completely off the system, yet Symantec still shows errors that it found a virus in a directory that doesn't even exist anymore. System Restore is disabled.

I tried clearing the virus status in the Symantec server console, but it always reverts back to virus status 10 minutes later.

We are using Symantec Corporate Edition 8.1. What is going on?



8.1 is no longer supported; that's why you keep getting infected. New definitions will not be downloaded or deployed.


Symantec Antivirus 8.0 reached its End of Support Life as of November 30, 2005 and Symantec Antivirus 8.1 reached its End of Support Life as of January 31, 2007, as defined in the Symantec Enterprise Technical Support Policy. Therefore virus definition updates are no longer supported for this product.

Symantec Antivirus 9.x will reach its End of Support Life as of March 31, 2009. Virus definition updates for version 9.x will be discontinued on April 1, 2009. Please contact your account manager or reseller for information about our current shipping versions.
http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce