

Virus breakout on network

Posted on 2008-11-12
Medium Priority
Last Modified: 2013-12-09
For about 2 weeks now, users have been getting viruses/spyware left and right. Every time I remove them they seem to get back in somehow. I have used the following scans: Malwarebytes, Spybot, Ad-Aware, Symantec AV, Trojan Remover, Symantec Vundo removal tool. It appears they all look well after the scan cleans items, then the next morning I see the Symantec server is still seeing these viruses on about 7 PCs. I also noticed on our Sonicwall that there are many IP Spoofing alerts in the logs.

We are using Symantec Enterprise AV, Sonicwall TZ170.

Here are most of the viruses that I am seeing in the Symantec event logs.

Virus Found!Virus name: Downloader in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038624.exe by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Fakeavalert.B in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038620.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Vundo in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038619.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Blusod in File: C:\WINDOWS\system32\phc5rlj0el4r.bmp by: Defwatch scan.  Action: Leave Alone succeeded :

Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :

Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :

Question by:jfilmore3
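The event lines quoted in the question all have the same shape, and the useful triage signal is in two fields: where the file sits and what action the scanner took. The script below is an added example, not part of the original thread, and the sample lines are constructed copies of the events posted above. It parses each "Virus Found!" line and sorts it into buckets: detections inside a restore point (which the scanner cannot clean and which keep reappearing until System Restore is turned off), detections the scanner left in place (which need hands-on cleanup), and everything else. The bucket names and the `summarize` return shape are my own choices.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the Symantec AV events quoted in the
# question (same format; the GUID and file names are copied from the post).
SAMPLE_EVENTS = [
    "Virus Found!Virus name: Downloader in File: C:\\System Volume Information\\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\\RP371\\A0038624.exe by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied",
    "Virus Found!Virus name: Trojan.Vundo in File: C:\\System Volume Information\\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\\RP371\\A0038619.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied",
    "Virus Found!Virus name: Trojan.Blusod in File: C:\\WINDOWS\\system32\\phc5rlj0el4r.bmp by: Defwatch scan.  Action: Leave Alone succeeded :",
    "Virus Found!Virus name: Packed.Generic.183 in File: C:\\Program Files\\rhc1rlj0el4r\\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :",
    "Virus Found!Virus name: Packed.Generic.183 in File: C:\\Program Files\\rhc1rlj0el4r\\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :",
    "not an event line",
]

# One regex for the whole line: name, path, scanner, action and the optional
# detail after the trailing colon ("Access denied" or nothing at all).
EVENT_RE = re.compile(
    r"^Virus Found!Virus name: (?P<name>.+?) in File: (?P<path>.+?) "
    r"by: (?P<scanner>.+?)\.\s+Action: (?P<action>.+?)\s*:\s*(?P<detail>.*)$"
)

# Lower-cased marker for the System Restore cache on XP-era Windows.
RESTORE_POINT_MARKER = "\\system volume information\\_restore"


def parse_event(line):
    """Return a dict with name/path/scanner/action/detail, or None if the
    line is not a 'Virus Found!' event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["detail"] = event["detail"].strip()
    return event


def classify(event):
    """Bucket an event by what the responder has to do about it."""
    if RESTORE_POINT_MARKER in event["path"].lower():
        # Copies inside a restore point: the scanner cannot touch them, so they
        # reappear until System Restore is turned off and the points are purged.
        return "restore_point"
    if event["action"].lower().startswith("leave alone"):
        # Detected but deliberately not removed: needs manual cleanup.
        return "left_in_place"
    return "handled"


def summarize(lines):
    """Parse log lines and return (counts per bucket, sorted unique paths that
    still need hands-on cleanup, number of lines that did not parse)."""
    counts = Counter()
    manual = set()
    unparsed = 0
    for line in lines:
        event = parse_event(line)
        if event is None:
            unparsed += 1
            continue
        bucket = classify(event)
        counts[bucket] += 1
        if bucket == "left_in_place":
            manual.add(event["path"])
    return dict(counts), sorted(manual), unparsed


if __name__ == "__main__":
    counts, manual, unparsed = summarize(SAMPLE_EVENTS)
    print("buckets:", counts)
    print("paths needing manual cleanup:")
    for p in manual:
        print("  ", p)
    print("unparsed lines:", unparsed)
```

Run against a real export of the server console's event log, the "left_in_place" list is the set of files to remove by hand (or to feed to a second scanner), and a non-zero "restore_point" count is the cue that the reappearing detections are restore-point residue rather than fresh infections.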

Expert Comment

ID: 22942969
Try CounterSpy and / or AVG and / or BitDefender. Install the software (there are fully functional trial versions), boot the system in safe mode, then scan. You can also plug the infected hard drive into another system and scan from there. After the viruses are removed, you need to delete all restore points (because those restore points contain the virus).

Author Comment

ID: 22943381
Since I don't have access to the PCs right now, do you know of a way to remove all restore points remotely?

Accepted Solution

laquangthong earned 2000 total points
ID: 22946539
If you can remotely log in as admin, and disable, then enable the System Restore function (right click on My Computer -> Properties -> System Restore tab), it will delete all of the restore points. You can then create one good one if you want.

Anyhow, scan, and scan again, make sure you get rid of all the viruses on the system. And after you remove all of them + delete those bad restore points, you might want to investigate how those viruses got into your network in the first place. Perhaps some of those systems need security patches, or perhaps the users need to be informed about what to run on their system.

We had a similar incident, and it turned out that the user (a laptop user) used her system as her main system at home, accessing all kinds of bad websites..., and kept getting her system infected with trojans again and again.

Hope this helps,
Expert Comment

ID: 22946877
Also, you probably will need some anti-spyware program for your users' PCs (Windows Defender is a free one). I didn't have a good experience with Symantec AV when it comes to spyware + malware...

Expert Comment

ID: 22949483
Those in System Restore are easily removed, as already suggested, by turning off System Restore.
These ones below should've been removed by MalwareBytes; was MalwareBytes updated before you scanned?
Have you also tried manually deleting them?
C:\WINDOWS\system32\phc5rlj0el4r.bmp <-- this file
C:\Program Files\rhc1rlj0el4r <-- and this folder

You would also need to isolate all infected PCs while those are being cleaned, as each one can re-infect the others.

Expert Comment

ID: 22954109
Your product is no longer supported and it will not get any more updates.
I would recommend upgrading the product to a newer version. That would explain why you keep getting infected.

Expert Comment

ID: 22956879
The first thing to do is download the tools you will need to remove any malware from the system. I would save them to a flash drive because there is a recent virus out there that restricts the use of your CD drive. Here is what to download:

Combofix (bleepingcomputer.com)
Smitfraudfix (search google)
superantispyware (superantispyware.com)
spybot search and destroy (safer-networking.org)
antivir (free-av.com)

After the first screen that identifies your PC manufacturer and specs, Windows will begin to load. Before it loads, hit the F8 key repeatedly until you are presented with a boot menu. You wish to boot to safe mode with networking. This will allow you to update some of the software. Windows Installer doesn't work in safe mode, so you can only run some of the software here. Please install/run Combofix first. When that has completed, and while still in safe mode, install Spybot S&D and update it. Also run Smitfraudfix while in safe mode. Smitfraud also offers a DNS hijack fix on its menu; run that as well.

Once those have all run successfully, you should be able to boot into Windows the regular way and install antivir and superantispyware. Update and run these as well. After that, you should be clean; if not, let me know and I'll point you to further procedures.

Author Comment

ID: 22957227
Something funny is up with Symantec AV. I noticed that all of the files that Symantec is showing as a virus don't even exist anymore. All of those files above are completely off of the system, yet Symantec still shows errors that it found a virus in a directory that doesn't even exist anymore. System Restore is disabled.

I tried clearing the virus status in the Symantec server console, but it always reverts back to virus status 10 minutes later.
We are using Symantec Corporate Edition 8.1. What is going on?

Expert Comment

ID: 22961323
8.1 is no longer supported; that's why you keep getting infected: new definitions will not be downloaded or deployed.

Symantec Antivirus 8.0 reached its End of Support Life as of November 30, 2005 and Symantec Antivirus 8.1 reached its End of Support Life as of January 31, 2007, as defined in the Symantec Enterprise Technical Support Policy. Therefore virus definition updates are no longer supported for this product.

Symantec Antivirus 9.x will reach its End of Support Life as of March 31, 2009. Virus definition updates for version 9.x will be discontinued on April 1, 2009. Please contact your account manager or reseller for information about our current shipping versions.
