• Status: Solved
  • Priority: Medium
  • Security: Public

Virus breakout on network

About 2 weeks ago users started getting viruses/spyware left and right. Every time I remove them they seem to get back in somehow. I have used the following scans: Malwarebytes, Spybot, Ad-Aware, Symantec AV, Trojan Remover, Symantec Vundo removal tool. It appears they all look well after the scan cleans items, then the next morning I see the Symantec server is still seeing these viruses on about 7 PCs. I also noticed on our SonicWall that there are many IP Spoofing alerts in the logs.

We are using Symantec Enterprise AV 8.1.0.825, SonicWall TZ170.

Here are most of the viruses that I am seeing in the Symantec event logs.

Virus Found!Virus name: Downloader in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038624.exe by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Fakeavalert.B in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038620.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Vundo in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038619.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied

Virus Found!Virus name: Trojan.Blusod in File: C:\WINDOWS\system32\phc5rlj0el4r.bmp by: Defwatch scan.  Action: Leave Alone succeeded :

Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :


PLEASE HELP!!!
Asked by: jfilmore3
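Before chasing the recurring detections, it helps to sort the quoted log lines into what they actually mean. The block below is an added example, not code from the thread or from Symantec: it parses the six "Virus Found!" lines the poster quoted (embedded here as constructed sample input) and classifies each one. Paths under System Volume Information\_restore are inert copies held by System Restore (quarantine fails there with "Access denied" because the folder is locked to SYSTEM); "Leave Alone" actions against files in system32 and Program Files mean the scanner saw a live file and did nothing about it. The regex and class names are this example's own assumptions about the line format; it assumes PowerShell 3.0 or later on the admin workstation.

```powershell
# Added example: triage Symantec AV "Virus Found!" event lines.
# Sample input is constructed from the lines quoted in the question.
$SampleLog = @'
Virus Found!Virus name: Downloader in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038624.exe by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied
Virus Found!Virus name: Trojan.Fakeavalert.B in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038620.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied
Virus Found!Virus name: Trojan.Vundo in File: C:\System Volume Information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP371\A0038619.dll by: Realtime Protection scan.  Action: Quarantine succeeded : Access denied
Virus Found!Virus name: Trojan.Blusod in File: C:\WINDOWS\system32\phc5rlj0el4r.bmp by: Defwatch scan.  Action: Leave Alone succeeded :
Virus Found!Virus name: Packed.Generic.183 in File: C:\Program Files\rhc1rlj0el4r\Uninstall.exe by: Defwatch scan.  Action: Leave Alone succeeded :
'@

# Assumed line format: name, path, scanner, then "Action: <action> : <result>"
$Pattern = '^Virus Found!Virus name: (?<Name>.+?) in File: (?<Path>.+?) by: (?<Scanner>.+?) scan\.\s+Action: (?<Action>.+?)\s*:\s*(?<Result>.*)$'

function Get-SavEventTriage {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if (-not ($line -match $Pattern)) { continue }   # skip anything that is not a detection line
        $path   = $Matches.Path
        $action = $Matches.Action.Trim()
        $result = $Matches.Result.Trim()

        $class = if ($path -match '\\System Volume Information\\_restore') {
            'RestorePointCopy'      # inert copy; purged by toggling System Restore off and on
        } elseif ($action -like 'Leave Alone*') {
            'ActiveNotRemediated'   # live file the scanner saw but did not touch
        } elseif ($result -eq 'Access denied') {
            'RemediationBlocked'    # scanner tried and could not complete
        } else {
            'Remediated'
        }

        [pscustomobject]@{
            Class   = $class
            Threat  = $Matches.Name
            Scanner = $Matches.Scanner
            Action  = $action
            Result  = $result
            Path    = $path
        }
    }
}

$Events = Get-SavEventTriage ($SampleLog -split "`r?`n" | Where-Object { $_ })

$Events | Sort-Object Class | Format-Table Class, Threat, Scanner, Path -AutoSize

# The paths still on disk that the scanner declined to remediate are the ones to
# remove by hand (or with a second scanner from safe mode), then confirm they are gone.
$Events | Where-Object { $_.Class -eq 'ActiveNotRemediated' } | Select-Object -ExpandProperty Path -Unique
```

Run against a real SAV event export, the RestorePointCopy rows can be ignored until System Restore is flushed; the ActiveNotRemediated rows are the working set for cleanup, and anything that reappears in that set after a reboot points to a persistence mechanism the scanner is not catching.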
1 Solution
 
laquangthongCommented:
Try CounterSpy and/or AVG and/or BitDefender. Install the software (there are fully functional trial versions), boot the system in safe mode, then scan. You can also plug the infected hard drive into another system and scan from there. After the viruses are removed, you need to delete all restore points (because those restore points contain the virus).
 
jfilmore3Author Commented:
Since I don't have access to the PCs right now, do you know of a way to remove all restore points remotely?
 
laquangthongCommented:
If you can remotely log in as admin, and disable, then enable the System Restore function (right-click on My Computer -> Properties -> System Restore tab), it will delete all of the restore points. You can then create one good one if you want.

Anyhow, scan, and scan again; make sure you get rid of all the viruses on the system. And after you remove all of them and delete those bad restore points, you might want to investigate how those viruses got into your network in the first place. Perhaps some of those systems need security patches, or perhaps the users need to be informed about what to run on their systems.

We had a similar incident, and it turned out that the user (a laptop user) used her system as her main system at home, accessing all kinds of bad websites..., and kept getting her system infected with trojans again and again.

Hope this helps,
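The disable-then-enable trick above is what the System Restore checkbox does under the hood, and it can be driven remotely through WMI instead of logging on to each PC. The block below is an added example (not code from this thread): it uses the SystemRestore class in the root\default namespace, which on XP/Vista/7-era Windows exposes the restore points as instances and Disable/Enable as static methods. The host names are placeholders, it assumes the caller has local admin on each target and that remote WMI (DCOM) is reachable through the host firewall, and the Enable(Drive, WaitTillEnabled) signature is taken from the class documentation rather than from anything on this page. Run it only after the hosts are actually clean: re-enabling System Restore starts capturing new points, and any malware still on disk goes straight into them.

```powershell
# Added example: flush all restore points on remote hosts by toggling System Restore
# off and on through the SystemRestore WMI class (root\default). Host names are placeholders.
$Computers = @('PC01', 'PC02')   # assumed names; replace with the infected hosts
$Drive     = 'C:\'

function Reset-RemoteSystemRestore {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$Drive = 'C:\'
    )

    # Each instance of SystemRestore is one restore point (SequenceNumber, CreationTime, Description)
    $before = @(Get-WmiObject -ComputerName $ComputerName -Namespace root\default -Class SystemRestore -ErrorAction Stop)
    Write-Verbose ("{0}: {1} restore point(s) before reset" -f $ComputerName, $before.Count)

    # Disable/Enable are static methods, so call them on the class object, not an instance
    $sr = [wmiclass]"\\$ComputerName\root\default:SystemRestore"

    $rc = $sr.Disable($Drive).ReturnValue
    if ($rc -ne 0) { throw "Disable($Drive) failed on $ComputerName (ReturnValue $rc)" }

    # Assumed signature from the class documentation: Enable(Drive, WaitTillEnabled)
    $rc = $sr.Enable($Drive, $true).ReturnValue
    if ($rc -ne 0) { throw "Enable($Drive) failed on $ComputerName (ReturnValue $rc)" }

    # Verify the purge: disabling drops every point, so the count should now be 0
    $after = @(Get-WmiObject -ComputerName $ComputerName -Namespace root\default -Class SystemRestore)

    [pscustomobject]@{
        ComputerName = $ComputerName
        PointsBefore = $before.Count
        PointsAfter  = $after.Count
        Purged       = ($after.Count -eq 0)
    }
}

foreach ($pc in $Computers) {
    try {
        Reset-RemoteSystemRestore -ComputerName $pc -Drive $Drive -Verbose
    } catch {
        Write-Warning ("{0}: {1}" -f $pc, $_.Exception.Message)
    }
}
```

Once the hosts are confirmed clean, a fresh known-good point can be created the same way with the class's CreateRestorePoint method; keeping the PointsAfter column in the output gives a record that the infected points were really gone before that happened.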
 
laquangthongCommented:
Also, you probably will need some anti-spyware program for your users' PCs (Windows Defender is a free one). I didn't have good experience with Symantec AV when it comes to spyware and malware...
 
rpggamergirlCommented:
Those in System Restore are easily removed, as already suggested, by turning off System Restore.
These ones below should've been removed by Malwarebytes. Was Malwarebytes updated before you scanned?
Have you also tried manually deleting them?
C:\WINDOWS\system32\phc5rlj0el4r.bmp <-- this file
C:\Program Files\rhc1rlj0el4r <-- and this folder


You would also need to isolate all infected PCs while they are being cleaned, as each one can re-infect the others.
 
jimmymcp02Commented:
Your product is no longer supported and will not get any more updates. I would recommend upgrading to a newer version. That would explain why you keep getting infected.
http://www.symantec.com/business/support/release_details.jsp?pid=51852
 
originalbiffmalibuCommented:
The first thing to do is download the tools you will need to remove any malware from the system. I would save them to a flash drive because there is a recent virus out there that restricts the use of your CD drive. Here is what to download:

ComboFix (bleepingcomputer.com)
SmitfraudFix (search Google)
SUPERAntiSpyware (superantispyware.com)
Spybot Search & Destroy (safer-networking.org)
Antivir (free-av.com)

After the first screen that identifies your PC manufacturer and specs, Windows will begin to load. Before it loads, hit the F8 key repeatedly until you are presented with a boot menu. You want to boot to Safe Mode with Networking. This will allow you to update some of the software. Windows Installer doesn't work in safe mode, so you can only run some of the software here. Please install/run ComboFix first. When that has completed, and while still in safe mode, install Spybot S&D and update it. Also run SmitfraudFix while in safe mode. SmitfraudFix also offers a DNS hijack fix on its menu; run that as well.

Once those have all run successfully, you should be able to boot into Windows the regular way and install Antivir and SUPERAntiSpyware. Update and run these as well. After that, you should be clean; if not, let me know and I'll point you to further procedures.
 
jfilmore3Author Commented:
Something funny is up with Symantec AV. I noticed that all of the files that Symantec is showing as a virus don't even exist anymore. All of those files above are completely off the system, yet Symantec still shows errors that it found a virus in a directory that doesn't even exist anymore. System Restore is disabled.

I tried clearing the virus status in the Symantec server console, but it always reverts back to virus status 10 minutes later.

We are using Symantec Corporate Edition 8.1. What is going on?
 
jimmymcp02Commented:
8.1 is no longer supported; that's why you keep getting infected. New definitions will not be downloaded or deployed.

Symantec Antivirus 8.0 reached its End of Support Life as of November 30, 2005 and Symantec Antivirus 8.1 reached its End of Support Life as of January 31, 2007, as defined in the Symantec Enterprise Technical Support Policy. Therefore virus definition updates are no longer supported for this product.

Symantec Antivirus 9.x will reach its End of Support Life as of March 31, 2009. Virus definition updates for version 9.x will be discontinued on April 1, 2009. Please contact your account manager or reseller for information about our current shipping versions.
http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce