The office manager of a small electric service provider was overseeing their network while her boss was out of the country, when she noticed that the server was running extremely slowly. In troubleshooting the problem she discovered that an email account was sending out thousands of emails. Suspecting a virus, she tried to open Symantec AntiVirus to check their definitions and review their scans, but she was unable to open the program because it wouldn't accept her password. She contacted Symantec tech support after she realized the server had suffered a major crash.
John, a senior tech support engineer, suggested that the customer try using the default username and password (which is the same for all Symantec products), but this didn't work either. John then had her try to open the Symantec System Center console to see if she could change the password, but this produced an error saying the server could not communicate with the server group. At this point John knew they were dealing with a pervasive virus.
Getting closer to a fix
Although the customer thought they were using Symantec AntiVirus version 10.1.5 (the current version at the time), John was surprised to find that it was actually version 8.1.
John then performed some remediation tasks to get the customer's virus definitions up to date. "It was really difficult to fix," he says. "Her system was running so slowly and there was a lot going on that we couldn't see yet. But suddenly Autoprotect started going crazy and we were getting lots of notification windows." The notifications indicated a generic backdoor Trojan, giving the location where it could be found. The customer tried to quarantine the file to submit it as a virus sample, but it kept being detected over and over again, and within a short time there had been more than 400 detections.
Rescue from afar
John had the customer try to make a copy of the infected file, but suddenly Windows locked up and all the desktop icons disappeared. "At this point I started having her look at other computers in her environment," says John. "I told her she should install the latest version on a client and use that installation to scan the hard drive on her server. I didn't know how severe the infection was, but I hoped we'd be able to get the server cleaned up enough so they could migrate to version 10.1.6, which was the latest version."
Threat detections were still piling up on the server and nothing was working. John had the customer reboot the server in safe mode, thinking they would be able to run a scan and get it cleaned up a little. But rebooting took a long time and AntiVirus still wouldn't open.
John then had the customer locate the files that AntiVirus Autoprotect had identified as infected, and she made copies to submit for evaluation and then deleted them. She tried rebooting again in normal Windows mode, but the computer hung at restart, stuck at "applying settings," and remained in that state for the rest of the time she was on the phone. She told John she would have their IT consultant come in the following day and map a drive to the client where the new version of AntiVirus had been installed, so she could then use that machine to scan the server.
The next day when John called the customer, she told him that she had booted up in safe mode again and had successfully run a scan on the C drive just by right-clicking and starting the scan from the pop-up menu. "This is where we came up with a lot of detections," says John. "Infostealer, lots of backdoor Trojans, and then serious system-level viruses—Hacktool.Rootkit and Trojan.Dropper. I suggested that the best course of action was a total reformat, to guarantee that all the viruses were removed."
"This started out with an obvious issue where they were infected," John explains. "Usually we help customers get current definitions and get a scan going, but this situation wasn't that simple. It was like peeling back layers of an onion. But we had a really positive outcome for sure."
The customer was so pleased with John's help that she wrote a glowing letter to Symantec saying, "Thank you for employing people who care about people. It really makes customer service mean something!"