Reef nutrition

Computer virus help

Hi guys,

So an employee in our office opened a greeting card email. She clicked on the attached file and lo, a virus was installed. On top of that, a fake antivirus window popped up and she clicked on that as well.

Now, after almost 2 days of non-stop (and unsuccessful) scanning and virus removal, I'm at a loss as to what to do. I have tried AVG, Avast!, Symantec, BitDefender, Panda Security, Trend Micro, Spybot, and various other malware/virus removal software, but nothing is working. Every time I reboot the computer, a whole slew of .exe files show up in the temp folder of her computer. Spybot TeaTimer pops up every second with a new registry change. It's rendered her machine totally unusable.

I was wondering if anyone would be able to give me some advice as to what I can do to salvage this computer. She has numerous important documents on the computer, so the ideal situation is to be able to remove all traces of the virus and get her back to her station. If that's not possible, how do I transfer the documents without infecting her replacement computer?

Any advice is WELCOME!
Mike
 
Which virus is it?

I have been battling a lot of those stupid Antivirus 2009 malware programs for a couple of weeks now. My solution is to just re-image the machine; if it's Vundo you're f'd, there is no way to totally get rid of it.

Try malwarebytes.org if you haven't already, that program seems pretty solid, though it still will not get rid of some of the shitter malware out there.
 
(Un?)fortunately, it's been a while since I've dealt with virus removals, esp from windows. At the very least, I think that booting into safe mode and transferring things to a usb flash drive is a valid solution. However, it's been a while and it'd be best to get that verified before you tried it. Also, most all AV and virus removal programs can/should be run from safe mode and/or before windows even loads. It's times like these that I wonder if System Restore works well enough.
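An added example (not from the thread) of the safe-mode document rescue suggested above: a PowerShell script that copies only allow-listed document types from the infected profile to a USB drive, refuses anything executable (including double-extension names like invoice.pdf.exe), and writes a SHA-256 manifest of what was taken. The $Source, $Dest and $Log paths are assumptions; the .doc/.xls files it copies can still carry macros, so scan them on the clean machine before opening.

```powershell
param(
    [string]$Source = 'C:\Documents and Settings\user\My Documents',  # assumed profile path (use a full path)
    [string]$Dest   = 'E:\rescued',                                   # assumed USB drive
    [string]$Log    = 'E:\rescued\manifest.csv',
    [string[]]$Allow = @('.doc','.docx','.xls','.xlsx','.ppt','.pptx','.pdf','.txt','.csv','.jpg','.png')
)
# Extensions that can carry code are refused wherever they appear in the name,
# so 'invoice.pdf.exe' is skipped rather than copied along with the documents.
$Block = @('exe','dll','scr','com','pif','bat','cmd','vbs','js','jse','wsf','lnk','hta')

$sha = [System.Security.Cryptography.SHA256]::Create()
New-Item -ItemType Directory -Path $Dest -Force | Out-Null
'sha256,bytes,source' | Out-File -FilePath $Log -Encoding ascii

$copied = 0; $skipped = 0
Get-ChildItem -Path $Source -Recurse -Force |
  Where-Object { -not $_.PSIsContainer } |
  ForEach-Object {
    $file  = $_
    $parts = $file.Name.ToLower().Split('.')
    if ($parts.Length -lt 2) { $skipped++; return }          # no extension: not a document we want
    $hasBlocked = $false
    foreach ($p in $parts[1..($parts.Length - 1)]) {         # every segment after the base name
        if ($Block -contains $p) { $hasBlocked = $true }
    }
    $ext = '.' + $parts[$parts.Length - 1]
    if ($hasBlocked -or ($Allow -notcontains $ext)) { $skipped++; return }

    # Hash before copying so the manifest records exactly what left the infected machine.
    $stream = [System.IO.File]::Open($file.FullName, 'Open', 'Read', 'ReadWrite')
    try     { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }

    # Preserve the folder layout under $Dest.
    $rel    = $file.FullName.Substring($Source.Length).TrimStart('\')
    $target = Join-Path $Dest $rel
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    Copy-Item -LiteralPath $file.FullName -Destination $target
    "$hash,$($file.Length),$($file.FullName)" | Out-File -FilePath $Log -Encoding ascii -Append
    $copied++
  }
Write-Host "copied $copied file(s), skipped $skipped; manifest: $Log"
```

Run it from Safe Mode with the USB drive attached, and keep the manifest with the drive so the files can be re-hashed and scanned on the replacement machine before anyone opens them.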
 
Ah crap, it's "vundo". AV programs also found "metajuan", "tiny-II", and various other trojans. Is that it for this computer?

Symantec seems to believe that removal of "Vundo" is easy ???
 
[quote author=phishphood link=topic=6596.msg85031#msg85031 date=1235755720]
So would it be a good idea to disconnect the comp from the network now?
[/quote]

Doh, good idea. I kept it connected to d/l the removal tools.
 
Yes, when I got the first one I had it hooked up to our network, about 1 minute later I got a call from our Network folks saying they got over 3000 Symantec warnings about this computer trying to spread it around.
 
[quote author=badbread link=topic=6596.msg85038#msg85038 date=1235755851]
Yes, when I got the first one I had it hooked up to our network, about 1 minute later I got a call from our Network folks saying they got over 3000 Symantec warnings about this computer trying to spread it around.
[/quote]

GREAT! No notices on my system yet. We just have a file server, do you think I'm OK? Or will this virus still be able to access other systems?
 
[quote author=badbread link=topic=6596.msg85030#msg85030 date=1235755662]
Do a search for Symantec's Vundo remover tool, it's worth a try but in the 10 or so computers I tried it on, it didn't work.
[/quote]

My IT guy said it usually fails as people can't find all the hidden files it sends out that can re-install it :(

System Restore is the quickest way to get the virus back. It saves a copy of the virus in past restore points. You have to give the hackers credit, that's a trick most will fall for :(
 
[quote author=itsacrispy link=topic=6596.msg85043#msg85043 date=1235756069]
[quote author=badbread link=topic=6596.msg85038#msg85038 date=1235755851]
Yes, when I got the first one I had it hooked up to our network, about 1 minute later I got a call from our Network folks saying they got over 3000 Symantec warnings about this computer trying to spread it around.
[/quote]

GREAT! No notices on my system yet. We just have a file server, do you think I'm OK? Or will this virus still be able to access other systems?
[/quote]
It can spread, disconnect ASAP.
 
I hate that damn Antivirus 2009 >:( ..

Sorry itsacrispy, couldn't help you out since I haven't dealt with that virus yet. But if you see a machine infected with Antivirus 2009, it's faster to re-image the WS.
 
Thanks guys. I guess I bought the farm on this one. You guys have been a great help and I should've posted this sooner. If you guys can help me with one last thing, I'd really appreciate it.

What would be the best course of action now, to reformat the computer? The employee does not have her installation CDs, unfortunately. I know there are third-party programs out there that totally nuke everything on the HD; should I go that route or just install a new OS on the computer?

Thanks again guys.
Mike
 
Vundo is a nasty, nasty little app.

Yea gresham, it creates dynamic names, it adapts, f'ing virus.

Peerguardian is a great app for the mildly tech'y people, it's mostly used as a way to block corporations and law enforcements from detecting you doing P2P but also blocks out stuff like the internet addresses this virus would use to communicate back home, etc...
 
[quote author=itsacrispy link=topic=6596.msg85055#msg85055 date=1235756559]
Thanks guys. I guess I bought the farm on this one. You guys have been a great help and I should've posted this sooner. If you guys can help me with one last thing, I'd really appreciate it.

What would be the best course of action now, to reformat the computer? The employee does not have her installation CDs, unfortunately. I know there are third-party programs out there that totally nuke everything on the HD; should I go that route or just install a new OS on the computer?

Thanks again guys.
Mike
[/quote]

That's what I've done, but it's a hell of a lot easier at my company. We have all roaming profiles, prebuilt images with most apps, automated scripts to install any special apps, etc...

I think you should if possible.
 
Find yourself an antivirus that runs from the DOS prompt instead so that it doesn't boot into Windows (e.g. Sophos command line interface). Then run a registry cleaner.

If that doesn't work, then reimage the machine (that's if you have an image).
 
[quote author=Ibn link=topic=6596.msg85070#msg85070 date=1235757451]
Find yourself an antivirus that runs from the DOS prompt instead so that it doesn't boot into Windows (e.g. Sophos command line interface). Then run a registry cleaner.

If that doesn't work, then reimage the machine (that's if you have an image).
[/quote]

Thanks ibn. Avast! has a boot-time scan that I've been using. Does that count?
 