New virus going around office need help/ideas!

Tazman2

I work as an IT tech and normally we can remove most threats with Malwarebytes, etc. since it's mainly some form of malware. Unfortunately all we have for AV is Norton (bleh!) sooo yeah. Anyways. Around mid week last week we had a few computers infected with the usual fake antivirus. At our various sites I just did a complete reformat, etc. as I couldn't remove it. But now at the main office where we are on a domain we did have one person infected and I thought I managed to get rid of most of it, as the fake AV was gone and so were the weird warnings that became her desktop background, along with her saying she had some porn popups too. Now a few days later I saw her login name logged onto another machine, which she did not recall doing. I figured okay, maybe she just forgot. Well, come in today and same thing on another machine. WTF! Clearly this thing is trying to spread! WTF came out or activated last week that could be doing this?! :mad:

PS: One of the sites (maybe even here, can't recall) had this thing running.

http://removal-tool.com/virus-sheild-2009/
 
I've come across that one...
Refer to the excellent thread stickied atop this forum that Captain Colo made. MalwareBytes is great...but need to toss a few more tools at it (nothing beats a shotgun approach!)

Which version of Symantec AV?
 
whee spyware.

boot into safemode
kill system restore
run Cleanup or CCleaner
run Combofix, may have to rename it to run
boot into normal windows, let combofix finish
run Mbam
run Avira or some antivirus scanner
re-enable system restore
run ccleaner to finish
 
Where should you download Combofix from? Can anyone provide a legit link?
 
Reliable links to the software listed above can be found in my sticky. Don't forget to turn off system restore. I added screenshots on how to do that yesterday.
 
Then why is it that when you run Combofix, it pops up a box saying "www.combofix.org" (and a few other sites) are not affiliated with Combofix .... ??
 
Try this.
It worked for me:

1) Stop the following service using Ctrl+Alt+Delete and Task Manager:
sysguard.exe. This will stop the popups and the fictitious scanning of
the PC by the rogue antivirus.

2) Do a search for the sysguard.exe file on your PC (make sure you can
see hidden files) and delete any file with that name, including the
prefetch file. This will keep it from reloading when you restart your
PC.

3) Control Panel-->Internet Options-->Advanced Tab-->Click on the Reset
button to reset Internet Explorer to default settings. This will remove
any plug-ins/add-ons that the program loaded into Internet Explorer. Also,
it will reset the home page to factory settings.

4) Control Panel-->Internet Options-->General Tab-->Delete all temporary
files, passwords, etc.

5) Microsoft® Windows® Malicious Software Removal Tool
(KB890830): http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72...

6) Run the tool to scan and remove the spyware.

7) Control Panel-->Internet Options-->Advanced Tab-->Click on Restore
Advanced Settings. This will restore the factory default security settings
for your Internet Explorer.

8) Restart your PC. At this point, when you log back in, the sysguard
service that runs the SWP2009 virus should no longer load. You should
also be able to open Internet Explorer to the factory default page and
be able to set your customized home page as you want under
Control Panel-->Internet Options-->General Tab by entering the website
of your choosing.
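Steps 1 and 2 of the post above, scripted for one machine so a tech can run the same check on every box the affected account has touched. This is an added example, not code from the thread or from any poster; it assumes the file name given in the post (sysguard.exe), PowerShell 4 or later (for Get-FileHash), and the search roots listed in the parameters. It only reports by default and deletes nothing unless -Delete is passed.

```powershell
# Added example: stop a named rogue-AV process and locate every copy of its
# executable (hidden files included) plus its Prefetch entry, recording a
# SHA256 of each hit before any deletion. Name, roots and -Delete are assumptions.
param(
    [string]$Name = 'sysguard.exe',
    [string[]]$Roots = @("$env:SystemDrive\", "$env:windir\Prefetch"),
    [switch]$Delete
)

# Get-Process wants the image name without the extension.
$base = [System.IO.Path]::GetFileNameWithoutExtension($Name)

# Step 1: stop running instances so the fake scanner and popups end now.
Get-Process -Name $base -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host ("Stopping PID {0} ({1})" -f $_.Id, $_.Path)
    Stop-Process -Id $_.Id -Force
}

# Step 2: find every file with that name, and the Prefetch record, which
# Windows names <EXE>-<hash>.pf. -Force includes hidden and system files.
$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq $Name -or $_.Name -like "$base-*.pf" }
}

foreach ($f in $hits) {
    # Hash first: the hash is what you hand to your AV vendor or compare
    # against other infected machines, and it is lost once the file is gone.
    $sha = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Host ("{0}  {1}  {2} bytes  {3}" -f $sha, $f.FullName, $f.Length, $f.LastWriteTime)
    if ($Delete) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "  deleted"
    }
}

if (-not $hits) {
    Write-Host "No file named $Name (or matching prefetch entry) under: $($Roots -join ', ')"
}
```

Run it first without -Delete and keep the printed hashes and timestamps; matching hashes across the machines the OP mentions is the quickest way to confirm it is the same sample spreading rather than separate infections.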
 