Help needed, PC infected

Started by psp83, Oct 19, 2011, 12:51:44


psp83

Hi All..

I need some advice.

One of my work colleagues did a Google image search and managed to get the PC infected.

MSE wouldn't remove the infection; I've tried 4 other AVs and 3 malware removers and none touched it.

So, I've reformatted the PC today by tapping F8 to get into recovery mode (it has a recovery partition, it's a Dell PC) and did a restore to the factory image..

I've reinstalled the AV, installed Firefox, done a Google search and every time I click on a link, I get taken to a random website.. So, it looks like the PC is still infected after a reformat..

Any ideas what to do next?

Rik

Have you tried safe mode and an AV scan from there, Paul?
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

psp83

Yep. Couldn't load half the programs in safe mode & when we got one loading it still couldn't remove it.

The infection set most things to be hidden as well.

psp83

I think a complete wipe of the hard drive and reinstall is needed  :-\

Simon

I nearly fell foul of one of those searching for a simple birthday gif image.  Luckily, F-Secure caught it.  Have you tried their online scanner?
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

psp83

Quote from: Simon on Oct 19, 2011, 13:16:20
I nearly fell foul of one of those searching for a simple birthday gif image.  Luckily, F-Secure caught it.  Have you tried their online scanner?

I'll give it a try but doubt it will work..

The computer is not letting Windows Update install updates as well  :-\

Simon

Can you backup the data?  Sometimes a full format and reinstall is quicker than fiddling about trying to fix things. 
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Simon

Oh, just a point, have you deleted the system restore folder, in case the virus is lodged in there?
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

psp83

Where is the system restore folder on Windows 7?

Also, would an OEM key / licence work on a full Windows 7 disc bought from a shop?

These computers didn't come with any discs, all the recovery options are on a partition, I tried reinstalling from the partition and it's still infected  :-\

Simon

Can't answer either of those questions, sorry. 
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Glenn

You can recover the existing licence key from the PC using SIW from http://www.gtopala.com/

The recovery partition is normally a hidden partition on the drive, have you tried formatting the C drive, then re-installing from the recovery partition?
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

tehidyman

Are you getting a message to tell you it is infected? It may be it is really one that tries to sell you a removal program.  If so a Google search of the message may lead to a route to get rid of it. I recovered from such an episode (MS Removal) with help from Idnetters.  If you post the message help may arrive.

http://www.idnetters.co.uk/forums/index.php/board,19.0.html

http://www.idnetters.co.uk/forums/index.php/topic,25537.msg607303.html#msg607303

psp83

Quote from: Glenn on Oct 19, 2011, 13:56:06
You can recover the existing licence key from the PC using SIW from http://www.gtopala.com/

The recovery partition is normally a hidden partition on the drive, have you tried formatting the C drive, then re-installing from the recovery partition?

I've found the sticker on the back of the PC with the key on now, hopefully that should work if I have to use my own Windows 7 disc from home.

If f-secure doesn't work I'll try just reformatting C drive.

psp83

Quote from: tehidyman on Oct 19, 2011, 14:10:12
Are you getting a message to tell you it is infected? It may be it is really one that tries to sell you a removal program.  If so a Google search of the message may lead to a route to get rid of it. I recovered from such an episode (MS Removal) with help from Idnetters.  If you post the message help may arrive.

http://www.idnetters.co.uk/forums/index.php/board,19.0.html

MSE reported Win32.FakeSysdef & another one that I can't remember.


psp83

Quote from: tehidyman on Oct 19, 2011, 14:20:15
May be worth a look

http://www.spotnblog.com/solution-how-to-remove-infection-win32fakesysdef/

We run Malwarebytes at work already, had no luck with it, but I will run NPE and see what that comes up with.  :thumb:

Simon

Prevx might be worth a try too.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

psp83

MSE has reported this now : Trojan:DOS/Alureon.c

Technical Ben

Here are the details for the removal of the other one you posted. One of the problems is, it's a "rootkit" and can hide very well.
http://support.kaspersky.com/viruses/solutions?qid=208280684

The Alureon.c seems to be of a related family of Trojans. So it might get caught by the same search.

The quickest and easiest way is to back up the documents/folders/files needed to an external drive. Completely format or restore to a previous (clean) system image, and start again. Make sure to scan the old documents as well.
I use to have a signature, then it all changed to chip and pin.

sobranie

Sounds like that 'MS Removal Tool', does it not.
I'd love to get my hands around the neck of the instigator :rant2:
See here also:
http://www.wiki-security.com/wiki/Parasite/MSRemovalTool


psp83

Finally got the PC clean..

It took F-Secure online scanner and Norton Power Eraser to do it.

Norton Power Eraser also repaired the MBR and removed the proxy details it added to the PC.

So............. What's a good AV? As MSE doesn't seem to be doing its job. I personally use NOD32 but that's gone downhill..
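Norton Power Eraser repairing the MBR is the telling detail here: the first sector of the disk sits outside every partition, so a factory restore from the recovery partition rewrites C: but leaves the boot code alone, which is why the infection survived the reformat. As an added example (not code from any poster or from any tool mentioned in this thread), here is a small Python script that parses a 512-byte MBR, compares the boot code against a known-good SHA-256 baseline, and sanity-checks the boot signature and partition table. The two sample MBRs, the baseline hash and the command-line usage are all constructed for illustration.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446 # four 16-byte partition entries follow
PARTITION_ENTRY_LEN = 16
SIGNATURE_OFFSET = 510       # last two bytes must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and a signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        # status(1) CHS(3) type(1) CHS(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the clean baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    # Partition extents must not overlap each other
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    return findings


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR from boot-code bytes and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"\x00" * 3, t, b"\x00" * 3, lba, n)
                     for s, t, lba, n in entries)
    table = table.ljust(4 * PARTITION_ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


# Constructed sample data: a clean "baseline" MBR and one whose boot code was replaced.
# A real baseline hash must come from a disk known to be clean, not from the infected PC.
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)]
CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90CONSTRUCTED-SAMPLE-BOOT-CODE", SAMPLE_PARTITIONS)
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xea\x00\x7c\x00\x00CONSTRUCTED-TAMPERED-CODE", SAMPLE_PARTITIONS)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Hypothetical usage: python mbr_check.py <disk-or-image-path> <baseline-sha256>
        with open(sys.argv[1], "rb") as fh:
            sector = fh.read(SECTOR_SIZE)
        print(check_mbr(sector, sys.argv[2]) or ["MBR matches baseline"])
    else:
        print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH))
        print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

The baseline has to be recorded from a machine that is known to be clean (for example a freshly imaged drive before it is ever connected to the network); hashing the boot code of the infected PC after the factory restore would simply enshrine the tampered sector as "good".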

Simon

I use F-Secure, hence my recommendation.  :)
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Prevx has a paid version, maybe something like Avira, although it does have some high false positives it is good, but using something like Sandboxie would work wonders.
Damned, if you do damned if you don't

Technical Ben

Quote from: psp83 on Oct 19, 2011, 19:08:01
Finally got the PC clean..

It took F-Secure online scanner and Norton Power Eraser to do it.

Norton Power Eraser also repaired the MBR and removed the proxy details it added to the PC.

So............. What's a good AV? As MSE doesn't seem to be doing its job. I personally use NOD32 but that's gone downhill..

That's why the virus is soooooo nasty. It hides in places like the MBR (forbidden territory to most programs). It's like a thief turning up with scuba gear, and hiding in your hot water tank!



Quote from: Gary on Oct 19, 2011, 23:59:44
Prevx has a paid version, maybe something like Avira, although it does have some high false positives it is good, but using something like Sandboxie would work wonders.
PS, does Sandboxie work on Win7? I've yet to find one? (Although Win 7 is "supposed" to sandbox software. I guess the likes of IE gets elevated privileges anyhow...  ::)  :slap: )
I use to have a signature, then it all changed to chip and pin.