How do I get rid of this email virus?
August 14, 2006 6:39 AM

I'm at my wit's end trying to remove this virus!

My boss brought in his computer (WinXP Pro SP2) for me to work on, complaining of popups and such. I ran scans with Norton, AVG, Avast!, AntiVir, Spybot, AdAware, and Stinger, but it's still infected with something. I even tried creating a new profile and copying over his documents... that didn't work either.

Within minutes of plugging in a network connection, it attempts to email hundreds, if not thousands, of emails. Most of these are being sent to hotmail accounts, and they seem to have a subject line of "fledge". I wouldn't even know these emails were being sent if he didn't have Symantec Email Proxy installed. I could uninstall it, and it would fix the popup issue, but the computer would still be infected with something.

I've tried to find a site where you can search viruses by symptom, but so far I haven't been able to find one. Does anyone have any suggestions for either removal or where I could research this further?
posted by fvox13 to Computers & Internet (12 answers total) 5 users marked this as a favorite
 
Does the admin account have a password? If not, make one. It's random and may not help with this, but it's a good general guideline.
posted by needs more cowbell at 6:48 AM on August 14, 2006 [1 favorite]


First things first: hit Ctrl-Alt-Del and bring up the Processes tab.

Use a second computer and Google each running process (type in the full name of the .exe file), which should help identify what some scummy bastard managed to sneak onto your boss's machine whilst he was surfing those "illicit" sites.

This trick works great and usually you can pick the winner straight away. Look for file names that look the same or are completely out of place.
posted by Funmonkey1 at 6:48 AM on August 14, 2006


Good tips, cowbell and monkey, but I've already tried that - and I've removed everything suspicious using HijackThis! As far as the eye can see, it's clean....
posted by fvox13 at 6:58 AM on August 14, 2006


Similarly, you can download and run HijackThis, which identifies hidden processes, and then Google the results or submit them to an anti-spyware forum where someone can analyze the log for you and tell you what is going on.
posted by briank at 6:59 AM on August 14, 2006


Oops, posting finger was one moment too late, but I see you've already gone that route.
posted by briank at 7:00 AM on August 14, 2006


Have you used Sysinternals RootkitRevealer? It is free and catches everything listed on rootkit.com and more.

My suggestion: if it reaches the point where RootkitRevealer comes up empty and HijackThis comes up empty, it might be time for your boss to reformat.
posted by Funmonkey1 at 7:02 AM on August 14, 2006


Have you watched the TCP/IP connections with netstat?

Open a console window, type netstat -b to see a list of processes spawning TCP/IP connections. Any suspect processes are candidates for investigation, particularly any that are trying to establish SMTP connections on port 25.

The netstat command has a number of useful options for monitoring connections; type netstat /? to see the full list.
posted by paulsc at 7:13 AM on August 14, 2006 [1 favorite]


This is one of many security guides that would tell you that the only way to be sure you are clean is to reformat and reinstall (see point 4).

If this is difficult, now is a good time to learn to keep your data backed up and in a directory structure that makes it easy to start again, and also a good time to make an image of a known clean system with all the driver hassles etc. sorted out.

In my opinion, virus software and software for detecting other sorts of malware are only useful for detecting, or for cleanup when restoring from backups is impossible (because you're away on a trip with a laptop, for instance). The rest of the time, just start over.

It seems that in this case you are pretty sure something is there. You've effectively detected it, even if you don't know what it is, so now is the time to wipe the computer.
posted by edd at 7:28 AM on August 14, 2006


Reformat it, as you should for any non-trivial infection.
posted by malevolent at 7:36 AM on August 14, 2006


Does he have Windows System Restore enabled? I've gotten rid of viruses by going back to a System Restore from before the virus.
posted by TheOnlyCoolTim at 7:47 AM on August 14, 2006


Try running the scans you listed above while in Safe Mode.
posted by banshee at 7:57 AM on August 14, 2006


Once you know you have been compromised, you MUST, in essence, nuke it from orbit. Unless you mount the drive in another machine, and have the capability of examining every file on the drive and determining whether it has been trojaned, you can't be sure it's clean. Very few people have that capability. Even Microsoft itself has seen machines screwed up so bad that they can't fix them without a reinstall.

Back up documents, email, and favorites, and nuke it.

You should also look into why it's been compromised. If he's just browsing squirrely sites, it's probably no biggie. If he insists he's been good, you'll need to check every other computer on the same network.

You would be wise to block outbound port 25 on your firewall. This will prevent spam trojans from working. If your mailserver is outside the firewall (unusual, but possible), you can unblock from your network to that IP. If the mailserver is in the DMZ (good) or in your internal network (bad), you'll need to unblock that IP to the whole world.

In general, there's no reason for end-user computers to send mail directly. Blocking them is a good idea.
posted by Malor at 8:35 AM on August 14, 2006
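As an added example, not from anyone in this thread: a small Python script that parses the kind of netstat -b listing paulsc describes and flags every process holding an SMTP connection to anything other than an approved relay, which is the allow-list Malor's outbound port 25 rule would enforce at the firewall. The sample listing, the relay name mail.example.local and the addresses in it are constructed for this example.

```python
import re
from collections import defaultdict
# Constructed sample of Windows XP `netstat -b` output (without -n, netstat
# prints service names such as "smtp" instead of port numbers).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address          State           PID
  TCP    192.168.1.5:1031       mail.example.local:smtp  ESTABLISHED     1840
  [outlook.exe]
  TCP    192.168.1.5:1042       mx1.hotmail.com:smtp     SYN_SENT        2212
  [svchost.exe]
  TCP    192.168.1.5:1043       203.0.113.25:25          SYN_SENT        2212
  [svchost.exe]
  TCP    192.168.1.5:1050       www.example.com:http     ESTABLISHED     1100
  [iexplore.exe]
"""
ALLOWED_RELAYS = {"mail.example.local"}  # constructed: the one host end users may use for SMTP
CONN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
EXE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")  # the "[name.exe]" line -b prints under each entry

def parse_netstat(text):
    """Return one dict per TCP connection, tagged with the executable that owns it."""
    conns, pending = [], []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            host, port = m.group(2).rsplit(":", 1)
            pending.append({"local": m.group(1), "remote_host": host, "remote_port": port.lower(),
                            "state": m.group(3), "pid": int(m.group(4)), "exe": None})
            continue
        m = EXE_RE.match(line)
        if m:  # -b may list DLLs first; the bracketed line closes the entry
            for c in pending:
                c["exe"] = m.group(1)
            conns.extend(pending)
            pending = []
    conns.extend(pending)  # entries netstat could not attribute to a process
    return conns

def flag_smtp(conns, allowed_relays=ALLOWED_RELAYS):
    """Map executable -> sorted remote hosts it contacted on SMTP outside the allow-list."""
    hits = defaultdict(set)
    for c in conns:
        if c["remote_port"] in ("25", "smtp") and c["remote_host"] not in allowed_relays:
            hits[c["exe"] or f"pid {c['pid']}"].add(c["remote_host"])
    return {exe: sorted(hosts) for exe, hosts in hits.items()}

if __name__ == "__main__":
    for exe, hosts in flag_smtp(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"{exe}: unexpected SMTP to {', '.join(hosts)}")
```

On a live machine, pipe the real netstat -b output into parse_netstat instead of the constructed sample; the mail client talking to the company relay stays quiet while the process spraying hotmail's mail exchangers is the one reported.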

