
How do I get rid of a persistent virus event after a full computer wipe?

SkyFirm
I am having trouble with one employee's computer infected by either a legitimate virus or scare-ware. It is a computer running Windows XP SP3. I have TrendMicro Worry-Free Business anti-virus installed on it. Updates for TrendMicro are pushed out as they arrive from TrendMicro. Windows Updates are done on a weekly basis.

On Monday morning, the employee was unable to log into his computer. After getting through the XP start-up screen, a message box popped up saying there was an invalid object reference. I tracked down the issue and found that he somehow had the Sasser virus. I was unable to boot into Windows even in Safe Mode. I removed the hard drive from the desktop and plugged it into a spare desktop. I ran a scan on the hard drive and it found nothing. I then ran Malwarebytes' Anti-Malware and it didn't find anything. I tried to follow some instructions on removing the Sasser worm and did not succeed, since we were hindered by the fact that we could not log in. I am confused about how the Sasser virus even got on the computer in the first place, since we have current anti-virus software and the computer is always up-to-date on Windows Updates. And it is not like this is a new virus; it has been well documented and patched by Microsoft since like 2004. I finally decided it was just easier to pull the documents off the hard drive and wipe the computer. We use Exchange, so email wouldn't be lost with erasing the computer.

I reformatted the hard drive and installed Windows XP. I ran all updates, reinstalled TrendMicro. Everything was working fine until today. The same employee called me and said that some program said that he had viruses on his computer. I was not at the office, so I was unable to look at it myself, but he said that it was a software called "Best M Security". (I have searched the internet and couldn't find anything on it.) I told him that it sounded like scare-ware and to not click or install anything. He said that he just closed out of it.

I scanned the computer again and Trend didn't find anything. I am running the Malwarebytes software again and will post the results when it is finished.

My question is this: The only things transferred to the new computer were his documents and his emails. I scanned his documents before transferring them using Trend and Windows Security Essentials and neither caught anything. We have TrendMicro installed on the Exchange server, but could some macro-based virus be lodged in his email? If so, how do I find it and remove it? If not, what should my next course of action be? Thank you for your help; I am lost and confused.

Commented:
Could also be some malicious website that the user keeps visiting. I would check the history of the browser(s) to see what the user has been looking at.

I had a user get a virus and, after cleaning the computer, he went immediately to the same site where they got the virus in the first place. I then cleaned it up again, walked out of the room, and walked back in to talk to the user, and he was back on the same site.
I suggest looking through browser history. Try to track down the site. Then, once found, add it to a block access list. As well as this, if your AV finds no viruses it might have gone to a system file. This can be hard to handle. I suggest using ComboFix on your PC. This will go through and scan your system files for modified/infected files that should not be. It then replaces/fixes them 100%.

ComboFix here with guide
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Blocking access, guide here:
http://www.wikihow.com/Block-a-Website-in-Internet-Explorer-7

Author

Commented:
I thought browser history first, but asked him what sites he had been on and nothing stood out. I just checked his history and nothing seems even remotely suspicious. We are a technical headhunting firm so we receive thousands of emails per day with resume attachments ranging from normal word docs to ZIPs and RARs. That is what makes me think it may somehow be malicious code in an email, maybe? I am so in the dark, I am still confounded that he got the Sasser worm. I will try the ComboFix and see if it picks anything up. I will probably have to wait to do that until tomorrow, but I will post the results as soon as I do it. Thanks for the responses!
Commented:
Did you do a full or quick reformat? Also, it might be better if you went through his email and deleted everything (after it's all been checked, of course, all OLD emails). One more thing: if this user is having particular problems, install this http://www1.k9webprotection.com/ on his computer and set it to the minimal settings, which should keep out viruses and log a better history.
Yes, I too think that it could be via email attachments or if some other PC on your network is infected with a network worm and it is replicating (or trying to replicate) on the current machine, that would also explain the current scenario.

Probably checking another PC at random might be a good idea as well.

Hope it helps.
You might also ask the user if they are bringing information from home on a USB stick. Their home computer may be infected, which may mean the stick is infected. Security Essentials can be set to scan a USB on access. I would also disable autorun on the computer - double-click on the attached file.
autorun.reg
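The attached autorun.reg is not reproduced on this page. As an added example (not the commenter's file), the following PowerShell script audits the Explorer NoDriveTypeAutoRun policy value in both the machine and user hives, decodes which drive types still allow AutoRun, and with the -Fix switch (a name chosen here) sets it to 0xFF, which disables AutoRun on every drive type.

```powershell
# Added example, not the thread's autorun.reg: audit and optionally enforce the
# NoDriveTypeAutoRun policy. Each set bit disables AutoRun for one drive type.
param([switch]$Fix)

$keys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# Bit meanings of NoDriveTypeAutoRun as documented by Microsoft
$bits = @{ 0x04 = 'Removable'; 0x08 = 'Fixed'; 0x10 = 'Network';
           0x20 = 'CD-ROM';    0x40 = 'RAM disk'; 0x80 = 'Unknown' }

foreach ($k in $keys) {
  $val = $null
  $p = Get-ItemProperty -Path $k -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
  if ($p) { $val = [int]$p.NoDriveTypeAutoRun }

  if ($val -eq $null) {
    Write-Host "$k : NoDriveTypeAutoRun not set (Windows default applies; removable media may still AutoRun)"
  } else {
    # Drive types whose bit is clear still honour autorun.inf
    $still = $bits.Keys | Where-Object { ($val -band $_) -eq 0 } | ForEach-Object { $bits[$_] }
    $list = $(if ($still) { $still -join ', ' } else { 'none' })
    Write-Host ("{0} : 0x{1:X2} - AutoRun still allowed for: {2}" -f $k, $val, $list)
  }

  if ($Fix) {
    # Policy key may not exist on a freshly installed machine
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    New-ItemProperty -Path $k -Name NoDriveTypeAutoRun -Value 0xFF -PropertyType DWord -Force | Out-Null
    Write-Host "$k : set NoDriveTypeAutoRun = 0xFF (AutoRun disabled on all drive types)"
  }
}
```

Run it from an administrator PowerShell session; on Windows XP the value is only honored reliably once Microsoft's AutoRun update described in KB967715 is installed.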

Author

Commented:
Thank you for all the responses! I scanned the computer using the ComboFix program. I have attached the results.

jrvzoom: I did a quick reformat. Unfortunately, his email account is far too large to go through and delete old emails. It would take days to do something like that. I will do it, however, if we can determine that it is the source of the problem.

warturtle: I told TrendMicro to run a network wide scan and it came up with no problems. However, I am currently doubting its abilities since it let the Sasser worm get on his computer... I am running Malwarebytes on all the computers and will see what I can find.

tzucker: He said that he hasn't ever brought a USB device to work before so I don't think it is something from his home computer.

charlie-combofixscan.txt
If all else fails I suggest using DBAN:

http://www.dban.org/download

This is a boot image that completely nukes the hard drive.

Commented:
For the emails... You don't necessarily have to delete them, all you have to do is archive them to segregate them from running on the computer. Then they just become files and that should isolate the virus hopefully.

Author

Commented:
Sorry for the delayed response everyone, it has been a busy past couple of days! I have scanned all the computers and haven't found any other infections, thank goodness! If this bug is in the user's Outlook, does anyone know and have experience with a program that can scan and clean an Outlook file?
IIRC, Microsoft distributes an app called scanpst that is supposed to scan and fix errors in PST files. I don't believe that this will help with a malware infection.
Don't you have a plugin for Outlook that can scan for the email and give you details of the malicious email? I haven't used Trend Micro in enterprise environments, so I am not sure if they do provide a plugin within Outlook for such things.
Commented:
I'm pretty sure that if you just archive all your old emails it will isolate, otherwise,
Do you have an antivirus?
AVG free works good and I'm pretty sure it scans your email.

Author

Commented:
I still don't know what happened, but his computer has been acting fine since, so I'm hoping it is fine now! Thank you for all your comments!