Posted 13 August 2009 - 10:42 AM
About August 10th, one of our interns let us know that their development laptop appeared to be infected with a virus. We were running McAfee on the laptop at the time; however, it was disabled (and subsequently removed while we tried to update it) by the virus. Initially it was displaying a popup 'Windows Antivirus Pro Remover' ad. We were unable to run any EXE files on the system at that time. I downloaded PC Tools Spyware Dr and renamed it so it would install, and it cleaned up several trojans - Trojan-Clicker.VB, Trojan.FakeAlert, and RogueAntiSpyware.Sysguard. After running multiple scans, it seemed to be clean, and stopped locking up, but still couldn't reload McAfee (screen is blank), or access Windows Update (screen is blank). IE also seemed damaged, so I installed version 8, which allowed IE to start working again (had been using Firefox initially for most of the above downloads - however it isn't supported by Windows Update or McAfee).
At this point I loaded Sophos to scan for rootkits, and it found UAC and SKYNET, which it removed. Some research seemed to indicate that it was operating similarly to the Roodkit.d variant. Still had problems though accessing Windows Update and McAfee. v4.windowsupdate.microsoft.com not blocked (no blank screen), but it appeared to be blocked from attempting to download the signed ActiveX control.
I was then able to download Malwarebytes and run it. It indicated that Rootkit.TDSS was on the system, and removed it. After that Malwarebytes gave the system a clean bill of health, but still can't run Java applications, or access certain sites. I then loaded autopatcher to download any missing updates to the OS. After that I re-ran Malwarebytes, which still says we are clean - however we still seem to be actively blocked from accessing certain sites. Not sure if this is an unknown active infection, or remnants of some of the viruses that have gone through the machine. Let me know if you have any suggestions.