Dr. Guard virus

[poohbear_nc]

OK - as if today couldn't become any worse. My boss - who has absolutely NO concept of safe internet surfing and demanded to be exempt from our firewall - today called me in - his PC now has Dr. Guard virus - it has taken over ALL of XP - hijacked the browser, blocked access to Admin functions, disabled all the antivirus & antispyware software, is active even in Safe Mode, blocks access to the CD ports and USB ports so you can't load anything to clean it out ... And it keeps dumping porn site shortcuts onto the desktop and has endless pop-up windows demanding you download more "Protective software".

1. Anyone have experience with this one yet?
2. If so, how do I get rid of it short of wiping the drive & reloading XP?
3. Any job openings for me? (My boss's last words - after I had disconnected him from our network and shut his PC down was: Can I still send email? - I fear I'm going to kill him.

I didn't find much info on Google and I'm a bit hesitant to click on links - apparently this thing loads by masquerading as a "Free Scan to Rid your PC of Viruses" - I'm afraid any removal tool might be more of it. Symantec, TrendMicro, ZDNet, etc didn't have any info as of this afternoon.

Help!

[Nate the great]

If it's allowing even some access to the desktop, then I would reboot the computer, open Windows, and _immediately_ open Task Manager. Make a note of any process you don't recognize. Google them. Force end the ones that you aren't sure are safe, and then search for it and delete it.

The above is what I try before wiping and reinstalling the OS.

[Moejoe]

What this programs does:

Dr. Guard is a rogue anti-spyware program from the same family as Paladin Antivirus. This rogue is promoted and installed through the use of fake alert Trojans that advertise the program on your desktop. This rogue is also known to be bundled with the TDSS, or TDL3, rootkit. As MBAM is not capable of removing this rootkit, you may need to request further assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum to remove all of the malware on your computer.

Once downloaded and installed, Dr. Guard will attempt to uninstall various security applications in order to protect itself from being removed. The anti-malware programs that it tries to uninstall include:

Malwarebytes' Anti-Malware
F-Secure
NOD32
Norton Internet Security
Avira AntiVir
Agnitum Outpost Security Suite
AVG8
avast!
AntiVir

The program will then load and start to scan your computer for infections. Once the scan is finished it will state that there are numerous infections on your computer, but will not allow you to remove them until you purchase the program. In reality, the infections that it shows are all fake and do not actually exist on your computer. Therefore, please do not purchase this program based upon any of the scan results it shows.

From http://www.bleepingcomputer.com/viru...emove-dr-guard

Includes a full removal guide using malwarebytes software. Hope it's some help.

[daffy4u]

Via Google, I found manual removal instructions (seems to be a very tedious process) and several references to some software called Malwarebytes.

[poohbear_nc]

Quote:

Originally Posted by Nate the great

If it's allowing even some access to the desktop, then I would reboot the computer, open Windows, and _immediately_ open Task Manager. Make a note of any process you don't recognize. Google them. Force end the ones that you aren't sure are safe, and then search for it and delete it.

The above is what I try before wiping and reinstalling the OS.

It blocks access to Task Manager! Even in Safe Mode.

[poohbear_nc]

Thank you all for your suggestions & links. I will try the instructions from the bleepingcomputer site tomorrow (close to collapse tonight). I have Malwarebytes but no way to get it on to the PC - access to USB & CD drives blocked.

[Nate the great]

Quote:

Originally Posted by poohbear_nc

It blocks access to Task Manager! Even in Safe Mode.

I've encountered something similar, and I can open Task manager while Windows is still loading everything. Try it, and see.

[poohbear_nc]

Quote:

Originally Posted by Nate the great

I've encountered something similar, and I can open Task manager while Windows is still loading everything. Try it, and see.

Will do - thanks!

[Moejoe]

Quote:

Originally Posted by poohbear_nc

Thank you all for your suggestions & links. I will try the instructions from the bleepingcomputer site tomorrow (close to collapse tonight). I have Malwarebytes but no way to get it on to the PC - access to USB & CD drives blocked.

Boot from a linux live cd/usb stick and delete program folders associated with Dr.Guard (list of them in original article). Reboot into safe mode, install malwarebytes there. That should work. In the end though, it's probably going to be a reformat, reinstall situation.

[poohbear_nc]

Thanks guys for all your suggestions! The infected PC is being wiped and reloaded - the browser was SO hijacked I couldn't try the bleepingcomputer solution at all. I did forward the fix to our tech support company who will test it.

The key to preventing infections is to block ALL pop-ups - some ask you to click Yes to download antivirus software, and sometimes a pop-up window will appear with no means to close it - this one seems to be embedded in some Yahoo sites - the only recourse is to shut down your PC immediately before it loads. Some folk here who do online gaming using Yahoo have encountered these aggressive pop-ups that load without requiring you to click on anything.

Again:
You guys rock!

[JSWolf]

Also, on your bosses computer, install Firefox and block is access to MSIE. Firefox is a lot more safe and secure then MSIE. Plus you have addons like flashblock and adblock plus you can install and configure.

[poohbear_nc]

Quote:

Originally Posted by JSWolf

Also, on your bosses computer, install Firefox and block is access to MSIE. Firefox is a lot more safe and secure then MSIE. Plus you have addons like flashblock and adblock plus you can install and configure.

Tragically he was running Firefox - he is just too naive to know better than trust those messages claiming to help him. Plus he lets his kids use the company PC (Yeah - the joys of working in a family-owned business).


But - thanks - I will double check his Firefox settings and include the "block" addons.

[dsvick]

I had a bad one here a while ago that sounds very similar, minus the porn links unfortunately , I ended up using http://combofix.net/ to take care of the problem - worked like a charm.

[poohbear_nc]

Quote:

Originally Posted by dsvick

I had a bad one here a while ago that sounds very similar, minus the porn links unfortunately , I ended up using http://combofix.net/ to take care of the problem - worked like a charm.

Thanks for the link - I'll probably be needing it soon!