So far the above link provides the best details on what needs to be done, but it is also the most depressing (zero out drive the re-format) OMG what do I tell my clients?

They may as well buy a new computer and transfer their data “only”. By the time I mirror their drive (no backups of course) zero out the drive, reload Win OS w/necessary drivers (owners never have the disks anymore [thank you Dell]) install remaining 43 (minimum) security updates, and a reliable AV software. Then migrate their data back to their system and tell them all they have to do is reload their applications. I get a deadpan stare and a cold verbal response when I give them a bill for 3 hours work. Heaven help me if the get reinfected within the week. Plus I still have to zero out the drive I mirrored to before I can start on the next client.

How can I now be sure we got the whole virus eradicated? We have (we think) experienced where our “flash drive” utilities have been compromized (Avast’s install EXE, WinSockXPFix, etc. for example) by the Vitro.

If I connect the infected drive as a USB slave to the fresh “clean” drive (system) to move “only data” will the BIOS or Driver install move the infection back?

Things I do know:
the EXE files in the SYSTEM32 are the first to go. If the dates and sizes have all been updated you’ve been had.

Most infections start as an iFrame infection from a compromised web site. During the iFrame clean – the EXE parasite attacks at full force.

I will add more related to symptoms once my high blood pressure subsides and do some more testing.

Tom