I was recently asked to look at a machine that was part of a SOHO network. The machine had reputable antivirus (AV) software and anti-spyware running and was experiencing random pop-ups and sluggish behavior. First I noticed that the Win XP automatic updates option was turned off and secondly, the AV was not up to date ... two cardinal errors.
I got the machine patched and updated and ran an AV scan right after disconnecting it from the Internet. Thirty-two viruses came up in the form of Trojans, rootkits and spyware. After rebooting, the same pop-ups and slow behavior continued. I ran the scan again, and only six incidents of malware showed up. Cleaned those and ran anti-spyware and picked up a few more. Even initiated a boot-time scan the next go around and picked up even more!
Despite being disconnected, this machine seemed to be generating new malware with each reboot. I tried another well-known AV product and even more malware was detected, yet a reboot still showed an infected machine. I downloaded Autoruns and peeked into the registry and saw that as soon as I removed the entries, they would immediately pop back in there. The machine only had a single hard disk and the ENTIRE disk was scanned and cleaned, yet it continued to be infected.
It seems that the malware was so entrenched in the OS that nothing could remove it. After the fourth or fifth pass of cleaning, the machine started to experience RUN32.DLL errors. Fed up, I simply performed a repair install of XP using the vendor-provided disk and then added back the applications that had been installed afterwards. Time consuming to say the least, but ultimately the problem was solved and no data was lost during the reinstall. Phew – tenacious buggers!
This story, "Energizer Malware Keeps Going and Going" was originally published by Computerworld.