I have seen a lot of viruses, spyware and malware around. Most of them use the same method to keep running, but today I found my computer infested with a new kind of malware I haven’t seen before. It was not listed in the system registry nor anywhere else I know of to keep it running. After some searching around and rebooting, I found out that the malware was located in c:\Windows\system32. The bad thing is that it starts itself as a DLL with rundll32.exe and even runs in “Safe Mode”. All malware I had met before could be removed by going into “Safe Mode” and deleting the program, but not this time. But that wasn’t the only problem. Every time you shut down Windows, it makes a copy of itself with a new random filename (and keeps a “guard.tmp” as some kind of protection). This way, you will not be able to go through the disaster recovery console and delete it, because it changes its filename on every reboot. Of course you could unplug the power while it is still running, take out your hard disk, connect it to a different computer with XP installed and remove it from there. But I was too lazy to do that, so I tried a different way.
After locating the infested files, I opened the security settings of those files and denied “SYSTEM” complete access to them. So this time, when I shut down Windows, it won’t be able to copy itself anymore, because it can’t access the source files. And this actually worked! After the next reboot, I could easily delete it. Well, it took me 2 hours to get rid of that thing. Next time I’ll know better.
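The access-denial step described above, done from an elevated PowerShell prompt instead of the Security tab. This is an added example, not code from the original post; the file names are placeholders (the post does not give the malware's random name), and the second function is an extra check for finding and later reverting such temporary Deny entries.

```powershell
# Deny NT AUTHORITY\SYSTEM all access to suspected malware files so that the
# SYSTEM-level process cannot read them and copy itself elsewhere at shutdown.
# Added example; the paths below are placeholders, not names from the post.
param(
    [string[]]$Paths = @("C:\Windows\System32\PLACEHOLDER-malware.dll",
                         "C:\Windows\System32\guard.tmp")
)

$SystemAccount = "NT AUTHORITY\SYSTEM"

function Deny-SystemAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return $false
    }
    $acl = Get-Acl -LiteralPath $Path
    # Explicit Deny ACE for SYSTEM with FullControl; explicit denies are
    # evaluated before any inherited Allow entries.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $SystemAccount, "FullControl", "Deny")
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "Denied SYSTEM access on $Path"
    return $true
}

function Get-SystemDenyFiles {
    # List files under System32 that carry an explicit Deny ACE for SYSTEM,
    # so the temporary block can be found (and reverted) after the cleanup.
    param([string]$Folder = "$env:SystemRoot\System32")
    Get-ChildItem -LiteralPath $Folder -File -ErrorAction SilentlyContinue |
        Where-Object {
            (Get-Acl -LiteralPath $_.FullName).Access | Where-Object {
                $_.AccessControlType -eq "Deny" -and
                $_.IdentityReference.Value -eq $SystemAccount
            }
        } | Select-Object -ExpandProperty FullName
}

foreach ($p in $Paths) { Deny-SystemAccess -Path $p | Out-Null }
Get-SystemDenyFiles
```

A Deny ACE only blocks the copy step; a process holding backup or take-ownership privileges can still get around it, so treat this as a cleanup aid rather than protection, and delete the files after the next reboot as the post describes.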