New Malware Infection
Had a client with a system that was infected with a new strain of malware. It was identified as Trojan.Win32.Genome.arbx and was infecting svchost.exe.
The system was running Windows XP with Kaspersky Antivirus 2011. The client's complaint was that the system had been locking up and running slow. Initial contact with the system was remote. An initial check showed that Kaspersky was running and the databases were up to date.
I checked Task Manager and found 6 iexplore processes running without a user interface. Attempts to kill the process would just start a new process. I updated Malwarebytes, ran a scan and found 155 infected objects, deleted those objects and restarted the system. After the reboot, Kaspersky popped up a message stating that svchost.exe was infected with the Trojan, and it would only allow it to be ignored.
I checked Task Manager and the iexplore processes were still running. I checked the settings in Kaspersky and found the setting to ignore svchost.exe; I removed it from the exception list, only to have it return.
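The symptoms above (headless iexplore.exe instances that respawn when killed, and an svchost.exe the AV keeps flagging) can be triaged from the console before reaching for a repair install. The following is an added example, not code from the original post: a PowerShell 2.0 script (the version available on Windows XP, which is why it uses Get-WmiObject and a manual SHA1 rather than Get-CimInstance or Get-FileHash) that lists every iexplore.exe with its parent process and whether it owns a window, checks that each running svchost.exe is the copy in System32, and hashes that file for comparison against a known-good copy. The process names are the ones the post mentions; everything else is an assumption.

```powershell
# Added example, not from the original post. Assumes Windows XP with PowerShell 2.0,
# run from an administrator prompt.

# 1. iexplore.exe instances: a browser with no window, started by something other than
#    explorer.exe (or by an svchost.exe), is the pattern described in the post.
function Get-HiddenIE {
    $result = @()
    foreach ($p in @(Get-WmiObject Win32_Process -Filter "Name = 'iexplore.exe'")) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $proc   = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        $hasWindow = ($proc -ne $null) -and ($proc.MainWindowHandle -ne 0)
        $result += New-Object PSObject -Property @{
            Pid        = $p.ProcessId
            ParentPid  = $p.ParentProcessId
            ParentName = if ($parent) { $parent.Name } else { '<exited>' }
            HasWindow  = $hasWindow
            CommandLine = $p.CommandLine
        }
    }
    return $result
}

# 2. Every svchost.exe should be %SystemRoot%\system32\svchost.exe. A copy running from
#    anywhere else, or whose parent is not services.exe, deserves a closer look.
function Test-Svchost {
    $sysdir = [Environment]::SystemDirectory.ToLower()
    foreach ($p in @(Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'")) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $path   = $p.ExecutablePath          # $null when access is denied
        $inSys32 = ($path -ne $null) -and ($path.ToLower() -eq "$sysdir\svchost.exe")
        New-Object PSObject -Property @{
            Pid        = $p.ProcessId
            ParentName = if ($parent) { $parent.Name } else { '<exited>' }
            Path       = $path
            InSystem32 = $inSys32
        }
    }
}

# 3. SHA1 of the on-disk svchost.exe. XP system binaries are catalog-signed, so
#    Get-AuthenticodeSignature reporting NotSigned proves nothing; compare this hash
#    with the same file from a clean XP install at the same service-pack level instead.
function Get-Sha1 {
    param([string]$Path)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

Get-HiddenIE | Format-Table Pid, ParentPid, ParentName, HasWindow, CommandLine -AutoSize
Test-Svchost | Format-Table Pid, ParentName, Path, InSystem32 -AutoSize
"svchost.exe SHA1: " + (Get-Sha1 "$([Environment]::SystemDirectory)\svchost.exe")
```

Record the parent PID before killing anything: if the iexplore.exe instances keep coming back, the parent shown here is the process to suspend (not kill) first, and its on-disk path is the file to scan. If svchost.exe's hash differs from a clean copy, a repair install or an expand of the file from the service-pack cab is the right fix, which is consistent with what the post ended up doing.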
Ran a Malwarebytes full scan and it did not locate any malware. At this point I shut down the system and told the client I would pick it up when I got back into town. I picked up the system and took it to the office, where I ran my tools in safe mode and did not find the malware. I finally did a repair install of WinXP, which got rid of the Trojan.
After patching the system, Kaspersky would not start its protective services on boot; I had to start them manually. I tried updating to 2012 and still had the same problem. I finally uninstalled Kaspersky and scrubbed the registry of residual keys; after reinstalling, everything was working properly.