Educause Security Discussion mailing list archives

pesky malware


From: "Barros, Jacob" <jkbarros () GRACE EDU>
Date: Fri, 17 Apr 2009 10:45:09 -0400

We have found a number of machines infected with Trojans and other
malware and are struggling with removal.  It appears that each machine
is infected with a generic downloader which grabs random malware making
each infection different.  Most machines have been Windows XP, all
Windows updates applied.  We are using McAfee VirusScan Enterprise, but
at this point, McAfee is not effective at finding and cleaning the
machines.

So far McAfee has found the Generic!atr Trojan, Generic Downloader.x
Trojan and the Sality.gen.c Virus.  However, there is still something
running on our machines that is not being detected.  We know this by the
existence of a registry entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
File name is always different but the key calls
'rundll32.exe' at 'c:\windows\randomname.dll'.  Also, most infected
clients are running 'services.exe' which is trying to connect to
multiple hosts outbound on port 25 (which McAfee has blocked).  Other
than that, there is no unusual network activity coming from any of these
machines.  Delete the file and registry key, reboot and it's back.
System restore turned off.  No other invalid services running. Used
HijackThis to examine startup items.

A copy of the dll has been submitted to WebImmune, but we have not heard
back.  We are unsure of the method of infection but it appears to be
contained.  Trouble is, we don't have a consistent way of cleaning it.
At this point, we are not trying to clean faculty and staff machines
anymore but are just pulling the HDDs and giving them new hardware with
a clean image.  I am told the techs have had success on students'
machines with combos of Malwarebytes, Avira AV, Spybot SD and
SuperAntiSpyware but have not seen those logs yet.

Anyone else finding this type of behavior?  Advice?

Jacob Barros
Network Administrator
Grace College
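A defensive check for the persistence pattern described above, as an added example that is not part of the original post or of any product it names: it parses HKLM Run values and flags rundll32 entries whose DLL sits directly in the Windows directory rather than in system32. The sample Run entries and their file names are constructed, and the live-registry read only runs on Windows.

```python
import re
import ntpath

# Constructed sample of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# values as (value name, command line); names and paths are made up.
SAMPLE_RUN_ENTRIES = [
    ("McAfeeUpdaterUI", r'"C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey'),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("hjk38dw", r"rundll32.exe c:\windows\qwe8fds.dll,Start"),
    ("NvCpl", r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"),
    ("svc", r'"C:\WINDOWS\rundll32.exe" "C:\WINDOWS\lkjh1234.dll"'),
]

# Matches an optionally quoted / fully-pathed rundll32 followed by the DLL argument.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?',
    re.IGNORECASE,
)

def rundll32_target(command):
    """Return the DLL path a rundll32 Run entry loads, or None if not rundll32."""
    m = RUNDLL_RE.match(command)
    return m.group(1).strip() if m else None

def is_windows_root(dll_path, windir=r"c:\windows"):
    """True when the DLL sits directly in %SystemRoot% (not a subfolder like system32)."""
    return ntpath.normcase(ntpath.dirname(dll_path)) == ntpath.normcase(windir)

def flag_suspicious_run_entries(entries, windir=r"c:\windows"):
    """Return (name, dll) for Run values matching the post's pattern:
    rundll32 loading a DLL stored directly in the Windows directory."""
    return [(name, dll) for name, command in entries
            if (dll := rundll32_target(command)) and is_windows_root(dll, windir)]

def read_hklm_run():
    """Windows-only: enumerate the live HKLM Run key via winreg; [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries, i = [], 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries.append((name, str(value)))
            i += 1
    return entries

if __name__ == "__main__":
    for name, dll in flag_suspicious_run_entries(read_hklm_run() or SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run value {name!r}: rundll32 loads {dll}")
```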
