Microsoft recommends their Malicious Software Removal Tool to detect and remove common viruses, worms, and other types of infections from Microsoft software. I tested their tool against a common virus with a long history. The Microsoft tool failed to notice it.
The test computer is a plain old computer running the common Windows XP 64 with a small number of applications. The computer was used to browse the Web using the relatively safe Firefox 3.6. Unfortunately Java was installed for one application, and Java hooked itself into Firefox. Nobody noticed that Java was active in Firefox because the people using the computer did not know Java could attach itself to a browser without anyone noticing.
One of the users visited IMDB to read about a film, selected a link to an actor to find other movies that actor appeared in, then selected some external links to read reviews and look at images from those movies. Somewhere along the way, the user selected an advertisement instead of legitimate content. The screen lit up with Java icons and pop-under windows. The user carefully exited everything without selecting anything and restarted the computer. After the restart, the computer was clearly infected with one of the many viruses that replace Microsoft's rundll32 with something else.
The Microsoft Malicious Software Removal Tool was switched on to full scan and let loose. The tool did not find a single infection.
Rundll32 infections have a long history. They were common back in 2008 and before that. Microsoft's tool could not detect a virus more than two years old.
rundll32 is a basic target for many infections. Microsoft could make their tool perform a simple size check to spot the replaced file, but no, they used some other method that is completely useless.
I give up. Every year Microsoft bleats about being better in the area of security, but they cannot prevent an incredibly simple attack. With years of practice, they cannot detect one of the most common attacks. That Windows-based computer will be phased out, with an Ubuntu-based computer taking up the workload.
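The size check described above, as an added example that is not part of the original post: it records the size and SHA-256 of each system executable in a baseline manifest and later compares the live files against it. The directory, file names and file contents are constructed here for the demonstration; a real run would point at the Windows system directory and take the baseline from a clean machine. It also shows the caveat a practitioner would want: a replacement padded to the original size passes a size-only check, which is why the hash is compared too.

```python
"""Baseline integrity check for system executables such as rundll32.exe."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def build_manifest(directory, names):
    """Record the known-good fingerprint of each named file (take this on a clean machine)."""
    return {n: fingerprint(os.path.join(directory, n)) for n in names}


def verify(directory, manifest):
    """Compare live files to the manifest; returns a dict of file name -> verdict."""
    verdicts = {}
    for name, (size, digest) in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            verdicts[name] = "missing"
            continue
        live_size, live_digest = fingerprint(path)
        if live_digest == digest:
            verdicts[name] = "ok"
        elif live_size == size:
            # Same size, different content: a size-only check would miss this one.
            verdicts[name] = "replaced (size unchanged)"
        else:
            verdicts[name] = "replaced (size changed)"
    return verdicts


def demo():
    """Constructed scenario: baseline two stub files, then tamper with both."""
    with tempfile.TemporaryDirectory() as d:
        files = {"rundll32.exe": b"MZ original rundll32 stub", "notepad.exe": b"MZ notepad stub"}
        for n, data in files.items():
            with open(os.path.join(d, n), "wb") as f:
                f.write(data)
        manifest = build_manifest(d, files)
        # Replace rundll32 with a payload padded to exactly the original size.
        with open(os.path.join(d, "rundll32.exe"), "wb") as f:
            f.write(b"MZ tampered".ljust(len(files["rundll32.exe"]), b"\0"))
        with open(os.path.join(d, "notepad.exe"), "ab") as f:
            f.write(b" extra bytes")  # size changes, so even the size check catches it
        return verify(d, manifest)


if __name__ == "__main__":
    print(demo())
```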
Linux to the rescue
Diagnosing the problem was helped by having a Linux-based computer next to the infected Windows computer. You can use a Windows computer to help an infected Windows computer, but if they both share the same network, there is a big chance of cross infection. Some viruses do infect Linux, but a virus designed to attack Windows is unlikely to infect Linux.
The original infection came through Java and could use Java on any computer, including Linux. Java does not run exactly the same on every computer, which makes a Java-based cross infection less likely, and Java is not installed on the Linux machine anyway. The Linux machine should be safe.
Uninstalling Java on the infected machine was a big priority to prevent reinfection. The standard Java removal process appears to work reliably on an infected machine. Java is used only to infect the machine. The actual virus does not use Java because Java is too unreliable. Instead the virus uses modern and efficient programming languages to spread the infection and do whatever nasty things the virus wants to do.
ClamWin is free open-source antivirus software based on the popular ClamAV. I downloaded ClamWin and AVG Anti-Virus Free Edition onto a CD using the Linux machine and tested ClamWin against the virus on the XP machine. ClamWin offered to install a proprietary toolbar with the default set to yes, an offer I rejected because I do not like antivirus software installing viruses. ClamWin chewed up 1597 seconds, over 23 minutes, checking 44547 files against 816918 known virus signatures, but did not find the obvious one sitting in a common place for viruses.
AVG is popular antivirus software with a free edition. Compare the editions at www.avgfree.com.au.
AVG scans processes, then the Windows registry, then files. During installation AVG annoyingly tries to sneak in a Yahoo toolbar, then it downloads a lot of data, which explains why the original download is so small. There are some other annoyances. You have to read all the messages carefully. I set AVG for a one-off scan, not an automated scan that will slow down the computer at unexpected times.
AVG found two infections that have no ongoing effect and found some possible infections in temporary files that are dropped at the end of a browsing session, often without activation. Unfortunately AVG did not find the common obvious virus infection.
You cannot trust antivirus software to stop new infections, and the Microsoft Malicious Software Removal Tool removes only a very small set of old viruses. Stay away from Java to stop many of the common attacks. Switch to Linux to reduce the range of infections that will work.