Hi everyone,
Thank you everyone; your contributions to BleepingComputer have helped me many times in the past. I hope I can now contribute.
I was cleaning up a computer virus and came across interesting and maybe useful information. I hope this can help someone in the future.
___________________
Computer: Dell Vostro, Windows XP Home (32-bit) with SP3
___________________
Issue: Many IExplorer redirects, unable to reach the Windows Update web site.
___________________
Discovery (reduced to the essential steps):
Removed all the system temporary files, prefetch entries, and old restore points before beginning cleanup.
Avira AntiVir Rescue System boot and scan - found and removed TDSS rootkit from MBR and several other virus infections.
Reboot
Can reach most web sites.
Fewer IExplorer redirects, but still a few.
Unable to reach Windows Update web site
Kaspersky TDSSKiller scan - found and removed TDSS rootkit from MBR
Reboot
Unable to reach Windows Update web site
SuperSpyware scan - found and removed variant of TDSS rootkit from MBR
Reboot
Unable to reach Windows Update web site
HitmanPro scan - found and removed MBR rootkit
TrojanRemover scan - found MBR rootkit, unable to remove
BartPE boot
Run MBRFIX (it is in the program list) and replace MBR with a clean copy
note: could have also used the Windows Recovery Console
For details, Google "MBR repair"
Reboot
Reach Windows Update web site
Windows Updates download and install properly
Regular virus scan - nothing found.
___________________
Summary:
I suspect there is a new variant of the TDSS rootkit that is able to replace itself in the MBR after the rootkit is cleaned by the scanning tools. The only way to get ahead of this rootkit is to
- boot to something besides the infected hard drive
- replace the MBR with a good copy
I hope this helps someone in the future.
WoodyS
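A defender-side check for the re-infection pattern described in the post above, added here as an example (it is not from the original post or from any of the tools named): it parses a 512-byte MBR image, hashes the bootstrap code and partition table, and compares them against a baseline taken from a known-clean copy, so a rewrite that reappears after a reboot shows up as a mismatch. The MBR bytes below are constructed inline; on a real machine the sector would be read from rescue media, not from the running (possibly infected) system.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap area before the disk signature
PART_TABLE_OFF = 0x1BE         # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"    # boot signature in the last two bytes


def parse_mbr(sector: bytes) -> dict:
    """Validate a raw MBR sector and return its hashable components."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # empty slots have type 0
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(current: dict, baseline: dict) -> list:
    """Return a list of differences; an empty list means the MBR matches the clean copy."""
    diffs = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        diffs.append("bootstrap code changed")
    if current["partitions"] != baseline["partitions"]:
        diffs.append("partition table changed")
    return diffs


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, one bootable NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"          # bytes 440-445
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 20_000_000)     # constructed values
    return code + disk_sig + entry + b"\x00" * 48 + MBR_SIGNATURE


# Constructed samples: a "clean" sector and one whose boot code was overwritten.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
REWRITTEN_MBR = build_sample_mbr(b"\xeb\x3c\x90\x00\x00\x00\x00")

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)
    print(compare_to_baseline(parse_mbr(REWRITTEN_MBR), baseline) or "MBR matches baseline")
```

The baseline hash should be recorded right after the clean MBR is written, then re-checked from rescue media after each reboot while the redirects persist.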
How I got rid of the "unable to reach windows updates" rootkit
#2
Posted 17 February 2011 - 07:26 PM
Hello.
First, let me say that we are glad that you have resolved your issue.
However, some of the methods you used (particularly the rewriting of the MBR), are not something we recommend that inexperienced users do without expert supervision. There are a number of scenarios in which the use of commands such as 'fixmbr' can have a wide variety of unintended consequences. In some circumstances (for example, an encrypted drive), the machine may no longer be able to boot at all after executing the command.
For assistance with removing this and other tricky malware infections, the best route to take is to submit a help request to our Malware Removal Team by following this guide: http://www.bleepingcomputer.com/forums/topic34773.html
~Blade
#3
Posted 20 February 2011 - 08:01 PM
Hi,
Thank you for pointing that out. I forgot to consider the encrypted drive issue.
I can always count on BleepingComputer for the best education.
Best wishes,
WoodyS