A backdoor / rootkit infection (Ntos) was found on my laptop running XP Pro. Kdhbt.exe, _svchost.exe, xpdx files were found and deleted - among others. AV software tools run (in safe mode as req'd) include: rustbfix, sdfix, gmer, combofix, atfcleaner, superantispyware, processexplorer, hijackthis2.2 and adaware. All AV software reports that my system is clean of infection - HOWEVER processexplorer continues to show ntoskrnl.exe!KEreleaseMutant+0x13b routines running within the "SYSTEM" process. Previously those routines had been found executing within subordinate processes as well (e.g. "SERVICES", "SVCHOST" etc.) but are no longer found there. My guess is that KEreleaseMutant is a base address for an offset datatable where instructions or data are being parsed or stored etc. I have been unable to identify the source of this routine, and have not been able to kill the process directly since it attaches itself to various instructions being executed; killing it when it executes is pointless - rather like running over a dead snake.
Any help with identification or methodology on how to eradicate these instructions/routines would be greatly appreciated. My hope is that someone has seen this before and can ID the likely reg keys or files etc. that are most suspect - or possibly a specialized AV program written to deal with this.
Thanks very much!