The latest infections have gone beyond perhaps anybody's ability to undo, short of a clean install. In two cases, I did a parallel install of XP, and the new install also featured the same hooked entries, implying to me at least that the infection might be in the BIOS or the boot record itself.
The symptoms are always the same, and I can undo most of them; however, the NtConnectPort is hooked by an unknown module, and its address has been offset from the kernel. I have even booted from CD and replaced the kernel file with a known clean version, but upon reboot, the modification is back, leading me to believe that I have a rootkit running from within an encryption engine that controls the system modifications at reboot, and since the suspected infection is encrypted, it is invisible to the OS. The infections I have observed likely came from infected banner ads, as I have examined the browsing habits of the infected users, and they do not surf unsafely; rather, they visit known websites like CNN or MSNBC and somehow get infected there, not meaning to lay blame on them specifically.
So I read and read and read. One post on a popular rootkit creation site even comments that if it were not for the SSDT hooks, we wouldn't even know they were there at all, and a group of evildoers are proceeding with ideology about how to hide the SSDT hooks themselves and render themselves invisible.
I have one such infected computer here in my lab, disconnected from the internet, and no tool I have found or been presented with reverses the hooks permanently, nor does any known scanner appear to find the unknown module. Please help. I will gladly donate money for good advice.
Mod Edit: Topic moved from HJT to more appropriate forum~ TMacK
Edited by TMacK, 28 July 2009 - 09:59 AM.