I have a rootkit problem that just will not go away. I have been reinstalling XP over and over to no avail, using every "clean install" method I can think of, but I seem to be pwned before the installation is even finished.
I ran a session with M0le on the Removal Logs forum and he made sure there was nothing "scannable", e.g. virus/spyware/trojan on the system. We found some evidence of previous trojans that I had cleaned earlier but other than that, the system is clean. Here's the topic: http://www.bleepingcomputer.com/forums/t/293583/infected-with-unknown-rootkit/
M0le suggested I take it to a non-malware forum to see if anyone may have a suggestion. The main issue is that once my "clean install" of XP has completed, when I disable a service, a different version of the same service will run from ControlSet001, usually a ROOT/LEGACY service or device. It seems to run using alternate DLLs from the Side-by-Side folder. And at that point I must admit, I'm out of my depth. I'm not a programmer but I have been trying to figure this out since early December and would really like to get my computer back. Hey, it's MINE.
I run as lean as possible when it comes to services and autorun programs because I use the computer primarily for multitrack audio recording and only need online access for program updates and email. All of the details are in the other topic. I eventually gave up trying to install clean after a dozen attempts or so and spent some time simply fighting it. It disables anti-virus programs upon installation, and seems to hook every process that runs. I use Process Explorer/Handles to see what's happening and I'm pretty sure it sets up tunneling server connections to ????, using older versions of Terminal Services/Remote Desktop. An IIS website seems to be installed somewhere as well but I can't find it - only the iis.log file indicating the installation. Even the TCP/IP connections are hidden, at least from TcpView and Wireshark, but I suppose they're hooked like everything else. (I don't sound paranoid, do I?) Lemme tellya - at this point I AM PARANOID! I'm denied access to the Programs folder, different areas of the registry... It's like boxing with a ghost. At this point I'd just like to be able to clean install the OS - no way I can fight it once it's dug in.
If anyone has any suggestions, I'd love to hear from you. If the initial insult is in a BIOS somewhere, I simply don't know how to find it or clean it out.
Oh, one more thing. I never got a chance to thank M0le for his excellent help, so if you see this M0le - THANKS from Zed!