Posted 19 July 2010 - 05:23 AM
I have a unique situation. I have an aging laptop that I cannot wipe clean, as it has some expensive development tools on it, the CD is inoperable, AND has no USB boot support.
The thing is, I have contracted a HORRIBLY RESILIENT root kit (bad site maybe, but I rarely stray out of my known site list). It infected my entire home network (5 Windows XP Pro boxes and this old laptop). A few boxes showed TSS.ROOTKIT under Malwarebytes (among several other trojans, etc.), but some showed nothing, yet had the same symptoms... which were:
1). IE page redirects on each search.
2). VERY slow performance (CPU usage of 20-40%, though Task Manager showed System Idle at 97-99%) that would randomly start when connected to the I-Net and last for maybe 15-20 minutes, then disappear.
3). Shuts off most anti-virus/malware scanners or randomly disallows installation.
4). COMPLETELY disabled Windows Firewall (even the setupapi trick wouldn't work), though it runs in safe mode.
5). Blue screened when I ran CMC; GMER detects no hidden ANYTHING, deletes all desktop icons for SysProt (which shows many hooks and hiddens, but cannot clean) and TDL3 Razor (which shows no infection when run), and RootKitty blue screens.
6). MBRWiz detects hidden partitions ONLY when booted from a Win XP boot CD (Ultimate Win Boot CD)... and NOT on the root drives (only secondaries).
7). Does NOT seem to infect or hinder any USB stick drives (thank God).
8). Shows a bunch of additional malware and such which comes back after cleaning as soon as I connect to the internet.
I wiped all my drives clean and reinstalled and restored backups from last month... EXCEPT this laptop, as the VS 2005 tools I use on this laptop cannot be restored from backup, but MUST be installed via their web install (yes I have tried before with their tech support). I use it ONLY to compile apps that use these tools.
The problem is, I have a current contract using these tools and they are MAD expensive and integrated throughout the 160+ screen app, so I cannot lose the ability to compile it right now.
I managed to disable the main functionality of the root kit by disabling various Windows services and killing explorer (the whole shell), yet every time I attempt to connect to the internet, open Services, or open several other Windows CPLs, I get a Windows Installer pop-up. The few times I was unable to click the cancel button quickly enough, I was immediately reinfected with the redirects and such.
I have been pulling my hair out for a solid WEEK with this damn laptop. I was able to block the outgoing by creative NAT-ing and inserting a local software proxy server in between IE and the outside connection, but it only works on my PCMCIA Sprint card (3G dial-up connection).
I am assuming it is a TDL3 variant (as some detect it as TDL3 or TSS), but damned if I can clear it off. I can't even unhide the partition, because I cannot SEE it with anything I have.
I am fairly certain it has infected the ATAPI driver in conjunction with a hidden driver or two, but am still uncertain, and the only hidden registry entries are DUMP_ATAPI.sys and DUMP_WMILIB.sys, which is normal... SO WHAT THE HELL!?
Lots of hooks... too smart to fall for renaming tools... WELL protected.
This is OBVIOUSLY a root kit... but I can't get the damn thing off. Hell, I can't even see it completely!
If you think it will help, I'll get myself a 2.5" USB drive enclosure and try detecting/cleaning from a throw-away workstation.
If ANYONE can assist in this, I will forever sing your praises and be in your debt! Hell, I might be inclined to fly to your city and treat you to dinner at a five-star of your choice!
I am new to this forum and have a SLEW of logs from different SW, so let me know what you want and I'll send it along.