I have a persistent rootkit that can be temporarily cleaned with TDSSKiller or Hitman, but it keeps coming back. Thank you in advance for any help. -Matt
Logs attached. Long story begins here:
System: Dell laptop running Windows XP Pro SP3
Problem: Browser redirect rootkit, interference with Windows updates
Getting random redirects and popups from Google. Problem appears in IE and in clean installations of Firefox. Also getting error popups from Windows, such as the following:
"Generic Host Process for Win32 Services has encountered a problem and needs to close... etc" Some technical details of error message are:
szAppName : svchost.exe
szAppVer : 5.1.2600.5512
szModName : ntdll.dll
szModVer : 5.1.2600.5755
offset : 00023845
The rootkit is undetected by AVG, Microsoft Security Essentials, and Malwarebytes. It is detected but not killed by Kaspersky TDSSKiller and Hitman Pro.
It seems the problems started about two weeks ago when I used an untrusted USB flash drive. At the time I had AVG (free version), which complained about malware on the drive. Unplugged the drive, and saw no obvious problems right away. Shortly thereafter the laptop got Thinkpoint. Ran AVG scan, and it seemed to clean up the Thinkpoint OK - have not had any more occurrence of Thinkpoint.
A day or so after this the redirects started. Ran AVG and it did not detect any problems. Uninstalled AVG, installed Microsoft Security Essentials. MSE could not download the definitions - had to download and install manually. When finally able to run MSE it found a few things and cleaned them.
Recent runs of MSE with updated definitions do not turn up anything new. Malwarebytes does not detect problems either.
After reading about some experiences posted by others, I tried TDSSKiller from Kaspersky. It can detect and clean, but the rootkit comes back in short order.
A scan with TDSSKiller turns up: Rootkit.Win32.TDSS.tdl4
Next up tried Hitman (free version). A scan with Hitman Pro 3.5.7 - Build 117 returns results like this:
Possible variant of the TDL3 (alias Alureon) rootkit detected
Master Boot Record (Sector 0) Rootkit
The above scans are in normal mode, not safe mode, by the way.
Both TDSSKiller and Hitman will clean the objects, and there is temporary success. However, the problems (browser redirects, update interference) return after a short while. Immediately after reboot things are good - browser works fine. But after a few minutes, the problem magically returns.
Maybe this can be fixed by repairing the Master Boot Record? But unfortunately I think I lost the Windows Install disk...
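As an added example (not Matt's own code, and not part of TDSSKiller or Hitman Pro): a small Python script that parses a 512-byte MBR, hashes the bootstrap-code region and compares a saved baseline against a later read of sector 0. That is one way to confirm, after a cleaning run and a reboot, whether the boot sector is actually being rewritten again rather than some other component causing the redirects. The two sample sectors, the disk signature and the single NTFS partition entry are constructed values; `read_sector0` and its `\\.\PhysicalDrive0` device path are the assumed way to capture a real sector 0 on Windows and need administrator rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code occupies bytes 0..439
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511 on every valid MBR


def parse_mbr(sector):
    """Split one 512-byte sector into the fields a baseline comparison cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        entry = sector[off:off + 16]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "valid_signature": sector[510:512] == MBR_SIGNATURE,
        "partitions": partitions,
    }


def compare_mbr(baseline, current):
    """Return a list of human-readable differences; an empty list means sector 0 is unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def read_sector0(device_path=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk (assumed Windows device path; requires administrator rights)."""
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(boot_code):
    """Constructed sector for offline demonstration: one bootable NTFS partition, fixed disk signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = struct.pack("<I", 0x1234ABCD)  # constructed disk signature
    # status 0x80 (bootable), type 0x07 (NTFS), start LBA 63, 2097152 sectors (1 GiB)
    sector[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 2097152)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed "known good" sector and a copy whose bootstrap code has been replaced.
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 100)
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 103)

if __name__ == "__main__":
    print("baseline vs baseline:", compare_mbr(BASELINE_MBR, BASELINE_MBR))
    print("baseline vs tampered:", compare_mbr(BASELINE_MBR, TAMPERED_MBR))
```

To use it on a real machine, save the output of `read_sector0()` to a file immediately after a cleaning run, reboot, read again and pass both to `compare_mbr`. One caveat: a bootkit of the TDL family can filter raw disk reads from inside the running OS and hand back a clean-looking sector, so a capture taken from boot media (a rescue CD or a live environment) is more trustworthy than one taken on the possibly infected system.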