Steviebone

Members · Content Count: 31
Everything posted by Steviebone

  1. so I ran gmer... I have no idea what to do with this information: GMER 1.0.12.12244 - http://www.gmer.net Rootkit scan 2007-05-20 17:02:03 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.12 ---- SSDT 82F60CD8 ZwAllocateVirtualMemory SSDT a347bus.sys
  2. ran rustockbfix exe then got this: Rustock.b-ADS attached to the System32-folder: Attempting to remove ADS... Looking for Rustock.b-files in the System32-folder: ECHO is off. ******************* Post-run Status of system ******************* Rustock.b-driver on the system: YOU NEED TO CONSULT MORE ADVANCED TOOLS!! The Gmer-rootkitscanner may be a good place to start. Gmer rootkit-scanner may be found here: http://www.gmer.net Rustock.b-ADS attached to the System32-folder: ECHO is off. You should either run the tool again or consult more advanced tools The Gmer-rootkitscanner may be a good plac
  3. ok, still got a rootkit and the windows installer is still persisting... how can I stop this from running, where in the registry would this be found and how do I stop it from repeatedly reopening? "Staypuffer" - 2007-05-20 14:18:51 Service Pack 2 ComboFix 07-05.20.9.V - Running from: "J:\Spywaredetector\" Rootkit driver lzx32 is present. A rootkit scan is required ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-20 )))))))))))))))))))))))))))))))))) 2007-05-20 14:04 49,152 --a------ C:\XP\nircmd.exe 2007-05-20 06:42 2,922 --a------ C:\XP\system32\IE_Backup.reg
  4. ok, combo found a rootkit as I half expected... below is the log after 3 reboots... unfortunately, on every reboot I have an MSI for Visual FoxPro trying to run now... I assume this may be the originally infected file trying to reload... on each reboot, before anything else (even speed startup) starts running, I get repeated message dialogs saying Windows Installer is preparing install for VFP9. I keep hitting cancel as quickly as possible but the window pops right back up... takes about 8 or 10 cancels to make it stay away... I fear this program will not give up perhaps until it has reinfec
  5. Here is an updated log after running spydetector: C:\XP\System32\smss.exe C:\XP\system32\winlogon.exe C:\XP\system32\services.exe C:\XP\system32\lsass.exe C:\XP\system32\svchost.exe C:\XP\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\XP\system32\spoolsv.exe C:\Program Files\Acronis\BackupServer\backupserver.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe C:\Program Files\Eset\nod32krn.exe C:\XP\system32\nvsvc32.exe C:\Program Files\SpywareDetector\SDService.exe C:\XP\System32\svchost.exe C:\Progra
  6. Below is a HijackThis log... the computer in question has been scanned by Spybot S&D, Spy Sweeper, Avast Pro (boot time) and NOD32. Whenever the computer starts up, even before login, syslog shows continuous various outbound traffic to rogue destination IP addresses. The traffic is continuous and eats up anywhere from 4 to 85% of the CPU power according to task manager. The only thing showing consumption in task manager however is System Idle Process. At semi-periodic intervals I get errors in services.exe result code 0 and a forced NT Authority Shutdown/Reboot. As there are over 70 progra