There's definitely something there protecting them now; we'll have to keep looking until we can find it.
GMER didn't find the rootkit I thought it might, but let's check another way to make sure it isn't there.
Copy everything from the following box into Notepad:
Code:
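@echo off
rem Remove a check.txt left over from an earlier run so the result is not stale
if exist check.txt del check.txt
rem Build a .reg file that creates the pe386 service key, then import it
echo.REGEDIT4>!reg.reg
echo.>>!reg.reg
echo.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386]>>!reg.reg
regedit.exe /s !reg.reg
rem Export the key; if the key is being hidden, the export fails and check.txt is not written
regedit /a check.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386"
rem Append a delete entry and import again to remove the test key
echo.[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386]>>!reg.reg
regedit.exe /s !reg.reg
del !reg.reg
rem Write a result either way so Notepad always has a report to open
if not exist check.txt echo pe386 exists!!!!!!!>report.txt
if exist check.txt echo pe386 not detected>report.txt
start notepad report.txt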
Save the file as look.bat and double-click on it to run it. It should pop up with a report in Notepad.
Download and save Blacklight to your desktop:
Double-click blbeta.exe, then accept the agreement, leave [X] scan through Windows Explorer checked, click > scan then > next.
You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".
Open HijackThis and click the "Open Misc Tools Section" tab.
Select Generate StartUpList log and make sure that both boxes beside it are checked.
Put a check by:
List all minor sections (Full)
and
List Empty Sections (Complete)
It will produce a Notepad page; I need you to copy the entire contents of that page to the next reply.