[Help] Rootkit Removal [HJT + RootAlyzer Logs]



FireSign
2009-04-19, 00:43
Hey, to be brief, I've recently noticed my PC behaving strangely with certain things, for example, my SpyBot S&D will not open. I used Google and found I have a rootkit and need help removing it. I have a HiJackThis log, and a RootAlyzer log (deep scan).

HiJack This log:

---------------------------------------------------------------------
---------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:21:48, on 18/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [hpsysdrv] "c:\windows\system\hpsysdrv.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [CamMonitor] "c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe"
O4 - HKLM\..\Run: [HPHmon05] "C:\WINDOWS\System32\hphmon05.exe"
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] "ALCXMNTR.EXE"
O4 - HKLM\..\Run: [KBD] "C:\HP\KBD\KBD.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Pareto_SC] "C:\Program Files\ParetoLogic\Spam Controls\Pareto_SC.exe" -hideui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

---------------------------------------------------------------------
---------------------------------------------------------------------

Here's the RootAlyzer log:

---------------------------------------------------------------------
---------------------------------------------------------------------

// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\gaopdxcounter"
File:"Hidden file","C:\WINDOWS\system32\gaopdxpdmixmtxowflngqajxdqhnsaokavoedw.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\gaopdxcounter"
File:"Invisible to Win32","C:\WINDOWS\system32\gaopdxpdmixmtxowflngqajxdqhnsaokavoedw.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\drivers\gaopdxbobvphwcmevdlvbbaewkpbitttyqjvby.sys"
Directory:"No admin in ACL","C:\WINDOWS\Internet Logs"

----- The following is the same log but in a different log mode -----

Comment:
File created using RootAlyzer to help your get rid of a rootkit.

Files to delete:
C:\WINDOWS\system32\gaopdxcounter
C:\WINDOWS\system32\gaopdxpdmixmtxowflngqajxdqhnsaokavoedw.dll
C:\WINDOWS\system32\gaopdxcounter
C:\WINDOWS\system32\gaopdxpdmixmtxowflngqajxdqhnsaokavoedw.dll
C:\WINDOWS\system32\drivers\gaopdxbobvphwcmevdlvbbaewkpbitttyqjvby.sys

Folders to delete:
C:\WINDOWS\Internet Logs

Registry keys to delete:

Registry values to delete:

---------------------------------------------------------------------
---------------------------------------------------------------------

I've done a NOD32 scan, a ParetoLogic Anti-Virus scan and cleaned my computer using CCleaner. I did all this prior to getting the logs. I took the logs about 30 mins ago, and plan on not doing other scans unless you ask for it, of course.

I've also provided the suspicious files found by RootAlyzer (using the Pack Suspicious Files button after the Deep Scan).

Thanks A LOT in advance, hope you guys know how to sort this.
If you need any other logs, I'll be fine with it ^^ Just want this rootkit gone. BTW nothing else was found on my PC when I scanned with NOD32. ParetoLogic did remove some cookies though, if that helps xD. I was hoping to do a S&D scan but apparently this rootkit is stopping it from opening and other things (so I've been told).

Sorry for double posting, couldn't see the edit button.

Here's the suspicious files which were found by RootAlyzer.
Had to change it to .zip (was .cab originally).

---------------------------------------------------------------------------------------------------------
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Please do not attach or link to infected files! For the safety of our members they will be removed.
If an analyst requests files s/he will give you a link to upload them.
Can I edit my own posts?

In the Spybot-S&D forum, there is a 15 minute time frame to edit one's post.
In the Malware Removal Forum, members may not edit their posts. A helper may already be analysing the information given.
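The RootAlyzer results above list the same objects under more than one finding, and the generated "Files to delete" list repeats paths. The following is an added triage helper, not code from the thread or from Safer Networking: it parses the `Kind:"Finding","Path"` line format as it appears in the posted log (the format is assumed from that log only), collapses duplicates, separates the "Invisible to Win32" results from objects that merely carry a hidden attribute, and checks whether the hidden files share a name prefix, which is what ties the DLL, counter file and driver in this log together.

```python
import os
import re
from collections import defaultdict

# Constructed sample reproducing the result lines posted in this thread.
SAMPLE_LOG = r'''
:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\gaopdxcounter"
File:"Hidden file","C:\WINDOWS\system32\gaopdxpdmixmtxowflngqajxdqhnsaokavoedw.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\gaopdxcounter"
File:"Invisible to Win32","C:\WINDOWS\system32\gaopdxpdmixmtxowflngqajxdqhnsaokavoedw.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\drivers\gaopdxbobvphwcmevdlvbbaewkpbitttyqjvby.sys"
Directory:"No admin in ACL","C:\WINDOWS\Internet Logs"
'''

# Kind:"Finding","Path"  (assumed from the posted log, not an official spec)
LINE_RE = re.compile(r'^(\w+):"([^"]*)","([^"]*)"$')

def parse_rootalyzer(text):
    """Return one (kind, finding, path) tuple per result line; ignore the rest."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append(m.groups())
    return results

def findings_by_path(results):
    """Collapse to {path: set(findings)} so each object is reviewed once."""
    by_path = defaultdict(set)
    for _kind, finding, path in results:
        by_path[path].add(finding)
    return dict(by_path)

def removal_plan(results):
    """Deduplicated path list per object kind, in first-seen order."""
    plan = defaultdict(list)
    for kind, _finding, path in results:
        if path not in plan[kind]:
            plan[kind].append(path)
    return dict(plan)

def high_confidence(results):
    """Paths the Win32 API cannot enumerate at all: stronger evidence of
    active hiding than a plain hidden attribute, so review these first."""
    return sorted({p for _k, f, p in results if f == "Invisible to Win32"})

def shared_name_prefix(paths):
    """Longest common prefix of the base names (case-folded); a non-empty
    prefix across hidden files suggests they were dropped as one set."""
    names = [os.path.basename(p.replace("\\", "/")).lower() for p in paths]
    return os.path.commonprefix(names)
```

Running `shared_name_prefix(high_confidence(parse_rootalyzer(SAMPLE_LOG)))` on the posted log yields the prefix shared by all three invisible files, which is the grouping a helper would use when deciding which driver and DLL belong to the same infection.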

FireSign
2009-04-19, 16:06
Oh I see, sorry. The SpyBot Team asked me to attach the suspicious files which RootAlyzer found. When I uninstalled S&D, the uninstaller sent them an e-mail which I wrote inside the uninstaller, and they said I was infected with a rootkit. Now I think they meant send the files through e-mail though xD

pskelley
2009-04-23, 15:49
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions, anything else will waste your time and mine.
Appears you missed the information pinned (sticky) to the top of this forum?

Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.

You also did not post a complete HJT log and I do not know the situation now since you ran tools and I am not sure what was removed and what was not removed.

If you still believe you need help with malware, post a complete HJT log like this: HJT > Notepad > Edit > Select All > copy/paste the highlighted information to your thread using Post Reply.

Tell me about any issues. If you no longer have issues, post to let me know and I will close this thread.

Thanks

pskelley
2009-04-29, 12:51
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.