
all scans say fine but nasty files locked in registry?



Hi, I know something is on my system due to odd behaviour: numerous home page redirects, CPU usage showing as 0-5% in Task Manager, but the "working" light on the PC is going crazy and the PC is slow.

I have as standard on my machine Anti-Malware, Norton SystemWorks and Spybot S&D; these have recently found a few trojans etc., but nothing major. So then I downloaded Ad-Aware (I know, not compatible with Spybot), the Kaspersky tool and Sophos, which all found nothing.

I downloaded mbr, which ran and showed everything was fine.

The HJT log also, as far as I am aware, shows nothing. But it was when I ran GMER that I found a group of files in the registry under rootkit/malware, all with the title GEYEK (followed by a string of gibberish).

When I went to the supposed location of these keys/values in regedit there was only one value showing, and it was uneditable; however, when I browsed the same area in GMER it showed lots of sub-folders (all shown in RED) with a lot of EXEs and DLLs, totalling about 20 different keys/values. But it also cannot edit or remove the geyek files.

I can paste a HJT log if necessary, but the log that shows the files in question is the GMER log, so here it is:

Oh, and I also tried running RootRepeal, but it just hangs until it has to be forcefully ended, and ComboFix did not remove the files.

GMER LOG

GMER 1.0.15.15220 - http://www.gmer.net

Rootkit scan 2009-11-12 18:49:42

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Richard\LOCALS~1\Temp\fxtdapoc.sys

---- System - GMER 1.0.15 ----

SSDT 8A606240 ZwConnectPort

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76C787E]

SSDT SnopFree.sys ZwCreateProcessEx [0xF789B9E4]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76C7BFE]

SSDT SnopFree.sys ZwTerminateProcess [0xF789B9F4]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\SnopFree.sys The process cannot access the file because it is being used by another process.

? Combo-Fix.sys The system cannot find the file specified. !

? C:\Combo-Fix\catchme.sys The system cannot find the file specified. !

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

? C:\DOCUME~1\Richard\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

? C:\WINDOWS\system32\drivers\rootrepeal.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\winlogon.exe[932] C:\WINDOWS\system32\ntdll.dll image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: WINMM.dllunknown module: MSGINA.dllunknown module: RASAPI32.dllunknown module: MPR.dllunknown module: AUTHZ.dllunknown module: NDdeApi.dllunknown module: PROFMAP.dllunknown module: SETUPAPI.dllunknown module: VERSION.dllunknown module: WINSTA.dllunknown module: WINTRUST.dll

.text C:\Program Files\Webroot\Washer\WasherSvc.exe[3172] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0008ED99 C:\Program Files\Webroot\Washer\WasherSvc.exe (Window Washer Engine/Webroot Software, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

Device AFE67D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba@start 1

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba@type 1

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba@group file system

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba@imagepath \systemroot\system32\drivers\geyekritbijhgt.sys

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\main@aid 10002

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\main@sid 0

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\main\delete@C:\DOCUME~1\Richard\LOCALS~1\Temp\geyekrtixtbqftih.tmp

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\modules@geyekrrk.sys \systemroot\system32\drivers\geyekritbijhgt.sys

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\modules@geyekrcmd.dll \systemroot\system32\geyekrkeamnksq.dll

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\modules@geyekrlog.dat \systemroot\system32\geyekrgakftpvx.dat

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\modules@geyekrwsp.dll \systemroot\system32\geyekrogjdwwxm.dll

Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\modules@geyekr.dat \systemroot\system32\geyekrhflbyggi.dat

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmal

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacrem

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf

Reg HKCU\Software\Microsoft\Windows Live Mail@SqmSrvLastFailTime POP3 3511218

---- EOF - GMER 1.0.15 ----

They may not be active, but I would still like them removed from my system for peace of mind.

Thanks for any help.
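For anyone triaging a log like the one above, here is an added Python helper (example code written for this page, not GMER's own code and not the poster's work) that pulls the `Reg` lines of GMER's Registry section apart by service key, collects start/type/imagepath and the `\modules` file mappings, and lists SSDT hooks GMER could not attribute to a module. It assumes only the line shapes visible in the log above; the sample it runs on is constructed from those lines, and the heuristics in `triage()` (a type-1 driver service with an empty imagepath, a `\modules` subkey mapping names to files, subkeys GMER marks as not in the active ControlSet) are mine, not GMER's.

```python
"""Added triage helper for a GMER 1.0.15 text log (not GMER's or the poster's code).
Groups the Registry section's 'Reg' lines by service key, pulls out start/type/
imagepath and the \\modules file mappings, and lists SSDT hooks GMER could not
attribute to a module. It assumes only the line shapes visible in the log above."""
import re
from collections import defaultdict

# Constructed sample, assembled from line shapes in the log quoted above.
SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----
SSDT 8A606240 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76C787E]

---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba@imagepath \systemroot\system32\drivers\geyekritbijhgt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\modules@geyekrrk.sys \systemroot\system32\drivers\geyekritbijhgt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba\modules@geyekrwsp.dll \systemroot\system32\geyekrogjdwwxm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd
Reg HKCU\Software\Microsoft\Windows Live Mail@SqmSrvLastFailTime POP3 3511218

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?\s*$")
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)
INACTIVE = "(not active ControlSet)"


def parse_reg_line(line):
    """Split 'Reg <key>[@<value> [<data>]]' into (key, value, data, inactive)."""
    body = line[len("Reg "):].strip()
    inactive = body.endswith(INACTIVE)
    if inactive:
        body = body[: -len(INACTIVE)].rstrip()
    key, sep, rest = body.partition("@")  # assumes no '@' inside the key path
    if not sep:
        return key, None, None, inactive
    value, _, data = rest.partition(" ")
    return key, value, data.strip(), inactive


def parse_log(text):
    """Return {'ssdt': [...], 'services': {name: {...}}} from GMER log text."""
    ssdt, section = [], None
    services = defaultdict(lambda: {"values": {}, "modules": {}, "inactive_subkeys": []})
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "System" and (m := SSDT_RE.match(line)):
            owner = m.group("owner")
            # A bare 8-digit hex owner means GMER found no module behind the hook.
            ssdt.append({"function": m.group("func"), "owner": owner,
                         "attributed": re.fullmatch(r"[0-9A-Fa-f]{8}", owner) is None})
        elif section == "Registry" and line.startswith("Reg "):
            key, value, data, inactive = parse_reg_line(line)
            if not (m := SERVICE_RE.search(key)):
                continue  # not a Services key (e.g. the Windows Live Mail value)
            svc = services[m.group(1)]
            sub = key[m.end():].lstrip("\\")  # '' for the service key itself
            if value is None:
                if inactive:
                    svc["inactive_subkeys"].append(sub)
            elif sub == "":
                svc["values"][value.lower()] = data
            elif sub.lower() == "modules":
                svc["modules"][value] = data
    return {"ssdt": ssdt, "services": dict(services)}


def triage(parsed):
    """Return the findings a responder would read first, as plain strings."""
    findings = [f"SSDT hook on {h['function']} at {h['owner']} has no owning module"
                for h in parsed["ssdt"] if not h["attributed"]]
    for name, svc in sorted(parsed["services"].items()):
        vals, reasons = svc["values"], []
        if vals.get("type") == "1" and not vals.get("imagepath"):
            reasons.append("kernel driver service (type 1) with empty imagepath")
        if svc["modules"]:
            reasons.append(f"{len(svc['modules'])} name-to-file mappings under \\modules")
        if svc["inactive_subkeys"]:
            reasons.append("subkeys GMER marks '(not active ControlSet)'")
        if reasons:
            findings.append(f"service {name}: " + "; ".join(reasons))
    return findings


def referenced_files(parsed, service):
    """On-disk paths a service key points at (imagepath plus \\modules targets)."""
    svc = parsed["services"][service]
    files = {p for p in svc["modules"].values() if p}
    if svc["values"].get("imagepath"):
        files.add(svc["values"]["imagepath"])
    return sorted(files)
```

Running `triage(parse_log(SAMPLE_LOG))` on the constructed sample reports the unattributed `ZwConnectPort` hook and both service keys; `referenced_files()` then gives the on-disk paths a service key points at, which is the list a responder wants before deciding what to submit for analysis or how to clean the machine. Note that GMER's "(not active ControlSet)" annotation refers to ControlSet001 rather than the CurrentControlSet the system is booted with, which is why the script records that flag separately instead of treating those keys as live.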
