Rootkit.Agent saga, help needed!

Hi, I've had an infection from Rootkit.Agent that I've been trying to remove over the past couple of days. I think I may have cracked it but need some help with possible registry changes. It started when I was looking at an image a couple of days ago, got a popup telling me Acrobat Reader couldn't be opened, and from my next reboot the PC would barely boot to the desktop, Explorer not loading at all. After getting in via Safe Mode and scanning with Malwarebytes Anti-Malware, which I've used for some years, it detected a keylog.txt, three registry entries and some dodgily named executables. It said it had cleaned it and the next scan was clean with my PC running as normal, but 24 hours later I got the same problems and it was back.

After reading quite a bit about it on various forums (thanks, Google) I installed and used HijackThis, ComboFix and a couple of rootkit removal tools. Anti-Malware and ComboFix repeatedly detected various exes, a keylog.txt and three registry key changes. Each time they were removed but would return upon reboot.

A brief summary of the logs to show what was detected (happy to post the full ones if required).

Malwarebytes' Anti-Malware 1.44
Database version: 3830
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
...
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\option_1 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\option_2 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\option_3 (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Packer) -> Data: system32\ovevdwj.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Packer) -> Data: \systemroot\system32\ovevdwj.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\OVeVdWj.exe (Malware.Packer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\keylog.txt (Malware.Trace) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.44
Database version: 3836
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
...
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\option_1 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\option_2 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\option_3 (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\keylog.txt (Malware.Trace) -> Quarantined and deleted successfully.

ComboFix 10-03-07.05 - Eddy 08/03/2010  12:27:10.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1631 [GMT 0:00]
Running from: c:\documents and settings\Eddy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eddy\Application Data\inst.exe
c:\program files\Common Files\keylog.txt
c:\windows\system32\3xjB17O.exe
c:\windows\system32\45fca34d.exe
c:\windows\system32\4kHQw6d.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-08 12:16 . 2010-03-08 12:16 84992 ----a-w- c:\windows\system32\SQJc3Ww.exe
2010-03-08 12:13 . 2010-03-08 12:13 84992 ----a-w- c:\windows\system32\yUZlNCj.exe
2010-03-08 12:10 . 2010-03-08 12:10 388096 ----a-r- c:\documents and settings\Eddy\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-08 12:10 . 2010-03-08 12:10 -------- d-----w- c:\program files\TrendMicro
2010-03-08 12:07 . 2010-03-08 12:07 84992 ----a-w- c:\windows\system32\xYAo4PJ.exe
2010-03-08 11:58 . 2010-03-08 11:58 84992 ----a-w- c:\windows\system32\BmiehDx.exe
2010-03-08 02:36 . 2010-03-08 02:36 84992 ----a-w- c:\windows\system32\o1yXDjA.exe
2010-03-08 01:56 . 2010-03-08 12:02 -------- d-----w- c:\program files\Panda Security
2010-03-08 01:31 . 2010-03-08 01:31 -------- d-----w- c:\program files\Sophos
2010-03-08 01:07 . 2010-03-08 01:07 84992 ----a-w- c:\windows\system32\eMBa79f.exe
2010-03-08 00:52 . 2010-03-08 00:52 503808 ----a-w- c:\documents and settings\Eddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-121a27fc-n\msvcp71.dll
2010-03-08 00:52 . 2010-03-08 00:52 499712 ----a-w- c:\documents and settings\Eddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-121a27fc-n\jmc.dll
2010-03-08 00:52 . 2010-03-08 00:52 348160 ----a-w- c:\documents and settings\Eddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-121a27fc-n\msvcr71.dll
2010-03-08 00:52 . 2010-03-08 00:52 61440 ----a-w- c:\documents and settings\Eddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b3b1bc9-n\decora-sse.dll
2010-03-08 00:52 . 2010-03-08 00:52 12800 ----a-w- c:\documents and settings\Eddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b3b1bc9-n\decora-d3d.dll
2010-03-08 00:42 . 2010-03-08 00:42 84992 ----a-w- c:\windows\system32\xlLOoM7.exe
2010-03-08 00:40 . 2010-03-08 00:40 84992 ----a-w- c:\windows\system32\CYO9NDA.exe
2010-03-07 21:18 . 2010-03-07 21:18 84992 ----a-w- c:\windows\system32\ViEQpjf.exe
2010-03-07 21:16 . 2010-03-07 21:16 77312 ----a-w- c:\windows\system32\lviJFk5.exe
2010-03-06 23:24 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-06 23:22 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-03-06 23:21 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-03-06 23:20 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-03-06 20:16 . 2010-03-06 20:16 74752 ----a-w- c:\windows\system32\w9ImU9T.exe
2010-03-06 01:25 . 2010-03-06 01:25 76288 ----a-w- c:\windows\system32\YL8TmZU.exe
2010-03-06 01:25 . 2010-03-06 01:25 -------- d-----w- c:\program files\Common Files\wm
2010-03-06 01:25 . 2010-03-06 01:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-05 11:51 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-02-23 01:04 . 2008-12-04 11:34 27784 ----a-w- c:\windows\system32\drivers\point32.sys
2010-02-23 01:04 . 2010-02-23 01:04 -------- d-----w- c:\program files\Microsoft IntelliPoint

I forgot to save the HijackThis log.

Anyway, I was pretty resigned to having to reformat and reinstall Windows, so being rather cheesed off I thought I had nothing to lose and decided to look for and delete some of the suspicious files manually. To my surprise, in Windows\system32, when ordering files by date created, a whole load of suspiciously named ones were sitting near the end, having been created recently. As can be seen in the logs, they had very random-looking names. I deleted them all, about nine of them, using Spybot S&D's Secure Shredder, rebooted and seem to have got rid of it. 3 or 4 reboots and scans later I'm coming up clean on Anti-Malware.

A current HijackThis log shows:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 16:18:29, on 08/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\45fca34d.exe,\\?\globalroot\systemroot\,\\?\globalroot\systemroot\system32\lviJFk5.exe,
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 3569 bytes

If anyone could suggest anything else and tell me if that log is clean it would be much appreciated. I'd be amazed if the basic manual deletion of those files in an act of desperation had been successful where all these programs weren't, but it seems to be the case?

Also, when navigating to the affected keys that kept being detected, it looked like this. With the problems seemingly fixed and a clean scan from Anti-Malware it looks like this. Should the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft actually look like that? The text of the other entries looks a bit suspicious, like the dodgy entries from the first image. I'm using Win XP 32-bit Service Pack 3, by the way.

Any help would be much appreciated,

Thanks a lot.
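The persistence location at the centre of this thread is the Winlogon Userinit value (the HijackThis "F2 - REG:system.ini: UserInit=" line, and the Malwarebytes "Registry Data Items" entries above). Winlogon runs every comma-separated entry in that value at logon, so a clean machine has exactly one entry, the stock userinit.exe, and anything else appended is a launch point the next reboot will honour. The script below is an added example, not the poster's code nor part of HijackThis or Malwarebytes: it parses an F2 UserInit line, canonicalises the spellings malware uses to dodge a naive string compare (the `\\?\globalroot\systemroot\` object-manager form and bare `system32\...` relative paths), and reports every entry that is not the default. It assumes the Windows directory is `C:\WINDOWS`, as on the poster's XP install, and feeds itself the F2 line from the posted log as sample input.

```python
import re

# Default Userinit value on a stock Windows XP install, in canonical lower case.
# Winlogon launches every comma-separated entry of this value at logon, so any
# additional entry is a persistence mechanism (this is the value Malwarebytes
# flagged under "Registry Data Items Infected" above).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Sample input: the F2 line copied from the HijackThis log in the post above.
SAMPLE_F2_LINE = (
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"
    r"C:\WINDOWS\system32\45fca34d.exe,\\?\globalroot\systemroot\,"
    r"\\?\globalroot\systemroot\system32\lviJFk5.exe,"
)


def normalize_path(entry, system_root=r"c:\windows"):
    r"""Map the spellings Winlogon accepts onto one canonical lower-case path.

    Handles the NT object-manager form \\?\globalroot\systemroot\..., the
    \systemroot\... form seen in the Malwarebytes log, and bare relative paths
    such as system32\foo.exe, which resolve against the Windows directory.
    system_root is an assumption (C:\WINDOWS, as on the poster's machine).
    """
    e = entry.strip().strip('"').lower()
    # \\?\globalroot\systemroot  ->  c:\windows   (lambda avoids re.sub
    # interpreting the backslashes in system_root as escape sequences)
    e = re.sub(r"^\\\\\?\\globalroot\\systemroot", lambda _: system_root, e)
    # \systemroot\...  ->  c:\windows\...
    e = re.sub(r"^\\systemroot", lambda _: system_root, e)
    # Anything without a drive letter is relative to the Windows directory.
    if not re.match(r"^[a-z]:\\", e):
        e = system_root + "\\" + e.lstrip("\\")
    return e


def parse_userinit(f2_line):
    """Return the raw comma-separated entries from a HijackThis F2 UserInit line."""
    m = re.search(r"UserInit=(.*)$", f2_line, re.IGNORECASE)
    if not m:
        raise ValueError("not an F2 UserInit line")
    # The value is comma-separated; the usual trailing comma yields an empty
    # entry, which is dropped rather than reported.
    return [p for p in m.group(1).split(",") if p.strip()]


def audit_userinit(f2_line):
    """Split one F2 line into (expected_entries, unexpected_entries).

    unexpected_entries is a list of (raw_entry, canonical_path) tuples so the
    report shows both what the registry literally holds and what it resolves to.
    """
    expected, unexpected = [], []
    for raw in parse_userinit(f2_line):
        canon = normalize_path(raw)
        if canon == EXPECTED_USERINIT:
            expected.append(raw)
        else:
            unexpected.append((raw, canon))
    return expected, unexpected


def audit_log(log_text):
    """Scan a whole HijackThis log and return every unexpected Userinit entry."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("F2 - ") and "UserInit=" in line:
            _, unexpected = audit_userinit(line)
            findings.extend(unexpected)
    return findings


if __name__ == "__main__":
    findings = audit_log(SAMPLE_F2_LINE)
    if not findings:
        print("Userinit is clean: only the stock userinit.exe is listed")
    for raw, canon in findings:
        print(f"UNEXPECTED Userinit entry: {raw!r} -> {canon}")
```

Run it on a saved HijackThis log by passing the file contents to `audit_log`; on a live machine the same check applies to the data of `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` directly. The canonicalisation step is the part worth keeping: two of the three extra entries in the posted line are written with the `\\?\globalroot\systemroot\` prefix, which Winlogon resolves to the Windows directory but which a plain comparison against `C:\WINDOWS\...` would miss.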
