Anyway, I tried to use Spybot, Sysinternals Autoruns, Gmer, Malwarebytes, and many other tools for viruses, rootkits, and malware, and they were all shut down by the rootkit. Gmer actually worked a bit, but after letting it scan for some time it was forcefully shut down, so Gmer only worked if you don't scan; the registry, modules, etc. views still work. The only ones that worked were SuperAntispyware and AVG, so I used those and removed much of the spyware and malware that I was hit with, including quite a few viruses. I then proceeded to use SIW, or System Information for Windows, since it's one of those apps that was not affected by the rootkit, and it seems that all of the apps that have been shut down so far had a library file located at \\?\globalroot\device\__max++>\*random8characters*.x86.dll attached to them. It is also the only one whose name changed whenever I tried to mess around with it using Avenger2 scripts, but Avenger2 does not seem to work with UNC paths because it returns "an object cannot have this name". Now I no longer know what I need to do and would really like a way to get access to that UNC directory or something to remove it. I am also not sure where its loading point is. Thank you.
Sadly, I can't really post the DDS log because it seems that the rootkit blocks it as well. Instead, I will post logs made using SIW (System Information for Windows) that show the loaded DLLs only, as well as a full log of my computer if asked. I actually have a log from Gmer as well, but that was made by scanning part by part because that's the only way to prevent Gmer from being killed by the rootkit.
What is interesting about this rootkit is that if you run any of the security software or rootkit revealers, it will forcefully close that application and then hide the application executable from the system. Therefore, if it's in the program folder, you won't find the executable anymore unless you use Gmer to show the hidden file or use an Ubuntu live CD. If it's on the desktop already, then you can still see it but can't access it; it displays an error about not being able to find the file, or something about no permission to access the file. When I first started fighting the rootkit, I had many executables on my desktop that were no longer usable, as they were all forcefully closed and hidden, so I had to use Ubuntu, Avenger2, or a ComboFix script to remove them and clear up some space. I now use a flash drive which has a read-only switch on it to prevent the rootkit from hiding the file, although it still forcefully closes the program when run, even after I renamed it randomly on a different computer.
Edited by Enternal, 28 July 2009 - 02:23 PM.
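The post above reports that every killed tool had a DLL loaded from \\?\globalroot\device\__max++>\*.x86.dll, and that the rootkit hides files on disk. A quick triage check for that symptom, written as an added example that is not part of the original post or of any of the tools it names: walk every process, list its loaded modules, and flag any whose path starts with the \\?\globalroot\ device prefix, whose file name matches the eight-random-characters.x86.dll pattern the poster describes, or whose file cannot be found on disk from user mode. The pattern for the file name is an assumption drawn from the post's description, not a known indicator. Run it from an elevated prompt; protected and system processes that refuse module enumeration are skipped and reported with -Verbose.

```powershell
# Added example, not code from the original post. Assumptions: the suspicious DLL
# loads from a path beginning with \\?\globalroot\ and is named <8 chars>.x86.dll,
# as the poster describes; anything else here is generic module triage.

function Get-SuspiciousModules {
    [CmdletBinding()]
    param()

    $findings = @()
    foreach ($proc in Get-Process) {
        try {
            $modules = $proc.Modules
        } catch {
            # Access denied on protected/system processes is normal; note and move on.
            Write-Verbose ("skipping {0} (PID {1}): {2}" -f $proc.ProcessName, $proc.Id, $_.Exception.Message)
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            if ([string]::IsNullOrEmpty($path)) { continue }

            $reasons = @()
            # \\?\globalroot\ paths bypass normal drive-letter resolution; legitimate
            # user-mode DLLs are almost never reported this way.
            if ($path.StartsWith('\\?\globalroot\', [System.StringComparison]::OrdinalIgnoreCase)) {
                $reasons += 'globalroot device path'
            }
            # Name shape from the post: eight random characters followed by .x86.dll (assumed pattern).
            if ($m.ModuleName -match '^[A-Za-z0-9]{8}\.x86\.dll$') {
                $reasons += 'random8.x86.dll name'
            }
            # File.Exists never throws; it returns $false for device paths and for files
            # a rootkit hides from user mode, which is exactly what we want to surface.
            if (-not [System.IO.File]::Exists($path)) {
                $reasons += 'file not visible on disk'
            }

            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    PID     = $proc.Id
                    Process = $proc.ProcessName
                    Module  = $m.ModuleName
                    Path    = $path
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

# Usage: group by module path so one injected DLL shows up once with every host process.
Get-SuspiciousModules -Verbose |
    Group-Object Path |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.Name
            Reason    = ($_.Group | Select-Object -First 1).Reason
            Processes = ($_.Group | ForEach-Object { "{0}({1})" -f $_.Process, $_.PID }) -join ', '
        }
    } |
    Format-Table -AutoSize -Wrap
```

Two caveats follow from the post itself: the poster reports that this rootkit terminates scanning tools and hides their executables, so a script run on the infected machine may be killed or may never see the file, and a "file not visible on disk" hit is a symptom to investigate, not proof by itself (modules loaded from a mapped section or a since-deleted temp file show the same way). The module list comes from user-mode process memory, so it says which processes have the DLL loaded but not where its load point is; that still has to be found separately.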