Thanks Dachew, RootRepeal found it.
I had 4 or 5 other rootkit finders and several spyware finders like Spybot S&D, Microsoft's MRT, and various antivirus programs, and none of them found the hjgruixuexhesb.sys file.
RootRepeal found this:
I grabbed my axe (haha), booted from a Linux disk, made a copy of it and saved it, named a .dll the same name, deleted the original hjgruixuexhesb.sys and pasted a copy of the renamed .dll into the folder, rebooted in safe mode, set its permissions to read-only, and rebooted into Windows XP normally, and everything that had been hidden before was visible again.
I did that because in the early part of my battle I just deleted all of them I could find, and when I rebooted into Windows, it replaced them and did all the damage again, so I started replacing them with renamed inert files; I used .dlls as they were handy.
Here are the files I found:
HKLM\SYSTEM\ControlSet001\Services\hjgruiylthespy 0 bytes Hidden from Windows API. <- embedded nulls ;)
HKLM\SYSTEM\ControlSet002\Services\hjgruiylthespy 0 bytes Hidden from Windows API.
C:\windows\drivers\hjgruixuexhesb.sys <- the main demon that was hiding the reg entries etc. It was only 66 KB; I disassembled it to see how it did so much damage, and in hex view it is weird, like it has some crazy poetry or something. Here is an excerpt:
ROSENCRANTZ.art.so.die.not.dread.shall.obey.lose.they.good.will.shall.patient.of.never.book
Like I said, weird...
But when it first appeared, the virus deleted hal.dll, removed the CD-ROM from the registry, uninstalled the sound card, the OEM monitor driver and Windows Media Player, and made hidden files and folders unable to show no matter how you set it from Tools/Folder Options/Show Hidden; it would set itself back and never show any hidden folders or files (registry). I had to manually fix that and add a few missing keys, a DWORD or two, and maybe a cussword or two as well, to get them working again.
The HKLM\SYSTEM\ControlSet001\Services\hjgruiylthespy entries had an embedded null */ followed by binary info; for example, one translated to hjgruidunrfoax.dll. They were a bit hard to delete; I had to keep getting ownership as I found them, etc. But now all is OK; in fact I am online now on that box, and have rebooted it several times.
THANKS again Dachew
Edited by cherokeeguitar, 04 August 2009 - 10:56 PM.
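The "Hidden from Windows API" finding on the service keys above comes down to one mechanism: the kernel stores registry key names as counted UNICODE_STRINGs, while the Win32 functions (RegEnumKeyEx, RegOpenKeyEx, RegDeleteKey) treat names as NUL-terminated C strings. A key created through the native API with a NUL inside its name is truncated when read back through Win32, and the truncated name matches no real key, so Win32 tools can neither open nor delete it. The model below is an added example, not code from the poster or from RootRepeal; the key names are constructed sample data, and the text after the NUL is shown as plain characters (the exact encoding of the real payload is an assumption).

```python
"""
Model of why a registry key name with an embedded NUL is hidden from Win32.

Constructed example: simulates the kernel's counted key names next to the
NUL-terminated view that Win32 registry functions present, then applies the
cross-view check (native view vs Win32 view) that rootkit detectors use.
"""

NUL = "\x00"

# Constructed sample: key names as the kernel (counted strings) sees them.
# The second entry imitates the rootkit key from the post: a visible prefix,
# an embedded NUL, then extra characters. The payload text is an assumption.
SAMPLE_NATIVE_KEYS = [
    "Tcpip",
    "hjgruiylthespy" + NUL + "hjgruidunrfoax.dll",
    "Dhcp",
]


def win32_view(native_name: str) -> str:
    """What a NUL-terminated (RegEnumKeyEx-style) caller sees: text up to the first NUL."""
    idx = native_name.find(NUL)
    return native_name if idx < 0 else native_name[:idx]


def win32_open(native_keys, name: str) -> bool:
    """Simulates RegOpenKeyEx: the caller's NUL-terminated name must match a key exactly.

    The hidden key's full name contains a NUL that a C string cannot carry,
    so the visible prefix never matches and the open fails.
    """
    return name in native_keys


def find_null_embedded_keys(native_keys):
    """Cross-view check: flag every key whose Win32 view differs from its native name."""
    findings = []
    for native in native_keys:
        visible = win32_view(native)
        if visible != native:
            findings.append({
                "visible_name": visible,
                "native_length": len(native),
                "hidden_payload": native[len(visible) + 1:],
                "openable_via_win32": win32_open(native_keys, visible),
            })
    return findings


if __name__ == "__main__":
    for f in find_null_embedded_keys(SAMPLE_NATIVE_KEYS):
        print(f"{f['visible_name']!r}: native length {f['native_length']}, "
              f"payload {f['hidden_payload']!r}, Win32 can open: {f['openable_via_win32']}")
```

On a live Windows system the same comparison is done between a native enumeration (NtEnumerateKey, which returns counted names) and the Win32 enumeration; a key that appears in the first but not the second is exactly what the tool output above labels "Hidden from Windows API", which is also why regedit and Win32-based cleaners could not remove it and the poster had to work from outside the running system.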