Posted 20 September 2009 - 10:56 AM
Sorry to say I fixed it on my own (sorry because you gave me such a great guide I could have used instead!)
To summarize what I did though: I used ComboFix (renamed so it could launch). This didn't remove everything, but it did get rid of whatever was stopping certain apps from running (a bunch of rootkits).
After that I ran SDFix, which got rid of more stuff, and after that I ran Malwarebytes' Anti-Malware, which seemed to get the rest. However, I had a few issues left over as scars. The registry had one subkey that was locked (it had "NT AUTHORITY\SYSTEM" set as the owner by the viruses). When trying to install AVG, it needs access to that, and it gave me an error.
So I spent a few hours but figured out how to fix it. It was not a null byte in the name or anything, but its owner was "NT AUTHORITY\SYSTEM". So I found a guide on how to run a command prompt window as NT AUTHORITY\SYSTEM. The first method (a scheduled task set to launch the cmd window) did not work; I assume Windows has patched that vulnerability. The second method worked though, using a tool called autoexnt, which is a service from the Server 2003 toolkit. It simply executes a batch command at startup. Since services run as NT AUTHORITY\SYSTEM, having it launch a cmd window gave me control. So I ran regedit from that cmd window, and was then able to set the proper owner of the keys.
I will be remembering this trick, as I have had similar issues on clients' PCs before that made me back up their files, wipe the PC, and restore the files, which I always hate doing. People spend weeks getting everything back to how it was.
Thank you for that guide, I will certainly keep that handy for the future. And I hope this tidbit about NT AUTHORITY\SYSTEM helps someone else out.
I find it funny that I basically had to run regedit in the same fashion a virus had before, just to get control back. I just hope no one finds my tip, and uses this access in a bad way. That is certainly a lot of power.
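An added defender-side check, not part of the post above: before resorting to a SYSTEM shell, an elevated PowerShell prompt can audit a registry subtree for exactly the symptom described (keys whose security descriptor cannot be read, or where BUILTIN\Administrators lack Full Control, which is what makes an installer fail). The root path `HKLM:\SOFTWARE\Example` is an assumed placeholder, not a key from the post.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt. Reports registry keys an administrator cannot fully control, which is
# the condition that blocked the installer in the post above.
function Get-KeyAccessSummary {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Not even being able to read the security descriptor is a finding.
        return [pscustomobject]@{
            Path = $Path; Owner = '<unreadable>'; AdminsFullControl = $false
            Error = $_.Exception.Message
        }
    }
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $adminsFull = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    [pscustomobject]@{
        Path = $Path; Owner = $acl.Owner
        AdminsFullControl = [bool]$adminsFull; Error = $null
    }
}

function Find-LockedKeys {
    # $Root is an assumed placeholder subtree; point it at the area the
    # failing installer complained about.
    param([string]$Root = 'HKLM:\SOFTWARE\Example')
    $keys = @(Get-Item -Path $Root -ErrorAction Stop) +
            @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        $summary = Get-KeyAccessSummary -Path $k.PSPath
        # Only keys an administrator cannot fully control are reported;
        # SYSTEM or TrustedInstaller ownership alone is normal under HKLM.
        if (-not $summary.AdminsFullControl) { $summary }
    }
}

Find-LockedKeys | Format-Table -AutoSize
```

Keys listed with an `Error` or `AdminsFullControl = False` are the ones whose ownership or DACL needs restoring before the installer will succeed.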