Rustbfix.exe didn't find anything unfortunately. However, I am thinking my problem is the xpdt rootkit, see the xpdt entries in the RootkitRevealer log below:
HKLM\SECURITY\Policy\Secrets\SAC* 9/7/2005 3:30 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 9/7/2005 3:30 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\xpdt 5/27/2007 12:38 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\xpdt 5/28/2007 12:20 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s0 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s1 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s2 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\g0 11/26/2005 11:14 PM 32 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\h0 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 8/26/2006 12:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\Vax347s\Config\jdgg40 10/6/2006 10:15 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\xpdt 5/28/2007 12:20 PM 0 bytes Hidden from Windows API.
I tried to delete these entries from the registry but it won't let me, it says 'error while opening key' when I try to click on or delete the xpdt folder. I also have an xpdt.sys entry in my system32 folder but when I try to delete that it says 'cannot find the specified file'.
I ran SDFix from safe mode and it said in the logfile it detected the xpdt rootkit but it didn't actually delete it and says to use a rootkit scanner. I have tried the AVG rootkit scanner but that doesn't detect any rootkits on my system.
Surely this xpdt must be the problem but I just can't get rid of it!!!
I have put a HijackThis log below also:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:24:50, on 28/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Archives\Utilities\HijackThis\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page =
http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1375BD9-73D3-49A3-943E-0AB1A0C2C274}: NameServer = 212.87.64.7,212.87.64.10
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 3667 bytes
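A small parser for the RootkitRevealer discrepancy lines quoted above, added here as an example and not part of the original post or of RootkitRevealer itself: it splits each line into path, timestamp, size and description, buckets the description ("Hidden from Windows API" versus "embedded nulls"), and groups hidden service keys by the control sets they appear in, which is the quickest way to see that a driver such as xpdt is registered in every control set rather than just the current one. The sample log embedded in the block is constructed from the post's entries.

```python
import re
from collections import defaultdict

# Constructed sample in the layout RootkitRevealer uses for each discrepancy:
# path, date, time, size, description. Values copied from the post's log.
SAMPLE_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 9/7/2005 3:30 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\xpdt 5/27/2007 12:38 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\xpdt 5/28/2007 12:20 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s0 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\xpdt 5/28/2007 12:20 PM 0 bytes Hidden from Windows API.
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<size>\d+) bytes\s+(?P<desc>.+)$"
)
# The first path component under a Services\ key names the driver/service.
SERVICE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)", re.I
)

def parse(log):
    """Turn discrepancy lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            entries.append(e)
    return entries

def kind(desc):
    """Bucket the description: a key or file hidden from the Windows API is the
    classic rootkit signal; embedded-null key names are a separate, weaker one."""
    d = desc.lower()
    if "hidden from windows api" in d:
        return "hidden"
    if "embedded nulls" in d:
        return "embedded_nulls"
    return "other"

def hidden_services(entries):
    """Map each service whose key (or a subkey) is hidden to the control sets it
    appears in; a service present in all of them is still loaded after booting
    'Last Known Good Configuration', which explains why that does not help."""
    found = defaultdict(set)
    for e in entries:
        if kind(e["desc"]) != "hidden":
            continue
        m = SERVICE_RE.match(e["path"])
        if m:
            found[m.group(2).lower()].add(m.group(1))
    return {svc: sorted(cs) for svc, cs in found.items()}
```

Run `hidden_services(parse(SAMPLE_LOG))` to get each hidden service with its control sets; the "error while opening key" and "cannot find the specified file" messages in the post are what a user-mode tool sees when the driver is filtering those objects, so the registry and file views from a clean boot medium are the ones to trust.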