Immovable Embedded registry keys

Discussion in 'Malware Help (A Specialist Will Reply)' started by Linalei, Apr 23, 2009.

  1. Linalei

    Linalei Private E-2

    Hello all,
    Thank you for the welcome,

    I have a problem that is getting worse day by day.
    It started with 4 registry keys that a rootkit scan using Sophos revealed to be hidden and immovable.
    Every time I did a system restore they seemed to replicate. These keys were to my limited knowledge Microsoft system keys.

    I scanned the system with 3 or 4 online virus scanners; only one found a problem, saying it could not scan various Windows updates. I had installed them not very long ago, but when I looked in Software Distribution the keys had been backed up in a folder, away from the other updates; my Software Distribution folder had gone from 250 MB to 134 MB. I tried to reinstall them but got a message, "There is no path, datainf.dll is not available." Then I discovered that my hard drive would not defrag using Windows defrag. I downloaded the product Auslogics Disk Defrag; it went so far, then it stopped.

    I installed a program called Iobit smart defrag and system optimizer, I tried to defrag with that and used the setting of defrag and deep optimize on my pc.

    To my dismay, I saw maybe 20 black squares, and lots of free space in between. I tried this program over and over again, and it came up with the same result. Then more black squares (embedded keys) began to run in different places on my drive.
    I ran Sophos rootkit scanner again and it said I had 216 hidden embedded registry keys, and that they were all immovable.
    Some were from porn sites and gambling sites, but I am not sure if they are Spybot's sites. There are * wildcards in lots of keys, and these keys are in the Domain-Escdomains key as default, 1-S-5-18. This key is also in a subfolder of winsys 32 as protected.

    I have a custom system: Asus motherboard, genuine Intel Core 2 Duo processor, 2 GB of DDR 667 RAM, and a 775 socket. I recently had to replace Windows and so at the moment I have an OEM version of XP Home, but I intended to upgrade to XP Professional as I have the CD that I purchased some time ago.

    Windows was installed by the technician who serviced the PC and reinstalled all updates for Service Pack 2, and I have kept current with security updates since then. I have not installed Service Pack 3, mainly because I am not on the internet much with this PC. It is used for graphics only. I do not use IE, Messenger, MSN, Windows Media, or any other program, and I get my emails from my ISP web mail, so no email program either. Now I am thinking I may have to have it reformatted again. Sigh...

    I have ZoneAlarm Pro as my software firewall, and a Netgear miniport router for my 2 computers. They are not networked as they are used for different programs. This PC runs only Photoshop CS3 and Photoshop Elements 7, and a few security programs: Spybot, Avast antivirus, Sophos rootkit scanner, and I use Sandboxie for the web.

    I have run a log through HijackThis, which, if you can help me with this problem, I will be happy to post.
    I now have immovable blocks all through my C drive, and some are 20 MB, as they clump together. I have not deleted anything from the registry, as I am not sure what is malware and what is Spybot's files. However, every one of these files has now become embedded, showing a total of 1600 embedded files, according to Sophos scans and IObit defrag, which only defrags to the first black square.

    No matter which antivirus I use, and also Spybot, they say my system has no spyware and no virus. However, there was a virus found a few days ago, win 32 -Hacko, which was deleted. I had been using Avira antivirus, but changed to Avast, which found the win 32-Hacko.
    I removed all restore points, hoping that would solve all problems, but the immovable embedded registry keys are still there. This morning when I booted the system, Avast was not running, even though it was set to do a boot scan every day.
    Help, someone, please.

    Lina
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!


    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky: Don't Bump! It Only Hurts You!!! Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and, as stated, our system works the oldest threads FIRST.
     
  3. Linalei

    Linalei Private E-2

    Hello Tim

    Thank you for your reply.
    I have run all the tests except ComboFix, which to be honest I was a bit afraid to go near. I will attach the logs that I got from the other tests, but I think my problem is so difficult to fix that my best option is to reformat and start over clean.

    These keys cannot be moved, and they change from time to time. It seems that some malware has infected my registry and has removed some dll files and security updates and has changed some other files that I am not aware of. There are many folders that are now empty, and I have started to clean out my external drives, to have them flattened, so that I do not reinfect my system. To me the logs look OK, but there are now still many, many keys all through my C drive, and no way will it defrag.

    Sophos is the only program that detects these keys, but not as rootkits; as embedded immovable keys. I have released all system restore points almost every day, but it has not helped.

    Because I do not have .NET Framework, the HijackThis log stopped prematurely. I did a scan of the system again today, same result, nothing found.
    It is most confusing.
    Thank you
    Lina
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, nothing is showing in your logs. What I suggest you do is to save your data and personal files to a disc. Then run ComboFix, as it is very good at finding locked reg keys. You will need to disable all your AV and AS programs (including TeaTimer!!) before you run it.

    I seriously doubt you will have any adverse issues when you run Combo... so just attach the log when it is done.
     
  5. Linalei

    Linalei Private E-2

    Hi Tim,
    Thank you so much for looking at my logs. I appreciate all the help that you give to people for no cost.

    Re my PC: as there are many dll files missing, Windows Installer refuses to work, and the PC still will not defrag, I have decided to bite the bullet and have my hard drive scrubbed along with all my external drives.

    Perhaps the last install was not a good one, so all partitions are being replaced, and all drives flattened.

    I have backed up my data to many, many DVDs, and I know it is a major chore, but once it is done, I will feel more secure.

    Thank you so much for your help.
    Lina
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are very welcome... I hope you get these issues solved with a fresh install; just be sure to scan your saved items before you copy them back. :)
     