need some help with rootkit infection

AVG has been popping up a window on my son's PC for a week or so indicating an infected file avpe32.dll, but I could not find the file anywhere. I did some searching on the AVG forums and found that this file is an indication of a rootkit infection. I did some searching here and found some other threads that suggested downloading and running rootkit revealer. I ran the program and saved the log so that I could post it here in hopes that I can get some help in getting rid of this pest. Any help would be greatly appreciated. Here is the log from rootkit revealer;

C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf 1/10/2006 7:43 PM 13.97 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\AVPE32.DLL 8/23/2001 12:00 PM 39.10 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\AVPE64.SYS 8/23/2001 12:00 PM 21.30 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\klgcptini.dat 12/6/2005 11:35 AM 0 bytes Hidden from Windows API.
C:\WINDOWS\SYSTEM32\QZ.DLL 8/23/2001 12:00 PM 39.10 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\QZ.SYS 8/23/2001 12:00 PM 21.30 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\STT82.INI 12/6/2005 11:35 AM 320 bytes Hidden from Windows API.

 

Hello BillB,

What I would suggest is to ask at the Sysinternals forum > RKR Logs.

http://www.sysinternals.com/Forum/default.asp

Regards - Charles

 

Thanks for the replies, I opened a thread in the sysinternals forum and have been provided some suggestions there. I'm going to finish going through them tonight. One thing though, one of the cleanup steps is to turn off system restore. When I try to do this I get the message that system restore has encountered an error trying to enable/disable restore points, reboot the machine and try again. Rebooting doesn't do any good, nor does it work in Safe Mode. Does anyone have any ideas what would cause this?

I'll post back with steps taken to rid the PC of this pest when I'm done.

 

Hi Bill,

This is the first time I've seen this, might very well be one of the effects of the infection - thanks for the heads up on that.

This might be of help:

How to reinstall SR
http://bertk.mvps.org/html/tips.html#ReinstallSR

Also keep in mind that the infection in SR's RP's are inert, and as long as no restore done, they'll not have any affect on the system even though they are reported on. So I would concentrate on cleaning the "live" files first and then go about fixing/cleaning out SR's RP's.

Regards - Charles

 

Thanks Arie, I'll follow up on that one.