Hi all, I've been struggling with a rootkit for a couple of days now. I've searched for these specific Reg entries on EE, but I can only see them as a smaller part of people's scan logs where they are not addressed specifically.
ComboFix detects the rootkit and the entire computer freezes up. So I downloaded and ran GMER 18.104.22.16841. On my first scan, the Rootkit/Malware tab showed the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
It didn't say what the problem was with them, if any. I went to the registry and noticed that HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows was denying me (Administrator) access to the key. So I took ownership and gave Administrators permissions.
After granting the permissions to the key, I ran a scan with GMER again and it found a bunch of Temporary Internet files that are infected, but it no longer mentioned those registry keys.
My question: Was GMER complaining simply because it didn't have access to those keys? Or are these keys that I should be backing up/deleting? Obviously I don't want to do anything to cause me a BSOD here.
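An added example, not part of the original post, of how to inspect the key GMER listed from an elevated PowerShell prompt. It reports the key's owner and ACL (a system key that denies Administrators is itself worth noting), compares the seven values GMER showed against the expected contents of that key (the expected table is constructed here from the values in the post; GDIProcessHandleQuota and USERProcessHandleQuota are shown as decimal 10000, i.e. 0x2710), and, because AppInit_DLLs is the one value in that key that causes a DLL to be loaded into every process using user32.dll, lists any DLL paths found there together with whether they exist on disk and who signed them. Paths, the expected table and the output format are this example's assumptions.

```powershell
# Added example (not code from the original post). Run from an elevated PowerShell.
# Assumed key path: the one GMER reported in the post.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# 1. Owner and access entries on the key. Administrators being denied access is unusual.
$acl = Get-Acl -Path $keyPath
"Owner: $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 2. Compare the values GMER listed against the expected contents of the key.
#    Constructed table: strings as shown in the post, DWORD 0x2710 = 10000.
$expected = [ordered]@{
    'DeviceNotSelectedTimeout' = '15'
    'GDIProcessHandleQuota'    = 10000
    'Spooler'                  = 'yes'
    'swapdisk'                 = ''
    'TransmissionRetryTimeout' = '90'
    'USERProcessHandleQuota'   = 10000
    'AppInit_DLLs'             = ''      # should be empty on a clean default install
}
$props = Get-ItemProperty -Path $keyPath
foreach ($name in $expected.Keys) {
    $actual = $props.$name
    if ($null -eq $actual) { '{0,-26} MISSING' -f $name; continue }
    $status = if ("$actual" -eq "$($expected[$name])") { 'as expected' } else { 'DIFFERS' }
    '{0,-26} {1,-12} actual=[{2}]' -f $name, $status, $actual
}

# 3. AppInit_DLLs: anything here is loaded into every user32-based process, so each
#    entry (space- or comma-separated) is resolved, checked for existence and signature.
$appInit = [string]$props.AppInit_DLLs
if (-not [string]::IsNullOrWhiteSpace($appInit)) {
    $entries = $appInit -split '[ ,;]+' | Where-Object { $_ -ne '' }
    foreach ($entry in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        # Bare file names resolve relative to the System32 directory.
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            '{0} exists; signature={1}; signer={2}' -f $path, $sig.Status,
                ($sig.SignerCertificate.Subject)
        } else {
            '{0} referenced but NOT found on disk' -f $path
        }
    }
} else {
    'AppInit_DLLs is empty.'
}
```

Reading the output: values reported "as expected" match what the post shows, so GMER listing them is consistent with it having hit an access-denied key rather than with those values being altered; the ACL block and the AppInit_DLLs section are the parts to look at closely before deleting anything. Exporting the key with `reg export` before changing it keeps a restorable copy.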