
Infected by ROOTKITS !

2 posts in this topic

Hello everyone!

2 days ago, I had viruses and I tried to eliminate the maximum of them. I used Spybot and also HijackThis for that.

But I had the idea of reinstalling XP and deleting all the hard disk and everything in order to erase all the viruses and start from scratch. This is what I did today. Now the computer is completely empty with my new XP. I downloaded Spybot and I found viruses in the scans!!! So that means that those viruses were in my computer before and after I reinstalled XP!!!!

So I'm sure those viruses are rootkits (I got the following viruses: Avenue A, Inc + BlackCore + CasaleMedia + CurePCSolution + Statcounter + Tradedoubler + Webtrends live + Zedo). Those viruses reappear even if I delete them with Spybot!

NB: I have Comodo as a firewall and a-squared, Spybot and AVG as antivirus.

Today I used HijackThis, RootkitRevealer and Gmer with the hope of resolving the problem.

I'm going to give you the log of HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 7:29:39 PM, on 6/8/2098
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\program files\a-squared free\a2service.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\DivX\DivX Player\DivX Player.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Hide The IP\HideTheIP.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wzd35d\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Hide-The-IP] "C:\Program Files\Hide The IP\HideTheIP.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe



The following text is the log of RootKitRevealer:


HKLM\SECURITY\Policy\Secrets\SAC* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 6/8/2098 4:41 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 6/8/2098 4:41 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Nico Mak Computing\WinZip\WinIni\UZQF 6/8/2098 4:41 PM 10 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Administrator\Local Settings\Temp\jmzrff.exe 6/8/2098 4:42 PM 52.00 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\mkwdnh.exe 2/22/2007 11:43 AM 52.00 KB Visible in Windows API, but not in MFT or directory index.
H: 0 bytes Error mounting volume


Finally, here is the Gmer log :


GMER - http://www.gmer.net
Rootkit scan 2098-06-08 19:33:49
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetContextThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetInformationFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwShutdownSystem
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFileGather

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys
? C:\WINDOWS\system32\1.tmp The system cannot find the file specified.
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified.

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Comodo\Firewall\cpf.exe[1500] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Comodo\Firewall\cpf.exe[1500] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 05, 5F ]
.text C:\Program Files\Comodo\Firewall\cpf.exe[1500] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1516] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 004E12D0 C:\Program Files\MSN Messenger\MsnMsgr.Exe
.text C:\Program Files\a-squared Free\a2service.exe[1916] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes [ E3, CD, C3, 83 ]

---- EOF - GMER 1.0.12 ----





Please, I do need your help! I cannot stand it anymore.

I cannot launch Ableton, for instance, to produce music anymore, and I'm stuck right now and cannot do anything.

For example, Ableton displays this error message when I launch it:


Edited by flowzen
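The RootkitRevealer and GMER output above are both cross-view detections: RootkitRevealer compares what the Windows API reports against what it reads from the raw disk and registry hives, and GMER lists which kernel driver has replaced entries in the System Service Descriptor Table (SSDT). Reading such logs by hand is error-prone, so here is an added triage script (example code written for this page, not part of the original post and not from the RootkitRevealer, GMER or HijackThis projects). It parses the discrepancy lines quoted above, ranks them by how strongly the discrepancy type points at API hooking, and groups the SSDT hooks by hooking driver. Assumptions: the severity rules and the small list of "volatile" registry values are heuristics chosen for this example; the attribution of cmdmon.sys to the COMODO firewall is inferred from the CPF.exe and cmdagent.exe entries in the same HijackThis log; the single `example_unknown.sys` SSDT line is constructed to show how an unrecognised driver is reported.

```python
import re
from collections import defaultdict

# RootkitRevealer discrepancy lines copied from the log in the post above.
RKR_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 6/8/2098 4:41 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 6/8/2098 4:41 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Nico Mak Computing\WinZip\WinIni\UZQF 6/8/2098 4:41 PM 10 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Administrator\Local Settings\Temp\jmzrff.exe 6/8/2098 4:42 PM 52.00 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\mkwdnh.exe 2/22/2007 11:43 AM 52.00 KB Visible in Windows API, but not in MFT or directory index.
H: 0 bytes Error mounting volume
"""

# A few GMER "System" section lines from the same post, plus ONE constructed
# line (example_unknown.sys) to show how an unrecognised hooking driver is reported.
GMER_LOG = r"""
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\example_unknown.sys ZwQueryDirectoryFile
"""

# "<path> [<date> <time>] <size> <unit> <description>"; the path may contain spaces,
# and lines such as "H: 0 bytes Error mounting volume" carry no timestamp.
RKR_LINE = re.compile(
    r"^(?P<path>.+?)"
    r"(?: (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M))?"
    r" (?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))"
    r" (?P<desc>.+)$"
)

# Registry values that change constantly, so an API-vs-raw-hive mismatch there is
# expected. Baseline chosen for this example (RNG\Seed is the textbook case).
VOLATILE_KEYS = {
    r"hklm\software\microsoft\cryptography\rng\seed",
    r"hklm\software\microsoft\windows nt\currentversion\prefetcher\tracesprocessed",
}


def triage_rkr_line(line):
    """Parse one RootkitRevealer line and assign a heuristic triage severity."""
    m = RKR_LINE.match(line.strip())
    if not m:
        return None
    path, desc = m["path"], m["desc"]
    if desc.startswith("Hidden from Windows API"):
        severity = "HIGH"    # raw view sees it, the API does not: classic hooked-API signature
    elif desc.startswith("Visible in Windows API, but not in MFT"):
        severity = "MEDIUM"  # reverse discrepancy: often a file that changed between scan passes
    elif desc.startswith("Key name contains embedded nulls"):
        # Embedded nulls hide a key from regedit; under Policy\Secrets this is a
        # documented benign case, anywhere else it deserves a closer look.
        secrets = path.lower().startswith(r"hklm\security\policy\secrets")
        severity = "LOW" if secrets else "MEDIUM"
    elif desc.startswith("Data mismatch"):
        severity = "LOW" if path.lower() in VOLATILE_KEYS else "MEDIUM"
    else:
        severity = "INFO"    # e.g. "Error mounting volume"
    return {"path": path, "size": m["size"], "desc": desc, "severity": severity}


def triage_rkr(log):
    """Return every parsed RootkitRevealer finding, highest severity first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    findings = [f for f in (triage_rkr_line(l) for l in log.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f["severity"]])


SSDT_LINE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)$")

# Assumption: cmdmon.sys is the kernel driver of the COMODO firewall whose CPF.exe
# and cmdagent.exe appear in the HijackThis log. Security products hook the SSDT
# legitimately; the baseline separates them from drivers nobody can account for.
KNOWN_SSDT_HOOKERS = {
    "cmdmon.sys": "COMODO Firewall Pro (CPF.exe / cmdagent.exe in the HijackThis log)",
}


def summarise_ssdt(log):
    """Group GMER SSDT hook lines by hooking driver and flag unknown drivers."""
    hooks = defaultdict(list)
    for line in log.splitlines():
        m = SSDT_LINE.match(line.strip())
        if m:
            driver = m["module"].rsplit("\\", 1)[-1].lower()
            hooks[driver].append(m["func"])
    return {
        driver: {
            "owner": KNOWN_SSDT_HOOKERS.get(driver, "UNKNOWN: identify the driver before trusting the scan"),
            "known": driver in KNOWN_SSDT_HOOKERS,
            "hooked": funcs,
        }
        for driver, funcs in hooks.items()
    }


if __name__ == "__main__":
    for f in triage_rkr(RKR_LOG):
        print(f"[{f['severity']:<6}] {f['path']}  ({f['desc']})")
    for driver, info in summarise_ssdt(GMER_LOG).items():
        print(f"{driver}: {len(info['hooked'])} SSDT hooks, owner: {info['owner']}")
```

Run on the log above, the only HIGH finding is the Temp executable that is hidden from the API, the WinZip value mismatch comes out MEDIUM because it is not on the volatile baseline, and the Policy\Secrets and RNG\Seed entries drop to LOW. A HIGH finding is a starting point for correlation with the process list and the scanner's own behaviour, not a verdict on its own; the GMER summary likewise shows that every SSDT hook in the post is owned by one driver that the HijackThis log accounts for, which is the question a helper answers before treating hooks as rootkit evidence.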


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.


Thank you for your patience.


[this is an automated reply]
