Infected by ROOTKITS !

1 reply to this topic

#1 flowzen



  • New Member
  • 1 posts

Posted 08 June 2007 - 06:32 PM

Hello everyone!

Two days ago, I had viruses and I tried to eliminate as many of them as I could. I used Spybot and also HijackThis for that.
But I had the idea of reinstalling XP and wiping the whole hard disk and everything on it in order to erase all the viruses and start from scratch. This is what I did today. Now the computer is completely empty with my new XP. I downloaded Spybot and I found viruses in the scans!!! So that means that those viruses were in my computer before and after I reinstalled XP!!!!
So I'm sure those viruses are rootkits (I got the following viruses: Avenue A, Inc + BlackCore + CasaleMedia + CurePCSolution + Statcounter + Tradedoubler + Webtrends live + Zedo). Those viruses reappear even if I delete them with Spybot!
NB: I have Comodo as a firewall, and a-squared, Spybot and AVG as antivirus.
Today I used HijackThis, RootkitRevealer and GMER in the hope of resolving the problem.

I'm going to give you the log of HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 7:29:39 PM, on 6/8/2098
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\program files\a-squared free\a2service.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\DivX\DivX Player\DivX Player.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Hide The IP\HideTheIP.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wzd35d\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Hide-The-IP] "C:\Program Files\Hide The IP\HideTheIP.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

The following text is the log of RootKitRevealer:
HKLM\SECURITY\Policy\Secrets\SAC* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 6/8/2098 4:41 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 6/8/2098 4:41 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Nico Mak Computing\WinZip\WinIni\UZQF 6/8/2098 4:41 PM 10 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Administrator\Local Settings\Temp\jmzrff.exe 6/8/2098 4:42 PM 52.00 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\mkwdnh.exe 2/22/2007 11:43 AM 52.00 KB Visible in Windows API, but not in MFT or directory index.
H: 0 bytes Error mounting volume

Finally, here is the GMER log:
GMER - http://www.gmer.net
Rootkit scan 2098-06-08 19:33:49
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetContextThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetInformationFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwShutdownSystem
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFileGather

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys
? C:\WINDOWS\system32\1.tmp The system cannot find the file specified.
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified.

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Comodo\Firewall\cpf.exe[1500] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Comodo\Firewall\cpf.exe[1500] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 05, 5F ]
.text C:\Program Files\Comodo\Firewall\cpf.exe[1500] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1516] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 004E12D0 C:\Program Files\MSN Messenger\MsnMsgr.Exe
.text C:\Program Files\a-squared Free\a2service.exe[1916] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes [ E3, CD, C3, 83 ]

---- EOF - GMER 1.0.12 ----

Please, I do need your help! I cannot stand it anymore.
I cannot launch Ableton to produce music anymore, for instance, and I'm stuck right now and cannot do anything.
For example, Ableton displays this error message when I launch it:

(screenshot of the Ableton error message not available)

Edited by flowzen, 08 June 2007 - 06:34 PM.
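The RootkitRevealer output above is the kind of list a helper triages by hand, and the important point is that not every discrepancy it reports is a rootkit. As an added example that is not part of the original post and not code from any of the tools named, here is a small Python triage script for RootkitRevealer discrepancy lines. It embeds the eight lines from the post as its sample input and sorts each into benign / investigate / suspicious / info. The "known benign" rules (embedded-null key names under HKLM\SECURITY\Policy\Secrets, and data mismatches on the RNG seed and the Prefetcher counter, values Windows rewrites constantly so the API read and the raw hive read differ during a scan) are my assumption drawn from the tool's documented false positives, not a verdict on this machine; anything hidden from the Windows API is flagged for a closer look, and the remaining mismatches are marked for a rescan rather than dismissed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The RootkitRevealer lines from the post above, embedded as sample input.
SAMPLE_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 6/8/2098 4:41 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 6/8/2098 4:41 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Nico Mak Computing\WinZip\WinIni\UZQF 6/8/2098 4:41 PM 10 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Administrator\Local Settings\Temp\jmzrff.exe 6/8/2098 4:42 PM 52.00 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\mkwdnh.exe 2/22/2007 11:43 AM 52.00 KB Visible in Windows API, but not in MFT or directory index.
H: 0 bytes Error mounting volume
"""

# One discrepancy line: <path> [<date> <time>] <size> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+)?"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+)$"
)

# Assumed allow-list (my assumption, based on the discrepancies RootkitRevealer's
# documentation describes as expected on a clean system): registry values that
# Windows rewrites while the scan is running, so API and raw-hive reads differ.
BENIGN_RULES = (
    lambda p, d: p.startswith(r"hklm\security\policy\secrets") and "embedded nulls" in d,
    lambda p, d: p.endswith(r"\cryptography\rng\seed") and "data mismatch" in d,
    lambda p, d: p.endswith(r"\prefetcher\tracesprocessed") and "data mismatch" in d,
)


@dataclass
class Finding:
    path: str
    timestamp: Optional[str]
    size: str
    description: str
    verdict: str


def classify(path: str, description: str) -> str:
    """Map one discrepancy to benign / suspicious / investigate / info."""
    p, d = path.lower(), description.lower()
    if any(rule(p, d) for rule in BENIGN_RULES):
        return "benign"
    if "hidden from windows api" in d:
        # Present in raw disk structures but not returned through the Windows
        # API: the classic hooking symptom. Copy the file out for analysis.
        return "suspicious"
    if "error mounting volume" in d:
        return "info"
    # Other data mismatches and files "visible but not in MFT" can be transient
    # (written or deleted mid-scan); rescan before drawing conclusions.
    return "investigate"


def parse_log(text: str) -> list:
    """Parse RootkitRevealer output into Finding records, one per line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            findings.append(Finding(line, None, "", "", "unparsed"))
            continue
        findings.append(Finding(m["path"], m["ts"], m["size"], m["desc"],
                                classify(m["path"], m["desc"])))
    return findings


def summarize(findings) -> dict:
    """Count findings per verdict, e.g. {'benign': 4, 'suspicious': 1, ...}."""
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    results = parse_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:<12} {f.path}  [{f.description}]")
    print(summarize(results))
```

Run stand-alone it prints one line per finding with its verdict and then the per-verdict counts. The same split-by-owner idea applies to the GMER SSDT list in the post: every hook there belongs to cmdmon.sys, which from its name and location appears to be the driver of the Comodo firewall that the HijackThis log also shows installed, so a single security product accounting for all the hooks is what one would expect rather than evidence of a rootkit.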

#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,522 posts

Posted 11 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.
