Hello everyone! :)
Two days ago, I had viruses and I tried to eliminate as many of them as possible. I used Spybot and also HijackThis.
But I had the idea of reinstalling XP and wiping the whole hard disk and everything on it in order to erase the viruses and start from scratch. This is what I did today. Now the computer is completely empty with my new XP. I downloaded Spybot and I found viruses in the scans!!! So that means that those viruses were in my computer before and after I reinstalled XP!!!!
So I'm sure those viruses are rootkits (for example, there are CasaleMedia, Webtrends Live, Statcounter, etc.).
NB: I have Comodo as a firewall, and a-squared, Spybot and AVG as antivirus.
Today I used HijackThis, RootkitRevealer and GMER in the hope of resolving the problem.
I'm going to give you the HijackThis log:
HijackThis:______________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 4:39:59 PM, on 6/8/2098
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\program files\a-squared free\a2service.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wz8e57\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
The following text is the RootkitRevealer log:
RootkitRevealer:______________________________________
HKLM\SECURITY\Policy\Secrets\SAC* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 6/8/2098 4:41 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 6/8/2098 4:41 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Nico Mak Computing\WinZip\WinIni\UZQF 6/8/2098 4:41 PM 10 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Administrator\Local Settings\Temp\jmzrff.exe 6/8/2098 4:42 PM 52.00 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\mkwdnh.exe 2/22/2007 11:43 AM 52.00 KB Visible in Windows API, but not in MFT or directory index.
H: 0 bytes Error mounting volume
Finally, here is the GMER log:
GMER:_________________________________________________
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2098-06-08 16:51:34
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetContextThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetInformationFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwShutdownSystem
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFileGather
---- Kernel code sections - GMER 1.0.12 ----
? C:\WINDOWS\system32\DRIVERS\update.sys
? C:\WINDOWS\system32\1.tmp The system cannot find the file specified.
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified.
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Comodo\Firewall\cpf.exe[1500] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Comodo\Firewall\cpf.exe[1500] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 05, 5F ]
.text C:\Program Files\Comodo\Firewall\cpf.exe[1500] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1516] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 004E12D0 C:\Program Files\MSN Messenger\MsnMsgr.Exe
.text C:\Program Files\a-squared Free\a2service.exe[1916] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes [ E3, CD, C3, 83 ]
.text C:\Program Files\Winamp\winamp.exe[2024] USER32.dll!SetScrollInfo 77D4902C 7 Bytes JMP 01AC9E2D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2024] USER32.dll!GetScrollPos 77D4F66F 5 Bytes JMP 01AC9DDD C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2024] USER32.dll!SetScrollRange 77D4F6BB 5 Bytes JMP 01AC9E83 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2024] USER32.dll!SetScrollPos 77D4F780 5 Bytes JMP 01AC9E58 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2024] USER32.dll!GetScrollRange 77D4F7B7 5 Bytes JMP 01AC9E02 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2024] USER32.dll!ShowScrollBar 77D50142 5 Bytes JMP 01AC9EB1 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2024] USER32.dll!GetScrollInfo 77D53A2F 7 Bytes JMP 01AC9DB5 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2024] USER32.dll!EnableScrollBar 77D97BAD 7 Bytes JMP 01AC9D8D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
---- EOF - GMER 1.0.12 ----
________________________________________________________
Please, I do need your help! I cannot stand it anymore.
I cannot launch Ableton to produce music anymore, for instance, and I'm stuck right now and cannot do anything.
For example, Ableton displays this error message when I launch it:
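As an added triage example (not part of the post above, and not code from HijackThis, RootkitRevealer or GMER): a small parser for the two log formats pasted above that separates the noise RootkitRevealer always reports on XP from the entries worth a closer look, and lists which kernel modules are hooking the SSDT in the GMER output. The sample input reuses lines from the logs above plus two constructed entries marked as such (`example_unknown.sys` and its `ZwQueryDirectoryFile` hook); the `KNOWN_HOOKERS` allow-list and the assumption that `cmdmon.sys` belongs to the COMODO firewall the post lists are mine.

```python
"""Triage helper for RootkitRevealer and GMER text output (added example)."""
import re
from dataclasses import dataclass

# Sample RootkitRevealer lines copied from the post above (the dates are as printed there).
RKR_SAMPLE = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/8/2098 11:50 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 6/8/2098 4:41 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Administrator\Local Settings\Temp\jmzrff.exe 6/8/2098 4:42 PM 52.00 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\mkwdnh.exe 2/22/2007 11:43 AM 52.00 KB Visible in Windows API, but not in MFT or directory index.
H: 0 bytes Error mounting volume
"""

# Sample GMER "System" section: three lines from the post plus one CONSTRUCTED line
# (example_unknown.sys) to show how an unlisted hooker is surfaced.
GMER_SAMPLE = r"""
---- System - GMER 1.0.12 ----
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\example_unknown.sys ZwQueryDirectoryFile
"""

# Allow-list of modules expected to hook the SSDT on this box. Assumption: cmdmon.sys is
# the COMODO Firewall Pro driver, which matches the firewall the post says is installed.
KNOWN_HOOKERS = {"cmdmon.sys": "COMODO Firewall Pro (assumed from the post's process list)"}


@dataclass
class Finding:
    path: str
    size: str
    description: str
    severity: str  # "high", "review", "expected" or "info"


# Two line shapes appear in RootkitRevealer output:
#   "<path> <m/d/yyyy> <h:mm AM|PM> <size> <description>"  and  "<path> <size> <description>"
_RKR_DATED = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB)) (?P<desc>.+)$")
_RKR_PLAIN = re.compile(r"^(?P<path>.+?) (?P<size>[\d.]+ (?:bytes|KB|MB)) (?P<desc>.+)$")
_SSDT = re.compile(r"^SSDT (?P<module>\S+) (?P<func>Zw\w+)$")

# Registry values that change while the scan runs, so the API view and the raw hive
# view differ without anything being hidden.
_VOLATILE_KEYS = ("\\Cryptography\\RNG\\Seed", "\\Prefetcher\\TracesProcessed")


def classify(path: str, desc: str) -> str:
    """Map a RootkitRevealer discrepancy to a triage bucket."""
    if desc.startswith("Hidden from Windows API"):
        return "high"      # raw volume holds a file the Windows API cannot see
    if desc.startswith("Visible in Windows API, but not in MFT"):
        return "review"    # often a temp file created/deleted between the two passes
    if desc.startswith("Key name contains embedded nulls") and "\\SECURITY\\Policy\\Secrets\\SA" in path:
        return "expected"  # SAC*/SAI* keys are documented as expected on stock XP
    if desc.startswith("Data mismatch") and any(k in path for k in _VOLATILE_KEYS):
        return "expected"
    if desc.startswith("Error mounting volume"):
        return "info"      # e.g. an empty removable drive letter
    return "review"


def triage_rkr(text: str) -> list:
    """Parse RootkitRevealer lines; unknown line shapes are skipped, not guessed at."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _RKR_DATED.match(line) or _RKR_PLAIN.match(line)
        if not m:
            continue
        path, size, desc = m.group("path"), m.group("size"), m.group("desc")
        findings.append(Finding(path, size, desc, classify(path, desc)))
    return findings


def summarize_ssdt(text: str) -> dict:
    """Group GMER SSDT hook lines by the module that owns the hook."""
    hooks = {}
    for raw in text.splitlines():
        m = _SSDT.match(raw.strip())
        if m:
            hooks.setdefault(m.group("module"), []).append(m.group("func"))
    return hooks


def unknown_ssdt_hookers(text: str, known_modules) -> list:
    """Modules hooking the SSDT whose file name is not on the allow-list."""
    known = {k.lower() for k in known_modules}
    return sorted(mod for mod in summarize_ssdt(text)
                  if mod.rsplit("\\", 1)[-1].lower() not in known)


if __name__ == "__main__":
    for f in triage_rkr(RKR_SAMPLE):
        print(f"[{f.severity:8}] {f.path}  ({f.size}) {f.description}")
    for module, funcs in summarize_ssdt(GMER_SAMPLE).items():
        print(f"SSDT hooks by {module}: {', '.join(funcs)}")
    print("Unlisted SSDT hookers:", unknown_ssdt_hookers(GMER_SAMPLE, KNOWN_HOOKERS))
```

On the post's own data the helper leaves the Secrets, RNG seed and prefetcher lines as expected noise and puts the one "Hidden from Windows API" temp file at the top of the list; every SSDT hook in the GMER section belongs to the same driver, so with `cmdmon.sys` on the allow-list nothing unlisted is reported.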