ComputerForum.com
11-03-2005, 01:54 PM   #1
Bronze Member
 
Join Date: Oct 2005
Location: London
Age: 25
Posts: 25
HijackThis Log and Rootkit Reveal

Hi guys

Please could you check out my HJT log? Also, I was reading about Sony's rootkits in their DRM CDs. It looks like they put one on my computer, but there doesn't seem to be an easy way to get rid of it. I'm waiting on a response from Sony, but if anyone knows how to do it that'd be much appreciated. So here are the 2 logs.

Logfile of HijackThis v1.99.1
Scan saved at 12:42:02, on 03/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Mouse\Amoumain.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.scan.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/Cl.../OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126782964750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126786322859
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag3313.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.co...x/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

HKLM\SOFTWARE\$sys$reference 10/18/2005 10:28 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$aries 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$cor 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$crater 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$DRMServer 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$aries 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$cor 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$crater 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$DRMServer 11/3/2005 10:46 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\$sys$caj.dll 10/18/2005 10:27 88.00 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem 10/18/2005 10:28 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe 10/18/2005 10:27 300.00 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\$sys$parking 10/18/2005 10:28 2.26 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\aries.sys 10/18/2005 10:27 6.50 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\crater.sys 10/18/2005 10:27 11.63 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\DbgHelp.dll 10/18/2005 10:27 747.50 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\lim.sys 10/18/2005 10:27 17.50 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\oct.sys 10/18/2005 10:27 11.75 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\Unicows.dll 10/18/2005 10:27 240.65 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$upgtool.exe 10/18/2005 10:27 76.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\$sys$cor.sys 10/18/2005 10:27 18.00 KB Hidden from Windows API.
__________________
Windows MCE 2005
Asus K8N-E Deluxe
Athlon 64 3700+
Corsair XMS 2GB [2x1GB]
SATA Maxtor Diamondmax 200GB
XFX GeForce 7800GS XT 256MB
woody


11-03-2005, 02:26 PM   #2
Digaredd

Join Date: May 2005
Location: Melbourne AU
Posts: 6,104

There are ways to remove the rootkit, but doing it could render your CD player unusable. Best to get it from Sony. Did you use this link?
http://cp.sonybmg.com/xcp/english/form14.html
__________________
The Grim Reaper - Son of Glyndwr
"To Hell or Connacht" may you burn in Hell tonight!
Buzz1927
11-03-2005, 02:34 PM   #3
Bronze Member
 
Join Date: Oct 2005
Location: London
Age: 25
Posts: 25

Hi Buzz

Yeah, I'm in the process of getting it done with Sony. Bloody DRM!

Is the HJT alright?
woody
11-03-2005, 02:46 PM   #4
Digaredd

Join Date: May 2005
Location: Melbourne AU
Posts: 6,104

Hey woody.

Your log's ok.

Fix these:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)


And delete the file, if it's still there.
C:\WINDOWS\web\related.htm
Buzz1927
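As an added example (not code from this thread, HijackThis or RootkitRevealer), here is a small Python triage script that applies the checks Buzz applied above to both log formats: HijackThis entries ending in "(file missing)" or O23 services with an unknown owner, and RootkitRevealer discrepancies hidden from the Windows API, where a "$sys$" prefix on the hidden object is the cloaking pattern of Sony's XCP driver. The sample lines are taken from the logs posted above, except for one constructed hidden DLL added to show that "hidden" alone is only a lead for manual review.

```python
import re

# Sample HijackThis lines constructed from the log posted above.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# RootkitRevealer lines: two from the thread plus one constructed non-$sys$ entry.
RKR_LOG = r"""
HKLM\SYSTEM\ControlSet002\Services\$sys$aries 11/3/2005 10:46 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\$sys$cor.sys 10/18/2005 10:27 18.00 KB Hidden from Windows API.
C:\WINDOWS\system32\example_hidden.dll 11/3/2005 10:50 12.00 KB Hidden from Windows API.
"""

HJT_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RKR_RE = re.compile(r"^(?P<path>.+?) \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} "
                    r"(?P<size>[\d.]+ (?:bytes|KB|MB)) (?P<status>.+)$")

def triage_hjt(log):
    """Return (section, reason, line) for HJT entries that deserve a second look."""
    findings = []
    for line in log.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        if body.endswith("(file missing)"):      # orphaned entry: safe to let HJT fix
            findings.append((m.group("section"), "orphaned entry", line))
        elif m.group("section") == "O23" and "Unknown owner" in body:
            findings.append((m.group("section"), "service without vendor", line))
    return findings

def triage_rkr(log):
    """Return (verdict, path) for RootkitRevealer discrepancies hidden from the Windows API."""
    findings = []
    for line in log.splitlines():
        m = RKR_RE.match(line.strip())
        if not m or not m.group("status").startswith("Hidden from Windows API"):
            continue
        path = m.group("path")
        # XCP's cloaking driver hides every object whose name starts with "$sys$",
        # so that prefix on a hidden object is the tell-tale; anything else needs a manual look.
        verdict = "xcp-cloaked" if "$sys$" in path else "hidden-review"
        findings.append((verdict, path))
    return findings
```

Calling triage_hjt(HJT_LOG) returns the two O9 lines Buzz told woody to fix plus the unknown-owner XCP service, and triage_rkr(RKR_LOG) labels the two $sys$ objects as XCP-cloaked and the constructed DLL as needing review.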