Hi guys
Please could you check out my HJT log? And also i was reading about Sony's rootkits in their DRM cds. It looks like they put one on my computer, but there doesn't seem to be an easy way to get rid of it. I'm waiting on a response from Sony but if any knows how to do it that'd be much appreciated. So here are the 2 logs.
Logfile of HijackThis v1.99.1
Scan saved at 12:42:02, on 03/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Mouse\Amoumain.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.scan.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126782964750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126786322859
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag3313.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
HKLM\SOFTWARE\$sys$reference 10/18/2005 10:28 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$aries 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$cor 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$crater 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$DRMServer 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$aries 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$cor 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$crater 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$DRMServer 11/3/2005 10:46 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\$sys$caj.dll 10/18/2005 10:27 88.00 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem 10/18/2005 10:28 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe 10/18/2005 10:27 300.00 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\$sys$parking 10/18/2005 10:28 2.26 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\aries.sys 10/18/2005 10:27 6.50 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\crater.sys 10/18/2005 10:27 11.63 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\DbgHelp.dll 10/18/2005 10:27 747.50 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\lim.sys 10/18/2005 10:27 17.50 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\oct.sys 10/18/2005 10:27 11.75 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\Unicows.dll 10/18/2005 10:27 240.65 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$upgtool.exe 10/18/2005 10:27 76.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\$sys$cor.sys 10/18/2005 10:27 18.00 KB Hidden from Windows API.
Please could you check out my HJT log? And also i was reading about Sony's rootkits in their DRM cds. It looks like they put one on my computer, but there doesn't seem to be an easy way to get rid of it. I'm waiting on a response from Sony but if any knows how to do it that'd be much appreciated. So here are the 2 logs.
Logfile of HijackThis v1.99.1
Scan saved at 12:42:02, on 03/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Mouse\Amoumain.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.scan.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126782964750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126786322859
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag3313.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
HKLM\SOFTWARE\$sys$reference 10/18/2005 10:28 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$aries 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$cor 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$crater 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\$sys$DRMServer 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$aries 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$cor 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$crater 11/3/2005 10:46 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\$sys$DRMServer 11/3/2005 10:46 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\$sys$caj.dll 10/18/2005 10:27 88.00 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem 10/18/2005 10:28 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe 10/18/2005 10:27 300.00 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\$sys$parking 10/18/2005 10:28 2.26 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\aries.sys 10/18/2005 10:27 6.50 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\crater.sys 10/18/2005 10:27 11.63 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\DbgHelp.dll 10/18/2005 10:27 747.50 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\lim.sys 10/18/2005 10:27 17.50 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\oct.sys 10/18/2005 10:27 11.75 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$filesystem\Unicows.dll 10/18/2005 10:27 240.65 KB Hidden from Windows API.
C:\WINDOWS\system32\$sys$upgtool.exe 10/18/2005 10:27 76.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\$sys$cor.sys 10/18/2005 10:27 18.00 KB Hidden from Windows API.
