HijackThis log assistance please

By hanaleia
Jun 22, 2006
Topic Status:
Not open for further replies.
  1. Please check my HJT log. I think I have some malware or viruses or something. My computer is slow and I noticed some weird programs running in Task Manager like $sys$DRMServer.exe and CDProxyServ.exe. I ran my AVG and found multiple trojans in the quarantine vault. I deleted them from the vault, then I ran all my spyware protection stuff (Ad-Aware, Spybot, XoftSpy). I found some spyware, but then Windows Defender popped up and said I should block F41Rootkit, but when I did my CD and DVD burner disappeared from MY COMPUTER. In Device Manager they now show up with a yellow exclamation point over them. I tried to uninstall and reinstall (Add Hardware wizard) and I get the message "Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)". I still have not figured out what to do.
    I ran the online scanners as suggested first, and they said I had viruses in some Restore files and in Firefox (I saved the reports). I think they were able to remove them, because when I ran AVG again they were not there.
    I have an old copy (from last year) of HijackThis from when everything was just fine, and there are some odd things showing up now. Could you please help me? Attached is a copy of the HijackThis file. If a copy of the Kaspersky and BitDefender reports would be helpful, let me know (Trend Micro could not find anything). I also ran RootkitRevealer, and all it said was that there was a data mismatch between the Windows API and raw hive data. Thank you so much for your help with this.
    Sherry
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your system is infected with the Sony DRM rootkit.

    Go HERE and download and run this removal tool. Follow the instructions.

    Then, post a fresh HJT log.

    Regards Howard :)
  3. hanaleia

    hanaleia Newcomer, in training Topic Starter Posts: 43

    Fresh HJT log

    Thanks for your swift help! I ran aries remover and have attached the new log. Sherry
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    It doesn't look like that has worked.

    Go HERE and download and run the Microsoft Malicious Software Removal Tool. Hopefully that'll kill it.

    Follow the instructions carefully.

    Then post a fresh HJT log.

    Regards Howard :)
  5. tomrca

    tomrca Newcomer, in training Posts: 1,051

    Found this here: http://www.f-secure.com/v-descs/xcp_drm.shtml
    It is only a snip of it. Don't know how up to date it is though.

    Removing

    Uninstallation of the DRM software can currently only be done by sending an uninstallation request to Sony through their customer support. The form can be found here:

    http://cp.sonybmg.com/xcp/english/form14.html

    Sony has also released an update that disables the hiding features. The updates can be found here:

    http://cp.sonybmg.com/xcp/english/updates.html

    Please note that the uninstallation of the software will require using Internet Explorer and accepting an ActiveX component that might pose additional security problems. The uncloaking update is also available as a standalone executable. This update will not uninstall the whole DRM software but the software will no longer be hidden.
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Thanks for the info tomrca.

    Regards Howard :)
  7. hanaleia

    hanaleia Newcomer, in training Topic Starter Posts: 43

    You guys rock!

    Thanks both of you for your help. tomrca, the Sony uninstall went great and I even have both my ROMs back showing up in MY COMPUTER again. You guys are the Knights in Shining Armor of Cyberspace. Tell me where to send my donation. Hooah! Thanks again!
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    No donation necessary lol.

    Glad we could help.

    I'd still like you to post a fresh HJT log, as the Sony DRM rootkit wasn't your only problem.

    Regards Howard :)
  9. hanaleia

    hanaleia Newcomer, in training Topic Starter Posts: 43

    Fresh HJT log

    Thanks for checking this again. Oh, and did I tell you you guys rock?
    Sherry
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = mozilla.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = mozilla.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx

    Click on the fix checked button.

    Close HJT.

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.


    Regards Howard :)
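    As an added example (not part of this thread and not HijackThis's own code), here is a small Python parser for the R0/R1 and O16 entry formats quoted above, with a review step that picks out the entries an analyst would tick. The "expected page" values and the hosts whose DPF controls should be kept are assumptions the analyst supplies per case.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: entries of the kinds Howard asked HJT to fix in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = mozilla.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
"""

# R0/R1: "<kind> - <hive\key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK\w+\\[^,]+),([^=]+?) = (.*)$")
# O16: "O16 - DPF: {CLSID} (display name) - <download URL>"
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]+\}) \((.+)\) - (\S+)$", re.I)

@dataclass
class HjtEntry:
    kind: str   # "R0"/"R1" (IE registry settings) or "O16" (downloaded ActiveX, DPF)
    key: str    # registry key path, or the control's CLSID for O16
    name: str   # value name (e.g. "Search Page") or the control's display name
    data: str   # value data, or the URL the control was fetched from

def parse_hjt(text):
    """Extract R0/R1 and O16 entries; other HJT line types are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            entries.append(HjtEntry(m[1], m[2], m[3], m[4]))
        elif m := O16_LINE.match(line):
            entries.append(HjtEntry("O16", m[1], m[2], m[3]))
    return entries

def review(entries, expected_pages, keep_hosts):
    """Return the entries an analyst would tick for removal.

    expected_pages: {value name: data} the user set on purpose (assumption);
    keep_hosts: hosts whose DPF controls should stay; any other O16 entry is
    a leftover download (e.g. an online scanner) that can be removed."""
    to_fix = []
    for e in entries:
        if e.kind in ("R0", "R1") and expected_pages.get(e.name) != e.data:
            to_fix.append(e)
        elif e.kind == "O16" and urlparse(e.data).hostname not in keep_hosts:
            to_fix.append(e)
    return to_fix
```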
  11. hanaleia

    hanaleia Newcomer, in training Topic Starter Posts: 43

    Fresh log

    Thanks again for your help. Attached is the fresh log. A quick question please. I just tried to copy music from My Music to a DVD for backup, and when I start up DVDCopy it says "cannot connect to hardware access layer". This never happened before I had the DRM rootkit, and I suspect it has caused some damage or has something to do with it. Which forum should I post this problem in? Is it a continuation of this thread, or should I start a new one somewhere else? Thanks so much.
    Sherry
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Have HJT fix the following entries.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = mozilla.com (Fix this if you have not set this home page yourself.)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM

    Other than the above, your HJT log is clean.

    As to your music copy problem, try uninstalling and reinstalling your DVDcopy programme. See if that helps.

    If not, open a new thread in the Audio and Video forum.

    Regards Howard :)