Tech Support Guy

Registered · 9 Posts · Discussion Starter · #1
What's up guys, my computer keeps telling me that it can't delete this spyware program called XCP.Sony.Rootkit. I was wondering if there was any way I can find this spyware and delete it myself. Thanks for the help guys, really appreciate it.
 

Registered · 309 Posts
Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

Gone but Never Forgotten · 17,735 Posts
Hi, you might want to read about the Sony "rootkit" a bit.

[webquote=http://www.symantec.com/security_response/writeup.jsp?docid=2005-110615-2710-99&tabid=3]Manual Removal
WARNING: Removing this security risk manually may damage the compromised computer's operating system and may violate the manufacturer's end-user license agreement.

Symantec Security Response strongly recommends installing the software update provided by the manufacturer. The latest version removes the security risk from the compromised computer and replaces it with an updated version of the XCP software. This update is available at the following URL:

http://cp.sonybmg.com/xcp/english/updates.html
[/webquote]

If you do the above fix, that is, get the new updated version from Sony, you should be able to continue to play Sony protected CDs that were made with the old XCP installer.... If you uninstall the XCP you won't be able to play those Sony CDs. (Just letting you know. More info below and in the links.)

[webquote=http://cp.sonybmg.com/xcp/english/updates.html]

CDs containing XCP content protection software developed by First4Internet for SONY BMG may increase the vulnerability of your computer to certain computer viruses. To address these concerns, we are providing you with a software tool for download that offers you two options.

You may either:

Update the XCP software on your computer.
This option installs an update which removes the component of the XCP software that has been the subject of public attention and will alleviate concerns you may have about the software posing potential security vulnerabilities. It will also enable you to continue using the protected disc(s) on your computer. Please note that, if you wish to continue using the content protection software on your computer, you should not only download this software update, but you should check back regularly for the latest updates.

Completely uninstall the XCP software and associated content protection files.
This option will remove all XCP and associated content protection files, including service/processes, registry entries and folders from your computer. Note that once you delete the XCP content protection software, if you wish to play a CD protected with XCP it will be necessary to reinstall the XCP software in accordance with that CD's End User License Agreement after you insert the disc into your computer.

Please note that you must reboot your computer after running the software tool.

Be advised that after running the uninstaller Windows may automatically make a backup of certain XCP associated registry keys. Such backup files are typically pre-pended with 'Legacy_'. The presence of these keys does not indicate that the XCP content protection software has not been successfully removed. These Windows backup files should eventually be deleted as Windows refreshes this backup store.

Note, this uninstaller will not remove the detection tool itself. The detection tool can be deleted manually in the normal manner.

If you have previously uninstalled the XCP software using the Sony BMG customer support website, and you are concerned about security issues relating to the delivery of ActiveX controls, both options will result in the deletion of these controls.

For users who have previously uninstalled XCP software using the uninstaller made available prior to November 18, 2005, we recommend that you run the currently available uninstaller, to eliminate a potential security vulnerability presented by the earlier uninstaller that was brought to our attention.

Please note that uninstalling from your computer the XCP software and associated content protection files loaded from an XCP-protected CD will NOT delete or affect your use of any audio files that you have previously transferred from an XCP-protected CD. Such files remain subject to the digital rights management rules in the End User License Agreement: namely that you may rip the audio into the secure formats provided on the disc, move these tracks to compatible portable devices, and make up to three copies of each track on to CD-Rs.

Please be advised that this program is protected by all applicable intellectual property and unfair competition laws, including patent, copyright and trade secret laws, and that all uses, including reverse engineering, in violation thereof are prohibited.

The XCP software tool is available for download here as an EXECUTABLE (2.3 MB) or ZIP FILE (1.03 MB)[/webquote]

http://news.com.com/Microsoft+will+wipe+Sonys+rootkit/2100-1002_3-5949041.html
 

Registered · 9 Posts · Discussion Starter · #4
Logfile of HijackThis v1.99.1
Scan saved at 4:41:03 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Verizon\Verizon Internet Security Suite\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4881/mcfscan.cab
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
 

Registered · 9 Posts · Discussion Starter · #5
Logfile of HijackThis v1.99.1
Scan saved at 4:58:19 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Verizon\Verizon Internet Security Suite\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4881/mcfscan.cab
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
 

Gone but Never Forgotten · 17,735 Posts
Hi stacker275

Mind if I ask you if you did anything from my reply about the Sony Rootkit, the new update or anything?
 

Registered · 9 Posts · Discussion Starter · #7
Hello Byteman,

No, I have not tried your reply yet. I was going to wait and see if the other one would work, and if not then I was going to give yours a try. I am a little nervous about messing up my computer.
 

Gone but Never Forgotten · 17,735 Posts
Hi, Well, there is no malware showing in your log.

HijackThis is not a remover like SpyBot; it is not automated, we post items for you to remove manually.

It does make backups, but please do NOT attempt to fool around with HijackThis; most of what it shows is good.

Teck is not yet qualified to assist with HJT item removal here at TSG, though for all I know he may be super with fixing malware....
At TSG, anyone with a gold shield next to their TSG username is.

The Sony program, which is actually a form of rootkit, can easily be taken care of by performing the Sony update as I posted.
If there is any part of the steps you question, please respond and I will try to help with it.

The downloadable .exe or .zip file at the Sony link in my previous post is one way to remove the original rootkit that was installed when you first played one of their older CDs; that immediately installed the copy protection software/rootkit, and it will stay there until removed.
I don't know if any of the good security suites or antispyware programs completely or safely remove the rootkit; it is difficult to even spot them by their nature, they hide well.
Sony recalled all those bad CDs, but of course there are some still around....
Only checking your computer will tell you; it looks like you have already found the original rootkit, but I cannot be sure about that until you post something that shows what was found.

Hijackthis does not do that.

If you have XP you have System Restore, and you can put the computer back to before you do anything.

You can make a Restore Point just before you do whatever....

I don't see the SONY XCP thing in your HJT log, but it would be in the program you used to find it originally; can you post the log or the part that shows the Sony XCP?

If you do have the original XCP problem, and then have used the original web update from Sony, that update created a bigger hole than the original rootkit! Sony issued a downloadable .zip file to fix that issue...
If you have NEVER patched the original rootkit, there is some malware that can take advantage of it and it needs to be fixed. I am not sure which XCP issue you have.

Here is how to find out if you did get the XCP Uninstaller (the update Sony first issued to remove their rootkit):

How to search your system for the codesupport files:

Because XP will not always show you hidden files and folders by default, go to Start > Search > Files and Folders, and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

1. Click Start
2. Click Search
3. Search for codesupport in all or part of the filenames
4. Once search finds it, right click and select Remove as directed above.

If you don't find the files, you likely never installed Sony's rootkit removal software.

So that should mean you have the original rootkit itself, and I should be able to help you remove it.
 

Registered · 9 Posts · Discussion Starter · #9
OK, here is what happens: a pop-up alert comes out and says that Verizon Security Suite was unable to delete Sony Rootkit. And I checked the folders for the information that you asked me to check for, and nothing came up. So should I try what you told me to do in the first reply, or should I try something different?
 

Gone but Never Forgotten · 17,735 Posts
Hi, I think you could apply the new fixed version of Sony's downloadable update/remover; however, this looks better:

http://www.lavasoft.com/support/securitycenter/aries_rootkit_remover.php

[webquote=http://www.lavasoft.com/support/securitycenter/aries_rootkit_remover.php]
What does this program do?
The ARIES Rootkit Remover v1.0 is designed to locate and permanently remove the rootkit that was developed by First4Internet and used by Sony BMG to hide their digital rights management (DRM) software. Unlike Sony's own rootkit remover that has been known to cause blue screens, Lavasoft's ARIES Rootkit Remover is a reliable, stand-alone tool.

In fall of 2005, Sony included rootkit-style content protection software on around 4.7 million CDs from over 50 artists worldwide, exposing consumers' computers to security holes. The rootkit, developed by First4Internet, was placed on unsuspecting systems and networks to hide Sony BMG's DRM protection software. According to Sony, about 6 million distributed CDs are currently embedded with this software.

Who should use this program?
Anyone who has purchased Sony BMG CDs in 2005 and 2006 should use this program.

Note: The Lavasoft ARIES Rootkit Remover only removes the ARIES rootkit; it does not affect the DRM software from Sony. Once the ARIES rootkit is removed, you can listen to the CD on your computer without the ARIES rootkit reinstalling. The remover tool will neutralize the ARIES rootkit, but in some cases the tool may report that traces of the rootkit were found the next time you start your computer. This is a result of the Sony DRM functions and does not indicate additional risk, unless the tool reports "ARIES rootkit module detected" again. In this event, please contact our Lavasoft Security Analysts for assistance.[/webquote]

Next: there is this excellent page about the whole deal, with ways to fix it manually as you first wanted to do. And there are two other excellent removal tools posted there. It's way too much material to webquote here, but it also has a way for you to spot which Sony CDs have the old rootkit IN them!

http://www.bleepingcomputer.com/forums/topic34904.html

[webquote=http://www.bleepingcomputer.com/forums/topic34904.html] Table of Contents
How this rootkit affects your computer
CDs that contain this rootkit
How to tell if your CD has the Sony / XCP DRM Rootkit
How to tell if your computer is infected with the Sony / XCP DRM Rootkit
Rootkit removal and detection
Technical Details
"Unfortunately, according to Mark Russinovich of Sysinternals, the way the patch and utilities are removing the rootkit has a small chance of crashing your computer. With that in mind, there is a manual method that is safer to use given below. With any of the provided methods, though, the rootkit will be removed and you will still be able to use the CD on your computer."

[/webquote]
Read down the page; the manual method is under "Rootkit Removal and Detection", then down to "Manual deletion instructions of the DRM rootkit service (Windows XP/2003):"

In the manual removal method, make sure you are typing the command with the exact spaces etc. as in the guide. I would copy and paste it from a Notepad saved text file so you cannot get it wrong.
After you type the command it has, and have rebooted, the directory to go delete the file from would be C:\WINDOWS\system32\$sys$filesystem\aries.sys << delete that file only.
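As an added example (not code from this thread, from HijackThis, or from any tool named here), this Python script parses the HJT log sections seen in the posts above and flags any entry whose name or path sits in the "$sys$" namespace that XCP cloaked, the same namespace as the aries.sys path given above. The sample log is constructed from lines in this thread plus one made-up O23 service line that uses that path; the line layouts are inferred from the posted log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# XCP's cloaking driver hid files, processes, registry keys and services whose
# names begin with this prefix; seeing it in an ordinary HJT log means the
# cloak is no longer active and the leftovers are visible for cleanup.
XCP_HIDDEN_PREFIX = "$sys$"

# Constructed sample: real lines copied from the log posted in this thread plus
# ONE made-up O23 line (service and company names invented) using the aries.sys
# path the thread names, so the check has a positive case to find.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:41:03 PM, on 1/12/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Constructed XCP service (xcp_example) - (constructed) - C:\WINDOWS\system32\$sys$filesystem\aries.sys
"""

_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")  # "<code> - <body>"
_CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# O2/O3/O9 share one layout: "<kind>: <name> - {CLSID} - <path or (no file)>"
_GENERIC = re.compile(r"(?P<kind>[^:]+): (?P<name>.+?) - (?P<clsid>" + _CLSID + r") - (?P<target>.+)$")
_RUN = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")  # O4 Run: "[<value>] <command>"
# O23: "Service: <display name> (<service name>) - <company> - <path>"; the
# parenthesised service name is missing on some lines (iPodService in the thread).
_SERVICE = re.compile(r"Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<company>.+?) - (?P<path>.+)$")


@dataclass
class HjtEntry:
    code: str              # section code: R0, O2, O4, O23, ...
    kind: str              # what the section describes: Run, BHO, Service, ...
    name: str
    clsid: Optional[str]   # only BHO/toolbar/button entries carry one
    target: Optional[str]  # path, URL or command line the entry points at


def parse_entry(line: str) -> Optional[HjtEntry]:
    """Parse one HJT line; header, blank and 'Running processes' lines give None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    if code in ("R0", "R1"):              # "<registry key>,<value> = <data>"
        key, _, data = body.partition(" = ")
        return HjtEntry(code, "IE setting", key, None, data)
    if code == "O4":                      # autostart: Run key or Startup folder
        kind, _, rest = body.partition(": ")
        if kind == "Global Startup":      # "<shortcut>.lnk = <path>"
            name, _, target = rest.partition(" = ")
            return HjtEntry(code, kind, name, None, target)
        r = _RUN.match(rest)
        if r:
            return HjtEntry(code, kind, r["name"], None, r["cmd"])
    if code == "O23":
        s = _SERVICE.match(body)
        if s:
            return HjtEntry(code, "Service", s["name"], None, s["path"])
    g = _GENERIC.match(body)
    if g:
        return HjtEntry(code, g["kind"], g["name"], g["clsid"], g["target"])
    # Unknown layout: keep the raw body so no line is silently dropped.
    return HjtEntry(code, "unparsed", body, None, None)


def executable_from_command(cmd: str) -> str:
    """Return the program an O4 command line actually launches: strip quoting
    and arguments, and for RUNDLL32 return the DLL it loads."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    head, _, rest = cmd.partition(" ")
    if head.upper() == "RUNDLL32.EXE" and rest:
        return rest.split(",")[0].strip('"')
    m = re.match(r"(?P<exe>.+?\.(?:exe|dll|sys))(?:\s|$)", cmd, re.IGNORECASE)
    return m["exe"] if m else head


def is_xcp_cloaked(entry: HjtEntry) -> bool:
    """True if the entry's name or target lives in XCP's $sys$ namespace."""
    haystack = f"{entry.name} {entry.target or ''}".lower()
    return XCP_HIDDEN_PREFIX in haystack


def scan_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def xcp_findings(text: str) -> List[HjtEntry]:
    return [e for e in scan_log(text) if is_xcp_cloaked(e)]


if __name__ == "__main__":
    for e in xcp_findings(SAMPLE_LOG):
        print(f"{e.code} {e.kind}: {e.name} -> {e.target}")
```

An entry in the $sys$ namespace only becomes visible once the cloaking driver is gone, so its absence from a log does not prove the rootkit is absent; the check is for confirming leftovers after removal, not for initial detection.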
 

Registered · 9 Posts · Discussion Starter · #11
Alright, I tried everything you told me to do, but it turns out that my computer is clean. The problem with this is that I still get the pop-up alert, and I was looking at my anti-spyware log for Verizon Security Suite; check this out.

Deleted Spyware      Type            Date deleted
Advertising.com      Spyware cookie  1/7/2007 9:08:53 PM
Advertising.com      Spyware cookie  1/7/2007 9:33:19 PM
DoubleClick          Spyware cookie  1/8/2007 2:28:02 PM
Advertising.com      Spyware cookie  1/8/2007 4:34:05 PM
Advertising.com      Spyware cookie  1/8/2007 7:20:06 PM
DoubleClick          Spyware cookie  1/8/2007 7:20:06 PM
Advertising.com      Spyware cookie  1/10/2007 3:41:12 AM
DoubleClick          Spyware cookie  1/10/2007 3:41:12 AM
DoubleClick          Spyware cookie  1/10/2007 1:17:12 PM
DoubleClick          Spyware cookie  1/12/2007 3:29:49 AM
DoubleClick          Spyware cookie  1/12/2007 11:00:11 AM
DoubleClick          Spyware cookie  1/12/2007 11:06:33 AM
DoubleClick          Spyware cookie  1/12/2007 3:20:33 PM
DoubleClick          Spyware cookie  1/12/2007 4:32:47 PM
DoubleClick          Spyware cookie  1/12/2007 5:57:07 PM
XCP.Sony.Rootkit     Registry        1/13/2007 1:19:15 AM
XCP.Sony.Rootkit     Registry        1/13/2007 1:19:15 AM
XCP.Sony.Rootkit     Registry        1/13/2007 1:19:16 AM
XCP.Sony.Rootkit     Registry        1/13/2007 1:19:16 AM
XCP.Sony.Rootkit     Registry        1/13/2007 1:19:16 AM
XCP.Sony.Rootkit     Registry        1/13/2007 1:19:16 AM
XCP.Sony.Rootkit     Registry        1/13/2007 1:19:16 AM
XCP.Sony.Rootkit     Registry        1/13/2007 1:19:16 AM
XCP.Sony.Rootkit     Registry        1/13/2007 1:19:16 AM
DoubleClick          Spyware cookie  1/13/2007 9:22:08 AM

The log says that it has deleted the rootkit several times. What does that mean? Is it just that Verizon Security Suite is a cheap program? Thanks once again for all your help.
 

Gone but Never Forgotten · 17,735 Posts
Hi, wow, I can't really say why it keeps on getting detected and deleted like that. If you have done the manual method shown at the site I posted, and did not find those things, then I don't see why it should not be completely gone.
Are you reinstalling the Sony XCP stuff by playing one of those older CDs that contain it, and then the Verizon suite finds it again?

If you have checked on BOTH the Service AND deleted the aries file as it shows you, then it should be gone, but maybe Verizon is detecting the REST of the Sony files that ARE left.... That is so you can continue playing those older CDs.... If you remove ALL the Sony stuff you will not be able to play those types of CDs, at least that is how I take the information....

Byteman said:
The remover tool will neutralize the ARIES rootkit, but in some cases the tool may report that traces of the rootkit were found the next time you start your computer
The suite that is finding them could be doing the same thing...I wouldn't worry too much about it.
Yeah, it's confusing!
 