A-squared Problems


66 replies to this topic

#1 computerclueless

computerclueless

  • Members
  • 79 posts

Posted 13 February 2006 - 11:09 PM

Well, I updated and ran my a-squared program and I got the following 16 things:


Object Diagnosis
C:\WINDOWS\system32\$sys$filesystem Trace.Directory.XCP.Sony.Rootkit
C:\WINDOWS\cdproxyserv.exe Trace.File.XCP.Sony.Rootkit
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$aries Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$aries --> nextinstance Trace.Registry.XCP.Sony.Rootkit
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$drmserver Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$drmserver --> nextinstance Trace.Registry.XCP.Sony.Rootkit
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cd_proxy Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cd_proxy --> nextinstance Trace.Registry.XCP.Sony.Rootkit
C:\WINDOWS\system32\$sys$filesystem Trace.Directory.XCP.Sony.Rootkit
C:\WINDOWS\cdproxyserv.exe Trace.File.XCP.Sony.Rootkit
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$aries Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$aries --> nextinstance Trace.Registry.XCP.Sony.Rootkit
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$drmserver Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$drmserver --> nextinstance Trace.Registry.XCP.Sony.Rootkit
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cd_proxy Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cd_proxy --> nextinstance Trace.Registry.XCP.Sony.Rootkit

Well, I removed the selected objects, but they kept coming back! When I tried to delete them, the computer won't let me. None of my other programs (Symantec, Spybot - Search & Destroy, Ad-Aware, and Ewido) and when I cleaned up my computer with CCleaner, it still came up. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:09:03 PM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

Can someone please help me?
"I'm computer clueless. I seriously am. So clueless, in fact, when I first got my computer, I couldn't figure out how to turn it off for an hour. I mean, come on, how is someone like me going to look for the button to turn off the computer on the Start Menu?" - Personal Quote


#2 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,574 posts
  • Gender:Female
  • Location:LocalHost

Posted 13 February 2006 - 11:55 PM

I'm no expert, but I see SONY ROOTKIT and you will need real EXPERTS for help.
In the meantime take a peek here
http://www.bleepingcomputer.com/forums/t/35464/sony-xpc-rootkit-key-info-list-of-52-cds/

#3 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 14 February 2006 - 05:08 AM

Here is the self help removal tool if you need it:
http://www.bleepingcomputer.com/forums/t/34904/how-to-remove-the-sony-drm-rootkit/

David

#4 computerclueless

computerclueless
  • Topic Starter

  • Members
  • 79 posts

Posted 14 February 2006 - 05:36 PM

According to the self-help guide that was put up, I don't have the program, which I don't get. But anyway, how do I fix this? I got the Symantec removal tool but it didn't find anything. How can I get it out of my system without crashing my computer? Here's my new A-squared report (four items are gone for some strange reason...)

Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$aries Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$aries --> nextinstance Trace.Registry.XCP.Sony.Rootkit
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$drmserver Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$drmserver --> nextinstance Trace.Registry.XCP.Sony.Rootkit
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cd_proxy Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cd_proxy --> nextinstance Trace.Registry.XCP.Sony.Rootkit
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$aries Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$aries --> nextinstance Trace.Registry.XCP.Sony.Rootkit
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$drmserver Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$drmserver --> nextinstance Trace.Registry.XCP.Sony.Rootkit
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cd_proxy Trace.Registry.XCP.Sony.Rootkit
Value: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cd_proxy --> nextinstance

And here's my HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 6:25:00 PM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\a2 Free\a2start.exe

Edited by computerclueless, 14 February 2006 - 06:25 PM.


#5 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 15 February 2006 - 04:15 AM

Ooops.

Edited by D-Trojanator, 15 February 2006 - 04:17 AM.


#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 15 February 2006 - 04:18 AM

Edit out also.
Wrong information.

Edited by D-Trojanator, 15 February 2006 - 05:52 AM.


#7 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • Gender:Male

Posted 15 February 2006 - 06:32 AM

Hi computerclueless,

What you perceive to be the Sony Rootkit is actually the XCP copy protection scheme used by Sony. This is not the rootkit. The rootkit is the file Aries.dll that hides everything that starts with $sys$. By running the uninstaller from Symantec you killed the rootkit, but not XCP.

We can get that out of here but it would require you to follow instructions to the letter. By not doing this you can, and will, sever all connections to any CD/DVD drive on your system, resulting in a complete reformat and installation of everything that is on the computer. Also be aware that in many countries it is against the law to interfere with copy protection schemes, so you may be breaking the law as well.

The first question is this: Do you still have access to your CD/DVD drives?

Furthermore, can you post a complete log from HijackThis? You seem to have only posted the process list. That will not be sufficient to get other malware off your system.

#8 computerclueless

computerclueless
  • Topic Starter

  • Members
  • 79 posts

Posted 15 February 2006 - 06:59 PM

Thanks for answering Bobbi Flekman!

Well, yes, I only have a CD drive, I don't have a DVD one. It opens and closes, but it won't play the music on it.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:59:01 PM, on 2/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Musicmatch\Musicmatch Update\MMUpdateMgr.exe
C:\Documents and Settings\Sara\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Thanks once again for replying, and I await your further instructions.

#9 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • Gender:Male

Posted 16 February 2006 - 06:49 AM

Well, yes, I only have a CD drive, I don't have a DVD one. It opens and closes, but it won't play the music on it.

Does this mean that you can see the drive in Windows Explorer? If the system is out of whack thanks to this, you cannot see or access the drive through Windows. In short, open Windows Explorer and check to see if the CD drive is there.

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 16 February 2006 - 12:38 PM

Also, if the DRM was removed and you're running a CD that required the DRM, like the one that installed this (Sony label), then the CD won't play. Can you play any other CDs in the CD-ROM player?

#11 computerclueless

computerclueless
  • Topic Starter

  • Members
  • 79 posts

Posted 16 February 2006 - 04:04 PM

Also, if the DRM was removed and you're running a CD that required the DRM, like the one that installed this (Sony label), then the CD won't play. Can you play any other CDs in the CD-ROM player?


No, I can't.

#12 computerclueless

computerclueless
  • Topic Starter

  • Members
  • 79 posts

Posted 16 February 2006 - 04:11 PM

Okay, I'll put this as best I can. I put a music CD in, clicked my computer and it didn't come up. I put in a different music CD, repeated, but still nothing. Then I tried a disc with just a normal file on it and still nothing. Is this bad? Have I completely lost hope of fixing this?

#13 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • Gender:Male

Posted 17 February 2006 - 06:02 AM

Okay, I'll put this as best I can. I put a music CD in, clicked my computer and it didn't come up. I put in a different music CD, repeated, but still nothing. Then I tried a disc with just a normal file on it and still nothing. Is this bad? Have I completely lost hope of fixing this?

Nope... This means that you have already killed the link to your CD drive.... Let's get your CD back online.

Launch Notepad, and copy/paste the box below into a new text file. Save it as Options.txt on your Desktop.

RegSearch Options File

[Search]
$sys$
[Exclude]

[Options]
Filter=KVDLUI


Download Registry Search and extract it. Double-click the icon to run it and click on "Import...". Select the file you created above. Click "OK" and Registry Search will search the Registry and report what it finds. Post that here.

Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

dir c:\$sys$*.* /s /a h > files.txt
notepad files.txt

Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

#14 computerclueless

computerclueless
  • Topic Starter

  • Members
  • 79 posts

Posted 17 February 2006 - 03:15 PM

Here is the registry searcher:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.0.1

; Results at 2/17/2006 3:09:41 PM for strings:
; '$sys$'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM]
"C:\\WINDOWS\\system32\\$sys$filesystem\\crater.sys[MofResource]"="LowDateTime:1962037760,HighDateTime:29671815***Binary mof compiled successfully"
"C:\\WINDOWS\\System32\\Drivers\\$sys$crater.SYS"="LowDateTime:0,HighDateTime:0***Binary mof failed, see WMIPROV.LOG"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE]
"C:\\WINDOWS\\system32\\$sys$filesystem\\crater.sys[MofResource]"="LowDateTime:1962037760,HighDateTime:29671815***Binary mof compiled successfully"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
; Contents of value:
; SysSetup.Dll,StorageCoInstaller
; SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom
; $sys$caj.dll,CoInstallCdrom
;
"{4D36E965-E325-11CE-BFC1-08002BE10318}"=hex(7):53,79,73,53,65,74,75,70,2e,44,\
6c,6c,2c,53,74,6f,72,61,67,65,43,6f,49,6e,73,74,61,6c,6c,65,72,00,53,79,73,\
53,65,74,75,70,2e,44,6c,6c,2c,43,72,69,74,69,63,61,6c,44,65,76,69,63,65,43,\
6f,49,6e,73,74,61,6c,6c,65,72,00,24,73,79,73,24,63,61,6a,2e,64,6c,6c,2c,43,\
6f,49,6e,73,74,61,6c,6c,43,64,72,6f,6d,00,00
; Contents of value:
; $sys$caj.dll,CoInstallPC
;
"{FF646F80-8DEF-11D2-9449-00105A075F6B}"=hex(7):24,73,79,73,24,63,61,6a,2e,64,\
6c,6c,2c,43,6f,49,6e,73,74,61,6c,6c,50,43,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\CdRomHL-DT-ST_CD-RW_GCE-8487B________________F109____\5&145a0a8f&0&0.0.0]
; Contents of value:
; $sys$crater
; imapi
;
"LowerFilters"=hex(7):24,73,79,73,24,63,72,61,74,65,72,00,69,6d,61,70,69,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCIIDE\IDEChannel\4&2351db4e&0&1]
; Contents of value:
; $sys$cor
;
"UpperFilters"=hex(7):24,73,79,73,24,63,6f,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$ARIES]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$ARIES\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$ARIES\0000]
"Service"="$sys$aries"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$ARIES\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$DRMSERVER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$DRMSERVER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$DRMSERVER\0000]
"Service"="$sys$DRMServer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$LIM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$LIM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$LIM\0000]
"Service"="$sys$lim"
"DeviceDesc"="$sys$lim"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$OCT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$OCT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$OCT\0000]
"Service"="$sys$oct"
"DeviceDesc"="$sys$oct"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\CoDeviceInstallers]
; Contents of value:
; SysSetup.Dll,StorageCoInstaller
; SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom
; $sys$caj.dll,CoInstallCdrom
;
"{4D36E965-E325-11CE-BFC1-08002BE10318}"=hex(7):53,79,73,53,65,74,75,70,2e,44,\
6c,6c,2c,53,74,6f,72,61,67,65,43,6f,49,6e,73,74,61,6c,6c,65,72,00,53,79,73,\
53,65,74,75,70,2e,44,6c,6c,2c,43,72,69,74,69,63,61,6c,44,65,76,69,63,65,43,\
6f,49,6e,73,74,61,6c,6c,65,72,00,24,73,79,73,24,63,61,6a,2e,64,6c,6c,2c,43,\
6f,49,6e,73,74,61,6c,6c,43,64,72,6f,6d,00,00
; Contents of value:
; $sys$caj.dll,CoInstallPC
;
"{FF646F80-8DEF-11D2-9449-00105A075F6B}"=hex(7):24,73,79,73,24,63,61,6a,2e,64,\
6c,6c,2c,43,6f,49,6e,73,74,61,6c,6c,50,43,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\IDE\CdRomHL-DT-ST_CD-RW_GCE-8487B________________F109____\5&145a0a8f&0&0.0.0]
; Contents of value:
; $sys$crater
; imapi
;
"LowerFilters"=hex(7):24,73,79,73,24,63,72,61,74,65,72,00,69,6d,61,70,69,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\PCIIDE\IDEChannel\4&2351db4e&0&1]
; Contents of value:
; $sys$cor
;
"UpperFilters"=hex(7):24,73,79,73,24,63,6f,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$ARIES]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$ARIES\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$ARIES\0000]
"Service"="$sys$aries"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$ARIES\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$DRMSERVER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$DRMSERVER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$DRMSERVER\0000]
"Service"="$sys$DRMServer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$LIM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$LIM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$LIM\0000]
"Service"="$sys$lim"
"DeviceDesc"="$sys$lim"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$OCT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$OCT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$OCT\0000]
"Service"="$sys$oct"
"DeviceDesc"="$sys$oct"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
; Contents of value:
; SysSetup.Dll,StorageCoInstaller
; SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom
; $sys$caj.dll,CoInstallCdrom
;
"{4D36E965-E325-11CE-BFC1-08002BE10318}"=hex(7):53,79,73,53,65,74,75,70,2e,44,\
6c,6c,2c,53,74,6f,72,61,67,65,43,6f,49,6e,73,74,61,6c,6c,65,72,00,53,79,73,\
53,65,74,75,70,2e,44,6c,6c,2c,43,72,69,74,69,63,61,6c,44,65,76,69,63,65,43,\
6f,49,6e,73,74,61,6c,6c,65,72,00,24,73,79,73,24,63,61,6a,2e,64,6c,6c,2c,43,\
6f,49,6e,73,74,61,6c,6c,43,64,72,6f,6d,00,00
; Contents of value:
; $sys$caj.dll,CoInstallPC
;
"{FF646F80-8DEF-11D2-9449-00105A075F6B}"=hex(7):24,73,79,73,24,63,61,6a,2e,64,\
6c,6c,2c,43,6f,49,6e,73,74,61,6c,6c,50,43,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomHL-DT-ST_CD-RW_GCE-8487B________________F109____\5&145a0a8f&0&0.0.0]
; Contents of value:
; $sys$crater
; imapi
;
"LowerFilters"=hex(7):24,73,79,73,24,63,72,61,74,65,72,00,69,6d,61,70,69,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCIIDE\IDEChannel\4&2351db4e&0&1]
; Contents of value:
; $sys$cor
;
"UpperFilters"=hex(7):24,73,79,73,24,63,6f,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$ARIES]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$ARIES\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$ARIES\0000]
"Service"="$sys$aries"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$ARIES\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$DRMSERVER]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$DRMSERVER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$DRMSERVER\0000]
"Service"="$sys$DRMServer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$LIM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$LIM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$LIM\0000]
"Service"="$sys$lim"
"DeviceDesc"="$sys$lim"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$OCT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$OCT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$OCT\0000]
"Service"="$sys$oct"
"DeviceDesc"="$sys$oct"

[HKEY_USERS\S-1-5-21-322178578-492858288-3111900784-1007\Software\$sys$reference]

; End Of The Log...

And here's the other:

Volume in drive C has no label.
Volume Serial Number is D07D-CF36
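As an added example that is not part of this thread (neither RegSearch's code nor any participant's): a small Python parser for the REGEDIT4-style report that RegSearch produced above. It rejoins the backslash-wrapped hex(7) lines, decodes each REG_MULTI_SZ payload into its strings, and lists the LowerFilters/UpperFilters entries under Enum that name a $sys$ driver; a filter driver that stays listed after its .sys file has been deleted is what keeps a device stack such as the CD-ROM from starting. The embedded sample report is a constructed, trimmed copy of the shape of the posted log, with shortened device-instance paths.

```python
import re

# Constructed sample report: a trimmed copy of the shape of the RegSearch
# output posted in this thread (REGEDIT4 format, hex(7) values wrapped with
# trailing backslashes). Device-instance paths are shortened placeholders.
SAMPLE_REPORT = r"""REGEDIT4

; Registry Search 2.0 by Bobbi Flekman 2005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
; Contents of value:
; $sys$caj.dll,CoInstallPC
;
"{FF646F80-8DEF-11D2-9449-00105A075F6B}"=hex(7):24,73,79,73,24,63,61,6a,2e,64,\
6c,6c,2c,43,6f,49,6e,73,74,61,6c,6c,50,43,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRom_EXAMPLE\5&0&0]
; Contents of value:
; $sys$crater
; imapi
;
"LowerFilters"=hex(7):24,73,79,73,24,63,72,61,74,65,72,00,69,6d,61,70,69,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCIIDE\IDEChannel\4&1]
; Contents of value:
; $sys$cor
;
"UpperFilters"=hex(7):24,73,79,73,24,63,6f,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$ARIES\0000]
"Service"="$sys$aries"
"""

FILTER_VALUES = ("LowerFilters", "UpperFilters")


def _join_continuations(text):
    """Rejoin value lines that REGEDIT4 wrapped with a trailing backslash."""
    return re.sub(r"\\\r?\n[ \t]*", "", text)


def decode_multi_sz(hex_payload, encoding="cp1252"):
    """Decode a hex(7) payload ('24,73,...,00,00') into a list of strings.
    REGEDIT4 stores REG_MULTI_SZ as single-byte ANSI text: every string is
    NUL-terminated and the list ends with one extra NUL (hence the 00,00)."""
    raw = bytes(int(b, 16) for b in hex_payload.split(",") if b.strip())
    return [p.decode(encoding) for p in raw.split(b"\x00") if p]


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for REGEDIT4 text.
    Quoted strings stay str, hex(7) values become lists of str; RegSearch's
    ';' preview comments and blank lines are skipped."""
    keys, current = {}, None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(?P<name>[^"]+)"=(?P<val>.*)$', line)
        if not m or current is None:
            continue
        name, val = m.group("name"), m.group("val")
        if val.startswith("hex(7):"):
            keys[current][name] = decode_multi_sz(val[len("hex(7):"):])
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            keys[current][name] = val[1:-1]
        else:
            keys[current][name] = val
    return keys


def find_xcp_filter_entries(keys, marker="$sys$"):
    """List (key, value_name, driver) for each LowerFilters/UpperFilters entry
    under an Enum key that names a $sys$ driver. A filter listed here whose
    .sys file has been deleted keeps the device stack (the CD-ROM) from
    starting, which matches the vanished drive in this thread."""
    hits = []
    for key, values in keys.items():
        if "\\Enum\\" not in key:
            continue
        for vname in FILTER_VALUES:
            for drv in values.get(vname, []):
                if drv.lower().startswith(marker):
                    hits.append((key, vname, drv))
    return hits


if __name__ == "__main__":
    for key, vname, drv in find_xcp_filter_entries(parse_reg_export(SAMPLE_REPORT)):
        print(f"{vname:13s} {drv:12s} {key}")
```

Fed the full report posted above instead of the sample, the same two filters ($sys$crater in LowerFilters, $sys$cor in UpperFilters) show up under ControlSet001, ControlSet003 and CurrentControlSet.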

#15 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • Gender:Male

Posted 18 February 2006 - 12:36 PM

I'm sorry, but I forgot a few other entries I need from the Registry. We know that A2 killed off all the files, leaving you without the CD.

Launch Notepad, and copy/paste the box below into a new text file. Save it as Options.txt on your Desktop.

RegSearch Options File

[Search]
$sys$
ECDDiskProducer
SonyBMG
crater
aries
qwap

[Exclude]

[Options]
Filter=KVDLUI

Run RegSearch, import this file, run it and post the report. After that I'll be going over my references as to what needs to be changed.

Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

dir c:\$sys$*.* /s /a h > 1.txt
dir c:\aries*.* /s /a h > 2.txt
dir c:\crater*.* /s /a h > 3.txt
dir c:\CDProxyServ*.* /s /a h > 4.txt
copy 1.txt+2.txt+3.txt+4.txt files.txt
del /q 1.txt
del /q 2.txt
del /q 3.txt
del /q 4.txt
notepad files.txt
del /q files.txt

Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.