Really Need Expert Help....

Hi…am disgusted to say that I think I finally took a hit that has perhaps damaged my computer and I don’t even know where to begin…

I always try to be careful on the internet and the sites I visit (bill paying and a few music artists’ sites often, and MySpace infrequently), I get my pattern updates regularly every time I connect online, I run SpyBot after every net session, avast is running while online, I don’t click on unknown links or allow untrusted ActiveX controls, but somehow, somewhere I have picked up rootkits and a Win32 bot trojan… >:(

My avast scan has always detected them, I tend to them promptly, and I have either moved them to the Chest or renamed the files in hopes of not crippling my system…

However, after moving files to the Chest on 12/19, I can no longer see or access my CD or DVD drives–drives e: and f:…This worries me because a System Restore (to the last known date I played or burned a CD) has not remedied the situation and my HP Recovery discs are on a CD…and, I realllllly do not want to completely wipe my hard drive clean…

So…

  1. Has anyone heard of or experienced lately a virus or rootkit that blocks the cd and dvd drives simultaneously, and if so, how do you restore the drives…
  2. When I reboot my pc and enter Safemode before Windows loads up, will my CD rom be able to read my recovery discs since I am missing the rom drive accessibility in regular Windows?

Any advice would be greatly appreciated…as I said, I really don’t want to completely wipe my hard drive…I’m wondering if I should take my tower to a professional this time… :-\

Here’s some info about my system and the chest…

HP desktop with 512 MB RAM, XP Home, Svc Pk 2; my Control Panel/System shows a yellow alert on my Secondary IDE Channel, so is this the source for my CD and DVD ROMs? When I try to roll back or update, I get this message: Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)

Am running avast home 4.8 and pattern update 081221-0…

Here’s what is in my Chest and again, thanks for any help you may be able to give me:

7/30/2008 10:07:53 PM SYSTEM 1228 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\CDProxyServ.exe” file.
9/5/2008 11:31:26 AM SYSTEM 1176 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
9/16/2008 10:21:25 AM SYSTEM 1172 Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001.
9/25/2008 3:25:59 PM Owner 1524 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
9/28/2008 3:14:01 PM SYSTEM 1188 Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001.
9/28/2008 7:33:46 PM SYSTEM 1176 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\$sys$caj.dll” file.
9/29/2008 5:20:14 PM SYSTEM 1176 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\$sys$upgtool.exe” file.
11/13/2008 4:28:03 PM SYSTEM 1120 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\$sys$filesystem\crater.sys” file.
12/5/2008 11:16:26 AM SYSTEM 1228 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\$sys$filesystem\crater.sys” file.
12/5/2008 2:05:39 PM Owner 1548 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “c:\windows\system32\drivers\$sys$cor.sys” file.
12/19/2008 3:10:42 PM Owner 1924 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP300\A0070003.dll” file.
12/19/2008 5:09:55 PM Owner 1924 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP301\A0070037.exe” file.
12/19/2008 5:19:21 PM Owner 1924 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP358\A0083111.sys” file.
12/19/2008 7:06:42 PM Owner 1924 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP358\A0083117.sys” file.
12/19/2008 7:14:57 PM Owner 1924 Sign of “Win32:SdBot-gen44 [trj]” has been found in “C:\WINDOWS\Debug\DCPROMO.LOG” file.
12/19/2008 8:04:06 PM Owner 1924 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\WINDOWS\system32\$sys$filesystem\lim.sys” file.

Well I would suggest this could have something to do with it:
7/30/2008 10:07:53 PM SYSTEM 1228 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\CDProxyServ.exe” file.

As it is the only thing that might possibly be related.

Check this out, http://www.bleepingcomputer.com/startups/CDProxyServ.exe-13346.html as it points to this being a rootkit, but it was installed by Sony as part of its infamous DRM rootkit fiasco.

If you have this service, then there is a good chance you also have the Sony XCP DRM rootkit. Please use the following rootkit removal instructions:

So the detection is technically correct, as it is associated with the Sony DRM rootkit, but removing it could have this repercussion. Now you could elect to restore this file, and I believe that your CD may work again.

However, it is a rootkit, and there were a number of exploits that took advantage of this Sony rootkit: once it was known that Sony had installed a rootkit and how it worked, others used the Sony rootkit to hide their malware.

There was a huge stink and a lawsuit, etc., to have Sony remove it, so there should be a Sony removal tool to restore your CD drive to full health. This would almost certainly require you to restore the file from the Chest and exclude it from scans, with the associated risk of the exploit mentioned above.

I suggest that you do a Google search for Sony DRM Rootkit Removal tool and see what is brought up. The big thing is to restore your CD to a working state, e.g. correcting all the hacks that the Sony rootkit made, as just removing the rootkit won’t help (the same as what happened with avast removing it).

Edit: See this Sony page, http://cp.sonybmg.com/xcp/english/updates.html. I believe there is an uninstaller there, but you would have to restore the file from the Chest before running this or any other Sony DRM rootkit removal tool. You would also need to pause the Standard Shield whilst doing this (ensure you are disconnected from the internet), or it would alert when you try to restore from the Chest and probably when running the removal tool.
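The reply above says that deleting the rootkit's files without undoing its "hacks" is what breaks the drives. The mechanism, which the page does not spell out, is that XCP registered its drivers as filter drivers on the CD-ROM and IDE controller device classes (the crater.sys and cor.sys quarantined in the Chest log); once the files are gone, the class's UpperFilters/LowerFilters value still names them, the PnP manager cannot load the stack, and the device shows Code 19 or Code 39, which matches the Secondary IDE Channel error in the first post. The script below is an added example, not from the original thread or from avast or Sony, that audits those two filter lists and reports any entry whose driver file or service key no longer exists. It assumes Windows PowerShell 2.0 or later with the built-in HKLM: registry provider and an elevated prompt; the class GUIDs are the standard Windows ones, and the `$sys$` prefix check is my own heuristic for the names XCP's aries.sys cloaked.

```powershell
# Added example (not from the original thread): audit filter drivers on the
# CD-ROM and IDE controller device classes and flag dangling entries.
# Assumes Windows PowerShell 2.0+, HKLM: provider, run as Administrator.
$classes = @{
    'CDROM' = '{4D36E965-E325-11CE-BFC1-08002BE10318}'   # CD/DVD drives
    'hdc'   = '{4D36E96A-E325-11CE-BFC1-08002BE10318}'   # IDE ATA/ATAPI controllers
}
$classRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$serviceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driverDir  = Join-Path $env:SystemRoot 'system32\drivers'

function Get-FilterReport {
    foreach ($class in $classes.GetEnumerator()) {
        $key = Join-Path $classRoot $class.Value
        foreach ($slot in 'UpperFilters', 'LowerFilters') {
            # REG_MULTI_SZ comes back as string[]; an absent value yields $null
            $names = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$slot
            foreach ($name in @($names)) {
                if (-not $name) { continue }
                $serviceKey = Join-Path $serviceRoot $name
                $driverFile = Join-Path $driverDir ($name + '.sys')
                # -LiteralPath so the '$' and other odd characters are not treated as wildcards
                New-Object PSObject -Property @{
                    Class      = $class.Key
                    Slot       = $slot
                    Filter     = $name
                    ServiceKey = (Test-Path -LiteralPath $serviceKey)
                    DriverFile = (Test-Path -LiteralPath $driverFile)
                    # heuristic (assumption): XCP's drivers all carried the $sys$ prefix
                    Cloaked    = $name.StartsWith('$sys$')
                }
            }
        }
    }
}

$report = Get-FilterReport
$report | Select-Object Class, Slot, Filter, ServiceKey, DriverFile, Cloaked | Format-Table -AutoSize

# A filter that is still listed but whose driver file is gone is exactly what
# produces Code 19/39 on the drive or channel. Either the file comes back
# (restore from the Chest, then run the vendor uninstaller) or the name has to
# be removed from the multi-string value and the machine rebooted.
$dangling = $report | Where-Object { -not $_.DriverFile }
if ($dangling) {
    $list = ($dangling | ForEach-Object { "$($_.Class)/$($_.Slot)/$($_.Filter)" }) -join ', '
    Write-Warning ("Dangling filter entries: " + $list)
}
```

Run it before and after any removal tool: the "after" run should show no `$sys$` names at all on either class, and every remaining filter should have both its service key and its driver file present. Do not simply delete every name you see; CD-burning and virtual-drive software legitimately registers filters here, and removing those breaks that software the same way removing crater.sys broke the drives. If the `$sys$` entries are the only dangling ones and the files are gone for good, editing them out of UpperFilters/LowerFilters (with a registry export taken first) is the standard Microsoft fix for a CD drive stuck on Code 19/39, and avoids restoring the rootkit from the Chest at all.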