This time I have my friend's father's computer. When I got the computer it had the BSOD. I got in and cleaned it up some, but it is still very dirty. The problems so far:
- There is a file in the \WIN\TEMP folder named startdrv.exe. I cannot get rid of this file; I have tried by antivirus as well as under safe mode.
- Every time the computer reboots there is new malware on it, so I suspect a trojan (such as startdrv) is my biggest problem.
- Intermittently I receive the message "Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your system and internet files. Run full scan to protect any unauthorized access to your files. Check yes to download spyware remover." This message will not let me X out of it, so I click "No" each time and it goes away.
- When I right-click on the desktop I get this message: "The operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." (I am on the administrator account.)
Deckard's System Scanner v20071014.68
Run by merlin on 2007-11-26 23:01:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 448 MiB (512 MiB recommended).
-- HijackThis (run as merlin.exe) ----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:41 PM, on 11/26/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\avp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Computer\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\merlin.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoconfig.cpqcorp.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\msanton.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: - {154dfb9d-1eed-4242-bc10-3a9b065a2e1e} - C:\WINDOWS\System32\jwhn.dll (file missing)
O2 - BHO: - {309baa87-c2af-4833-a578-df5da3d1363e} - C:\WINDOWS\System32\ptki.dll (file missing)
O2 - BHO: - {773d4d58-808f-4970-8fa2-8a420960a9f0} - C:\WINDOWS\System32\krc.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\System32\mskvtns.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v6.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\System32\spools.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\timoty.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [froody] C:\WINDOWS\System32\timoty.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\hrum133.txt
O21 - SSODL: BejaogyRJe - {383E1092-9294-BA38-F696-BBC465B50B1B} - C:\WINDOWS\System32\ho.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 7347 bytes
-- Files created between 2007-10-26 and 2007-11-26 -----------------------------
2007-11-26 22:51:15 11776 --a------ C:\Program Files\427694.exe
2007-11-24 23:08:35 0 d-------- C:\Program Files\Trend Micro
2007-11-24 00:00:55 0 d-------- C:\Computer
2007-11-23 23:24:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-11-23 23:24:50 0 d-a------ C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-23 23:24:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-11-23 23:24:49 0 d-a------ C:\Documents and Settings\Administrator\Desktop
2007-11-23 23:24:49 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-23 23:24:49 0 d-ah----- C:\Documents and Settings\Administrator\Application Data
2007-11-23 23:24:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-23 23:24:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-11-23 23:24:49 0 d-a-s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-23 23:24:48 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-23 23:24:48 0 d-a------ C:\Documents and Settings\Administrator\Favorites
2007-11-23 23:24:47 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-23 23:24:47 0 d-ah----- C:\Documents and Settings\Administrator\Templates
2007-11-23 23:24:47 0 d-a------ C:\Documents and Settings\Administrator\Start Menu
2007-11-23 23:24:47 0 d-ah----- C:\Documents and Settings\Administrator\SendTo
2007-11-23 23:24:47 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-23 23:24:47 0 d-ah----- C:\Documents and Settings\Administrator\PrintHood
2007-11-23 23:24:47 0 d-ah----- C:\Documents and Settings\Administrator\NetHood
2007-11-23 23:24:47 0 d-a------ C:\Documents and Settings\Administrator\My Documents
2007-11-23 23:24:46 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-23 22:02:55 0 dr-h----- C:\$VAULT$.AVG
2007-11-23 21:50:11 0 d-------- C:\Documents and Settings\merlin\Application Data\AVG7
2007-11-23 21:49:53 0 d-------- C:\Documents and Settings\merlin\Application Data\Grisoft
2007-11-23 21:49:13 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-23 21:48:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-23 21:48:13 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-23 21:15:43 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-23 21:15:39 0 d-------- C:\Documents and Settings\merlin\Application Data\Mozilla
2007-11-22 11:58:39 34545 --a------ C:\sysvhem.exe
2007-11-22 11:55:18 0 d-------- C:\Program Files\E404 Helper
2007-11-22 11:53:21 20992 --a------ C:\WINDOWS\avp.exe <Not Verified; MskSoftStudy Corp.; Anti-Virus Project (AVP) spyware removal module>
2007-11-22 11:46:11 6144 --a------ C:\WINDOWS\System32\msanton.exe
2007-11-20 19:54:55 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2007-11-15 17:28:05 2859008 --a------ C:\Documents and Settings\merlin\ntuser.dat
2007-11-13 18:19:29 289280 --a------ C:\WINDOWS\System32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-11-13 18:19:29 5175 --a------ C:\WINDOWS\drabste.exe
-- Find3M Report ---------------------------------------------------------------
2007-11-26 22:45:47 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-26 22:44:43 0 d-a------ C:\Program Files\Common Files
2007-11-23 23:38:55 0 d-------- C:\Program Files\America Online 7.0
2007-11-20 20 27 0 d-------- C:\Program Files\Symantec
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{154dfb9d-1eed-4242-bc10-3a9b065a2e1e}]
C:\WINDOWS\System32\jwhn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{309baa87-c2af-4833-a578-df5da3d1363e}]
C:\WINDOWS\System32\ptki.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{773d4d58-808f-4970-8fa2-8a420960a9f0}]
C:\WINDOWS\System32\krc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DABCE839-3831-3818-AF3A-3837BCD324D2}]
C:\WINDOWS\System32\mskvtns.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
11/26/2007 08:21 PM 18432 --a------ C:\Program Files\E404 Helper\e404.v6.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [10/03/2002 01:59 AM C:\WINDOWS\system32\carpserv.exe]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [07/24/2001 04:34 PM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 03:28 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/12/2003 05:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/02/2003 03:11 PM]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [12/02/2003 03:11 PM]
"SiS Tray"="C:\WINDOWS\System32\sistray.EXE" [11/17/2002 09:36 AM]
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [09/24/2002 12:50 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [11/22/2002 02:49 PM]
"HPHmon04"="C:\WINDOWS\System32\hphmon04.exe" [11/22/2002 02:48 PM]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [11/22/2002 02:50 PM]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [04/17/2002 09:42 AM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [06/29/2005 12:11 PM]
"dumprep"="C:\WINDOWS\System32\spools.exe" []
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [11/02/2004 04:59 PM]
"startdrv"="C:\WINDOWS\Temp\startdrv.exe" [11/26/2007 10:44 PM]
"avp"="C:\WINDOWS\avp.exe" [11/22/2007 11:53 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [11/23/2007 09:48 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]
"version"="C:\WINDOWS\System32\timoty.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 05:08 PM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [09/13/2004 08:21 AM]
"froody"="C:\WINDOWS\System32\timoty.exe" []
C:\Documents and Settings\merlin\Start Menu\Programs\Startup\
setings.exe [11/22/2007 11:46:10 AM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
startup.exe [11/22/2007 11:46:10 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BejaogyRJe"= {383E1092-9294-BA38-F696-BBC465B50B1B} - C:\WINDOWS\System32\ho.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\System32\msanton.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\hrum133.txt
-- End of Deckard's System Scanner: finished at 2007-11-26 23:02:47 ------------
Without further ado, here is the main.txt file; the extra.txt is attached. As always, thank you!