Sigster..............warning

alexstron
06-18-2004, 09:09 PM
Don't download this piece of sh*t.
It is slower than a Model T Ford
and it comes with more spyware than an atom bomb.
I have more spyware prevention/removal progs than I can remember;
the spyware still got in and I can't get rid of it.
Any help appreciated.
Regards, Alex

supersonic
06-18-2004, 09:16 PM
Oh, if you actually have that many anti-spyware progs, then reformat.

foot loose
06-18-2004, 10:41 PM
;) It may have been installed here: C:\WINDOWS\Downloaded Program Files
Try Spy Sweeper.

peat moss
06-18-2004, 11:16 PM
Originally posted by supersonic@18 June 2004 - 13:24
Oh, if you actually have that many anti-spyware progs, then reformat.
Huh? What are you saying? :unsure: Reformat because you have spyware? That seems kinda like throwing the baby out with the bath water.

alexstron
06-19-2004, 12:25 AM
OK Peat Moss, you know what you're doing.
I've run
Ad-Aware
Spybot
SpywareBlaster
Spy Sweeper, which say they have removed them..........but they come back.

AVG has got rid of 1 of the three left but can't get rid of the other two.

Any ideas...........what more information can I give you?
Regards, Alex

peat moss
06-19-2004, 01:02 AM
Gee, off the top of my head: disable System Restore, delete saved points, but we'll help. We might have to sleep on it, but you're no dummy either, Alex. :)

peat moss
06-19-2004, 01:09 AM
Alex, what's that shredder something program? Or maybe HijackThis, the one where you post your running services; that would be a good start. Sorry, I can't remember the name. :(

Alex, it's called CWSHREDDER and HIJACKTHIS. <_<

alexstron
06-19-2004, 11:16 AM
Good morning Peat, thanks for that.
CWShredder says nothing wrong.
Here is the HijackThis log........I'm not really sure what to do with it,
very wary of what to delete.
Perhaps you could have a look or show it to someone on the board who knows a bit more.
Regards,
Alex

alexstron
06-19-2004, 11:26 AM
..sorry, forgot to add the log!!!!!!!!!!!!
Logfile of HijackThis v1.97.7
Scan saved at 11:13:18, on 19/06/2004
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\WHITECANYON\SECURECLEAN 4\SCWATCH4.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\INTERNET KEYWORD\INETMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WHITECANYON\SECURECLEAN 4\SCREGMANAGER4.EXE
C:\PROGRAM FILES\WHITECANYON\SECURECLEAN 4\SCTRAY4.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\POPUPSTOPPER.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\LRDSVR.EXE
C:\PROGRAM FILES\INTERNET KEYWORD\INETSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\INTDRV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\INETMGR.EXE
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SecureClean4Service] "C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\POPUPSTOPPER.EXE"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [svcSystem] C:\WINDOWS\SYSTEM\lrdsvr.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38157.1371064815

lynx
06-19-2004, 12:21 PM
I tend to agree with Foot Loose.

Look in C:\WINDOWS\Downloaded Program Files.

If there's anything there that you aren't ABSOLUTELY sure about, get rid of it; you can easily dl them again.

Make sure your browser is not open when you do this, otherwise your browser may already have an infected prog loaded and simply dl it again. Better still, do it in safe mode.

Edit: Also, check your IE security settings, you may well find that they have been set to LOW, which means you are open to re-infection.

Jg427
06-19-2004, 01:00 PM
Two things I see that need to be fixed are INTDRV.EXE and LRDSVR.EXE

Open Task Manager and see if they are listed in Applications or Processes, and End Task.

Close all browser windows, run HJT and fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKCU\..\Run: [svcSystem] C:\WINDOWS\SYSTEM\lrdsvr.exe

Boot into safe mode and delete (in bold):
C:\WINDOWS\SYSTEM\LRDSVR.EXE
C:\WINDOWS\SYSTEM\INTDRV.EXE

Post a new log. I'll check back later, have to go to work now.
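
The triage Jg427 does by eye above (spot the empty R0 entries and the one O4 autostart that launches an unknown binary) can be automated. This is an added example, not code from the thread or from HijackThis; the log lines are constructed from the format posted above, and KNOWN_GOOD is an assumed baseline of vetted autostart binaries.

```python
import re

# Constructed sample lines in the HijackThis v1.97 log format from the thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.ntlworld.com
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
O4 - HKLM\\..\\Run: [AVG_CC] C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP
O4 - HKLM\\..\\Run: [SecureClean4Tray] "C:\\Program Files\\WhiteCanyon\\SecureClean 4\\sctray4.exe"
O4 - HKCU\\..\\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\\..\\Run: [svcSystem] C:\\WINDOWS\\SYSTEM\\lrdsvr.exe
"""

# Hypothetical baseline of autostart binaries already vetted on this machine
# (an assumption for the example; build it from a known-clean install).
KNOWN_GOOD = {"avgcc32.exe", "sctray4.exe", "rundll32.exe"}

# O4 lines: "O4 - <hive>\..\<key>: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# R0 lines: "R0 - <hive>\<path>,<setting> = <value>"
R0_RE = re.compile(r"^R0 - (HK\w+)\\([^,]+),([^=]+?) =\s*(.*)$")

def launched_exe(cmd):
    """Return the lower-cased basename of the program an O4 command line starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                    # quoted path, may contain spaces
        path = cmd[1:cmd.index('"', 1)]
    else:                                      # unquoted: first token is the program
        parts = cmd.split()
        path = parts[0] if parts else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def review(log_text, baseline=KNOWN_GOOD):
    """Return (line, reason) pairs for entries a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        m = R0_RE.match(line)
        if m and m.group(4) == "":
            findings.append((line, "empty value for IE %s" % m.group(3)))
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe = launched_exe(cmd)
            if exe not in baseline:
                findings.append((line, "unrecognised autostart %s (%s\\%s) -> %s"
                                 % (name, hive, key, exe)))
    return findings

if __name__ == "__main__":
    for line, reason in review(SAMPLE_LOG):
        print("%s\n    %s" % (line, reason))
```

Note that rundll32.exe in the baseline only vets the host process; the module it loads (nview.dll here) still has to be checked by hand.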

alexstron
06-19-2004, 02:04 PM
Lynx, thanks for that.

I've looked in C:\WINDOWS\Downloaded Program Files.
All I have is
Windows update client control?
Macromedia Flash Player 7
ActiveX controls?.........says something about Microsoft codecs?

Delete these?

Funny, I've downloaded tons of progs, thought there would be more.
The security settings were off..........now on medium high, thanks for reminding me.

BTW, Jg427 says open Task Manager; I'm using ME and can't find it, any idea where it is?
Regards,
Alex

lynx
06-19-2004, 03:17 PM
Downloaded Program Files is the place where IE stores its plugins, usually ActiveX controls, not the place where progs YOU have downloaded are stored. You can always safely delete these progs if you are unsure; if IE needs them it will give you the opportunity to download them again.

If your Internet Security settings are low, ActiveX controls can do virtually anything to your PC, including installing more ActiveX controls without asking. You may find that the other progs (LRDSVR and INTDRV) have set your security settings back to low, so keep checking until you have eliminated those progs.

There's a guide to eliminating those progs here (http://www.computercops.net/modules.php?name=Forums&file=viewtopic&p=196598). I don't know how good it is, but the original poster hasn't come back with further logs, so either it was effective or it wrecked her machine. :lol: