
Here is another log, what should I do?


2 replies to this topic

#1 magnus

magnus

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 06 April 2005 - 09:14 PM

It seems like I have tried everything. The virus/spyware seems to start a shutdown process with lsass.exe/unexpected error 128 when I start a browser and the computer is connected to the internet.

I have tried adaware, cwshredder and spy sweeper. It doesn't seem to help me.

Here is another log (this time I have to get rid of two files manually, but this action is not good enough - I have done that 10 times already).

Help me, please!

Magnus Cedergren
Sollentuna, Sweden

Logfile of HijackThis v1.99.1
Scan saved at 04:12:21, on 2005-04-07
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\PROGRAM\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\magced\Skrivbord\HijackThis.exe

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Magced\Application Data\Mozilla\Profiles\default\ft2qb9i6.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Magced\Application Data\Mozilla\Profiles\default\ft2qb9i6.slt\prefs.js)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows_Protect] iedspgcwku.exe
O4 - HKLM\..\Run: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [Windows_Protect] iedspgcwku.exe
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKCU\..\Run: [Windows_Protect] iedspgcwku.exe
O4 - HKCU\..\Run: [Windows Update Drive] drives.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vinnova.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{162B9D70-82E6-46E6-ABB1-842BF0B678C3}: NameServer = 81.26.228.3,81.26.227.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vinnova.se
O17 - HKLM\System\CS1\Services\Tcpip\..\{162B9D70-82E6-46E6-ABB1-842BF0B678C3}: NameServer = 81.26.228.3,81.26.227.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vinnova.se
O17 - HKLM\System\CS2\Services\Tcpip\..\{162B9D70-82E6-46E6-ABB1-842BF0B678C3}: NameServer = 81.26.228.3,81.26.227.3
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McShield - Network Associates, Inc. - C:\Program\Delade filer\Network Associates\McShield\mcshield.exe


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:11:35 AM

Posted 06 April 2005 - 09:56 PM

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O4 - HKLM\..\Run: [Windows_Protect] iedspgcwku.exe
O4 - HKLM\..\Run: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [Windows_Protect] iedspgcwku.exe
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKCU\..\Run: [Windows_Protect] iedspgcwku.exe
O4 - HKCU\..\Run: [Windows Update Drive] drives.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)


Then delete these files or directories (do not be concerned if they do not exist):

c:\windows\system32\iedspgcwku.exe
c:\windows\system32\drives.exe

Reboot your computer to go back to normal mode and post a new log.
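The entries Grinler picks out above can be recovered from the log mechanically. The following is an added example, written for this thread and not code from BleepingComputer, HijackThis or either poster. It parses the O4 (autostart) and O15 (Trusted Zone) lines from the log posted above and applies two assumed heuristics: an O4 command that is a bare file name (no directory, so it is resolved through the search path) and that is registered under more than one Run/RunServices key is flagged, and every O15 Trusted Zone addition not on a caller-supplied allowlist is flagged. The sample lines are copied from the log in this thread; the O23 line is included only to show that other sections are ignored.

```python
import re
from collections import defaultdict

# Sample input: O4/O15/O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows_Protect] iedspgcwku.exe
O4 - HKLM\..\Run: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [Windows_Protect] iedspgcwku.exe
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKCU\..\Run: [Windows_Protect] iedspgcwku.exe
O4 - HKCU\..\Run: [Windows Update Drive] drives.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: McShield - Network Associates, Inc. - C:\Program\Delade filer\Network Associates\McShield\mcshield.exe
"""

# O4 line layout: "O4 - <hive>\..\<Run key>: [<label>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# O15 line layout: "O15 - Trusted Zone: <host> (<hive>)"
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+) \((?P<hive>\w+)\)$")
# Program part of an unquoted command: everything up to the first executable extension.
EXE_RE = re.compile(r"(?i)^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)")


def executable_of(cmd):
    """Return the program part of an autostart command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def find_suspicious_autostarts(log_text):
    """Assumed heuristic (not a HijackThis rule): flag a bare file name that is
    registered under more than one Run/RunServices key."""
    by_exe = defaultdict(list)
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m.group("cmd")).lower()
        by_exe[exe].append((m.group("hive"), m.group("key"), m.group("label")))
    findings = []
    for exe, locations in by_exe.items():
        bare = "\\" not in exe and ":" not in exe
        if bare and len(locations) > 1:
            findings.append({"exe": exe, "locations": locations})
    return findings


def find_trusted_zone_additions(log_text, allowed=()):
    """Report every O15 Trusted Zone entry whose host is not on the allowlist."""
    found = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if m and m.group("host") not in allowed:
            found.append((m.group("host"), m.group("hive")))
    return found


def lines_to_fix(log_text, allowed_hosts=()):
    """The log lines to tick in HijackThis: every O4 line for a flagged executable
    plus every flagged O15 line, in the order they appear in the log."""
    flagged = {f["exe"] for f in find_suspicious_autostarts(log_text)}
    hosts = {h for h, _ in find_trusted_zone_additions(log_text, allowed_hosts)}
    out = []
    for line in log_text.splitlines():
        s = line.strip()
        m4 = O4_RE.match(s)
        m15 = O15_RE.match(s)
        if m4 and executable_of(m4.group("cmd")).lower() in flagged:
            out.append(s)
        elif m15 and m15.group("host") in hosts:
            out.append(s)
    return out


if __name__ == "__main__":
    for s in lines_to_fix(SAMPLE_LOG):
        print(s)
```

Run against the sample, `lines_to_fix` returns exactly the seven lines listed in the reply above: the six O4 entries for iedspgcwku.exe and drives.exe and the single O15 entry, while the one-off mobsync.exe entry is left alone. The "more than one key" rule is what separates the two from legitimate single-entry autostarts here; it is a heuristic chosen for this log, not a general classifier, and a path-less entry that appears once still deserves a look.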

#3 magnus

magnus
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 07 April 2005 - 04:05 AM

Ok, I did that, several times. drives.exe came back after starting IE in normal (not safe) mode. It seemed that the nasty beast had hidden somewhere else. I didn't know where.

But: Then I also tried about 10 different anti-virus programs. One of them, xoft spy, showed the way to some peculiar regkeys. When I removed them, everything SEEMS to work out for me.

Though, I am not sure YET. If not, I hope perhaps you will help me some more...

(It is strange that those regkeys didn't show up in the hijackthis log for me.)

Well, thank you so far!

Magnus
