PLEASE HELP I have SEVERAL issues

[wheels351972]

To whom it may concern:

I have been infected with SOMETHING im just not sure what. I cleaned up a few things on my own but I still have something going on. I have run 3 scans with SAS and come up with 3 different results

Computer is running:

XP Pro SP3

Mcafee Virus Scan Online

Webroot Spyweeper

SAS Free

I have a popup "Windows cannot find 'C:\WINDOWS\winlogon.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search.

I CANT get rid of that file and in my msconfig under startup I keep seeing kdtzh.exe. I have tried scanning in real mode it sees it but it WONT remove it. I have tried scanning in safe mode with the same results. I googled it and it's telling me it's spyware or a virus im not sure which. I just CANT get rid of it. ANY HELP would be GREATLY appreciated. Also I have 3 logs for you folks:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 11/21/2008 at 12:35 PM

Application Version : 4.22.1014

Core Rules Database Version : 3555

Trace Rules Database Version: 1543

Scan type : Complete Scan

Total Scan Time : 01:08:55

Memory items scanned : 585

Memory threats detected : 0

Registry items scanned : 6457

Registry threats detected : 4

File items scanned : 71724

File threats detected : 3

Adware.MyWebSearch

HKU\S-1-5-21-1292428093-789336058-854245398-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}

C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE

C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSOEMON.EXE

Trojan.DNS-Changer (Hi-Jacked DNS)

HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{673587BB-1E19-416A-BD73-38D714B64176}#NAMESERVER

HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{673587BB-1E19-416A-BD73-38D714B64176}#NAMESERVER

Trojan.Unclassified/K-Series

HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SYSTEM

C:\WINDOWS\SYSTEM32\KDTZH.EXE

Log 2:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 11/22/2008 at 07:08 PM

Application Version : 4.22.1014

Core Rules Database Version : 3555

Trace Rules Database Version: 1543

Scan type : Complete Scan

Total Scan Time : 01:20:15

Memory items scanned : 598

Memory threats detected : 0

Registry items scanned : 6458

Registry threats detected : 4

File items scanned : 71557

File threats detected : 3

Adware.MyWebSearch

HKU\S-1-5-21-1292428093-789336058-854245398-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}

C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE

C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSOEMON.EXE

Trojan.DNS-Changer (Hi-Jacked DNS)

HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{673587BB-1E19-416A-BD73-38D714B64176}#NAMESERVER

HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{673587BB-1E19-416A-BD73-38D714B64176}#NAMESERVER

Trojan.Unclassified/K-Series

HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SYSTEM

C:\WINDOWS\SYSTEM32\KDTZH.EXE

Log 3:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 11/22/2008 at 11:04 PM

Application Version : 4.22.1014

Core Rules Database Version : 3648

Trace Rules Database Version: 1631

Scan type : Complete Scan

Total Scan Time : 01:21:17

Memory items scanned : 569

Memory threats detected : 0

Registry items scanned : 6470

Registry threats detected : 80

File items scanned : 72002

File threats detected : 20

Rootkit.NDisProt/Fake

HKLM\System\ControlSet001\Services\Ndisprot

C:\WINDOWS\SYSTEM32\DRIVERS\NDISPROT.SYS

HKLM\System\ControlSet001\Enum\Root\LEGACY_Ndisprot

HKLM\System\ControlSet002\Services\Ndisprot

HKLM\System\ControlSet002\Enum\Root\LEGACY_Ndisprot

HKLM\System\CurrentControlSet\Services\Ndisprot

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Ndisprot

Adware.MyWebSearch/FunWebProducts

HKLM\SOFTWARE\Fun Web Products

HKLM\SOFTWARE\Fun Web Products#JpegConversionLib

HKLM\SOFTWARE\Fun Web Products\ScreenSaver

HKLM\SOFTWARE\Fun Web Products\ScreenSaver#ImagesDir

HKLM\SOFTWARE\Fun Web Products\Settings

HKLM\SOFTWARE\Fun Web Products\Settings\Promos

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.numActive

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.0

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqNone

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.numActive

HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn

HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn#HTMLMenuPosDeleted

HKLM\SOFTWARE\MyWebSearch

HKLM\SOFTWARE\MyWebSearch\bar

HKLM\SOFTWARE\MyWebSearch\bar#Maximized

HKLM\SOFTWARE\MyWebSearch\bar#Visible

HKLM\SOFTWARE\MyWebSearch\bar#UseFWB

HKLM\SOFTWARE\MyWebSearch\bar#pid

HKLM\SOFTWARE\MyWebSearch\bar#fwp

HKLM\SOFTWARE\MyWebSearch\bar#tiec

HKLM\SOFTWARE\MyWebSearch\bar#Dir

HKLM\SOFTWARE\MyWebSearch\bar#UninstallString

HKLM\SOFTWARE\MyWebSearch\bar#SettingsDir

HKLM\SOFTWARE\MyWebSearch\bar#sr

HKLM\SOFTWARE\MyWebSearch\bar#pl

HKLM\SOFTWARE\MyWebSearch\bar#un

HKLM\SOFTWARE\MyWebSearch\MWSOEMON

HKLM\SOFTWARE\MyWebSearch\MWSOEPLG

HKLM\SOFTWARE\MyWebSearch\OEHosts

HKLM\SOFTWARE\MyWebSearch\SearchAssistant

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pid

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#fwp

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#Dir

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#sr

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pl

HKLM\SOFTWARE\MyWebSearch\SkinTools

HKLM\SOFTWARE\MyWebSearch\SkinTools#PlayerPath

HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}

HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}

HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}

HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0

HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0

HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32

HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS

HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR

HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}

HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid

HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32

HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib

HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version

HKLM\Software\FocusInteractive

HKLM\Software\FocusInteractive\bar

HKLM\Software\FocusInteractive\bar\Switches

HKLM\Software\FocusInteractive\bar\Switches#incmail.exe

HKLM\Software\FocusInteractive\bar\Switches#msimn.exe

HKLM\Software\FocusInteractive\bar\Switches#msn.exe

HKLM\Software\FocusInteractive\bar\Switches#outlook.exe

HKLM\Software\FocusInteractive\bar\Switches#waol.exe

HKLM\Software\FocusInteractive\bar\Switches#aim.exe

HKLM\Software\FocusInteractive\bar\Switches#icq.exe

HKLM\Software\FocusInteractive\bar\Switches#icqlite.exe

HKLM\Software\FocusInteractive\bar\Switches#msmsgs.exe

HKLM\Software\FocusInteractive\bar\Switches#msnmsgr.exe

HKLM\Software\FocusInteractive\bar\Switches#ypager.exe

HKLM\Software\FocusInteractive\Email-IM

HKLM\Software\FocusInteractive\Email-IM\0

HKLM\Software\FocusInteractive\Email-IM\0#Toolbar

HKLM\Software\FocusInteractive\Email-IM\0#AppName

HKLM\Software\FocusInteractive\Outlook

HKLM\Software\FocusInteractive\Outlook#MyWebSearch.OutlookAddin

C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL

C:\Program Files\MyWebSearch\bar\1.bin

C:\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL

C:\Program Files\MyWebSearch\bar\2.bin

C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat

C:\Program Files\MyWebSearch\bar\Settings

C:\Program Files\MyWebSearch\bar

C:\Program Files\MyWebSearch\SrchAstt\1.bin

C:\Program Files\MyWebSearch\SrchAstt\2.bin

C:\Program Files\MyWebSearch\SrchAstt

C:\Program Files\MyWebSearch

C:\Program Files\FunWebProducts\ScreenSaver\Images

C:\Program Files\FunWebProducts\ScreenSaver

C:\Program Files\FunWebProducts

Trojan.DNSChanger-Codec

HKCR\homeview

HKCR\homeview\CLSID

Rogue.Component/Trace

HKLM\Software\RHC5WGJ0E94J

Trojan.Unknown Origin

D:\HACKERS PACK\MISSING FILES\COMPCONTROLS.OCX

Adware.MyWebSearch-Installer

D:\KAELEES GAMES\CURSORMANIASETUP2.2.60.11-2.ZCFOX000.EXE

D:\KAELEES GAMES\ZWINKYSETUP2.2.60.11-2.ZJFOX000.EXE

D:\KAELEES GAMES\ZWINKYSETUP2.3.50.17.ZJFOX000.EXE

D:\KAELEES GAMES\ZWINKYSETUP2.3.50.22.ZJFOX000.EXE

I STILL have that cannot find winlogon popup AND still have kdtzh.exe in my startup.

Willie

*UPDATE*

Scan log #4

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 11/23/2008 at 01:14 AM

Application Version : 4.22.1014

Core Rules Database Version : 3648

Trace Rules Database Version: 1631

Scan type : Complete Scan

Total Scan Time : 01:24:51

Memory items scanned : 566

Memory threats detected : 0

Registry items scanned : 6462

Registry threats detected : 0

File items scanned : 71860

File threats detected : 0

Willie

[Seth]

3 and 4 no longer show the infection.

Go into msconfig and disable kdtzh. That will disable the reg entry for it and should solve the popup message.

[SUPERAntiSpy]

Your first scan was using old definitions - make sure you always scan with the latest definitions.

[wheels351972]

kdtzh.exe is not even in the msconfig anymore I still however am getting that mswinlogon.exe popup issue. Should mswinlogon.exe ALWAYS be in system or system32 or can it reside in Root directory of Windows, or is that considered to be a virus or what not? Also mswinlogon.exe is in the msconfig as c:\windows\mswinlogon.exe

[wheels351972]

I looked up mswinlogon.exe and the only hits I got were for viruses, and specifically that it should NOT be listed in msconfig startups. It looks to be a trojan, I'm sorry to say. The actual process from microsoft is winlogon.exe, and it should only reside in the system32 folder and should not appear under the startup list in msconfig.

Thats what I meant to say was winlogon.exe. But yeah thats the only traces I could find is system32 I cant find it in Windows either. ANY help in getting rid of this damn thing would be greatly appreciated thanks. My virus scanner is NOT picking it up.

[wheels351972]

I have run cure-it and it got rid of a few files I rebooted it was still there. I ran autoruns and removed it by deleting the option it was still there on reboot. I went into safe mood and used autoruns and removed it and rebooted it was back again. I went into regedit and removed c:\windows\mswinlogon.exe and c:\winlogon.exe and it deleted all but one entry in the registry. I rebooted it come back. Im doing a scan now with Kapersky. Im at my wits end with this thing. Everythign I have looked it up says it's spyware or a trojan. Any more ideas?