wheels351972 Posted November 23, 2008

To whom it may concern: I have been infected with SOMETHING, I'm just not sure what. I cleaned up a few things on my own but I still have something going on. I have run 3 scans with SAS and come up with 3 different results.

Computer is running: XP Pro SP3, McAfee VirusScan Online, Webroot Spy Sweeper, SAS Free

I have a popup: "Windows cannot find 'C:\WINDOWS\winlogon.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search." I CAN'T get rid of that file, and in my msconfig under startup I keep seeing kdtzh.exe. I have tried scanning in real mode; it sees it but it WON'T remove it. I have tried scanning in safe mode with the same results. I googled it and it's telling me it's spyware or a virus, I'm not sure which. I just CAN'T get rid of it. ANY HELP would be GREATLY appreciated.

Also I have 3 logs for you folks:

Log 1:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 11/21/2008 at 12:35 PM

Application Version : 4.22.1014

Core Rules Database Version : 3555
Trace Rules Database Version: 1543

Scan type : Complete Scan
Total Scan Time : 01:08:55

Memory items scanned : 585
Memory threats detected : 0
Registry items scanned : 6457
Registry threats detected : 4
File items scanned : 71724
File threats detected : 3

Adware.MyWebSearch
	HKU\S-1-5-21-1292428093-789336058-854245398-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
	C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
	C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSOEMON.EXE

Trojan.DNS-Changer (Hi-Jacked DNS)
	HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{673587BB-1E19-416A-BD73-38D714B64176}#NAMESERVER
	HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{673587BB-1E19-416A-BD73-38D714B64176}#NAMESERVER

Trojan.Unclassified/K-Series
	HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SYSTEM
	C:\WINDOWS\SYSTEM32\KDTZH.EXE

Log 2:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 11/22/2008 at 07:08 PM

Application Version : 4.22.1014

Core Rules Database Version : 3555
Trace Rules Database Version: 1543

Scan type : Complete Scan
Total Scan Time : 01:20:15

Memory items scanned : 598
Memory threats detected : 0
Registry items scanned : 6458
Registry threats detected : 4
File items scanned : 71557
File threats detected : 3

Adware.MyWebSearch
	HKU\S-1-5-21-1292428093-789336058-854245398-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
	C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
	C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSOEMON.EXE

Trojan.DNS-Changer (Hi-Jacked DNS)
	HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{673587BB-1E19-416A-BD73-38D714B64176}#NAMESERVER
	HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{673587BB-1E19-416A-BD73-38D714B64176}#NAMESERVER

Trojan.Unclassified/K-Series
	HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SYSTEM
	C:\WINDOWS\SYSTEM32\KDTZH.EXE

Log 3:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 11/22/2008 at 11:04 PM

Application Version : 4.22.1014

Core Rules Database Version : 3648
Trace Rules Database Version: 1631

Scan type : Complete Scan
Total Scan Time : 01:21:17

Memory items scanned : 569
Memory threats detected : 0
Registry items scanned : 6470
Registry threats detected : 80
File items scanned : 72002
File threats detected : 20

Rootkit.NDisProt/Fake
	HKLM\System\ControlSet001\Services\Ndisprot
	C:\WINDOWS\SYSTEM32\DRIVERS\NDISPROT.SYS
	HKLM\System\ControlSet001\Enum\Root\LEGACY_Ndisprot
	HKLM\System\ControlSet002\Services\Ndisprot
	HKLM\System\ControlSet002\Enum\Root\LEGACY_Ndisprot
	HKLM\System\CurrentControlSet\Services\Ndisprot
	HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Ndisprot

Adware.MyWebSearch/FunWebProducts
	HKLM\SOFTWARE\Fun Web Products
	HKLM\SOFTWARE\Fun Web Products#JpegConversionLib
	HKLM\SOFTWARE\Fun Web Products\ScreenSaver
	HKLM\SOFTWARE\Fun Web Products\ScreenSaver#ImagesDir
	HKLM\SOFTWARE\Fun Web Products\Settings
	HKLM\SOFTWARE\Fun Web Products\Settings\Promos
	HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.numActive
	HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.0
	HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqNone
	HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.numActive
	HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn
	HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn#HTMLMenuPosDeleted
	HKLM\SOFTWARE\MyWebSearch
	HKLM\SOFTWARE\MyWebSearch\bar
	HKLM\SOFTWARE\MyWebSearch\bar#Maximized
	HKLM\SOFTWARE\MyWebSearch\bar#Visible
	HKLM\SOFTWARE\MyWebSearch\bar#UseFWB
	HKLM\SOFTWARE\MyWebSearch\bar#pid
	HKLM\SOFTWARE\MyWebSearch\bar#fwp
	HKLM\SOFTWARE\MyWebSearch\bar#tiec
	HKLM\SOFTWARE\MyWebSearch\bar#Dir
	HKLM\SOFTWARE\MyWebSearch\bar#UninstallString
	HKLM\SOFTWARE\MyWebSearch\bar#SettingsDir
	HKLM\SOFTWARE\MyWebSearch\bar#sr
	HKLM\SOFTWARE\MyWebSearch\bar#pl
	HKLM\SOFTWARE\MyWebSearch\bar#un
	HKLM\SOFTWARE\MyWebSearch\MWSOEMON
	HKLM\SOFTWARE\MyWebSearch\MWSOEPLG
	HKLM\SOFTWARE\MyWebSearch\OEHosts
	HKLM\SOFTWARE\MyWebSearch\SearchAssistant
	HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pid
	HKLM\SOFTWARE\MyWebSearch\SearchAssistant#fwp
	HKLM\SOFTWARE\MyWebSearch\SearchAssistant#Dir
	HKLM\SOFTWARE\MyWebSearch\SearchAssistant#sr
	HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pl
	HKLM\SOFTWARE\MyWebSearch\SkinTools
	HKLM\SOFTWARE\MyWebSearch\SkinTools#PlayerPath
	HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
	HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
	HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs
	HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
	HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0
	HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0
	HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32
	HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS
	HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR
	HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
	HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
	HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
	HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
	HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version
	HKLM\Software\FocusInteractive
	HKLM\Software\FocusInteractive\bar
	HKLM\Software\FocusInteractive\bar\Switches
	HKLM\Software\FocusInteractive\bar\Switches#incmail.exe
	HKLM\Software\FocusInteractive\bar\Switches#msimn.exe
	HKLM\Software\FocusInteractive\bar\Switches#msn.exe
	HKLM\Software\FocusInteractive\bar\Switches#outlook.exe
	HKLM\Software\FocusInteractive\bar\Switches#waol.exe
	HKLM\Software\FocusInteractive\bar\Switches#aim.exe
	HKLM\Software\FocusInteractive\bar\Switches#icq.exe
	HKLM\Software\FocusInteractive\bar\Switches#icqlite.exe
	HKLM\Software\FocusInteractive\bar\Switches#msmsgs.exe
	HKLM\Software\FocusInteractive\bar\Switches#msnmsgr.exe
	HKLM\Software\FocusInteractive\bar\Switches#ypager.exe
	HKLM\Software\FocusInteractive\Email-IM
	HKLM\Software\FocusInteractive\Email-IM\0
	HKLM\Software\FocusInteractive\Email-IM\0#Toolbar
	HKLM\Software\FocusInteractive\Email-IM\0#AppName
	HKLM\Software\FocusInteractive\Outlook
	HKLM\Software\FocusInteractive\Outlook#MyWebSearch.OutlookAddin
	C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
	C:\Program Files\MyWebSearch\bar\1.bin
	C:\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
	C:\Program Files\MyWebSearch\bar\2.bin
	C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
	C:\Program Files\MyWebSearch\bar\Settings
	C:\Program Files\MyWebSearch\bar
	C:\Program Files\MyWebSearch\SrchAstt\1.bin
	C:\Program Files\MyWebSearch\SrchAstt\2.bin
	C:\Program Files\MyWebSearch\SrchAstt
	C:\Program Files\MyWebSearch
	C:\Program Files\FunWebProducts\ScreenSaver\Images
	C:\Program Files\FunWebProducts\ScreenSaver
	C:\Program Files\FunWebProducts

Trojan.DNSChanger-Codec
	HKCR\homeview
	HKCR\homeview\CLSID

Rogue.Component/Trace
	HKLM\Software\RHC5WGJ0E94J

Trojan.Unknown Origin
	D:\HACKERS PACK\MISSING FILES\COMPCONTROLS.OCX

Adware.MyWebSearch-Installer
	D:\KAELEES GAMES\CURSORMANIASETUP2.2.60.11-2.ZCFOX000.EXE
	D:\KAELEES GAMES\ZWINKYSETUP2.2.60.11-2.ZJFOX000.EXE
	D:\KAELEES GAMES\ZWINKYSETUP2.3.50.17.ZJFOX000.EXE
	D:\KAELEES GAMES\ZWINKYSETUP2.3.50.22.ZJFOX000.EXE

I STILL have that "cannot find winlogon" popup AND still have kdtzh.exe in my startup.

Willie

*UPDATE* Scan log #4:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 11/23/2008 at 01:14 AM

Application Version : 4.22.1014

Core Rules Database Version : 3648
Trace Rules Database Version: 1631

Scan type : Complete Scan
Total Scan Time : 01:24:51

Memory items scanned : 566
Memory threats detected : 0
Registry items scanned : 6462
Registry threats detected : 0
File items scanned : 71860
File threats detected : 0

Willie
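The four logs above differ mainly in definition versions (3555/1543 for the first two scans, 3648/1631 for the last two) and in what each run found. The following Python script is an added example, not code from the thread or from SUPERAntiSpyware: it parses logs in the layout shown above, reports which detections appeared or vanished between two scans and whether the definitions changed in between, and picks out the items that touch logon, service or DNS configuration, since those are the ones worth re-checking after a reboot. The parsing rules (a "Key : value" header, then each detection name on its own line with its registry keys and file paths indented beneath it) are an assumption based on the logs as posted; the three sample logs are constructed and abbreviated, with every entry copied from the thread.

```python
import re

# Constructed, abbreviated scan logs; every entry is copied from the thread.
SCAN_1 = r"""
SUPERAntiSpyware Scan Log
Generated 11/21/2008 at 12:35 PM
Application Version : 4.22.1014
Core Rules Database Version : 3555
Trace Rules Database Version: 1543
Registry threats detected : 4
File threats detected : 3

Adware.MyWebSearch
    C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE

Trojan.DNS-Changer (Hi-Jacked DNS)
    HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{673587BB-1E19-416A-BD73-38D714B64176}#NAMESERVER

Trojan.Unclassified/K-Series
    HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SYSTEM
    C:\WINDOWS\SYSTEM32\KDTZH.EXE
"""

SCAN_3 = r"""
SUPERAntiSpyware Scan Log
Generated 11/22/2008 at 11:04 PM
Application Version : 4.22.1014
Core Rules Database Version : 3648
Trace Rules Database Version: 1631
Registry threats detected : 80
File threats detected : 20

Rootkit.NDisProt/Fake
    HKLM\System\ControlSet001\Services\Ndisprot
    C:\WINDOWS\SYSTEM32\DRIVERS\NDISPROT.SYS

Trojan.DNSChanger-Codec
    HKCR\homeview
"""

SCAN_4 = r"""
SUPERAntiSpyware Scan Log
Generated 11/23/2008 at 01:14 AM
Core Rules Database Version : 3648
Trace Rules Database Version: 1631
Registry threats detected : 0
File threats detected : 0
"""

# "Key : value" header line; the key is letters and spaces only, so a
# file path such as C:\... never matches (paths are indented anyway).
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")


def parse_sas_log(text):
    """Return {'header': {key: value}, 'detections': {name: [items]}}.

    Assumed layout: header lines first, then detection names unindented with
    their registry keys / file paths indented beneath them."""
    header, detections, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":                       # indented: item under a detection
            if current is None:
                raise ValueError("item before any detection name: %r" % raw)
            detections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith("Generated "):         # contains a time, so no regex
            header["Generated"] = line[len("Generated "):]
            continue
        if line.startswith("SUPERAntiSpyware") or line.startswith("http"):
            continue
        m = HEADER_RE.match(line)
        if m and current is None:
            header[m.group(1)] = m.group(2)
            continue
        current = line                            # a new detection name
        detections.setdefault(current, [])
    return {"header": header, "detections": detections}


def definitions(scan):
    """(core rules version, trace rules version) as integers."""
    h = scan["header"]
    return (int(h["Core Rules Database Version"]), int(h["Trace Rules Database Version"]))


def compare_scans(before, after):
    """Per-item differences between two parsed scans."""
    b = {(n, i) for n, items in before["detections"].items() for i in items}
    a = {(n, i) for n, items in after["detections"].items() for i in items}
    return {"new": sorted(a - b), "gone": sorted(b - a),
            "definitions_changed": definitions(before) != definitions(after)}


# Substrings that mark logon, service and DNS configuration (registry paths
# quoted in the thread); items under these run or take effect at boot/logon.
PERSISTENCE_MARKERS = ("\\WINLOGON#", "\\CURRENTVERSION\\RUN", "#NAMESERVER", "\\SERVICES\\")


def persistence_items(scan):
    """Detected items whose path touches logon, service or DNS configuration."""
    return [(name, item)
            for name, items in scan["detections"].items()
            for item in items
            if any(mk in item.upper() for mk in PERSISTENCE_MARKERS)]


if __name__ == "__main__":
    s1, s3, s4 = (parse_sas_log(t) for t in (SCAN_1, SCAN_3, SCAN_4))
    for label, diff in (("scan 1 -> scan 3", compare_scans(s1, s3)),
                        ("scan 3 -> scan 4", compare_scans(s3, s4))):
        print(label, "definitions changed:", diff["definitions_changed"])
        for kind in ("new", "gone"):
            for name, item in diff[kind]:
                print("  %-4s %s: %s" % (kind, name, item))
    print("re-check after reboot:", persistence_items(s1))
```

The comparison makes the point made later in the thread concrete: the jump from 3 to 20 file threats coincides with the definitions update, and the last scan is clean under the same definitions, so what remains is whatever the scanner does not classify (the autostart entry the poster keeps seeing in msconfig).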
Seth Posted November 23, 2008

3 and 4 no longer show the infection. Go into msconfig and disable kdtzh. That will disable the reg entry for it and should solve the popup message.
SUPERAntiSpy Posted November 23, 2008

Your first scan was using old definitions - make sure you always scan with the latest definitions.
wheels351972 Posted November 23, 2008

kdtzh.exe is not even in the msconfig anymore. I still, however, am getting that mswinlogon.exe popup issue. Should mswinlogon.exe ALWAYS be in system or system32, or can it reside in the root directory of Windows, or is that considered to be a virus or whatnot? Also mswinlogon.exe is in the msconfig as c:\windows\mswinlogon.exe
wheels351972 Posted November 24, 2008

I looked up mswinlogon.exe and the only hits I got were for viruses, and specifically that it should NOT be listed in msconfig startups. It looks to be a trojan, I'm sorry to say. The actual process from Microsoft is winlogon.exe, and it should only reside in the system32 folder and should not appear under the startup list in msconfig. That's what I meant to say: winlogon.exe. But yeah, that's the only trace I could find, in system32; I can't find it in Windows either. ANY help in getting rid of this damn thing would be greatly appreciated, thanks. My virus scanner is NOT picking it up.
wheels351972 Posted November 25, 2008

I have run CureIt and it got rid of a few files; I rebooted and it was still there. I ran Autoruns and removed it by deleting the option; it was still there on reboot. I went into safe mode and used Autoruns and removed it and rebooted; it was back again. I went into regedit and removed c:\windows\mswinlogon.exe and c:\winlogon.exe and it deleted all but one entry in the registry. I rebooted; it came back. I'm doing a scan now with Kaspersky. I'm at my wits' end with this thing. Everything I have looked up says it's spyware or a trojan. Any more ideas?