Hijack Report (plz Help! What Do I Need To Remove) Spybot Shows Zlob.dnschanger.

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Hijack Report (plz Help! What Do I Need To Remove) Spybot Shows Zlob.dnschanger., can't run SC either :( says due to virus

Options

BillBailey View Member Profile	May 13 2008, 01:17 PM Post #1
New Member Group: Members Posts: 14 Joined: 13-May 08 Member No.: 208,737	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:15:08 PM, on 5/12/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Common Files\Symantec Shared\ccProxy.exe c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\windows\system\hpsysdrv.exe C:\HP\KBD\KBD.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...=EN_US&c=Q4 04&bd=presario&pf=desktop R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...e=EN_US&c=Q 404&bd=presario&pf=desktop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...e=EN_US&c=Q 404&bd=presario&pf=desktop R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing) O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled O4 - Global Startup: SBC Self Support Tool.lnk.disabled O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://www.ugaais.com/viewer9/activeXViewe...tivexviewer.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...ols/en/x86/clie nt/muweb_site.cab?1210477749796 O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{E9552735-0D73-4652-B82E-8A0C2C8 713D2}: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- End of file - 10349 bytes

2 Pages

1 2 >

Replies (1 - 14)

Buckeye_Sam View Member Profile	May 13 2008, 02:00 PM Post #2
Malware Expert Group: HJT Team Posts: 15,582 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. Please go to this page and scroll down to step 6. http://www.bleepingcomputer.com/forums/topic34773.html Follow the directions there to run DSS and then post those logs back here in your next reply. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

Buckeye_Sam View Member Profile	May 13 2008, 10:59 PM Post #4
Malware Expert Group: HJT Team Posts: 15,582 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	Download and scan with SUPERAntiSpyware Free for Home Users Double-click SUPERAntiSpyware.exe and use the default settings for installation. An icon will be created on your desktop. Double-click that icon to launch the program. If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.) Under "*Configuration and Preferences", click the Preferences* button. Click the Scanning Control tab. Under Scanner Options make sure the following are checked (leave all others unchecked): Close browsers before scanning. Scan for tracking cookies. Terminate memory threats before quarantining. Click the "Close" button to leave the control center screen. Back on the main screen, under "*Scan for Harmful Software" click Scan your computer. On the left, make sure you check C:\Fixed Drive. On the right, under "Complete Scan", choose Perform Complete Scan. Click "Next" to start the scan. Please be patient while it scans your computer. After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". Make sure everything has a checkmark next to it and click "Next". A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu. If asked if you want to reboot, click "Yes". To retrieve the removal information after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab.* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. Please copy and paste the Scan Log results in your next reply. Click Close to exit the program. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

BillBailey View Member Profile	May 13 2008, 11:37 PM Post #5
New Member Group: Members Posts: 14 Joined: 13-May 08 Member No.: 208,737	I ran the scan and it identified no items. What next?

BillBailey View Member Profile	May 13 2008, 11:43 PM Post #6
New Member Group: Members Posts: 14 Joined: 13-May 08 Member No.: 208,737	SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 05/13/2008 at 00:36 AM Application Version : 4.0.1154 Core Rules Database Version : 3460 Trace Rules Database Version: 1451 Scan type : Complete Scan Total Scan Time : 00:27:00 Memory items scanned : 458

BillBailey View Member Profile	May 13 2008, 11:59 PM Post #7
New Member Group: Members Posts: 14 Joined: 13-May 08 Member No.: 208,737	Application Version : 4.0.1154 Core Rules Database Version : 3460 Trace Rules Database Version: 1451 Scan type : Complete Scan Total Scan Time : 00:27:00 Memory items scanned : 458 Memory threats detected : 0 Registry items scanned : 5352 Registry threats detected : 0 File items scanned : 60475 File threats detected : 0

Buckeye_Sam View Member Profile	May 14 2008, 04:40 PM Post #8
Malware Expert Group: HJT Team Posts: 15,582 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	I want to check out a suspicious file that shows up in your log. Please go to Jotti's malware scan Copy and paste the following file path into the "File to upload & scan" box on the top of the page: C:\WINDOWS\system32\kdvsn.exe Click on the submit button Please post the results in your next reply. Can you post the info from Spybot that is showing the infected items? -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

BillBailey View Member Profile	May 14 2008, 08:42 PM Post #9
New Member Group: Members Posts: 14 Joined: 13-May 08 Member No.: 208,737	Hi Sam, Here is the virusscan report... The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file Next I will run my Spybot report again and submit results.

BillBailey View Member Profile	May 14 2008, 09:16 PM Post #11
New Member Group: Members Posts: 14 Joined: 13-May 08 Member No.: 208,737	Zlob.DNSChanger.Rtk: [SBI $FE3023DF] Settings (Registry value, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System=...KDVSN.EXE... Common Dialogs: History (12 files) (Registry key, nothing done) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU Log: Activity: SchedLgU.Txt (Backup file, nothing done) C:\WINDOWS\SchedLgU.Txt Log: Activity: imsins.log (Backup file, nothing done) C:\WINDOWS\imsins.log Log: Activity: OEWABLog.txt (Backup file, nothing done) C:\WINDOWS\OEWABLog.txt Log: Install: comsetup.log (Backup file, nothing done) C:\WINDOWS\comsetup.log Log: Install: ocgen.log (Backup file, nothing done) C:\WINDOWS\ocgen.log Log: Install: setupact.log (Backup file, nothing done) C:\WINDOWS\setupact.log Log: Install: setupapi.log (Backup file, nothing done) C:\WINDOWS\setupapi.log Log: Install: setuplog.txt (Backup file, nothing done) C:\WINDOWS\setuplog.txt Log: Install: svcpack.log (Backup file, nothing done) C:\WINDOWS\svcpack.log Log: Install: wmsetup.log (Backup file, nothing done) C:\WINDOWS\wmsetup.log Log: Install: DtcInstall.log (Backup file, nothing done) C:\WINDOWS\DtcInstall.log Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\mofcomp.log Log: Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\setup.log Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\wbemcore.log Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\wbemess.lo_ Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\wbemess.log Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\wmiprov.log MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done) HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done) HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Player\Settings\Client ID MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry change, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name MS Search Assistant: [SBI $AE0C4647] Typed search terms history (Registry key, nothing done) HKEY_USERS\S-1-5-21-3341656437-3043363843-2328747555-1009\Software\Microsoft\Search Assistant\ACMru Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done) HKEY_USERS\S-1-5-21-3341656437-3043363843-2328747555-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU Windows Explorer: [SBI $2026AFB6] User Assistant history IE (6 files) (Registry key, nothing done) HKEY_USERS\S-1-5-21-3341656437-3043363843-2328747555-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count Windows Explorer: [SBI $6107D172] User Assistant history files (61 files) (Registry key, nothing done) HKEY_USERS\S-1-5-21-3341656437-3043363843-2328747555-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count Windows Explorer: [SBI $B7EBA926] Last visited history (5 files) (Registry key, nothing done) HKEY_USERS\S-1-5-21-3341656437-3043363843-2328747555-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done) HKEY_USERS\S-1-5-21-3341656437-3043363843-2328747555-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs Cookie: Cookie (3) (Cookie, nothing done) Cache: Cache (78) (Cache, nothing done) History: History (20) (History, nothing done) Cookie: Cookie (18) (Cookie, nothing done) --- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) --- 2008-01-28 blindman.exe (1.0.0.7) 2008-01-28 SDDelFile.exe (1.0.2.4) 2008-01-28 SDMain.exe (1.0.0.5) 2007-10-07 SDShred.exe (1.0.1.2) 2008-01-28 SDUpdate.exe (1.0.8.8) 2008-01-28 SDWinSec.exe (1.0.0.11) 2008-01-28 SpybotSD.exe (1.5.2.20) 2008-01-28 TeaTimer.exe (1.5.2.16) 2004-04-27 unins000.exe (51.13.0.0) 2008-02-29 unins001.exe (51.49.0.0) 2008-01-28 Update.exe (1.4.0.6) 2008-01-28 advcheck.dll (1.5.4.5) 2007-04-02 aports.dll (2.1.0.0) 2004-05-12 borlndmm.dll (7.0.4.453) 2004-05-12 delphimm.dll (7.0.4.453) 2007-11-17 DelZip179.dll (1.79.7.4) 2008-01-28 SDFiles.dll (1.5.1.19) 2008-01-28 SDHelper.dll (1.5.0.11) 2006-02-20 Tools.dll (2.0.0.2) 2004-05-12 UnzDll.dll (1.73.1.1) 2004-05-12 ZipDll.dll (1.73.2.0) 2008-04-16 Includes\Adware.sbi () 2008-05-07 Includes\AdwareC.sbi () 2008-05-07 Includes\Cookies.sbi () 2007-12-26 Includes\Dialer.sbi () 2008-05-07 Includes\DialerC.sbi () 2008-05-07 Includes\HeavyDuty.sbi () 2008-04-30 Includes\Hijackers.sbi () 2008-05-07 Includes\HijackersC.sbi () 2008-04-30 Includes\Keyloggers.sbi () 2008-05-07 Includes\KeyloggersC.sbi () 2004-11-29 Includes\LSP.sbi () 2008-04-22 Includes\Malware.sbi () here is the results report 2008-05-07 Includes\MalwareC.sbi () 2008-03-26 Includes\PUPS.sbi () 2008-05-07 Includes\PUPSC.sbi () 2008-05-07 Includes\Revision.sbi () 2008-01-09 Includes\Security.sbi () 2008-05-07 Includes\SecurityC.sbi () 2008-04-16 Includes\Spybots.sbi () 2008-05-07 Includes\SpybotsC.sbi () 2008-04-16 Includes\Spyware.sbi () 2008-05-07 Includes\SpywareC.sbi () 2007-11-06 Includes\Tracks.uti () 2008-04-30 Includes\Trojans.sbi () 2008-05-07 Includes\TrojansC.sbi (*) 2008-03-04 Plugins\Chai.dll 2008-03-05 Plugins\Fennel.dll 2008-02-26 Plugins\Mate.dll 2007-06-06 Plugins\TCPIPAddress.dll

Buckeye_Sam View Member Profile	May 15 2008, 07:39 AM Post #12
Malware Expert Group: HJT Team Posts: 15,582 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	That's a little more info than I really needed, but I do see the problem. Please download the OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): CODE C:\WINDOWS\system32\KDVSN.EXE HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\\System Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste. Click the red Moveit! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. Close OTMoveIt2 If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. Also post a new log from DSS. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

BillBailey View Member Profile	May 15 2008, 09:55 PM Post #13
New Member Group: Members Posts: 14 Joined: 13-May 08 Member No.: 208,737	I was prompted to reboot and this is what the log read... File move failed. C:\WINDOWS\system32\KDVSN.EXE scheduled to be moved on reboot. < HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\\System > Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\\System deleted successfully. OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05142008_224841 Files moved on Reboot... File move failed. C:\WINDOWS\system32\KDVSN.EXE scheduled to be moved on reboot.

Buckeye_Sam View Member Profile	May 16 2008, 08:31 AM Post #15
Malware Expert Group: HJT Team Posts: 15,582 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	Please download ComboFix and save it to your desktop. Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet. Double click combofix.exe and follow the prompts. When it's done running it will produce a log for you. Please post that log in your next reply. Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Switch to: Standard · Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 21st November 2009 - 03:10 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides