Oh Dear!

Running the scans atm... :)

(I'm on my server)

AVG has found a PCclient.gv.. Still scanning

Does this mean anything to anyone? :eek:
 
Damn! It's still here!

equk's idea now I guess!

Here's my Fixwareout report:

Fixwareout Last edited 2/11/2007

Post this report in the forums please

...

»»»»»Prerun check

HKLM\SOFTWARE\~\Winlogon\ "System"="kdsbw.exe"

»»»»» System restarted

»»»»» Postrun check

HKLM\SOFTWARE\~\Winlogon\ "system"=""

....

....

»»»»» Misc files.

....

»»»»» Checking for older varients.

....

Search five digit cs, dm, kd, jb, other, files.

The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

Click browse, find the file then click submit.

http://www.virustotal.com/flash/index_en.html

Or http://virusscan.jotti.org/

»»»»» Other

C:\WINDOWS\Temp\kdsbw.ren 63371 04/08/2004

»»»»» Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»
 
Do you have NOD32? I recommend you get it after this as it's stopped every trojan etc. so far...

Xoftspy is also a nice program along with ZoneAlarm Pro :) keeps the nasties at bay
 
name='Toxteth O'Grady' said:
OK

you can also go delete the "C:\WINDOWS\Temp\kdsbw.ren 63371 04/08/2004" file picked up by Fixwareout.

:cool:

TOG

Okay! :)

Scanning done.. Failed nothing..

Time for a reset?
 
No doubt you will see me posting a similar problem on Friday or Saturday. The local barber has asked me to look at his system, as every time he tries to open an email program it redirects him.

Also his PC has sloooooooowed down loads. Easy route is an option to me as he says it's OK, but I would like to try and rescue it first so standby guys. :rolleyes:
 
Not yet.

There's a chance that the Fixwareout and AVG may have got it. Follow the instructions in equk's post #18 for flushing the DNS cache and resetting your DNS then post a new HJT scan log.

:cool:

TOG
 
name='Toxteth O'Grady' said:
Not yet.

There's a chance that the Fixwareout and AVG may have got it. Follow the instructions in equk's post #18 for flushing the DNS cache and resetting your DNS then post a new HJT scan log.

:cool:

TOG

Right! Flushed! :)

So far it seems to have disappeared! No more redirecting! :worship:

Does this mean it's gone for good?

Thanks to everyone for their awesome help! Plus I have learned some new and interesting programs!
 
Do a restart and if it's gone then it's gone. If OK then do a restore point and FFS stop using IE and get Firefox and run ZoneAlarm.

Well done, another night out of your life on the PC lol :)
 
Here you go Tox -

Logfile of HijackThis v1.99.1

Scan saved at 23:08:43, on 27/02/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AusLogics Disk Defrag\diskdefrag.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Niccums\My Documents\Oblivion_v1.1UKEnglish.exe

C:\Documents and Settings\Niccums\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Repped you all BTW, apart from Tox, because I repped you yesterday and it won't let me do it again. :) Oh and kempez, because you're an admin! ;)
 