HJT Scan result Posted, Sister Still hasn't learned...

  1. #1
    stogie5150 (Junior Member)

    HJT Scan result Posted, Sister Still hasn't learned...

    I'm back...

    http://www.d-a-l.com/help/showthread.php?t=9258

    Was my old problem...after four years she's fouled up the computer again. I have it here next to me. I've run AVG Anti-Spyware, Ad-Aware 2007, Spybot (latest), etc. I've had her run ZoneAlarm Pro, but my clueless nephew cannot resist letting everything by that ZoneAlarm asks permission for, which leaves the machine essentially unprotected.

    I found over 200 malware hits the first time I ran Ad-Aware. All of them are gone, but I am more than sure more exist because ZoneAlarm is asking me for these programs' access to the internet and I do NOT know the programs it is asking for; plus I have Googled some of the filenames and they show up as malware. So I need help, please.

    Here is the HJT scan.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:19:48 AM, on 10/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4522BF4C-91AA-2AC7-F6C3-02F9FA534F67} - C:\Program Files\Ehmrwynl\kgxhijeh.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: HelloWorldBHO - {B3A05538-8F91-49C1-8EE3-6EB142B41E2A} - C:\Program Files\Microsoft Help\Microsoft.System.Help.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [trdmens] C:\WINDOWS\system32\plstsme.exe
    O4 - HKLM\..\Run: [shdned] C:\WINDOWS\system32\bcdheeld.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ohclgpsb] rundll32.exe "C:\Program Files\ohclgpsb\upahodkx.dll",Init
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ngravmzw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ngravmzw.dll"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [mvudpter] C:\WINDOWS\system32\xmlcjfgi.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [lmnvizca] C:\Program Files\Mpxfekey\lmnvizca.exe
    O4 - HKLM\..\Run: [hursdken] C:\WINDOWS\system32\dopesl.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [gerwics] C:\WINDOWS\system32\bvfrs32.exe
    O4 - HKLM\..\Run: [berdests] C:\WINDOWS\system32\vcldmeas.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [cvddchkd] KB62658336.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [shdned] C:\WINDOWS\system32\bcdheeld.exe
    O4 - HKCU\..\Run: [trdmens] C:\WINDOWS\system32\plstsme.exe
    O4 - HKCU\..\Run: [mvudpter] C:\WINDOWS\system32\xmlcjfgi.exe
    O4 - HKCU\..\Run: [gerwics] C:\WINDOWS\system32\bvfrs32.exe
    O4 - HKCU\..\Run: [berdests] C:\WINDOWS\system32\vcldmeas.exe
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [shdned] C:\WINDOWS\system32\bcdheeld.exe (User '?')
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [trdmens] C:\WINDOWS\system32\plstsme.exe (User '?')
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [mvudpter] C:\WINDOWS\system32\xmlcjfgi.exe (User '?')
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [gerwics] C:\WINDOWS\system32\bvfrs32.exe (User '?')
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [berdests] C:\WINDOWS\system32\vcldmeas.exe (User '?')
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190643679187
    O16 - DPF: {BE1BDC4F-2AAC-494E-88B1-86B2EE4F2D6D} (CopySafe3 Control) - http://download.copysafe.net/Plugin/...d/Copysafe.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{977CF7DC-9631-4BE3-96A9-AAE012439A7F}: NameServer = 85.255.113.146,85.255.112.111
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E21186FB-0A55-4F28-8F85-DA3495BE24BD}: NameServer = 85.255.113.146,85.255.112.111
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.111
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O20 - AppInit_DLLs: SYSTRAY.dll
    O21 - SSODL: qIsHwVj - {88DDFC9D-2277-5637-CB10-72CA8E050120} - C:\WINDOWS\system32\magbdv.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    --
    End of file - 7151 bytes
    Last edited by stogie5150; 14-10-2007 at 04:46 PM.

  2. #2
    VopThis (Senior Member, Canada)
    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe


    Save it to your desktop and run it (preferably in NORMAL mode). Click Next, then Install, make sure ’Run fixit’ is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal.

    Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.


    POSSIBLE ERROR MSG:
    C:\WINDOWS\system32\AUTOEXEC.NT not there

    You are missing a file which is preventing you from running the wareoutfix tool.

    Go to the link below and select your operating system and click the link on that site and follow instructions for obtaining the missing file and try the wareoutfix tool again please.

    fixautont.html: http://www.tech-forums.net/computer/topic/29806.html

  3. #3
    stogie5150 (Junior Member)
    Damn sorry it took me so long to get back to ya, I'll do this ASAP. I have THREE PC's running side by side, so I always have internet access. So that should be a snap to do. THANKS!

    Keith

  4. #4
    stogie5150 (Junior Member)
    No problems running the fix...here are the logs...

    Username "Lori" - 10/18/2007 11:51:39 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{977CF7DC-9631-4BE3-96A9-AAE012439A7F}
    "nameserver"="85.255.113.146,85.255.112.111" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E21186FB-0A55-4F28-8F85-DA3495BE24BD}
    "nameserver"="85.255.113.146,85.255.112.111" <Value cleared.

    Successfully flushed the DNS Resolver Cache.
    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"="kdxar.exe"
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
    "trdmens"="C:\\WINDOWS\\system32\\plstsme.exe"
    "shdned"="C:\\WINDOWS\\system32\\bcdheeld.exe"
    "Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "ohclgpsb"="rundll32.exe \"C:\\Program Files\\ohclgpsb\\upahodkx.dll\",Init"
    "nwiz"="nwiz.exe /install"
    "ngravmzw"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\ngravmzw.dll\""
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "mvudpter"="C:\\WINDOWS\\system32\\xmlcjfgi.exe"
    "Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
    "lmnvizca"="C:\\Program Files\\Mpxfekey\\lmnvizca.exe"
    "hursdken"="C:\\WINDOWS\\system32\\dopesl.exe"
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
    "gerwics"="C:\\WINDOWS\\system32\\bvfrs32.exe"
    "berdests"="C:\\WINDOWS\\system32\\vcldmeas.exe"
    "BCMSMMSG"="BCMSMMSG.exe"
    "AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
    "AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
    "mnicsev"="secvvzkw.exe"
    "svchost"="C:\\WINDOWS\\svchost.exe"
    "xswdmse"="dllcajfo.exe"
    "csrss"="C:\\WINDOWS\\system32\\wbem\\csrss.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "shdned"="C:\\WINDOWS\\system32\\bcdheeld.exe"
    "trdmens"="C:\\WINDOWS\\system32\\plstsme.exe"
    "mvudpter"="C:\\WINDOWS\\system32\\xmlcjfgi.exe"
    "gerwics"="C:\\WINDOWS\\system32\\bvfrs32.exe"
    "berdests"="C:\\WINDOWS\\system32\\vcldmeas.exe"
    "hursdken"="C:\\WINDOWS\\system32\\dopesl.exe"
    "mnicsev"="secvvzkw.exe"
    "xswdmse"="dllcajfo.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~



    -----Inline Attachment Follows-----

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:58:16 AM, on 10/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\plstsme.exe
    C:\WINDOWS\system32\bcdheeld.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\xmlcjfgi.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Mpxfekey\lmnvizca.exe
    C:\WINDOWS\system32\dopesl.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\bvfrs32.exe
    C:\WINDOWS\system32\vcldmeas.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wbem\csrss.exe
    C:\WINDOWS\system32\dllcajfo.exe
    C:\Sierra\Planner\PLNRnote.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4522BF4C-91AA-2AC7-F6C3-02F9FA534F67} - C:\Program Files\Ehmrwynl\kgxhijeh.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: HelloWorldBHO - {B3A05538-8F91-49C1-8EE3-6EB142B41E2A} - C:\Program Files\Microsoft Help\Microsoft.System.Help.dll (file missing)
    O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E2E0DEF51BCA} - C:\WINDOWS\system32\pgd.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [trdmens] C:\WINDOWS\system32\plstsme.exe
    O4 - HKLM\..\Run: [shdned] C:\WINDOWS\system32\bcdheeld.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ohclgpsb] rundll32.exe "C:\Program Files\ohclgpsb\upahodkx.dll",Init
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ngravmzw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ngravmzw.dll"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [mvudpter] C:\WINDOWS\system32\xmlcjfgi.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [lmnvizca] C:\Program Files\Mpxfekey\lmnvizca.exe
    O4 - HKLM\..\Run: [hursdken] C:\WINDOWS\system32\dopesl.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [gerwics] C:\WINDOWS\system32\bvfrs32.exe
    O4 - HKLM\..\Run: [berdests] C:\WINDOWS\system32\vcldmeas.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [xswdmse] dllcajfo.exe
    O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
    O4 - HKCU\..\Run: [shdned] C:\WINDOWS\system32\bcdheeld.exe
    O4 - HKCU\..\Run: [trdmens] C:\WINDOWS\system32\plstsme.exe
    O4 - HKCU\..\Run: [mvudpter] C:\WINDOWS\system32\xmlcjfgi.exe
    O4 - HKCU\..\Run: [gerwics] C:\WINDOWS\system32\bvfrs32.exe
    O4 - HKCU\..\Run: [berdests] C:\WINDOWS\system32\vcldmeas.exe
    O4 - HKCU\..\Run: [hursdken] C:\WINDOWS\system32\dopesl.exe
    O4 - HKCU\..\Run: [xswdmse] dllcajfo.exe
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [shdned] C:\WINDOWS\system32\bcdheeld.exe (User '?')
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [trdmens] C:\WINDOWS\system32\plstsme.exe (User '?')
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [mvudpter] C:\WINDOWS\system32\xmlcjfgi.exe (User '?')
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [gerwics] C:\WINDOWS\system32\bvfrs32.exe (User '?')
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [berdests] C:\WINDOWS\system32\vcldmeas.exe (User '?')
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [hursdken] C:\WINDOWS\system32\dopesl.exe (User '?')
    O4 - HKUS\S-1-5-21-3549093167-4165085895-2220386658-1006\..\Run: [xswdmse] dllcajfo.exe (User '?')
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190643679187
    O16 - DPF: {BE1BDC4F-2AAC-494E-88B1-86B2EE4F2D6D} (CopySafe3 Control) - http://download.copysafe.net/Plugin/...d/Copysafe.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.111
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O20 - AppInit_DLLs: SYSTRAY.dll
    O21 - SSODL: qIsHwVj - {88DDFC9D-2277-5637-CB10-72CA8E050120} - C:\WINDOWS\system32\magbdv.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

    --
    End of file - 8430 bytes



    I have noticed now a browser hijacker is redirecting me whenever I try to go to most any website...took me 10 minutes to D/L the Fixwareout software...Thanks again for the help.

  5. #5
    VopThis (Senior Member, Canada)
    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.111

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.
    PLEASE CONSIDER THE FOLLOWING ISSUES CAREFULLY: Your system has likely been compromised to a point where even cleaning it does not promise you a trustworthy machine. There is a lot of serious concern about the SDBOT infection family which your PC has presently encountered and its known updateable/installable capabilities whether currently in use or not - SEE:
    (20K hits for inclusive search terms SDBOT, banking, password, and keylogger).


    If you do online banking or have passwords that would be a serious concern in the hands of others (identity theft or compromise of confidential information), then more serious action is likely advisable and potentially warranted (contacting and alerting bank(s), backup user files, do a clean re-install, and change all user passwords while off-line). More often than not they want your PC as a compromised zombie (a botnet/spambot member to do evil deeds) – but who is to know.

    Nevertheless, initial and further cleaning may still be warranted to give you some renewed degree of control and then time to more fully consider your options. Let us know how you wish to proceed.



    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

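The two signals the helpers acted on in this thread, the O17 NameServer values pointing at resolvers the owner never configured and O4 Run entries whose file names mimic core Windows processes or carry no directory at all, can be checked mechanically. The script below is an added example, not code from the thread or from any of the tools named in it; it assumes the 208.67.x.x pair already present in the log is the intended resolver set, and its sample lines are constructed from the kinds of entries posted above.

```python
"""Triage helper for HijackThis O4/O17 lines (added example, not from the thread)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumption: the resolvers the machine's owner intends to use (the 208.67.x.x
# pair that already appears in the thread's O17 lines). Anything else is flagged.
TRUSTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# Core Windows processes that should only ever be started from system32.
SYSTEM_DIR = r"c:\windows\system32"
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe"}

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|com|bat|scr))(?:"|\s|$)', re.I)

# Constructed sample: one benign entry plus the suspicious shapes seen in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKLM\..\Run: [xswdmse] dllcajfo.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.111
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
"""


@dataclass
class Finding:
    severity: str   # "high" = act on it, "review" = locate the file first
    reason: str
    line: str


def parse_nameservers(value: str) -> list[str]:
    """HJT prints resolvers comma- or space-separated; the thread shows both forms."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def executable_of(cmd: str) -> str:
    """Best-effort: the first executable token of an O4 command, quotes stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split()[0]


def triage_line(line: str) -> Finding | None:
    line = line.strip()
    if m := O17_RE.match(line):
        rogue = [s for s in parse_nameservers(m["servers"]) if s not in TRUSTED_RESOLVERS]
        if rogue:
            return Finding("high", f"untrusted DNS resolver(s) {', '.join(rogue)} in {m['key']}", line)
        return None
    if not (m := O4_RE.match(line)):
        return None
    exe = executable_of(m["cmd"])
    directory, _, basename = exe.lower().rpartition("\\")
    if basename in SYSTEM_BINARIES and directory != SYSTEM_DIR:
        return Finding("high", f"{basename} started from outside system32: {exe}", line)
    if not directory:
        return Finding("review", f"bare filename '{exe}' is resolved via PATH; locate the file", line)
    return None


def triage(log_text: str) -> list[Finding]:
    """Return findings in log order; lines of other HJT types are ignored."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}")
```

Bare-filename hits such as nwiz.exe or BCMSMMSG.exe in the posted logs are legitimate, which is why that check reports "review" rather than "high".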