[Resolved] Thinkpad A31p w spontaneous browser windows
Monique6ft
post Aug 11 2008, 09:34 AM
Post #1

New Member
Group: New Member
Posts: 10
Joined: 29-July 06
From: Atlanta, GA
Member No.: 59,146
Operating System: Windows XP

My browser started going crazy a few days ago when I accidentally clicked on something I shouldn't have. Numerous windows open by themselves and they're all advertisements. Closing some or all of them doesn't help, and after awhile my taskbar disappears and the laptop freezes. Websites that I go to on purpose no longer work right. I attempted to bring my windows updates current as per your instructions but failed. Below is my log.


Monique



Logfile of HijackThis v1.99.1
Scan saved at 10:59:35, on 8/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SUJNIFVTRVI\command.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
C:\Program Files\BellSouthWCC\McciTrayApp.exe
C:\Program Files\CyberLink\PowerDVD SE\PDVDServ.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Motive\BellSouthBrowser.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skra\Skra.exe
C:\Documents and Settings\Monique\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Monique\Application Data\Microsoft\Windows\spcukk.exe
C:\DOCUME~1\Monique\MYDOCU~1\SMBOLS~1\spoolsv.exe
C:\WINDOWS\system32\?asks\r?ndll32.exe
C:\PROGRA~1\COMMON~1\ozmz\ozmzm.exe
C:\Program Files\GetPack\GetPack20.exe
C:\Program Files\MSOffice2000\Office\1033\OLFSNT40.EXE
C:\Program Files\MSWorks45a\Calendar\WKCALREM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\ozmz\ozmza.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\BellSouthBrowser.exe" /hidden
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD SE\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime750\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5375FB0FB68AD6
O4 - HKLM\..\Run: [34401059] rundll32.exe "C:\WINDOWS\system32\wathqybw.dll",b
O4 - HKLM\..\Run: [{fc08d908-5d2e-ce30-adbd-b010252acf8e}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\azxhorvziqwb.dll" DllStart
O4 - HKLM\..\Run: [BM377323c5] Rundll32.exe "C:\WINDOWS\system32\miplslib.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skra] C:\Program Files\Skra\Skra.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Monique\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Monique\Application Data\Microsoft\Windows\spcukk.exe
O4 - HKCU\..\Run: [Uahe] "C:\DOCUME~1\Monique\MYDOCU~1\SMBOLS~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Avdpi] C:\WINDOWS\system32\?asks\r?ndll32.exe
O4 - HKCU\..\Run: [ozmz] C:\PROGRA~1\COMMON~1\ozmz\ozmzm.exe
O4 - HKCU\..\Run: [GetPack20] "C:\Program Files\GetPack\GetPack20.exe"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks45a\Calendar\WKCALREM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\MSOffice2000\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\MSOffice2000\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.att.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210984409787
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1210990980218
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://pbells.broadjump.com/wizlet/iw60/st...flowActiveX.CAB
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SUJNIFVTRVI\command.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: McciCMService - Unknown owner - C:\Program Files\Common Files\Motive\McciCMService.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe




ken545
post Aug 15 2008, 04:41 PM
Post #2

SuperHelper
Group: Malware Expert
Posts: 7,037
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1

Hello Monique6ft

Welcome to the Whatthetech Malware Removal Forum. Sorry about the delay, but the number of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.

You're infected with the SDBot Worm.


This tool needs to be run from Safemode to be effective, so download it to your desktop, then boot to Safemode to run it.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, tap the F8 key somewhat rapidly;
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard

Tutorial if you need it: How to boot into Safemode


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Monique6ft
post Aug 15 2008, 11:24 PM
Post #3

OK, a few strange things happened. I'm posting here on a 2nd computer because the infected one won't load the forum pages. So I downloaded SDFix to this 2nd computer then transferred it to the infected computer, then attempted to install it but got this error:

"CRC failed in SDFix\apps\ERUNT.EXE
Unexpected end of archive"

So I downloaded it again, this time straight to the infected machine, and it installed and ran as per your instructions. Upon the last bootup I immediately got a Windows error box titled RUNDLL that had an OK button and the red X-button. It said this:

"Error loading C:\WINDOWS\system32\azxhorvziqwb.dll
The specified module could not be found."

I clicked on OK, then got another error box right away. This one was titled Internet Explorer and had buttons for yes, no and the red X. It said this:

"Do you want to allow software such as ActiveX controls and plug-ins to run?"

I clicked the red X but that box re-appeared over and over again. Closing it with ALT-F4 several times makes it disappear for a few minutes but then it pops up again over and over. The laptop went back to opening advertising come-on sites on its own. Below are the logs.

Btw, may I ask which lines in the original log told you I had this worm? Just curious...


Monique

P.S. How do I insert bitmaps into a post? I took screenshots of the error msgs and pasted them into Paint to be saved as bmp files. Trying to copy and paste from Paint into this post failed.



************************************



SDFix: Version 1.216
Run by Monique on Fri 08/15/2008 at 00:06

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
cmdService
Network Monitor

Path :
C:\WINDOWS\SUJNIFVTRVI\command.exe
C:\Program Files\Network Monitor\netmon.exe service

cmdService - Deleted
Network Monitor - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\mlJCUKeE.dll - Deleted
C:\WINDOWS\system32\azxhorvziqwb.dll - Deleted
C:\WINDOWS\SUJNIFVTRVI\asappsrv.dll - Deleted
C:\WINDOWS\SUJNIFVTRVI\command.exe - Deleted
C:\WINDOWS\SUJNIFVTRVI\moLhKIpnlpK.vbs - Deleted
C:\Documents and Settings\Monique\Application Data\SpeedRunner\config.cfg - Deleted
C:\Documents and Settings\Monique\Application Data\SpeedRunner\SRUninstall.exe - Deleted
C:\Documents and Settings\Monique\Application Data\SpeedRunner\SpeedRunner.exe - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Program Files\BChanger\data.dat - Deleted
C:\Program Files\BChanger\bchanger.dll - Deleted
C:\Program Files\BChanger\Uninstall.exe - Deleted
C:\Program Files\GetPack\GetPack20.exe - Deleted
C:\Program Files\GetPack\trgtame.gz - Deleted
C:\Program Files\GetPack\dictame.gz - Deleted
C:\Program Files\iCheck\iCheck.exe - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted
C:\Program Files\Mjcore\Mjcore.dll - Deleted
C:\Program Files\QdrDrive\QdrDrive20.dll - Deleted
C:\Program Files\QdrDrive\qdrloader.exe - Deleted
C:\Program Files\Skra\Skra.exe - Deleted
C:\Program Files\VnrBlock\VnrBlock20.exe - Deleted
C:\Program Files\VnrBlock\xtarga.gz - Deleted
C:\Program Files\Webtools\webtools.dll - Deleted
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe - Deleted
C:\DOCUME~1\Monique\LOCALS~1\Temp\gettpa420.exe - Deleted
C:\DOCUME~1\Monique\LOCALS~1\Temp\tmp8D.tmp - Deleted
C:\WINDOWS\b103.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b116.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b155.exe - Deleted
C:\WINDOWS\b156.exe - Deleted
C:\WINDOWS\b158.exe - Deleted
C:\WINDOWS\b157.exe - Deleted
C:\WINDOWS\mrofinu572.exe - Deleted
C:\WINDOWS\mrofinu_upx.exe - Deleted
C:\Program Files\Network Monitor\netmon.exe - Deleted
C:\DOCUME~1\Monique\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted



Folder C:\Documents and Settings\Monique\Application Data\SpeedRunner - Removed
Folder C:\Program Files\BChanger - Removed
Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Mjcore - Removed
Folder C:\Program Files\Network Monitor - Removed
Folder C:\Program Files\QdrDrive - Removed
Folder C:\Program Files\Skra - Removed
Folder C:\Program Files\VnrBlock - Removed
Folder C:\Program Files\Webtools - Removed
Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 00:13:59
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\Ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\Ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 8 Jun 2000 92,992 ..SH. --- "C:\COMMAND.COM"
Thu 29 May 2008 230,400 ..SHR --- "C:\WINDOWS\system32\?asks\r?ndll32.exe"
Fri 23 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 9 Aug 2008 68,608 ..SHR --- "C:\Documents and Settings\Monique\My Documents\s?mbols\spoolsv.exe"

Finished!



**************************************



Logfile of HijackThis v1.99.1
Scan saved at 00:20:02, on 8/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
C:\Program Files\BellSouthWCC\McciTrayApp.exe
C:\Program Files\CyberLink\PowerDVD SE\PDVDServ.exe
C:\Program Files\Common Files\Motive\BellSouthBrowser.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Monique\MYDOCU~1\SMBOLS~1\spoolsv.exe
C:\WINDOWS\system32\?asks\r?ndll32.exe
C:\PROGRA~1\COMMON~1\ozmz\ozmzm.exe
C:\Program Files\MSOffice2000\Office\1033\OLFSNT40.EXE
C:\Program Files\MSWorks45a\Calendar\WKCALREM.EXE
C:\PROGRA~1\COMMON~1\ozmz\ozmza.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\BellSouthBrowser.exe" /hidden
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD SE\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime750\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [{fc08d908-5d2e-ce30-adbd-b010252acf8e}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\azxhorvziqwb.dll" DllStart
O4 - HKLM\..\Run: [34401059] rundll32.exe "C:\WINDOWS\system32\wejbuekh.dll",b
O4 - HKLM\..\Run: [BM377323c5] Rundll32.exe "C:\WINDOWS\system32\gxquviph.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uahe] "C:\DOCUME~1\Monique\MYDOCU~1\SMBOLS~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Avdpi] C:\WINDOWS\system32\?asks\r?ndll32.exe
O4 - HKCU\..\Run: [ozmz] C:\PROGRA~1\COMMON~1\ozmz\ozmzm.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks45a\Calendar\WKCALREM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\MSOffice2000\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\MSOffice2000\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.att.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210984409787
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1210990980218
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://pbells.broadjump.com/wizlet/iw60/st...flowActiveX.CAB
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O20 - AppInit_DLLs: rndmxf.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: McciCMService - Unknown owner - C:\Program Files\Common Files\Motive\McciCMService.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


ken545
post Aug 16 2008, 07:11 AM
Post #4

Good Morning Monique,

You have a few issues going on and sometimes removing this garbage does not go smoothly, but you're doing fine.

SDBot worm, these mainly:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SUJNIFVTRVI\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


You're still infected with some other garbage including the Vundo Trojan, so we are not done yet.

This will also fix that error you're getting.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

O4 - HKLM\..\Run: [{fc08d908-5d2e-ce30-adbd-b010252acf8e}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\azxhorvziqwb.dll" DllStart
O4 - HKLM\..\Run: [34401059] rundll32.exe "C:\WINDOWS\system32\wejbuekh.dll",b
O4 - HKLM\..\Run: [BM377323c5] Rundll32.exe "C:\WINDOWS\system32\gxquviph.dll",s
O4 - HKCU\..\Run: [Avdpi] C:\WINDOWS\system32\?asks\r?ndll32.exe
O4 - HKCU\..\Run: [ozmz] C:\PROGRA~1\COMMON~1\ozmz\ozmzm.exe

O20 - AppInit_DLLs: rndmxf.dll





Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.






Monique6ft
post Aug 16 2008, 05:05 PM
Post #5

Hmm, for the 2nd and 3rd entries my scan results do not match yours. The filenames at the end are different, like so:

O4-HKLM\...\Run: [34401059] rundll32.exe "C:\Windows\system32\gxmrjjcj.dll",b
O4-HKLM\...\Run: [BM377323c5] Rundll32.exe "C:\Windows\system32\sutkjdxo.dll",s

Also my scan doesn't show an O20 entry -- it goes from O16 to O21

So do I still check off my version of those lines? I'm going to hold off until I hear from you just to be safe.


Monique
ken545
post Aug 16 2008, 08:00 PM
Post #6

These infections have a way of changing file names, so remove what I posted including these; if the ones I posted are no longer there then don't worry about it, but do run Malwarebytes and post the log along with a new HJT log.
O4-HKLM\...\Run: [34401059] rundll32.exe "C:\Windows\system32\gxmrjjcj.dll",b
O4-HKLM\...\Run: [BM377323c5] Rundll32.exe "C:\Windows\system32\sutkjdxo.dll",s
<---Remove these also
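The two kinds of lines ken545 picked out by eye (O23 services with an unknown owner, and rundll32 Run entries whose DLL names changed between the 8/10 and 8/15 scans) can be checked mechanically. This is an added example, not a tool from the thread or from the HijackThis project; it assumes the v1.99.1 line format shown in the logs above, and every sample line is copied from those logs.

```python
"""Mechanical version of the checks ken545 applied by eye to these HijackThis
v1.99.1 logs: O23 services with an unknown owner, O4 Run entries that launch
rundll32 on a DLL or run a system-named binary from a user folder, a path the
log rendered with '?' (characters it could not print, mimicking a system path),
any O20 AppInit_DLLs entry, and a diff of two scans to show Run keys whose DLL
was renamed in between. Added example; sample lines are copied from the thread."""
import ntpath
import re

# Subset of the 8/10/2008 log from the first post (copied, not constructed).
LOG_AUG10 = r"""
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [34401059] rundll32.exe "C:\WINDOWS\system32\wathqybw.dll",b
O4 - HKLM\..\Run: [{fc08d908-5d2e-ce30-adbd-b010252acf8e}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\azxhorvziqwb.dll" DllStart
O4 - HKLM\..\Run: [BM377323c5] Rundll32.exe "C:\WINDOWS\system32\miplslib.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uahe] "C:\DOCUME~1\Monique\MYDOCU~1\SMBOLS~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Avdpi] C:\WINDOWS\system32\?asks\r?ndll32.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SUJNIFVTRVI\command.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
"""

# Subset of the 8/15/2008 log from the third post, taken after SDFix ran.
LOG_AUG15 = r"""
O4 - HKLM\..\Run: [34401059] rundll32.exe "C:\WINDOWS\system32\wejbuekh.dll",b
O4 - HKLM\..\Run: [BM377323c5] Rundll32.exe "C:\WINDOWS\system32\gxquviph.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: rndmxf.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

RUN_RE = re.compile(r"^O4\s*-\s*(HKLM|HKCU)\\\.{2,3}\\Run:\s*\[([^\]]+)\]\s*(.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"]+?\.dll)"?', re.IGNORECASE)
EXE_RE = re.compile(r'^"?(.*?\.exe)"?', re.IGNORECASE)
# Windows binary names that the malware in this thread borrowed for its own files.
SYSTEM_NAMES = {"spoolsv.exe", "rundll32.exe", "svchost.exe"}


def parse(text):
    """Return the O4, O20 and O23 entries of a HijackThis log as dicts."""
    entries = []
    for raw in (line.strip() for line in text.splitlines()):
        m = RUN_RE.match(raw)
        if m:
            entries.append({"section": "O4", "hive": m.group(1), "key": m.group(2),
                            "command": m.group(3), "raw": raw})
        elif raw.startswith("O20 - AppInit_DLLs:"):
            entries.append({"section": "O20", "dlls": raw.split(":", 1)[1].strip(), "raw": raw})
        elif raw.startswith("O23 - Service:"):
            # "O23 - Service: <name> - <owner> - <path>": the owner may contain commas
            # ("..., Inc.") but never " - ", so split from the right.
            head, owner, path = raw.rsplit(" - ", 2)
            entries.append({"section": "O23", "name": head.split(": ", 1)[1],
                            "owner": owner, "path": path, "raw": raw})
    return entries


def triage(entries):
    """Pair each suspicious entry with the reason it was flagged."""
    findings = []
    for e in entries:
        if e["section"] == "O23":
            if e["owner"].lower() == "unknown owner":
                findings.append((e["raw"], "service with no publisher: " + e["path"]))
        elif e["section"] == "O20":
            findings.append((e["raw"], "AppInit_DLLs entry is loaded into every GUI process: " + e["dlls"]))
        elif e["section"] == "O4":
            m = RUNDLL_RE.search(e["command"])
            if m:  # the Vundo pattern in this thread: rundll32 starting a DLL from system32
                findings.append((e["raw"], "rundll32 Run entry loads " + ntpath.basename(m.group(1))))
                continue
            m = EXE_RE.match(e["command"])
            exe = m.group(1) if m else e["command"]
            name = ntpath.basename(exe).lower()
            if "?" in exe:
                findings.append((e["raw"], "path has characters the log could not print (system-path lookalike)"))
            elif name in SYSTEM_NAMES and not exe.lower().startswith(r"c:\windows"):
                findings.append((e["raw"], f"{name} running from outside the Windows folder"))
    return findings


def renamed_run_entries(old_log, new_log):
    """Run keys present in both scans whose rundll32 DLL changed in between."""
    def dll_by_key(text):
        out = {}
        for e in parse(text):
            if e["section"] == "O4":
                m = RUNDLL_RE.search(e["command"])
                if m:
                    out[(e["hive"], e["key"])] = ntpath.basename(m.group(1)).lower()
        return out
    before, after = dll_by_key(old_log), dll_by_key(new_log)
    return sorted((key, before[hive, key], after[hive, key])
                  for hive, key in before.keys() & after.keys()
                  if before[hive, key] != after[hive, key])


if __name__ == "__main__":
    for raw, why in triage(parse(LOG_AUG10)):
        print(f"{why}\n    {raw}")
    for key, old, new in renamed_run_entries(LOG_AUG10, LOG_AUG15):
        print(f"Run key [{key}]: {old} became {new} between the two scans")
```

Run against the full logs, the diff step is what turns "the names keep changing" into a short list of Run keys to fix regardless of which DLL name they currently carry.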
Monique6ft
post Aug 17 2008, 12:13 PM
Post #7

Thanks for the clarification. Below are the new logs. The date on the mbam log is wrong -- it was taken on 8/17.

I'm still getting the same behavior on the computer, although it seems a little less frantic now.


Monique



************************************



Malwarebytes' Anti-Malware 1.24
Database version: 1061
Windows 5.1.2600 Service Pack 3

1:42:47 PM 8/16/2008
mbam-log-8-16-2008 (13-42-47).txt

Scan type: Quick Scan
Objects scanned: 48707
Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 6
Registry Keys Infected: 27
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 42

Memory Processes Infected:
C:\Documents and Settings\Monique\My Documents\s?mbols\spoolsv.exe (Adware.ClickSpring) -> Unloaded process successfully.
C:\Program Files\Common Files\ozmz\ozmza.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\urqRIxvW.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gxmrjjcj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fhqcismt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\oyxhjjvr.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Common Files\ozmz\ozmzd\ozmzc.dll (Adware.TargetServer) -> Delete on reboot.
C:\WINDOWS\system32\aagpmj.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30fd3f64-bea6-42a5-bff3-4d3e7bd20186} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{30fd3f64-bea6-42a5-bff3-4d3e7bd20186} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98a68d4f-5932-41ea-9565-8b0e336b01bf} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{98a68d4f-5932-41ea-9565-8b0e336b01bf} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fa35ef4b-27dd-2d05-ff38-0ca2ed981ac5} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fa35ef4b-27dd-2d05-ff38-0ca2ed981ac5} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bannerstyle (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webtools (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA (Adware.TargetSaver) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\34401059 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm377323c5 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqrixvw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqrixvw -> Delete on reboot.

Folders Infected:
C:\Program Files\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components (Adware.Outerinfo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\urqRIxvW.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\WvxIRqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WvxIRqru.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aagpmj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wmaamyou.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uoymaamw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxmrjjcj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jcjjrmxg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fhqcismt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tmsicqhf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oyxhjjvr.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Monique\My Documents\s?mbols\spoolsv.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\ozmz\ozmza.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\ozmz\ozmzd\ozmzc.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rpmfm.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlmxxgia.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cagojw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jvpmjhyj.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tsuninst.exe (Spyware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xdemelds.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ganncltfsrclgf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fjslpeyq.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tliqfhpe.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lhyfjryg.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ttlpdjhh.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Monique\Local Settings\Temporary Internet Files\Content.IE5\EW5MAXHZ\kb65666[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Monique\Local Settings\Temporary Internet Files\Content.IE5\EW5MAXHZ\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Monique\Local Settings\Temporary Internet Files\Content.IE5\EW5MAXHZ\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Monique\Application Data\Microsoft\Windows\spcukk.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\install.rdf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\chrome.manifest (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\FF.dll (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lcdocqeh.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnnmKeC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRJDtSj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqQghfE.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM377323c5.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM377323c5.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

*****************************************************

Logfile of HijackThis v1.99.1
Scan saved at 13:53:34, on 8/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
C:\Program Files\BellSouthWCC\McciTrayApp.exe
C:\Program Files\CyberLink\PowerDVD SE\PDVDServ.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Motive\BellSouthBrowser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Monique\MYDOCU~1\SMBOLS~1\spoolsv.exe
C:\Program Files\MSOffice2000\Office\1033\OLFSNT40.EXE
C:\Program Files\MSWorks45a\Calendar\WKCALREM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Monique\Application Data\??mantec\w?nspool.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\BellSouthBrowser.exe" /hidden
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD SE\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime750\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BM377323c5] Rundll32.exe "C:\WINDOWS\system32\dhgmylej.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uahe] "C:\DOCUME~1\Monique\MYDOCU~1\SMBOLS~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Dqefb] "C:\Documents and Settings\Monique\Application Data\??mantec\w?nspool.exe"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks45a\Calendar\WKCALREM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\MSOffice2000\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\MSOffice2000\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.att.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210984409787
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1210990980218
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://pbells.broadjump.com/wizlet/iw60/st...flowActiveX.CAB
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: McciCMService - Unknown owner - C:\Program Files\Common Files\Motive\McciCMService.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

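As an added example, not code from this thread or from HijackThis, Malwarebytes or any other tool named in it: a small Python triage script that parses the O4 autostart lines from the log above and flags the three indicators the bad entries in this particular log show (unprintable characters in a path, a system process name running from a user folder, and rundll32 loading a random-named DLL). The sample lines are copied from the log; the indicator rules and the SYSTEM_NAMES list are my own assumptions, not HijackThis's logic.

```python
import re
import ntpath  # handles Windows paths on any OS

SAMPLE_O4 = [  # constructed sample: O4 (autostart) lines copied from the HijackThis log posted above
    'O4 - HKLM\\..\\Run: [RemoteControl] "C:\\Program Files\\CyberLink\\PowerDVD SE\\PDVDServ.exe"',
    'O4 - HKLM\\..\\Run: [BM377323c5] Rundll32.exe "C:\\WINDOWS\\system32\\dhgmylej.dll",s',
    'O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe',
    'O4 - HKCU\\..\\Run: [Uahe] "C:\\DOCUME~1\\Monique\\MYDOCU~1\\SMBOLS~1\\spoolsv.exe" -vt yazb',
    'O4 - HKCU\\..\\Run: [Dqefb] "C:\\Documents and Settings\\Monique\\Application Data\\??mantec\\w?nspool.exe"',
]

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Assumed list of core Windows process names that legitimately run only from %SystemRoot%\system32.
SYSTEM_NAMES = {"spoolsv.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe"}


def parse_o4(line):
    """Split one O4 Run line into hive, value name, full command and image path (None if not O4)."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return {"hive": m.group("hive"), "name": m.group("name"), "cmd": cmd, "path": path}


def suspicious_reasons(entry):
    """Indicators shown by the bad entries in this log; an empty list means nothing was flagged."""
    reasons = []
    cmd, path = entry["cmd"], entry["path"]
    base, folder = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
    # A '?' in a HijackThis path is a character the log could not print, typically a lookalike folder name.
    if "?" in path:
        reasons.append("unprintable characters in path")
    # A core system process name outside \WINDOWS\system32 is a masquerading copy.
    if base in SYSTEM_NAMES and not folder.endswith("\\system32"):
        reasons.append("system process name outside system32")
    # rundll32 loading an 8-letter random-looking DLL, the pattern of the Vundo entries in this log.
    dll = re.search(r'"([^"]+\.dll)"', cmd, re.I)
    if base.startswith("rundll32") and dll and re.fullmatch(r"[a-z]{8}", ntpath.basename(dll.group(1)).lower()[:-4]):
        reasons.append("rundll32 loading random-named DLL")
    return reasons


def triage(lines):
    """Map the value name of each flagged O4 line to its reasons; clean lines are omitted."""
    out = {}
    for line in lines:
        entry = parse_o4(line)
        if entry and (reasons := suspicious_reasons(entry)):
            out[entry["name"]] = reasons
    return out
```

Running `triage(SAMPLE_O4)` flags exactly the three entries ken545 later has removed (BM377323c5, Uahe and Dqefb) and leaves the CyberLink and ctfmon entries alone.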
ken545
post Aug 17 2008, 12:52 PM
Post #8

SuperHelper

Group: Malware Expert
Posts: 7,037
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1

Hello Monique,

Keep in mind, like I posted earlier, you have had some major infections on this system and most need some work to get your system back to normal. Before we proceed any further I would like you to drag HijackThis to the trash, as it's outdated, and download and install the latest version by Trend Micro.

Download Trend Micro's HijackThis to your desktop.
  • Double click it to install
  • Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe

Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, and it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

Download ComboFix from Here or Here to your Desktop.

In the event you already have ComboFix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards, before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

3. Now double click on ComboFix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.

  • Open HJT, Scan and Save a Log File; it will open in Notepad
  • Go to Format and make sure Word Wrap is unchecked
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply, not Start a New Thread.
Monique6ft
post Aug 18 2008, 07:56 PM
Post #9