Command Service - can't fix



~Shauno~
2006-05-03, 14:52
Hello,

I have been getting loads of pop-ups while surfing, and after running Spybot and AdAware found a bunch of spyware entries. Most of these cleaned up, but I still have 3 Command Service entries appearing, with only one entry able to be fixed. I am aware that these may be false positives. Also, Surf Sidekick 3 seems to make a reappearance occasionally.

Can you please check my log for any more bugs, thanks.


Logfile of HijackThis v1.99.1
Scan saved at 9:06:50 PM, on 3/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\DeltTray.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\System32\ctfmon.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aandr.com.au/web
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aandr.com.au/web
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aandr.com.au/web
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://aandr.com.au/web
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139394307984
O20 - AppInit_DLLs: repairs303169578.dll
O20 - Winlogon Notify: Internet Settings - D:\WINDOWS\system32\g6lmlg3116.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - D:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

CalamityJane
2006-05-06, 15:13
Hi ~Shauno~

You've got a mixed bag of problems there. Let's take it one step at a time.

First step

Please download Look2Me-Destroyer.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=7

* Close all windows before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
* When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
* Your computer will then shutdown.
* Turn your computer back on.
* Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

~Shauno~
2006-05-09, 10:37
Hi Calamity and thanks for the reply.
I have scanned with L2M Destroyer and removed L2M. Here's the log...

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 9/05/2006 5:51:05 PM

Infected! D:\WINDOWS\system32\gpn4l35q1.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP76\A0010387.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP76\A0010389.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP76\A0010399.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP76\A0010406.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP76\A0010420.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP77\A0010429.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP77\A0010438.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP77\A0010445.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP77\A0010453.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP77\A0010461.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP77\A0010467.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP77\A0010475.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP77\A0010481.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP77\A0010490.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP77\A0010495.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP77\A0010500.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP78\A0010517.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP78\A0010519.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP78\A0010528.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP78\A0010534.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP78\A0010539.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP78\A0010546.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP78\A0010554.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP78\A0010560.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP78\A0010567.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP79\A0010576.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP79\A0010577.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP79\A0010579.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP79\A0010587.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP79\A0010588.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP80\A0010594.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP80\A0010595.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP80\A0010601.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP81\A0010607.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP81\A0010613.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP81\A0010616.dll
Infected! D:\System Volume Information\_restore{AC4DCC7D-C4B8-4325-B4C6-5BB0F179E96D}\RP81\A0010622.dll
Infected! D:\WINDOWS\system32\awtodisc.dll
Infected! D:\WINDOWS\system32\cDmocx.dll
Infected! D:\WINDOWS\system32\dicpmon.dll
Infected! D:\WINDOWS\system32\dwmrtp.dll
Infected! D:\WINDOWS\system32\dwstyle.dll
Infected! D:\WINDOWS\system32\gpn4l35q1.dll
Infected! D:\WINDOWS\system32\hr2u05f9e.dll
Infected! D:\WINDOWS\system32\ilssuba.dll
Infected! D:\WINDOWS\system32\kcdcan.dll
Infected! D:\WINDOWS\system32\kgdcz.dll
Infected! D:\WINDOWS\system32\kgdycl.dll
Infected! D:\WINDOWS\system32\kpdhept.dll
Infected! D:\WINDOWS\system32\kvdru.dll
Infected! D:\WINDOWS\system32\msdemui.dll
Infected! D:\WINDOWS\system32\mtdemui.dll
Infected! D:\WINDOWS\system32\mvj8l91u1.dll
Infected! D:\WINDOWS\system32\spmedia.dll
Infected! D:\WINDOWS\system32\susbkup.dll
Infected! D:\WINDOWS\system32\tjflog.dll
Infected! D:\WINDOWS\system32\wgn87em.dll
Infected! D:\WINDOWS\system32\wqnsta.dll
Infected! D:\WINDOWS\system32\wubvw.dll

Attempting to delete infected files...

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4158FFBB-B9E1-45E7-962A-67F2E32AC70C}"
HKCR\Clsid\{4158FFBB-B9E1-45E7-962A-67F2E32AC70C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2883A13E-2011-437D-83B7-C3512DAD9F97}"
HKCR\Clsid\{2883A13E-2011-437D-83B7-C3512DAD9F97}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2B6C15AB-BE24-4F04-939C-14CF04C833E5}"
HKCR\Clsid\{2B6C15AB-BE24-4F04-939C-14CF04C833E5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2426E19D-FDE5-420D-8DC0-158C3CC0364A}"
HKCR\Clsid\{2426E19D-FDE5-420D-8DC0-158C3CC0364A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2D29B02C-A0C2-4D5E-971D-5B202671DD02}"
HKCR\Clsid\{2D29B02C-A0C2-4D5E-971D-5B202671DD02}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9DE89AA5-349D-4F5D-9F71-FEC4DC0BB7C9}"
HKCR\Clsid\{9DE89AA5-349D-4F5D-9F71-FEC4DC0BB7C9}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A495E403-2BB4-4E8B-A69E-0D10C60442FB}"
HKCR\Clsid\{A495E403-2BB4-4E8B-A69E-0D10C60442FB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{61463057-84E6-4A0D-A1FB-69EF2FABC805}"
HKCR\Clsid\{61463057-84E6-4A0D-A1FB-69EF2FABC805}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9F62B8BC-AA92-4270-9916-9E14A6C01F42}"
HKCR\Clsid\{9F62B8BC-AA92-4270-9916-9E14A6C01F42}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1EF07504-12AD-4BEB-B91C-324DCB2218D3}"
HKCR\Clsid\{1EF07504-12AD-4BEB-B91C-324DCB2218D3}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F3CDAF6D-9795-4574-8773-6B861F5051AD}"
HKCR\Clsid\{F3CDAF6D-9795-4574-8773-6B861F5051AD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BAF991C8-BFD4-4098-9BB9-56666D9D0FF6}"
HKCR\Clsid\{BAF991C8-BFD4-4098-9BB9-56666D9D0FF6}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

~Shauno~
2006-05-09, 10:44
...and the HiJackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 6:01:39 PM, on 9/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\DeltTray.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aandr.com.au/web
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aandr.com.au/web
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aandr.com.au/web
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://aandr.com.au/web
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139394307984
O20 - AppInit_DLLs: repairs303169578.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - D:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

CalamityJane
2006-05-10, 03:27
Open HijackThis and do a *scan only*. When the list is done, checkmark these items, then press the *fix checked* button:

R3 - Default URLSearchHook is missing

O20 - AppInit_DLLs: repairs303169578.dll

Delete this file:
repairs303169578.dll
........................................
Please download delcmdservice (by Marckie), and save it to your Desktop.
http://users.telenet.be/marcvn/tools/delcmdservice.zip

* Unzip the content to your Desktop (a folder named delcmdservice)
* Double-click on the delcmdservice folder
* Double-click on delreg.bat to launch the tool
* When the tool has finished, please reboot your computer.

Scan once more with HijackThis to produce a log and post the fresh log back here please. :)
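As an added example (not code from the thread, and not anything HijackThis itself provides), here is the triage a helper does by eye on the logs above, written out: it parses the entry lines of a HijackThis log, flags the O20 load points and the missing URLSearchHook that CalamityJane had fixed, and diffs two logs so the entries that vanished after a fix stand out. The sample logs are trimmed copies of the ones posted in this thread; the random-name check is an assumed heuristic, not a HijackThis rule.

```python
import re
from dataclasses import dataclass

# Entry lines look like "O20 - AppInit_DLLs: repairs303169578.dll" or
# "R3 - Default URLSearchHook is missing": a section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
# Assumed heuristic (not a HijackThis rule): a DLL name of six or more
# characters mixing letters and digits, like g6lmlg3116.dll, deserves a look.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}\.dll$", re.I)

# Constructed sample: a trimmed copy of the first log posted in the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:06:50 PM, on 3/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
D:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aandr.com.au/web
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: repairs303169578.dll
O20 - Winlogon Notify: Internet Settings - D:\WINDOWS\system32\g6lmlg3116.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Constructed sample: the same machine after the fixes, mirroring the last log.
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aandr.com.au/web
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


@dataclass(frozen=True)
class Entry:
    kind: str   # section code: R0, R3, O2, O4, O20, O23 ...
    body: str   # everything after " - "


def parse_log(text):
    """Return the entry lines of a HijackThis log as Entry records, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def file_name(body):
    """Last path component of the last token of an entry body, e.g. 'g6lmlg3116.dll'."""
    return body.split()[-1].rsplit("\\", 1)[-1]


def triage(entries):
    """Map each entry worth a second look to the reason it was flagged.

    The rules mirror what was acted on in the thread: O20 load points
    (AppInit_DLLs, Winlogon Notify) get a DLL loaded into every process or
    into winlogon and are always reviewed; a missing default URLSearchHook
    (R3) is restored with "fix checked".
    """
    findings = {}
    for e in entries:
        if e.kind == "O20":
            reason = "O20 load point, review the DLL"
            if RANDOM_NAME_RE.match(file_name(e.body)):
                reason += " (name mixes letters and digits)"
            findings[e] = reason
        elif e.kind == "R3" and "is missing" in e.body:
            findings[e] = "default URLSearchHook missing, restore it"
    return findings


def diff_logs(before, after):
    """Return (gone, new): entries only in `before`, and entries only in `after`."""
    b, a = set(parse_log(before)), set(parse_log(after))
    order = lambda e: (e.kind, e.body)
    return sorted(b - a, key=order), sorted(a - b, key=order)


if __name__ == "__main__":
    for entry, reason in triage(parse_log(LOG_BEFORE)).items():
        print(f"{entry.kind} - {entry.body}\n    -> {reason}")
    gone, new = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(gone)} entries gone after the fix, {len(new)} new")
```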

~Shauno~
2006-05-11, 14:30
Thanks again.
I checked and fixed the two items; HijackThis came up with an error, but I can't find where it saved the error log.
Anyway, I ran the delreg tool and it seemed to work.

Latest log...


Logfile of HijackThis v1.99.1
Scan saved at 9:49:59 PM, on 11/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\System32\DeltTray.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\System32\ctfmon.exe
D:\hijackthis\HijackThis.exe
D:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aandr.com.au/web
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aandr.com.au/web
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aandr.com.au/web
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://aandr.com.au/web
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139394307984
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - D:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
No more pop-ups while online at the moment; whatever we are doing, it seems to be working.

:^)

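The log above is in HijackThis v1.99.1 format: one entry per line, tagged by section (R0/R1 for IE start pages, O2 for BHOs, O3 for toolbars, O4 for Run keys, O16 for downloaded ActiveX controls, O23 for services). The script below is an added example, not code from HijackThis or from anyone in this thread: it parses lines of that format into structured records and runs two small triage passes over them, listing Run entries whose executable carries no directory (so the log alone cannot tell you which file actually runs) and grouping services by the vendor string HijackThis reported. The sample lines are copied from the posted log; the regexes and the triage heuristics are this example's own assumptions, not part of the tool.

```python
"""Parse HijackThis v1.99.1 log lines into structured records and run a
couple of triage checks over them.

Added example for this thread, not part of HijackThis itself; the sample
lines below are constructed from the log posted above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, reproducing a subset of the posted log verbatim.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://aandr.com.au/web
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\\WINDOWS\\System32\\msdxm.ocx
O4 - HKLM\\..\\Run: [DeltTray] DeltTray.exe
O4 - HKLM\\..\\Run: [ccApp] "D:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [QuickTime Task] "D:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139394307984
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
O23 - Service: SAVScan - Symantec Corporation - D:\\Program Files\\Norton AntiVirus\\SAVScan.exe
"""


@dataclass
class Entry:
    kind: str                      # HJT section tag: R0, R1, R3, O2, O3, O4, O16, O23
    name: str                      # display name, registry value or Run label
    target: str                    # file path, command line or URL the entry points at
    clsid: Optional[str] = None    # GUID for COM-based entries (O2, O3, O16)
    company: Optional[str] = None  # vendor string (O23 only)


GUID = r"\{[0-9A-Fa-f-]+\}"
# Assumed line shapes, derived from the posted log rather than from a HJT spec.
PATTERNS = [
    re.compile(rf"^(?P<kind>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<target>.*)$"),
    re.compile(r"^(?P<kind>O4) - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    re.compile(rf"^(?P<kind>O16) - DPF: (?P<clsid>{GUID}) \((?P<name>[^)]*)\) - (?P<target>.*)$"),
    re.compile(r"^(?P<kind>O23) - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<target>.*)$"),
    re.compile(r"^(?P<kind>R[01]) - (?P<name>.+?) = (?P<target>.*)$"),
    re.compile(r"^(?P<kind>R3) - (?P<name>.*)$"),
]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised HJT line, or None for anything else
    (headers, the running-process list, blank lines)."""
    for pat in PATTERNS:
        m = pat.match(line.strip())
        if m:
            g = m.groupdict()
            return Entry(kind=g["kind"], name=g["name"], target=g.get("target", ""),
                         clsid=g.get("clsid"), company=g.get("company"))
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def executable_of(command: str) -> str:
    """First token of a Run-key command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def unqualified_run_entries(entries: List[Entry]) -> List[Entry]:
    """O4 entries whose executable carries no directory: Windows resolves
    these through the search path, so the log does not show which file
    actually runs and the analyst has to locate it by hand."""
    return [e for e in entries if e.kind == "O4" and "\\" not in executable_of(e.target)]


def services_by_company(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group O23 services by the vendor string HJT read from the binary,
    so an unfamiliar vendor stands out at a glance."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        if e.kind == "O23":
            out.setdefault(e.company or "(none)", []).append(e.name)
    return out


def com_entries(entries: List[Entry]) -> Dict[str, Entry]:
    """CLSID -> entry for BHOs, toolbars and DPF controls, the table one
    checks against a known-CLSID list."""
    return {e.clsid: e for e in entries if e.clsid}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed")
    for e in unqualified_run_entries(entries):
        print("unqualified Run entry:", e.name, "->", e.target)
    for vendor, names in services_by_company(entries).items():
        print(f"{vendor}: {', '.join(names)}")
```

Run it as-is to see the parse of the sample, or replace SAMPLE_LOG with a full saved log; the process list and header lines are simply skipped. The two checks are starting points for reading a log, not verdicts: a bare filename in a Run key and an unfamiliar vendor string are reasons to go and look at the file, nothing more.
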
CalamityJane
2006-05-11, 16:27
That looks good! :bigthumb:

Now that your PC is clean, make sure all programs are running properly, and then you'll need to reset your restore point in Windows XP... why?

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system, it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start > Run, click on *My Computer*.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start > Run, click on *My Computer*.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405

Important! You need to get SP2 for XP - you're way out of date with your windows updates.

Service Pack 2 for XP is now available and it will address numerous security issues in your Operating System and IE :)
http://v5.windowsupdate.microsoft.com/en/default.asp

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/iesecxp.mspx

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

"So, how did I get infected in the first place?" (by Tony Klein)
http://forums.spybot.info/showthread.php?t=279

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program identifies the security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

~Shauno~
2006-05-12, 08:55
Yes, I have been rather slack on my updates, I'm onto it now. :blush:

It's nice to be surfing free again! Thanks very much for the great advice, you guys are terrific! :heart:

CalamityJane
2006-05-12, 14:52
Glad to hear it! You're welcome and I'm glad we could help.

I'll go ahead and archive this thread now since your issues have been resolved :)

Stay safe and happy surfing :bigthumb: