
Pop Ups Won't Go Away

If someone could help me with this it would be great. It all started with a virus in the file system32/eraseme_4488.exe; AVG says this virus was SdBot.SRW. That is now gone and AVG says it's clean, but I continue to get pop ups every few seconds. Ad-Aware finds hr4u05h9e.dll but cannot delete it, and I cannot delete it manually. If I delete it from HJT it just reappears on the next scan.

Logfile of HijackThis v1.99.1
Scan saved at 1:50:02 AM, on 22/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Downloads\HijackThis1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: http://*.ebay.ca
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\hr4u05h9e.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Comments

  • TroganTrogan London, UK
    edited March 2006
    Hi, Welcome to Short-Media :)

    You have the Look2Me infection, hence the reason for popups. Before we remove this infection, you need to update your computer.

    You have Windows XP with no Service Pack. Without Service Pack 1a you are wide open to getting re-infected as soon as you connect to the internet.

    Service Pack 1a can be downloaded from Windows Update. If you're having trouble downloading it from Windows Update, then you can get it from here.
    Note: Do NOT attempt to download Service Pack 2 (SP2) as your computer is infected. Installing SP2 on an infected machine can render the computer unusable.


    After installing Service Pack 1a, please post a new HJT log :)
  • edited March 2006
    Updated Windows to SP1; here is the new HJT log. Thanks.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:43:34 PM, on 22/03/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\services.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\ServiceX32.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Downloads\HijackThis1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Services Control] ServiceX32.exe
    O4 - HKLM\..\RunServices: [Services Control] ServiceX32.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Services Control] ServiceX32.exe
    O15 - Trusted Zone: http://*.ebay.ca
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143057518076
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143058204498
    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\k8jsli1718.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe
  • edited March 2006
    I found a Look2Me destroyer on another thread and ran it; here is the log.

    Look2Me-Destroyer V1.0.11

    Scanning for infected files.....
    Scan started at 3/22/2006 2:59:15 PM

    Infected! C:\WINDOWS\system32\n22u0cf9ef2.dll
    Infected! C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP1\A0000172.dll
    Infected! C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP15\A0001871.dll
    Infected! C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006070.dll
    Infected! C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006074.dll
    Infected! C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006079.dll
    Infected! C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006083.dll
    Infected! C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006087.dll
    Infected! C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP4\A0000205.dll
    Infected! C:\WINDOWS\system32\j44o0eh3eh4.dll
    Infected! C:\WINDOWS\system32\l0n40a5qed.dll
    Infected! C:\WINDOWS\system32\l28m0cl1efq.dll
    Infected! C:\WINDOWS\system32\n22u0cf9ef2.dll
    Infected! C:\WINDOWS\system32\n6n60g5se6.dll
    Infected! C:\WINDOWS\system32\nktfxperf.dll
    Infected! C:\WINDOWS\system32\phlmon.dll

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\system32\n22u0cf9ef2.dll
    C:\WINDOWS\system32\n22u0cf9ef2.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP1\A0000172.dll
    C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP1\A0000172.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP15\A0001871.dll
    C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP15\A0001871.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006070.dll
    C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006070.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006074.dll
    C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006074.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006079.dll
    C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006079.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006083.dll
    C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006083.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006087.dll
    C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP18\A0006087.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP4\A0000205.dll
    C:\System Volume Information\_restore{2098611B-1AA4-4012-8251-F9EE69BCD9AD}\RP4\A0000205.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\j44o0eh3eh4.dll
    C:\WINDOWS\system32\j44o0eh3eh4.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\l0n40a5qed.dll
    C:\WINDOWS\system32\l0n40a5qed.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\l28m0cl1efq.dll
    C:\WINDOWS\system32\l28m0cl1efq.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\n22u0cf9ef2.dll
    C:\WINDOWS\system32\n22u0cf9ef2.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\n6n60g5se6.dll
    C:\WINDOWS\system32\n6n60g5se6.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\nktfxperf.dll
    C:\WINDOWS\system32\nktfxperf.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\phlmon.dll
    C:\WINDOWS\system32\phlmon.dll Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EF63A5E1-DF9E-404E-AE5E-7719CF4B46FA}"
    HKCR\Clsid\{EF63A5E1-DF9E-404E-AE5E-7719CF4B46FA}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{185ADE4B-DF12-419C-ABC8-A341EDBE620F}"
    HKCR\Clsid\{185ADE4B-DF12-419C-ABC8-A341EDBE620F}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded


    And here is my HJT log. It does not seem to be having any more popups; does everything look clean?
    Logfile of HijackThis v1.99.1
    Scan saved at 3:13:14 PM, on 22/03/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\services.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\ServiceX32.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\mdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Downloads\HijackThis1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Services Control] ServiceX32.exe
    O4 - HKLM\..\RunServices: [Services Control] ServiceX32.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Services Control] ServiceX32.exe
    O15 - Trusted Zone: http://*.ebay.ca
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143057518076
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143058204498
    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe
  • TroganTrogan London, UK
    edited March 2006
    Thanks for updating to SP1 :)

    Great! You found the tool to remove the Look2Me infection.

    There's a bit left to do but before we begin, could you do the following for me:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\services.exe
    • Click on the submit button
    • Please post the results in your next reply.
    Do the same for this file:
    C:\WINDOWS\System32\ServiceX32.exe


    Please scan your computer with Panda ActiveScan

    - Once you are on the Panda site, click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post the contents of the Panda scan report, along with a new HijackThis Log.
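The triage Trogan is doing by eye on the logs above (a bare executable name in an O4 Run entry, a services.exe sitting in C:\WINDOWS rather than System32, a Winlogon Notify DLL with a random-looking name, an ActiveX control pulled from an unfamiliar host, a service with no known owner) can be written down as rules. The Python below is an added example, not part of this thread and not HijackThis code; it parses HJT v1.99 log lines and applies those rules. The host allow-list, the rundll32.exe exception, the list of core binaries and the random-name heuristic are assumptions chosen for the example, and the sample log is a constructed excerpt of the entries posted in this thread.

```python
"""Rule-based triage of HijackThis v1.99 log lines (added example, not HJT code)."""
import re
from collections import namedtuple
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "section reason detail")  # section: "O4", "O23", ... or "process"
# HJT entries look like "O4 - HKLM\..\Run: [Name] command"; the section code leads.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \([^)]*\) - (?P<url>\S+)$")
O20_RE = re.compile(r"^Winlogon Notify: .+? - (?P<path>.+)$")
O23_RE = re.compile(r"^Service: .+? - (?P<owner>.+?) - (?P<path>.+)$")

# Assumptions for this example: hosts the thread's O16 entries legitimately point at, and where XP keeps core binaries.
KNOWN_DPF_HOSTS = {"go.microsoft.com", "update.microsoft.com", "messenger.msn.com",
                   "messenger.zone.msn.com", "housecall60.trendmicro.com", "acs.pandasoftware.com"}
SYSTEM32 = r"c:\windows\system32"
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

def looks_random(stem):
    # Heuristic: Look2Me names (hr4u05h9e, k8jsli1718) interleave letters and digits; a trailing version like crypt32 does not count.
    digits, letters = sum(c.isdigit() for c in stem), sum(c.isalpha() for c in stem)
    return digits >= 3 and letters >= 3 and not re.fullmatch(r"[A-Za-z]+\d+", stem)

def _check_core_path(section, path, line):
    # A core Windows binary registered or running outside System32 is a masquerade.
    directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
    if name in CORE_BINARIES and directory != SYSTEM32:
        return [Finding(section, f"{name} outside {SYSTEM32}", line)]
    return []

def _check_o4(body, line):
    m = O4_RE.match(body)
    if not m:
        return []
    cmd = m.group("cmd").strip()
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    # A bare name (ServiceX32.exe) is resolved via the search path; rundll32.exe is the usual legitimate exception.
    bare = [] if "\\" in exe or exe.lower() == "rundll32.exe" else [Finding("O4", "bare executable name, resolved via the search path", line)]
    return bare + _check_core_path("O4", exe, line)

def _check_o16(body, line):
    m = O16_RE.match(body)
    host = (urlsplit(m.group("url")).hostname or "").lower() if m else ""
    return [] if not m or host in KNOWN_DPF_HOSTS else [Finding("O16", f"ActiveX control from unexpected host {host}", line)]

def _check_o20(body, line):
    m = O20_RE.match(body)
    if m and looks_random(m.group("path").rpartition("\\")[2].rsplit(".", 1)[0]):
        return [Finding("O20", "Winlogon Notify DLL with random-looking name", line)]
    return []

def _check_o23(body, line):
    m = O23_RE.match(body)
    if not m:
        return []
    out = []
    if m.group("owner") == "Unknown owner":
        out.append(Finding("O23", "service with unknown owner", line))
    if "(file missing)" in m.group("path"):
        out.append(Finding("O23", "service binary missing", line))
    return out + _check_core_path("O23", m.group("path").replace("(file missing)", "").strip(), line)

CHECKS = {"O4": _check_o4, "O16": _check_o16, "O20": _check_o20, "O23": _check_o23}

def triage(log_text):
    # Returns every Finding for one HJT log, in log order.
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the "Running processes:" list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            findings += _check_core_path("process", line, line)
        elif m := ENTRY_RE.match(line):
            sec, body = m.group("sec"), m.group("body")
            if sec == "O15":
                findings.append(Finding("O15", "Trusted Zone addition", line))
            elif sec in CHECKS:
                findings += CHECKS[sec](body, line)
    return findings

# Constructed excerpt of the second log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\ServiceX32.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Services Control] ServiceX32.exe
O4 - HKLM\..\RunServices: [Services Control] ServiceX32.exe
O4 - HKCU\..\Run: [Services Control] ServiceX32.exe
O15 - Trusted Zone: http://*.ebay.ca
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\k8jsli1718.dll
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe
"""
```

Calling `triage(SAMPLE_LOG)` returns nine findings: the services.exe copy in C:\WINDOWS, the three ServiceX32.exe Run entries, the Trusted Zone entry, the dialer CAB from advnt01.com, the Look2Me-style Winlogon Notify DLL, and two findings on the "Windows Update Service" line (unknown owner, and its binary again outside System32). Rules like these only point at what to look at next; the multi-engine file scans Trogan asks for are what turn a hit into a verdict.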
  • edited March 2006
    I think another thing that should be added to the sticky is Startup Control Panel. By typing that in Google or going to:
    http://www.mlin.net/StartupCPL.shtml

    This is one of the MOST useful programs I have ever used for Windows. It makes it very easy to see what's being loaded through the registry. You can easily disable or delete ServiceX32 from starting up with this.

    If you ever see anything out of the ordinary in the registry startup, 9 times out of 10 it will be malicious.
  • edited March 2006
    Service load: 0% 100%

    File: services.exe
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 f7168b46b508081625d2891bcf8fc111
    Packers detected: ASPROTECT
    Scanner results
    AntiVir Found Worm/Sdbot.92672.37
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Backdoor.SDBot.2EA3C6BA
    ClamAV Found Trojan.SdBot-1230
    Dr.Web Found Win32.HLLW.MyBot
    F-Prot Antivirus Found W32/Sdbot.OUZ
    Fortinet Found W32/SDBot.DRN!wm
    Kaspersky Anti-Virus Found Backdoor.Win32.SdBot.xd
    NOD32 Found a variant of IRC/SdBot
    Norman Virus Control Found W32/SDBot.AAJS
    UNA Found nothing
    VirusBuster Found Worm.SdBot.BWZ
    VBA32 Found Backdoor.Win32.SdBot.xd
    Service load: 0% 100%

    File: ServiceX32.exe
    Status: INFECTED/MALWARE
    MD5 be85b172c3d33e403f7c8119bcc22cd1
    Packers detected: NSPACK
    Scanner results
    AntiVir Found Heuristic/Trojan.Downloader (probable variant)
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Backdoor.RBot.DFEEE3B7
    ClamAV Found nothing
    Dr.Web Found Win32.HLLW.MyBot
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Backdoor.Win32.Rbot.gen
    NOD32 Found a variant of Win32/Rbot
    Norman Virus Control Found W32/Spybot.AIMP
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found Backdoor.Win32.Rbot.gen

    Panda scan
    Incident Status Location

    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\us\Cookies\us@2o7[1].txt
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\us\Cookies\us@888[1].txt
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\us\Cookies\us@888[2].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\us\Cookies\us@ad.yieldmanager[1].txt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\us\Cookies\us@as-us.falkag[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\us\Cookies\us@atdmt[2].txt
    Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\us\Cookies\us@cassava[1].txt
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\us\Cookies\us@clickbank[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\us\Cookies\us@doubleclick[2].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\us\Cookies\us@ehg-ads.hitbox[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\us\Cookies\us@fastclick[2].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\us\Cookies\us@hitbox[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\us\Cookies\us@media.fastclick[1].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\us\Cookies\us@mediaplex[1].txt
    Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\us\Cookies\us@microsofteup.112.2o7[1].txt
    Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\us\Cookies\us@paypopup[2].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\us\Cookies\us@perf.overture[1].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\us\Cookies\us@rn11[2].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\us\Cookies\us@statcounter[1].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\us\Cookies\us@stats1.reliablestats[1].txt
    Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\us\Cookies\us@targetnet[2].txt
    Adware:Adware/nCase Not disinfected C:\Documents and Settings\us\Local Settings\Temporary Internet Files\Content.IE5\IR6R892P\AppWrap[1].exe
    Dialer:Dialer.GQK Not disinfected C:\Documents and Settings\us\Local Settings\Temporary Internet Files\Content.IE5\IR6R892P\int_ver34[1].CAB
    Dialer:Dialer.GQK Not disinfected C:\Documents and Settings\us\Local Settings\Temporary Internet Files\Content.IE5\IR6R892P\int_ver34[1].CAB[int_ver34.INF]
    Dialer:Dialer.GQK Not disinfected C:\Documents and Settings\us\Local Settings\Temporary Internet Files\Content.IE5\IR6R892P\int_ver34[1].CAB[int_ver34.ocx]
    Adware:Adware/nCase Not disinfected C:\Documents and Settings\us\Local Settings\Temporary Internet Files\Content.IE5\M1OV8L09\AppWrap[1].exe
    Dialer:Dialer.GQK Not disinfected C:\Downloads\backups\backup-20060322-003634-310.dll
    Dialer:Dialer.GQK Not disinfected C:\Downloads\backups\backup-20060322-003634-310.inf
    Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\Common Files\VCClient\VCUpdate.exe
    Dialer:Dialer.GQK Not disinfected C:\WINDOWS\Downloaded Program Files\int_ver34.INF
    Dialer:Dialer.GQK Not disinfected C:\WINDOWS\Downloaded Program Files\int_ver34.ocx
    Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\drsmartload2.dat
    Adware:Adware/nCase Not disinfected C:\WINDOWS\icont.exe
    Adware:adware/wupd Not disinfected C:\WINDOWS\system32\ide21201.vxd
    HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 6:16:45 PM, on 22/03/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\ServiceX32.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\mdm.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Downloads\HijackThis1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Services Control] ServiceX32.exe
    O4 - HKLM\..\RunServices: [Services Control] ServiceX32.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Services Control] ServiceX32.exe
    O15 - Trusted Zone: http://*.ebay.ca
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143057518076
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143058204498
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
  • TroganTrogan London, UK
    edited March 2006
    The Jotti scans are showing the files to be backdoors. You should consider changing all your internet passwords (Forums, emails, etc) now from a non-infected computer. Do that and then we will remove the infected files.

    Can you start by putting HijackThis into its own folder please. Continue below after this is done.

    ================================================================

    Run HiJackThis then:

    1. Click "Open the Misc Tools Section"
    2. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\WINDOWS\System32\ServiceX32.exe

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.


    Next, click "Back" under Other stuff towards the bottom right.
    Now, towards the bottom left, under "Scan & fix stuff" press the Scan button.
    Please check the following entries, making sure there is a TICK inside the boxes:

    O4 - HKLM\..\Run: [Services Control] ServiceX32.exe
    O4 - HKLM\..\RunServices: [Services Control] ServiceX32.exe
    O4 - HKCU\..\Run: [Services Control] ServiceX32.exe

    O15 - Trusted Zone: http://*.ebay.ca

    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB

    O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)


    Close ALL open windows (Especially Internet Explorer!) and click Fix Checked.

    ================================================================

    View Hidden Files and Folders

    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

    ================================================================

    Find and Delete the following, if found:

    C:\Program Files\Common Files\VCClient << this folder
    C:\WINDOWS\System32\ServiceX32.exe << this file
    C:\WINDOWS\services.exe << this file

    ================================================================

    Download ATF (Atribune Temp File) Cleaner© by Atribune
    http://www.atribune.org/ccount/click.php?id=1
    It is a stand-alone program that does not need to be "installed". Save it to a convenient location and make a shortcut on your desktop.

    Run ATF Cleaner
    Double-click ATF Cleaner.exe
    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    ================================================================

    Restart your computer and post a new HJT log :)
  • edited March 2006
    All that is done; here is the new HJT log.
    Logfile of HijackThis v1.99.1
    Scan saved at 7:11:19 PM, on 22/03/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\hijackthis\HijackThis1.99.1.exe
    C:\WINDOWS\System32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143057518076
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143058204498
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
  • edited March 2006
    I don't think restart should be mentioned in spyware/trojan/virus removals. They can store themselves in the RAM, which a soft boot/restart would not remove them from. Always do a full shutdown and cold boot.
  • Trogan, London, UK
    edited March 2006
    Excellent! A little left to do now.

    We need to stop a service...
    • Click Start button then select Run.
    • Type services.msc then hit OK.
    • Scroll down and find the service called:
    Microsoft Windows Update Service
    • Right-click on Service and choose Properties.
    • On the General tab under Service Status click the Stop button to stop the service.
    • Beside Startup Type in the dropdown menu select Disabled.
    • Click Apply then OK. Exit the Services utility.

    Let's delete that service:
    • Start HijackThis.
    • Click Config button.
    • Click Misc Tools button.
    • Click the Delete an NT Service button.
    • Copy and Paste the text in the box below in the Delete an NT Service window.
    Windows Update Service

    • Click OK.
    • Close HijackThis.

    Find and Delete the following:

    C:\WINDOWS\services.exe << this file


    Reboot and post a new HJT log :)
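The triage the helper applies across the two posts above (an autorun with a bare filename, a site added to the Trusted Zone, an ActiveX download from an unfamiliar host, and a service with an unknown owner or a missing binary whose path imitates a core Windows process) can be written down as detection logic over HJT log lines. This is an added example, not code from the thread or from HijackThis; the allowlisted DPF hosts, the core-process list and the sample lines are assumptions constructed from the entries quoted in this thread.

```python
import re
from urllib.parse import urlsplit
# Constructed sample assembled from lines quoted in this thread; not a real log capture.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Services Control] ServiceX32.exe
O15 - Trusted Zone: http://*.ebay.ca
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)"""

# Hosts whose ActiveX (DPF) downloads are expected here; anything else is reviewed. Assumed allowlist.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "trendmicro.com", "pandasoftware.com")
# Core Windows process names that legitimately live only under System32.
CORE_PROCESS_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe", "csrss.exe"}
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]+\}) \(([^)]*)\) - (\S+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")

def host_is_trusted(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)

def triage_line(line: str):
    """Return a reason string if the HJT line deserves review, else None."""
    line = line.strip()
    if m := O4_RE.match(line):
        # A bare filename is resolved via the search path; rundll32 is a known host process.
        exe = next(iter(m.group(4).strip('"').split()), "")
        if exe and "\\" not in exe and exe.lower() != "rundll32.exe":
            return "O4 autorun with a bare filename (resolved via the search path)"
    elif line.startswith("O15 - Trusted Zone:"):
        return "O15 site added to the Trusted Zone (relaxed IE security)"
    elif m := O16_RE.match(line):
        if not host_is_trusted(m.group(3)):
            return "O16 ActiveX download from an unrecognised host"
    elif m := O23_RE.match(line):
        owner, path, missing = m.group(2), m.group(3), m.group(4)
        folder, _, name = path.lower().rpartition("\\")
        if name in CORE_PROCESS_NAMES and not folder.endswith("\\system32"):
            return "O23 service binary masquerades as a core Windows process"
        if missing or owner == "Unknown owner":
            return "O23 service with unknown owner or missing binary"
    return None

def triage_log(text: str) -> dict:
    """Map each flagged log line to the reason it was flagged."""
    return {ln.strip(): r for ln in text.splitlines() if (r := triage_line(ln))}
```

Running `triage_log(SAMPLE_LOG)` flags exactly the four entries the helper told the poster to fix and leaves the AVG, NVIDIA and Microsoft Update lines alone.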