  #1  
Old 11-21-2005
Bronze Member
 
Join Date: Nov 2005
Posts: 5
loudambiance
Default [FIXED] Another lost soul who needs help.

Ok, I've been attempting to get rid of this one on my own, the symptoms are as follows:

Initial install caused spysheriff to pretend to be removing spyware, and changed wallpaper to a blue bg with a black box that said something to the effect that 'you are infected with spyware', and locked the background in display properties where it could not be changed. After which the pop ups started.

Through the process of running Spybot S&D, Ms Antispyware, Adaware, and Spyware Doctor, I rid myself of SpySheriff and deleted the html file it had made my wallpaper; eventually, through a registry patch I found through Google, I fixed the desktop. Now I can't stop the popups. I followed the pre-help suggestions of CCleaner and Ewido. Ewido removed some more things, but the pop ups are still there. Through the use of SysInternals tools, Process Explorer, RootKit Finder, PsList, and Autoruns, as well as the use of XP's Administrator Services window, I have not been able to find anything out of the ordinary running. Included as attachments are the Ewido and HijackThis logs. Anything you find will be greatly appreciated.

Thanks,
Danl
Attached Files
File Type: txt Scan report_20051120.txt.txt (15.3 KB, 1 views)
File Type: txt hijackthis.txt (9.7 KB, 1 views)


  #2  
Old 11-21-2005
Bronze Member
 
Join Date: Nov 2005
Posts: 5
loudambiance
Default

[update] Am running Trend Micro's Housecall now, cause my Symantec Corporate Antivirus 9.0 found nothing.


  #3  
Old 11-21-2005
Elite Member
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044
joe5
Default

Hya Load Ambiance, welcome to PCHF.

You can cancel the online scan for now, it's not gonna fix the Look2me infection you have, I'm afraid....

But I will. :tongue:

Before using HijackThis Please Do the Following:



Show hidden files and folders:

For XP:
  1. On the Tools menu in Windows Explorer, click Folder Options.
  2. Click the View tab.
  3. Under Hidden files and folders, click Show hidden files and folders.
  4. If you see a warning message, click Yes.
  5. Click Apply.
  6. Click OK.


Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean).

How to disable system restore:

WinXP.
  1. Click the Start button.
  2. Right-click My Computer, and then click Properties.
  3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.


Please download CCleaner


Since you have a Look2me infection on there, atm Spysweeper is the only way to get rid of that infection:


Download and scan with Spysweeper from:
http://www.webroot.com/downloads/ (click on free trial on the right for direct download)

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
Click on "Options" > "Sweep Options" and check "Sweep all Folders on Selected drives".
Check "Local Disc C" and under "What to Sweep", check every box.
Click on "Sweep" and allow it to fully scan your system.
When the sweep has finished, click "Remove" to remove any items found.
Exit SpySweeper and reboot your computer.

NOTE: After Spysweeper has finished and removed any items found, it is important that you exit and reboot your computer right away to ensure the infection is fully removed.

Then boot in safe mode (hit F8 when booting up) and fix these with hjt:
(if still present)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.07.02&unknown&unknown&http://aolexpressions.aol.com/testdr...peId=1&catId=43&langCode=&subcatId=995&tm=343&expId=7819
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll (file missing)
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\k2620cjoefoc0.dll

Now please run CCleaner and then reboot to normal mode.


And to make sure you got everything from SpySheriff you could walk through the instructions here to see if you missed anything:
http://forums.majorgeeks.com/showthread.php?t=65945

Also I see you don't have a firewall; to prevent problems like this you should really have one. If you want you can have a look in our download section for some free ones.

Then please post a new hjt log to check.


Comments on this post
loudambiance comments: Was very helpful
__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
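
Added example (not part of joe5's post and not HijackThis code): a small Python check for the "if still present" step, comparing the fix list above against a follow-up HijackThis log. The follow-up log, the function names and the matching rule (O20 Winlogon Notify entries are matched on name and path, ignoring the "(file missing)" flag) are assumptions made for this illustration.

```python
import re

# Entries from joe5's fix list above (the O16 line is left out: its URL is truncated on the page).
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll (file missing)
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\k2620cjoefoc0.dll
"""

# Constructed follow-up log (not from the thread), as it might look after a partial cleanup.
NEW_LOG = r"""
Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\k2620cjoefoc0.dll (file missing)
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
NOTIFY = re.compile(r"^Winlogon Notify: (.+?) - (.+?)(\s*\(file missing\))?$")

def parse_entry(line):
    """Return (section, identity, file_missing) for an entry line, or None for anything else."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header, process list, blank line
    section, rest = m.groups()
    rest = " ".join(rest.split())  # collapse runs of whitespace
    missing = False
    n = NOTIFY.match(rest) if section == "O20" else None
    if n:
        # The registry entry can outlive its DLL, so the flag is not part of the identity.
        rest = f"{n.group(1)} - {n.group(2)}"
        missing = n.group(3) is not None
    return section, rest.lower(), missing  # registry keys and paths are case-insensitive

def still_present(fix_list, new_log):
    """List fix-list entries that still show up in new_log, with their current file-missing flag."""
    current = {}
    for entry in filter(None, map(parse_entry, new_log.splitlines())):
        current[entry[:2]] = entry[2]
    wanted = filter(None, map(parse_entry, fix_list.splitlines()))
    return [(s, ident, current[(s, ident)]) for s, ident, _ in wanted if (s, ident) in current]
```

With the constructed log, only the StillImage Winlogon Notify entry is reported: the DLL is gone but the registry entry remains, so it would still need to be fixed in HijackThis.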

  #4  
Old 11-21-2005
Bronze Member
 
Join Date: Nov 2005
Posts: 5
loudambiance
Default

Because I can't afford to purchase spy sweeper... would it work to simply press reset... go into safe mode and delete all the files that spy sweeper listed?


  #5  
Old 11-21-2005
Elite Member
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044
joe5
Default

You get a 30 day trial with spysweeper and it should remove everything it finds for that period, did you click on the "free trial" link?

Or did you use the online spyware scan? If yes then use the "free trial" download link above that.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 11-21-2005 at 06:04 AM.
  #6  
Old 11-21-2005
Bronze Member
 
Join Date: Nov 2005
Posts: 5
loudambiance
Default

I am 95% sure I clicked free trial, and it scanned, then said that I have to pay (get subscription) to remove the objects it found.


