The file c:\windows\services.exe keeps creating itself and attempting to access the net through my firewall on reboot. I've tried deleting the file, deleting the registry keys that list c:\windows\services.exe (usually under HKCU\Software\Microsoft\Search Assistant\ACMru, also sometimes listing mssyncr.exe). I've run Ad-Aware, a full system updated NAV scan, McAfee Stinger, and quite a few others. I've included quite a bit of info from 3 log files here, please let me know if you can identify this as a specific virus or malware. Thanks for all your help, and let me know if you need more info! Logfile of HijackThis v1.98.0 Scan saved at 10:57:10 PM, on 7/7/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Deerfield.com\DNS2Go\DNS2GoClient.exe C:\WINDOWS\System32\GEARSEC.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton Personal Firewall\NISUM.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe C:\WINDOWS\System32\nvsvc32.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norton Personal Firewall\SymProxySvc.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Norton Personal Firewall\NISSERV.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\services.exe C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Norton Personal Firewall\IAMAPP.exe C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Norton Personal Firewall\ATRACK.exe C:\Documents and Settings\Charles J. Mountel\Desktop\temp\virus crap\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [PNSetup] C:\Program Files\PopNot\PNSetup.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.exe O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Allow Site's Pop-&ups - file://C:\Program Files\PopNot\trustsite.script O8 - Extra context menu item: Always &Kill this Pop-up - file://C:\Program Files\PopNot\blocksite.script O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports.yahoo.com/java/y/nflgcst1008_x.cab O16 - DPF: {12861693-950C-11D3-B4C5-A8B007C8E655} - http://access.nku.edu/djmanning/webfiles/VBApplications/LAB52/dragdropteams.CAB O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bff3af7d050da5/housecall.antivirus.com/housecall/xscan53.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab Security Task Manager info for the services.exe process: Portions Copyright c 199,2003 Avenger by NhT The instruction at 0x70d4431e referenced memory at 0x11fd0200. The memory could not be written. Click on OK to terminate the program. Software\Microsoft\RAS Autodial\Control SOFTWARE\Microsoft\Active Setup\Installed Components\44AE4113C12110CC1F32A0BC12E2014D Service Pack 1 Portins yCpy ---------------- LoadLibraryA Gpoq Vawu FeBr Exit 4DdBabPah Explo b.ad6\ju. dialoCf0 Softwa zDabl\8 Seqs cLulRn p/TheVi , vpBlica 19,8203AvengrbyNhTj InternetCloseHandle InternetOpenA InternetOpenUrlA InternetReadFile wininet.dll DispatchMessageA GetMessageA MessageBoxA TranslateMessage CloseHandle CopyFileA CreateFileA CreateMutexA FreeLibrary GetCurrentProcessId GetFileTime GetLastError GetProcAddress GetSystemDirectoryA GetVersionExA GetWindowsDirectoryA LoadLibraryA SetFileAttributesA SetFileTime Sleep SuspendThread WinExec lstrcmpiA kernel32.dll RegCloseKey RegCreateKeyExA RegDeleteKeyA RegOpenKeyExA RegSetValueExA advapi32.dll CharNextA GetProcessHeap HeapAlloc HeapReAlloc HeapFree FreeLibrary GetModuleFileNameA GetModuleHandleA LocalAlloc TlsGetValue TlsSetValue GetCommandLineA RaiseException RtlUnwind UnhandledExceptionFilter CreateThread ExitProcess GetCurrentThreadId kernel32.dll wwCwiCw wK/w.wa C\WINDOWS\System32 a_dick StubPath msapplg.exe services.exe Explorer.exe RegisterServiceProcess http//badmental.netfirms.com/bad.gif http//ww.microsoft.com/ LoginSessionDisable Application Error StartupList report, 7/7/2004, 10:56:26 PM StartupList version: 1.52 Started from : C:\Documents and Settings\Charles J. Mountel\Desktop\temp\virus crap\StartupList.exe Detected: Windows XP SP1 (WinNT 5.01.2600) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Deerfield.com\DNS2Go\DNS2GoClient.exe C:\WINDOWS\System32\GEARSEC.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton Personal Firewall\NISUM.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe C:\WINDOWS\System32\nvsvc32.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norton Personal Firewall\SymProxySvc.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Norton Personal Firewall\NISSERV.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\services.exe C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Norton Personal Firewall\IAMAPP.exe C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Norton Personal Firewall\ATRACK.exe C:\Documents and Settings\Charles J. Mountel\Desktop\temp\virus crap\StartupList.exe --------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, --------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run NvCplDaemon = RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup BCMSMMSG = BCMSMMSG.exe DVDSentry = C:\WINDOWS\System32\DSentry.exe TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" NAV Agent = C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe --------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Symantec NetDriver Monitor = C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.exe --------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=*Registry value not found* drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* --------------------- Enumerating Browser Helper Objects: (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7} NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872} --------------------- Enumerating Task Scheduler jobs: ISP signup reminder 1.job Norton AntiVirus - Scan my computer.job Norton SystemWorks One Button Checkup.job Symantec NetDetect.job --------------------- Enumerating Download Program Files: [ppctlcab] CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab OSD = C:\WINDOWS\Downloaded Program Files\OSD406.OSD [{12861693-950C-11D3-B4C5-A8B007C8E655}] CODEBASE = http://access.nku.edu/djmanning/webfiles/VBApplications/LAB52/dragdropteams.CAB [Shockwave ActiveX Control] InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab [Symantec AntiVirus scanner] InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab [PPSDKActiveXScanner.MainScreen] InProcServer32 = C:\WINDOWS\Downloaded Program Files\PPSDKActiveXScanner.ocx CODEBASE = http://www.pestscan.com/scanner/axscanner.cab [YInstStarter Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab [Office Update Installation Engine] InProcServer32 = C:\WINDOWS\opuc.dll CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab [Symantec RuFSI Utility Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab [HouseCall Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx CODEBASE = http://a840.g.akamai.net/7/840/537/bff3af7d050da5/housecall.antivirus.com/housecall/xscan53.cab [Update Class] InProcServer32 = C:\WINDOWS\System32\iuctl.dll CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37847.6770486111 [ActiveDataInfo Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.cab [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab [ActiveDataObj Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab --------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll --------------------- End of report, 7,176 bytes Report generated in 0.063 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only

HI chucko, Please check out this link: Where can we post Hijack This Logs i_XpUser

whoops, sorry, and thanks for the heads-up!

Here is how I got rid of it: http://computing.net/windowsxp/wwwboard/forum/108695.html