Pesky Winservad keeps re-installing itself

It all started with Spam from Pepsi. I was offered a BOGOF coupon but when I printed it, I got the Cool Savings Trojan. I used HijackThis and AdAware to kill it but it kept coming back. Worse yet, the popups introduced other Trojans to my machine. I was able to kill 180Solutions and Istsvc by deleting the directories C:\_Restore\Temp, C:\Temp, and C:\Windows\Temp. Deleting C:\Windows\Freed~1 got rid of Cool Savings for good.

My problem is that Winservad is not so easy to kill. I found the main file in C:\Windows\Window~3 and Deltreed the directory, along with C:\Windows\Window~2, after first running Attrib -r -s -h *.* in each directory. The pesky directory re-appears after each re-boot, along with the offending files.

I tried a Regedit search for WINSERVAD and WINSERVSUIT and deleted all their entries but this also was to no avail. I also ran MSCONFIG and unchecked all unknown Start entries. I quickly found that I needed a few of those to access the internet and local network and turned those back on. I cleaned all the others from my computer but this also failed to stop WINSERVAD.

My computer is an old Gateway 2000 P 233 mhz with 256 meg RAM. My OS is Win ME with IE 6.0 SP1. I have a LAN with 2 other computers (not infected) and I connect to the intermet via cable modem.
Any help you can offer will be much appreciated.

 

I just personally encountered that one last nite. It is a pain i know. Tried to kill the process but that did not work.
I actually used a program that I have installed called Security Task Manager. It tells you about your running processes, services, drivers, programs - the works and then you can remove it or quarantine it. If you use quarantine it will prevent it from reloading itself. Then after it has been put into quarantine, you can delete it from the quarantine (not restore it but just delete it.)
Thats what i did and then I also manually deleted the folder it put in my Program Files folder, and manually deleted the registry keys I found under Local machine and under Current User, also under the microsoft/windows/current version/run registry location.
Then just to be sure I sis a search on all files and folders for files that had been created or modified that same day (yesterday) since that was when it hit. I wiped all entries seen there from the disk - even references to it that were found as a recently accessed file shortcut.
Today I am free from that little bugger....

SO I may have done overkill but it worked so who cares!!

 

Thanks for the idea. I do not have the Security Task Manager but the quarantine feature is included in Trini Personal Firewall, a shareware program which was on a CD ROM bundled with a recent issue of PC World Magazine. I used Trini to disable Winservad and then ran MSCONFIG to disable Trini because it slows my old machine to a crawl.

As to your other steps, there is no overkill with Winservad. I have delt with other Trojans but this one is the worst.

BTW: I contacted Pepsi's webmaster, regaurding the Cool Savings Trojan. He had me telephone "our Consumer Relations Department at (800-433-2652) Monday - Friday between 9-6 EST". The lady I spoke with claimed that Pepsi would never do such a thing but promised to look into the problem. Cool Savings generates pop-ups that install other Trojans, leading to a cascade of the stupid things.