Hi there, I recently reinstalled my comp and got infected after installing SP2. I used S&D + Ad-aware n this is how my log looks like:

Logfile of HijackThis v1.99.1
Scan saved at 2035, on 2005-05-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\msnupdateit.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\IEXwe.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\msnupdateit.exe
C:\Apps\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldofwarcraft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Windows_Protect] winsystem.exe
O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Microsoft Opeions] IEXwe.exe
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\RunServices: [Windows_Protect] winsystem.exe
O4 - HKLM\..\RunServices: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\RunServices: [Microsoft Opeions] IEXwe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows_Protect] winsystem.exe
O4 - HKCU\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKCU\..\Run: [Microsoft Opeions] IEXwe.exe
O4 - HKCU\..\RunServices: [Microsoft Opeions] IEXwe.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117038289733
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = FOO
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = FOO
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = FOO




Hope u can help me

Hello,Tib & Welcome

Is this all of the logfile it looks small did you post all
of the logfile or did you post only part of it

please run a new scan see if the logfile looks
the same if no post the new one.

talk to me is this all of the logfile

HGD

Hi,Tib

If i'm not here when you get back check in again
you have a bad Trojan that you need to get off your PC
it has to go right away it's not a nice one

HGD

My comp just crashed and i had to reinstall windows.. this sucks but yea, what can u do

can saved at 23:32:53, on 2005-05-25
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\winpadg.exe
D:\WINDOWS\System32\fymkml.exe
D:\WINDOWS\System32\msnpg.exe
c:\rdsds.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Albert\Local Settings\Temporary Internet Files\Content.IE5\8XIFGL6V\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Service Drivers] msnpg.exe
O4 - HKLM\..\Run: [Windows Desktop Daemon] winpadg.exe
O4 - HKLM\..\Run: [Windows Compliant] fymkml.exe
O4 - HKLM\..\RunServices: [Service Drivers] msnpg.exe
O4 - HKLM\..\RunServices: [Windows Desktop Daemon] winpadg.exe
O4 - HKLM\..\RunServices: [Windows Compliant] fymkml.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Service Drivers] msnpg.exe
O4 - HKCU\..\Run: [Windows Compliant] fymkml.exe
O4 - HKCU\..\RunServices: [Service Drivers] msnpg.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117053644171
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = FOO
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = FOO
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = FOO



This is all i can get, updater is not letting me update to SP2 and the viruses are blocking ctrl+alt+del windows..

Hi,Tib

First

Please change the location of HijackThis.exe.
Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong

Press control-alt-delete to get into the task manager and end the follow processes if they exist:
winpadg.exe
fymkml.exe
msnpg.exe
rdsds.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Service Drivers] msnpg.exe
O4 - HKLM\..\Run: [Windows Desktop Daemon] winpadg.exe
O4 - HKLM\..\Run: [Windows Compliant] fymkml.exe
O4 - HKLM\..\RunServices: [Service Drivers] msnpg.exe
O4 - HKLM\..\RunServices: [Windows Desktop Daemon] winpadg.exe
O4 - HKLM\..\RunServices: [Windows Compliant] fymkml.exe
O4 - HKCU\..\Run: [Service Drivers] msnpg.exe
O4 - HKCU\..\Run: [Windows Compliant] fymkml.exe
O4 - HKCU\..\RunServices: [Service Drivers] msnpg.exe

These here don't look like an ISP any idea what they are did
you add them your self if no then fix make sure
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = FOO
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = FOO
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = FOO

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following files\folders IF still present:

Do a file Search for these files here if found delete them
msnpg.exe
winpadg.exe
fymkml.exe
rdsds.exe

Then do a reboot do this here

Go for free online Virus scans here:

http://housecall.trendmicro.com/hou.../start_corp.asp
http://www.pandasoftware.com/activescan/

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

after doing all of the above till us how it is & show us new logfile

HGD

this is my new logfile.. My comp is still acting weird and i cant install SP2 for some reason, i get the msg: Update was unabled to install etc. I Can't open ctrl+alt+del window either..

Logfile of HijackThis v1.99.1
Scan saved at 19:12:44, on 2005-05-26
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\System32\setup32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\systeminfos.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\mmc.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Albert\Local Settings\Temporary Internet Files\Content.IE5\K1UN4TYB\hijackthis[1].exe

F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Media Access] D:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...ridge-c139.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117053644171
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = FOO
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = FOO
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = FOO
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - D:\WINDOWS\System32\mousehs.exe (file missing)
O23 - Service: RadClock - Unknown owner - D:\WINDOWS\system32\RadClock.exe

Btw, the FOO ISP thing is something i have to use for my net.

Hi,Tib

First once again move HijackThis to a folder on your D:\Drive like so D:\HJT

Download Pocket Killbox version 2.0.0.175
From one of these loactions
http://www.downloads.subratam.org/KillBox.zip
http://www.atribune.org/downloads/KillBox.exe
If you already have Killbox first ensure it is this version !.
If you have the one in zipped form it MUST be unzipped/extracted first.

Start Killbox place a tick next to [x]delete on reboot.
Copy this whole list into the windows clipboard, all the Bolded below.

D:\WINDOWS\System32\setup32.exe
D:\WINDOWS\System32\systeminfos.exe
D:\WINDOWS\System32\mousehs.exe

mssmmspgr.exe<--For this item here do a file Search for it
once you find it place it in KillBox like the others above

Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the first prompt and no to the second.

Exit Killbox and immediately restart your PC.

Once back at the forums make and post a hijackthis and findits logs, there will be more to do hang in there.

HGD

now once you do all of the above run a new scan with HijackThis
& go no where but here show me logfile

Logfile of HijackThis v1.99.1
Scan saved at 21:29:54, on 2005-05-26
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update. exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\hijackthis.exe

F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Media Access] D:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...ridge-c139.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117053644171
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = FOO
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = FOO
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = FOO
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - D:\WINDOWS\System32\mousehs.exe (file missing)
O23 - Service: RadClock - Unknown owner - D:\WINDOWS\system32\RadClock.exe

Now i can Alt+ctrl+del and get SP2 ^^

Hi,Tib

Great now that you have Alt+ctrl+del do this here

Press control-alt-delete to get into the task manager and end the follow processes if they exist:
setup32.exe
systeminfos.exe
mousehs.exe
mssmmspgr.exe


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Then again use KillBox

Download Pocket Killbox version 2.0.0.175
From one of these loactions
http://www.downloads.subratam.org/KillBox.zip
http://www.atribune.org/downloads/KillBox.exe
If you already have Killbox first ensure it is this version !.
If you have the one in zipped form it MUST be unzipped/extracted first.

Start Killbox place a tick next to [x]delete on reboot.
Copy this whole list into the windows clipboard, all the Bolded below.

D:\WINDOWS\System32\setup32.exe
D:\WINDOWS\System32\systeminfos.exe
D:\WINDOWS\System32\mousehs.exe
mssmmspgr.exe<--Do a file Search for this one & add it to KillBox like
the others

Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the first prompt and no to the second.

Exit Killbox and immediately restart your PC.

Once back at the forums make and post a hijackthis and findits logs, there will be more to do hang in there.

HGD