hey, just re-installed xp because of a problem and got another one, because the os disk is sp1, when i installed it, i had no security, i went on the net to download avg/ad-aware etc and i got a error saying ur comp has been shut down to prevent............

and when i restarted, my wallpaper had changed, i had this suspicious program (spy sheriff) which i removed twice (via add/remove progs.) I conected back up to the net scanned with ad-aware and foung 93 infections!!!!! i deleted them and i still have four red circles with white crosses in them

here are some scrn shots:

This is what my desktop changed to: (centre only, had to crop)

btw, here is a HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 22:44:01, on 20/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Config\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe
C:\WINDOWS\tool2.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Config\FahCore_78.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
D:\Program files\Security\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E4EA49-37D2-484F-8936-4926440AE7B4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{35E4EA49-37D2-484F-8936-4926440AE7B4}: NameServer = 205.188.146.145
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Hardware Check - Stanford University - C:\WINDOWS\Config\svchost.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

i am not sure about these things:
C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

But i didnt want to delete them just in case they were important


and this has came back >>> C:\WINDOWS\Config\FahCore_78.exe

(just ignore that though, already been ansered on other thread.... i'll just go back to that)

ok, just scanned for viruses (sorry, should have done this earlier) (some of the viruses that were deleted were related to some things in the HJT log) ill post a fresh one:

Logfile of HijackThis v1.99.1
Scan saved at 23:54:56, on 20/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\winstall.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\Anfield Alerts\anfieldalerts.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program files\Audio-Video\Napster\NapsterClient-GB-3.1.1.8.dat
C:\WINDOWS\System32\svchost.exe
D:\Program files\Security\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Anfield Alerts] C:\Program Files\Anfield Alerts\anfieldalerts.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E4EA49-37D2-484F-8936-4926440AE7B4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{35E4EA49-37D2-484F-8936-4926440AE7B4}: NameServer = 205.188.146.145
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Check - Unknown owner - C:\WINDOWS\Config\svchost.exe (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

You might like to run Panda av http://www.pandasoftware.com/actives...an/ascan_1.asp and Adaware/Spybot SD while you wait for someone to help .

igfxsrvc.dll is a library belonging to the Intel(R) Graphics Accelerator Helper
paytime.exe, Added by the STARTPA-YR TROJAN
drct16.dll : Added by the Troj/Haxdoor-CN rootkit infection. This file is installed as system driver and is used to hide processes, files, and registry keys from being seen.

ok, thanks, just deleted 2 more trojans with AVG, do i need panda even though i have AVG?

ive just done a clean install of xp sp2, thanks for the help and sorry if i wasted anyones time
Mike

No waste of time here Mike. We like to help as many as we can. Its usually advisable to run free online scans as well as your own av as they can sometimes pick up ones the other will miss.
Hopefully your comp is clean now and working fine.

ok, thanks

yup its working fine now thanks (until the next problem) lol i have combined windows xp and sp2 to make a windows xp sp2 bootable cd so if i do get any problems, i will automaticaly have sp2 when i do a clean install so i will have a bit of security

You could also keep a backup the latest updates from AVG. They are located under C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\upd7bin. So you could do a periodical save of this folder and install AVG on a clean system and update it from there before going on the net.