Hello guys pretty sure i have a virus as sysoverload.exe seems dodgy but would ask for help before i delete also is \RunServices: [Win32 USB2 service] winsound1.exe ok? and O4 - HKLM\..\RunServices: [Windows OEM Tool] wnres.exe

Anyway here is the log, thanks for any help you provide:

Hi DDS

Welcome to CC!

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [WindowsRegKeys update] winsysi.exe

O4 - HKLM\..\Run: [Microsoftvirus] sysoverload.exe

O4 - HKLM\..\RunServices: [Windows Run] WinRun.exe

O4 - HKLM\..\RunServices: [WindowsRegKeys update] winsysi.exe

O4 - HKLM\..\RunServices: [Win32 USB2 service] winsound1.exe

O4 - HKLM\..\RunServices: [Windows OEM Tool] wnres.exe

O4 - HKLM\..\RunServices: [Microsoftvirus] sysoverload.exe

O4 - HKCU\..\Run: [Microsoftvirus] sysoverload.exe

Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete these files:

G:\WINDOWS\system32\winsysi.exe
G:\WINDOWS\system32\WinRun.exe
G:\WINDOWS\system32\sysoverload.exe
G:\WINDOWS\system32\wnres.exe
G:\WINDOWS\system32\SSMS.EXE -----> (DO Not delete smss.exe)
G:\WINDOWS\system32\LSSAS.EXE -----> (DO Not delete LSASS.EXE)
G:\WINDOWS\system32\service.exe -----> (DO Not delete services.exe)
G:\WINDOWS\system32\csrs.exe -----> (Do Not delete csrss.exe)

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin


Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

When you are sure you are clean turn it back on and create a restore point.


Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the exact file name and file location so you can delete it yourself.


IMPORTANT!: I highly recommend that you go to Windows update and install all "Critical Updates and Service Packs" except for Service Pack 2 ASAP!. This will patch numerous security holes in IE and Windows. Many baddies get on your machine by taking advantage of these vulnerabilities. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates IMMEDITELY!

Note: At this time I cannot and do not recommend that you install Service Pack 2. See here for more info:

http://support.microsoft.com/default.aspx?scid=kb;en-us;884130

And here:

http://support.microsoft.com/default.aspx?kbid=842242

And here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;878474

A new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it after you have done the above,

Thank you for the quick responses.. here is the second log using the updated version:

Boot to safe mode and delete these files:

G:\WINDOWS\system32\SSMS.EXE -----> (DO Not delete smss.exe)
G:\WINDOWS\system32\LSSAS.EXE -----> (DO Not delete LSASS.EXE)

Update your virus definitions and do a full system scan.

Hey i've done what you have ask and here is the current log.. Hopefully now i can say im cleaned?

Clean!

That was the best response i've ever seen.. you really do yourselfs proud, thanks guys.

<3

You've earnt yourself a bookmark!

You're Welcome!

Glad we were able to help.

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.

To reduce the chances of future Spyware/Hijacking problems, please follow the suggestions here: /t7736-So_how_did_I_get_infected_in_the_first_place.html