I think I may have all but solved the problem I had, but I would be grateful if someone who knows about these things would just cast their eye over the following, and I wonder if I should post a HijackThis log.
Operating system is Windows XP Home Edition
Norton AntiVirus 2005 installed with auto updates turned on; a full scan hadn’t been done in a while before the problem occurred.
Ad-Aware SE Personal installed but not used for a while
Spybot Search and Destroy installed but not used for a while
SpywareBlaster installed but rarely used
All steps outlined at http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
have been carried out.
The problem began when a flashing icon was noticed in the systray, alternating between a red disc with a white “X” on it and an icon that looked a bit like a Windows Update symbol. Every so often a “balloon” appeared from the flashing icons saying something to the effect of “the machine was infected with a virus and to click here to download the best antimalware software”. I’m sure that it was clicked on but nothing happened.
On running a full Norton scan it picked up a file named xpuudate.exe which it designated as “Spysheriff” and apparently deleted it. The flashing icon didn’t go though! I found a startup entry for xpuudate with the following command C:WINDOWS\system32\xpuupdate.exe
and location SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
I disabled it in startup which got rid of the flashing icon. Then did a search for the file and there it was in the system32 folder.
Did another Norton scan which again detected it and deleted it. This time it had gone from the system32 folder. Mind you, at the same time I was doing Ad-Aware and Spybot scans too, but I don’t think they picked anything up.
After this, ran through all of the various antivirus/malware scanners as detailed on the above-mentioned link; some things were found, particularly by “Bit Defender” from memory, and I believe this identified something called Renos B.
Anyhow, what I’m left with, as far as I can tell, is a disabled startup entry xpuudate as described above and the following entries in the registry when searching for xpuudate:
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603\ab000 REG_SZ xpuudate.exe
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603\ab001 REG_SZ xpuudate.exe.
Not sure what you would prefer me to do now, please advise.
Thanks for your patience