Old 05-21-2006, 03:59 PM   #1 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


Windows alerts and IE popups

Hi,
I'm on Win XP Pro and I was alerted by Sophos AV software that I had downloaded a Trojan a couple of weeks back. Since then, whenever I'm connected to the web I randomly get Windows alerts saying I have some virus followed by a popup advertising AV software (both of which must be bogus), or just adverts for random things. I have done multiple Sophos scans and Spybot scans and Ad-Aware scans but whatever I remove doesn't stop it and new files appear in the next scan. I found this forum looking for an answer and have downloaded the Hijack This software which has given me the following results:

Logfile of HijackThis v1.99.1
Scan saved at 22:51:14, on 21/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\YMANTE~1\winword.exe
C:\WINDOWS\system32\?asks\?ti2evxx.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Ucle] "C:\PROGRA~1\COMMON~1\YMANTE~1\winword.exe" -vt yazr
O4 - HKCU\..\Run: [Pxeswkvc] C:\WINDOWS\system32\?asks\?ti2evxx.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.245 - http://chat-c3.freeserve.com/Java/cfs31245.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab40443.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://secure1.link4it.co.uk/Citrix...a32/ica32t.exe
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/uk/uk/tools/activex/fpu.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab35645.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7CA1130-7480-4477-B52C-56704B131D1E}: NameServer = 80.189.92.2 80.189.94.2
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\PerfectDisk\PDSched.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WebTrends Alerting and Monitoring for Analysis Series 7.0 (WTAMSVC_Analysis Series 7.0) - Unknown owner - C:\Program Files\Developer\WebTrends\wtam_service.exe

Any help on this would be appreciated as I've tried all that I know.
Thank you.
D. Edwards.
JKjerome is offline  
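A defender-side triage script for HijackThis-style logs, added here as an example; it is not part of the original post and not a HijackThis component. It picks out the tells that this log shows: a `?` in a path (HijackThis prints that for characters it cannot render, as in `?asks\?ti2evxx.exe`), a well-known binary name such as `winword.exe` sitting outside its normal folder (the `YMANTE~1` copy, whose real folder name the Ewido report later in the thread shows as `Ѕymantec` with a Cyrillic first letter), and the O20 Winlogon Notify entry; orphaned `(no file)` and `is missing` entries are listed as cosmetic. The sample log is an excerpt of the log above; the table of expected locations is my own assumption, and 8.3 short-name paths such as `PROGRA~1` would need expanding on the live host before the location check is reliable.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the
thread or of HijackThis). Sample log lines are an excerpt of post #1;
EXPECTED_HOME is an assumption about where well-known binaries normally live."""
import re
import unicodedata
from dataclasses import dataclass

# Excerpt of the log posted above (copied lines; most sections omitted).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\YMANTE~1\winword.exe
C:\WINDOWS\system32\?asks\?ti2evxx.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKCU\..\Run: [Ucle] "C:\PROGRA~1\COMMON~1\YMANTE~1\winword.exe" -vt yazr
O4 - HKCU\..\Run: [Pxeswkvc] C:\WINDOWS\system32\?asks\?ti2evxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""

# A Windows path up to the first binary-looking extension (paths may contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|cab)\b', re.IGNORECASE)

# Assumed table: a substring that a genuine copy of each binary's path should contain.
# A same-named file anywhere else is a masquerade candidate (compare the two
# winword.exe entries in the sample). Short-name paths (PROGRA~1) must be
# expanded on the live host first, or legitimate Office entries get flagged too.
EXPECTED_HOME = {
    "winword.exe": "\\microsoft office\\",
    "svchost.exe": "\\windows\\system32\\",
    "winlogon.exe": "\\windows\\system32\\",
    "explorer.exe": "\\windows\\",
}

ORPHAN_MARKERS = ("(no file)", "(file missing)", "is missing")


@dataclass
class Finding:
    line_no: int
    text: str
    reason: str


def path_findings(path: str) -> list[str]:
    """Reasons a single path deserves a second look (empty list = nothing odd)."""
    reasons = []
    if "?" in path:
        reasons.append("path contains '?': HijackThis prints that for characters it "
                       "cannot render, so the real name is non-ASCII or unprintable")
    # Look-alike letters from other scripts (e.g. Cyrillic) hide in vendor folder names.
    odd = sorted({unicodedata.name(c, "U+%04X" % ord(c)) for c in path if ord(c) > 127})
    if odd:
        reasons.append("non-ASCII character(s) in path: " + ", ".join(odd))
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    home = EXPECTED_HOME.get(name)
    if home and home not in lower:
        reasons.append(f"{name} outside its usual location (expected {home!r} in the path)")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Walk a log and collect every line-level and path-level finding."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("O20 "):
            findings.append(Finding(no, line, "Winlogon Notify DLL: loaded into winlogon.exe "
                                              "at every logon; confirm the DLL's publisher"))
        if any(marker in line for marker in ORPHAN_MARKERS):
            findings.append(Finding(no, line, "orphaned entry: referenced file is gone "
                                              "(cosmetic, safe to fix)"))
        for match in PATH_RE.finditer(line):
            for reason in path_findings(match.group(0)):
                findings.append(Finding(no, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}\n    {f.text}")
```

Run as a script it prints seven findings for the excerpt and nothing for the legitimate svchost.exe, Office WINWORD.EXE, NVIDIA and Sophos lines; `path_findings()` can also be pointed at a path from another scanner's report, which is how the Cyrillic folder name from the Ewido output would surface.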

Old 05-22-2006, 04:51 PM   #2 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


Bump

BUMP please
JKjerome is offline  
Old 05-22-2006, 04:51 PM   #3 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


Bump

BUMP please as
JKjerome is offline  
Old 05-22-2006, 04:51 PM   #4 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


Bump

BUMP please as 24
JKjerome is offline  
Old 05-22-2006, 04:52 PM   #5 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


Bump

BUMP please as 24 hours have passed. Sorry - I'm not sure why this reply has been added in many parts - seems to have happened automatically as I was typing it - some sort of autosubmit or something?
JKjerome is offline  
Old 05-23-2006, 06:37 PM   #6 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


Bump

Bump .......................................................................................................................................
JKjerome is offline  
Old 05-24-2006, 11:08 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Hello JKjerome and welcome to TSF,

Our most sincere apologies for the delay in response. Your log appeared as though it was being taken care of due to the number of replies listed at first glance.

Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions.

Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

******************************************************

You are currently running 2 Anti Virus programs. While it may seem to be added protection for you, more than 1 Anti Virus can cause conflicts and confusion between the AV programs as well as system instability. Please choose and run only 1 and uninstall the other via the Add/Remove Programs in the Control Panel.
******************************************************

Download Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

---------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

---------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Ucle] "C:\PROGRA~1\COMMON~1\YMANTE~1\winword.exe" -vt yazr
O4 - HKCU\..\Run: [Pxeswkvc] C:\WINDOWS\system32\?asks\?ti2evxx.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll


Click 'Fix Checked' and close HijackThis.

---------------------------

Delete the following Files and Folders if they still exist.

C:\WINDOWS\system32\ ?asks<--the ? can be any character--possibly Tasks. Make sure you are deleting the folder from this location only.
C:\WINDOWS\SYSTEM32\ winjyg32.dll


---------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

------------------------------------------------

Run Ewido with its updated definitions: (...it's important that all windows are closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

---------------------------

Reboot into Normal Mode.

---------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report

--------------------------------------

Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFolder.bat and save it on your Desktop.

Code:
rem List the suspect file whatever its attributes: /a with no filter includes hidden and system files
dir "C:\PROGRA~1\COMMON~1\YMANTE~1\winword.exe" /a > files.txt
rem Open the result for copying into the reply
notepad files.txt
Locate FindFolder.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.



In your next reply, I'll need the following:

Ewido results
Panda results
New HijackThis log
FindFolder text
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 05-25-2006, 04:29 PM   #8 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


Thank you

Thank you so much for replying Ried. It is really appreciated. Now, I have tried what you suggested. I could not delete the file C:\WINDOWS\SYSTEM32\winjyg32.dll but Ewido picked it up and removed it after that.
Re: Norton - I tried to remove Norton when I started using Sophos but for some reason certain elements of it couldn't be removed, hence the entries in Hijack This. Not sure what to do about that.
There follow the 4 reports/files you requested, separated by dashed lines:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 22:29:33, 25/05/2006
+ Report-Checksum: 4503BFAB

+ Scan result:

HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Cleaned with backup
[280] C:\WINDOWS\system32\winjyg32.dll -> Trojan.Agent.qt : Cleaned with backup
C:\Documents and Settings\David Edwards\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-6fbcc2a0-3738c6ad.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Program Files\Common Files\Ѕymantec\winword.exe -> Downloader.PurityScan.cl : Cleaned with backup
C:\WINDOWS\system32\winjyg32.dll -> Trojan.Agent.qt : Cleaned with backup


::Report End
---------------------------------------------------------
Panda Active Scan
---------------------------------------------------------

Incident Status Location

Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UERS_0001_N82M1105NetInstaller.exe
Potentially unwanted tool:application/errorsafe Not disinfected hkey_local_machine\software\Error Safe Free
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\David Edwards\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-2f231a82-5aa6653d.zip[Dummy.class]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\David Edwards\Cookies\david edwards@apmebf[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\David Edwards\Cookies\david edwards@qksrv[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\David Edwards\Cookies\david edwards@tribalfusion[1].txt
---------------------------------------------------------
New Hijack This log
---------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:54:01, on 25/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://secure1.link4it.co.uk/Citrix...a32/ica32t.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7CA1130-7480-4477-B52C-56704B131D1E}: NameServer = 80.189.92.2 80.189.94.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\PerfectDisk\PDSched.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WebTrends Alerting and Monitoring for Analysis Series 7.0 (WTAMSVC_Analysis Series 7.0) - Unknown owner - C:\Program Files\Developer\WebTrends\wtam_service.exe
---------------------------------------------------------
Results of FindFolder.bat
---------------------------------------------------------
Volume in drive C is Local Disk
Volume Serial Number is 0CF8-4CD5

Directory of C:\PROGRA~1\COMMON~1\YMANTE~1


Directory of C:\Documents and Settings\David Edwards\Desktop
---------------------------------------------------------

I was concerned by all the stuff the scans found, which leads me to wonder how effective Sophos is. I'm wondering if I've got everything off now. Oh, I also removed some entries from Hijack This that related to things I no longer use. I hope that is OK.
Thank you so much for your help on this Ried. I really don't know what I'd do otherwise.
Jerome.
JKjerome is offline  
Old 05-25-2006, 08:14 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Hello Jerome,

Sophos is just fine. Anti Virus programs are not designed to look for spyware and other sorts of malware. In this day and age, a multi-layered approach is best. I'll have all that information for you as soon as your system is cleaned up.

Once again, please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

********************************************

Norton is known to have difficulty uninstalling properly at times. If the version of Norton uninstalled was 2004 or later, please download and run
SymNRT.

********************************************

Download the attached jkfix.zip file to your desktop. Do not run it yet.

----------------------------------------------

Reboot into Safe Mode. (tapping F8 or F5)

----------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if it exists:

Error Safe Free

----------------------------------------------

Run a scan in HijackThis. 'Check' the following entry:

O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)

Click 'Fix Checked' and close HijackThis.

---------------------------

Click Start>Run and copy/paste regsvr32 /u occache.dll and click OK.


Delete the following file and folder:

c:\windows\downloaded program files\UERS_0001_N82M1105NetInstaller.exe

C:\PROGRA~1\COMMON~1\ YMANTE~1 <--Make sure it is in this location and spelled exactly as you see it listed in this path.


Click Start>Run and copy/paste regsvr32 occache.dll and click OK.

---------------------------

Double click on the jkfix.zip folder, then double click on the jkfix.reg file within. Click yes to allow it to merge into your registry.

---------------------------

Reboot into Normal Mode.

---------------------------

Run another online scan at Panda and post the results here along with a new HijackThis log and the following Uninstall list:

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
Please copy and paste the list from Notepad here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 07-15-2006 at 09:25 PM.
Ried is offline  
Old 05-26-2006, 03:31 AM   #10 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


Ried,
Thanks again for your ongoing help on this. By the way, I definitely got rid of that O20 entry in Hijack This before, but it appeared back there afterwards, so I don't know if that's relevant. Re: Norton AV: my version was 2003 so I'd better not run that fix.
Anyway I'm at work now, but I will follow the instructions in your reply as soon as I get home tonight and will let you know the results.
Thank you very much,
Jerome
JKjerome is offline  
Old 05-26-2006, 05:28 AM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Hi Jerome,

I realize you did fix the O20 entry before, but now that the file is gone it should quietly.

----------------------------

If the version of Norton was 2003 or earlier download and run these three tools in the order listed:
Rnav2003
RnisUPG
SYMCLEAN

Delete the following folders if present:
C:\Program Files\ (Delete all folders beginning with Norton or Symantec.)
C:\Program Files\Common Files\Symantec Shared
C:\Documents and Settings\All Users\Application Data\Symantec


-----------------------------

If you had Norton Internet Security, use this uninstaller:
NIS 2003 Uninstaller
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 05-27-2006, 07:34 AM   #12 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


I didn't get a chance to your latest recommendations yesterday evening as intended, but will endeavour to follow them later, along with the updated Norton AV instructions.
Thank you very much once again.
Jerome.
JKjerome is offline  
Old 05-27-2006, 12:41 PM   #13 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


Ried,
OK, I finally got round to doing what you recommended. I had a lot of trouble with the Panda Active Scan though as my internet connection keeps disconnecting automatically. Originally it was to do with an upgrade from ADSL to Max ADSL, but now I'm not so sure - perhaps that's caused by a virus too? The dodgy popups seem to have stopped, so thank you for solving that one.
I ran all 3 Norton things, but couldn't physically delete entries in Programs/ under Symantec or Norton. I can tell you Norton Ghost is still required as there's still an old ghost image of my hard drive on a separate partitioned drive.
Here are the results you requested:
------------------------------------------------------------
Panda Active Scan Results
------------------------------------------------------------

Incident Status Location

Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\David Edwards\Cookies\david edwards@adultfriendfinder[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\David Edwards\Cookies\david edwards@apmebf[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\David Edwards\Cookies\david edwards@casalemedia[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\David Edwards\Cookies\david edwards@qksrv[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\David Edwards\Cookies\david edwards@tribalfusion[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\David Edwards\Cookies\david edwards@xmts[2].txt
Spyware:Application/PRScheduler Not disinfected C:\Program Files\HijackThis\backups\backup-20060525-203432-935-PowerReg Scheduler.exe

------------------------------------------------------------
Hijack This
------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 19:35:37, on 27/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://secure1.link4it.co.uk/Citrix...a32/ica32t.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7CA1130-7480-4477-B52C-56704B131D1E}: NameServer = 80.189.92.2 80.189.94.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\PerfectDisk\PDSched.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WebTrends Alerting and Monitoring for Analysis Series 7.0 (WTAMSVC_Analysis Series 7.0) - Unknown owner - C:\Program Files\Developer\WebTrends\wtam_service.exe
------------------------------------------------------------
Uninstall List(from Hijack This)
------------------------------------------------------------

AC-3 ACM Codec
Ace Utilities 2.5.0
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 7.0.1
Ahead Nero - Burning Rom
Alcatel SpeedTouch USB Software
AngelPotion Video Codec V1
Anti-Blaxx 1.17
Armed and Dangerous
AviSynth 2 (remove only)
Beyond Compare Version 2.0.1
BigFix
BitTornado 0.3.7
CDex extraction audio
Citrix Web Client
CleanUp!
CloneCD
Cool Edit Pro 2.1
Creative MediaSource
Creative Mouse Optical 3000
Creative PC-CAM Center Lite
CSE HTML Validator Professional v5.02
DAEMON Tools
Direct Show Ogg Vorbis Filter (remove only)
DivX Pro Codec
DVD2SVCD 1.1.3 Build 2
EAX Unified
EPSON Printer Software
ewido anti-malware
Eye Candy 3
Eye Candy 4000
ffdshow (remove only)
FinePixViewer Ver.4.0
Freelancer
FreeSpace 2
FUJIFILM USB Driver
Google Earth
Gordian Knot Rip Pack 0.28
Half-Life(R) 2
HijackThis 1.99.1
InterVideo WinDVD Platinum
iTunes
J2SE Runtime Environment 5.0 Update 1
LeechFTP
LiveReg (Symantec Corporation)
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia Shockwave Player
Medal of Honor Allied Assault
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2000
Microsoft Visio for Enterprise Architects SR-1 [English]
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio .NET Enterprise Architect 2003 - English
Monkey's Audio
MSDN Library for Visual Studio .NET 2003
MSN Messenger 7.5
Need for Speed™ Most Wanted
Norton Ghost
NVIDIA Drivers
Panda ActiveScan
PerfectDisk
PowerQuest PartitionMagic 8.0
Quick File Rename Personal Edition v3.0
QuickTime
RealPlayer
Realtek AC'97 Audio
Saitek Configuration Software
Saitek NT Controller Drivers
SATARaid
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Shockwave
SiSoftware Sandra Professional 2003 (Jagged Online Edition)
Sophos Anti-Virus
Sophos AutoUpdate
Spybot - Search & Destroy 1.4
SST Programming Software
Steam(TM)
Tag&Rename
TextPad 4.7
TuneUp Utilities 2006
Update for Windows XP (KB896727)
WebTrends Analysis Series 7.0c
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
xat.com Image Optimizer
xat.com JPEG Optimizer
Xenofex 1.0
XviD MPEG-4 Video Codec
------------------------------------------------------------

Once again thank you very much.
Jerome.
JKjerome is offline  
Old 05-27-2006, 03:33 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Hi Jerome,

Norton Ghost is fine to keep on your system, we are only concerned with the conflict 2 Anti Virus programs can create.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

*******************************************

Click START…RUN…Type in regedit. Make sure just "My Computer" is showing in the left pane and click FILE…EXPORT… and save a copy somewhere in case you make a mistake. Now navigate to the following key by clicking the + sign next to each category to expand them. Continue doing so until you've reached the file/folder/entry I highlighted in RED. Right click and select 'delete'.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ {014DA6C9-189F-421A-88CD-07CFE51CFF10}

If the above registry key is giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

----------------------------------

Click Start->Run - type services.msc & then click on the OK button
*Locate the service - Norton AntiVirus Auto Protect Service
*Double-click on it to open the Properties dialog.
*Under the General tab:
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

*Locate the service - Symantec Network Drivers Service
*Double-click on it to open the Properties dialog.
*Under the General tab:
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in navapsvc. Do NOT allow the reboot yet.

Still within Delete an NT service:
*In the popup box that appears, type in SNDSrvc. Click ok and allow the reboot.

----------------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist:

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Click 'Fix Checked' and close HijackThis.

---------------------------

Delete the following File and Folder if they exist:

C:\Program Files\Norton AntiVirus
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

---------------------------

Reboot into Normal Mode.

---------------------------

How is your system behaving now?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
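The removal procedure in Ried's post above (back up the registry, delete the leftover toolbar key, stop/disable/delete the two Symantec services, then remove the files) scripted in PowerShell, as an added example that is not part of the original thread. It assumes the service names, registry key and paths from Jerome's log, an elevated prompt, and PowerShell 2.0 installed on the XP box (XP did not ship it); the backup folder name is an arbitrary choice for this example. The permissions fix Ried describes for a key that refuses to delete is not scripted here: if Remove-Item fails with access denied, do that step in regedit as written.

```powershell
# Added example, not the thread's own instructions. Run from an elevated prompt.
$ErrorActionPreference = 'Stop'
$BackupDir = Join-Path $env:USERPROFILE 'Desktop\cleanup-backup'   # assumption
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export the user hive first (the equivalent of File > Export in regedit),
#    then remove the leftover IE toolbar key that Panda flagged as application/myway.
$ToolbarKey = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}'
reg.exe export HKCU (Join-Path $BackupDir 'HKCU-before.reg') /y | Out-Null
if (Test-Path $ToolbarKey) {
    Remove-Item -Path $ToolbarKey -Recurse
    Write-Output 'Toolbar key removed'
} else {
    Write-Output 'Toolbar key already gone'
}

# 2. Stop, disable and delete the Symantec services named in the log.
#    SBService is the third entry Ried has HijackThis fix in the same pass.
#    "sc delete" only marks a service for deletion while something still holds
#    a handle to it, which is why the procedure ends with a reboot.
$Services = @('navapsvc', 'SNDSrvc', 'SBService')
foreach ($Name in $Services) {
    $Svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $Svc) { Write-Output "$Name not present, skipping"; continue }
    if ($Svc.Status -eq 'Running') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    sc.exe delete $Name | Out-Null
    Write-Output "$Name stopped, disabled and marked for deletion"
}

# 3. Remove the on-disk remnants only after the services no longer reference them.
$Paths = @(
    'C:\Program Files\Norton AntiVirus',
    'C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe'
)
foreach ($P in $Paths) {
    if (Test-Path $P) { Remove-Item -Path $P -Recurse -Force; Write-Output "Removed $P" }
}

# 4. Verify: the Symantec AV services should be gone (or pending deletion) and
#    Sophos, the AV that stays, should still be running. Win32_Service is used
#    rather than Get-Service because it exposes StartMode and the binary path.
Get-WmiObject Win32_Service |
    Where-Object { $_.DisplayName -match 'Symantec|Norton|Sophos' } |
    Format-Table Name, State, StartMode, PathName -AutoSize

Write-Output 'Reboot now to complete the service deletion.'
```

The order matters: deleting the executables while the services are still registered leaves orphaned O23 entries in the next HijackThis log, and the "system critical" refusal Jerome hit from HijackThis is the same thing from the other side, a service still running when you ask for it to be deleted. Stopping and disabling first, then deleting, avoids both.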
Old 05-28-2006, 04:31 PM   #15 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


Thank you Ried

Ried,
I did have a problem deleting the NT Service in Hijack This - it said it was "system critical", but I tried it again after I'd deleted the Symantec/Norton file/folder and it worked.
The original problem of the alerts and pop-ups stopped once I'd done the first few things you suggested, so I really appreciate the extra help on getting that Norton stuff stopped and removed. I had no idea it might conflict. It all seems fine.
I don't know how you know how to do all of that stuff from the little info you have to go on, but thank you so much for your help. I really am impressed with this forum and will go and donate now as I don't know who else I would've gone to for this help without paying someone.
All the best,
Jerome.
p.s. let me know if you want to see any more logs or reports but I think that's probably the end of it.
JKjerome is offline  
Old 05-29-2006, 10:42 AM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Hi Jerome,

Your logs are clean, I think we're all set here.

If there aren't any more problems, please continue with these final instructions and helpful links.

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and free downloads are available at the following links:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file; save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4


Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
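The three post-cleanup steps in Ried's final instructions (reset the hidden/system file view, switch Automatic Updates on, flush the old restore points and take a fresh one) as one PowerShell script. This is an added example, not part of the original thread, and it assumes an administrator prompt and PowerShell 2.0 on the XP machine. The registry value names are the real ones behind the Folder Options and Automatic Updates dialogs; the restore point description is an arbitrary choice for this example.

```powershell
# Added example, not the thread's own instructions. Run as an administrator.
$ErrorActionPreference = 'Stop'

# 1. Reset hidden/system files and folders. These are the values the View tab
#    of Folder Options writes: Hidden=2 hides hidden files, HideFileExt=1 hides
#    known extensions, ShowSuperHidden=0 hides protected OS files. Explorer
#    re-reads them on its next start, so log off or restart explorer.exe after.
$Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $Adv -Name Hidden          -Value 2 -Type DWord
Set-ItemProperty -Path $Adv -Name HideFileExt     -Value 1 -Type DWord
Set-ItemProperty -Path $Adv -Name ShowSuperHidden -Value 0 -Type DWord

# 2. Enable Windows Auto Update. NoAutoUpdate=0 turns the feature on and
#    AUOptions=4 is "automatically download and install on a schedule"
#    (3 would be download and notify). wuauserv is the Automatic Updates service.
$AU = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
Set-ItemProperty -Path $AU -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $AU -Name AUOptions    -Value 4 -Type DWord
Set-Service  -Name wuauserv -StartupType Automatic
Start-Service -Name wuauserv

# 3. Old restore points can hold copies of the files that were just removed,
#    so disable and re-enable System Restore on every fixed drive (the
#    "Turn off System Restore on all drives" tick/untick), then create a
#    known-clean restore point. The SystemRestore WMI class lives in root\default.
$SR = [wmiclass]'root\default:SystemRestore'
$FixedDrives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }
foreach ($Drive in $FixedDrives) { [void]$SR.Disable($Drive) }
foreach ($Drive in $FixedDrives) { [void]$SR.Enable($Drive, $true) }   # $true = wait until enabled
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS

Write-Output 'Folder view reset, Automatic Updates on, restore points flushed and a new one created.'
```

Disabling System Restore is the step that actually discards the old snapshots; enabling it again afterwards is what makes the fresh Checkpoint-Computer call meaningful, since a restore taken before the cleanup would silently reintroduce whatever was removed.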
Old 05-30-2006, 12:45 PM   #17 (permalink)
Registered User
 
Join Date: May 2006
Posts: 24
OS: XP Pro


Thanks Ried,
I did all of that and have saved the links into my favourites for future reading.
I find it amazing how much trouble these b####### have the rest of us go to!
Thanks for all your ridiculous amounts of help on this.
Jerome.
JKjerome is offline  
Copyright 2001 - 2009, Tech Support Forum