Cyberlog-X virus removal


Please let us know if this did the trick for you

Thanks, and I will let you know how it goes when I try it tonight. Also, I would like some opinions on using a program called smitfraudfix. I've had a couple of people recommend it as a way to remove this virus. Your opinions would be greatly appreciated.

Thanks again

Did not work. I went to the key below and could not find anything. Also came across a security response titled Trojan.Ziob.N that has a picture of the pop-up warning I keep getting. Went to the removal instructions, but the registry entries they told me to delete don't exist. HELP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


avibuzz wrote:

Did not work. I went to the key below and could not find anything...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


What did you find when you clicked on that key? Which programs are listed there that you question?

If you want, I could look at a log for you to find the unwanted files. Just save the Silent Runners script to your desktop (important) and then run it; just click Yes and OK on the questions. It will create a log of startup entries in a text file called "Startup programs" on your desktop. Copy/paste it back here.

 

Programs like smitfraudfix and combofix usually do the trick if the trojan you have is included in their lists.

How can I get rid of this virus/spyware on my laptop? It just showed up last night and it is playing hell on my computer. It seems like it has taken control of IE and will not let me run Spybot or any other adware remover. I've run Norton several times and it is not seeing it, but I keep getting that annoying pop-up.

Tony. Not sure if this is what you are looking for, but here is what I have. When I get to the Run folder there is another folder called "optional components"; under that are three folders labeled Imail, Mapi, and Msfs.

JAW. I will try the script thing tonight if IE will let me. Right now this virus has IE hijacked so it constantly redirects me to spam sites. If I manage to download programs like smitfraudfix it will not allow me to open them, even in safe mode. I have to rename them to get them to open. I have run smitfraudfix but it's not fixing the problem.

I have managed to open HijackThis, but when I try to save the file to Notepad the virus seems to be blocking that as well. I'm getting a "Data Execution Prevention" message and then Notepad shuts down. It also prevents me from updating my virus definitions through LiveUpdate.

This is the log from HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21:57, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\2052d.exe
O4 - HKLM\..\Run: [88d8f13b] rundll32.exe "C:\WINDOWS\system32\apmvxinp.dll",b
O4 - HKLM\..\Run: [BM8bebc2a7] Rundll32.exe "C:\WINDOWS\system32\aycglsiu.dll",s
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\2052d.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6888 bytes

 

Thanks for your help and time

Message Edited by avibuzz on 06-03-2008 03:01 PM

Looks like it may be fixed. I ran both smitfraudfix and combofix. Smitfraudfix didn't have any impact, but Combofix looks like it did the job. Appears everything is back to the good. Thanks jAW and to all of you who took the time to help. I'm keeping my fingers crossed.

Please keep us informed

Sounds good that you do not experience any more problems with your computer. I do, however, see in the log that you have Java version 1.4 installed, and that version of Java has security flaws. I recommend that you install the new version using either the Java option from your Control Panel or by going to www.java.com.

 

It could also be an idea to check other programs that are for internet use, like Adobe Flash Player, and update them if needed.

Regarding the HijackThis log: the entries that should have been removed by ComboFix are the four lines below. You can double-check if you want to.


O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\2052d.exe
O4 - HKLM\..\Run: [88d8f13b] rundll32.exe "C:\WINDOWS\system32\apmvxinp.dll",b
O4 - HKLM\..\Run: [BM8bebc2a7] Rundll32.exe "C:\WINDOWS\system32\aycglsiu.dll",s
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\2052d.exe

 

The ones loading through rundll32.exe usually have a few more loading points/files along with them, but I do not know what measures you had taken before creating this log. If you want, you can always post the Silent Runners log for confirmation.

Thanks jAW. I will post the Silent Runners log when I get home tonight. I'm still having some viruses show up on my Norton antivirus scan even though it appears my laptop is running OK. Can't figure out how they are getting there, because I have avoided downloading any items until I'm sure my computer is clean. Will also update the Java thing tonight.

Really appreciate the time and advice all of you have given. Stand by for more.

 

Here is the HijackThis log after I ran ComboFix:


Completion time: 2008-06-03 17:19:34 - machine was rebooted [Chief]
ComboFix-quarantined-files.txt 2008-06-03 22:18:49

Pre-Run: 16,764,178,432 bytes free
Post-Run: 15,597,481,984 bytes free

230 --- E O F --- 2008-05-28 00:50:47


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:45, on 2008-06-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Chief\Application Data\Microsoft\dtsc\24612.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

End of file - 9216 bytes
Message Edited by avibuzz on 06-05-2008 07:18 AM
Message Edited by avibuzz on 06-05-2008 07:20 AM
 
[edit: removed broken and non-applicable link.]

Message Edited by Allen_K on 06-05-2008 03:53 PM

There are two entries in the log that need to be addressed. Use HijackThis to locate and check the two below (you might want to do that booted in Safe Mode).


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht

O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Chief\Application Data\Microsoft\dtsc\24612.exe

 

Where does Norton find the threats? It might be in the quarantine from the other tools you used.

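The two helper posts above single out six HijackThis lines: the four O4 entries ComboFix should have removed and, from the follow-up log, the R0 start page and the HKCU Run entry under the user's profile. The script below is an added example, not code from the thread and not HijackThis, ComboFix or Symantec code. It applies the same judgement calls a helper makes by eye to O4 and R0/R1 lines: a random-looking value name, a hex-only file name, rundll32 loading a DLL through a one-letter export, the Win9x-era RunServices key, a binary under the user's profile, a Microsoft-sounding name outside the Windows or Program Files trees, and a start page that points at a local file. The heuristics, their thresholds and the sample log excerpt are constructed for illustration; a hit means "look at this entry", not "this entry is malicious".

```python
"""Triage HijackThis O4 (autostart) and R0/R1 (IE start/search page) lines.

Added example for this thread; not HijackThis, ComboFix or Symantec code.
The heuristics and the SAMPLE_LOG excerpt are constructed for illustration:
a hit means "look at this entry", not "this entry is malicious".
"""
import re
from pathlib import PureWindowsPath

# O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# R0 - HKCU\Software\...\Main,Start Page = value
R_RE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>.+?) = (?P<data>.*)$")
# rundll32.exe "C:\path\lib.dll",export
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S*)$', re.I)
RANDOM_NAME_RE = re.compile(r"^(BM)?[0-9a-f]{8}$", re.I)   # e.g. 88d8f13b, BM8bebc2a7
HEX_STEM_RE = re.compile(r"^[0-9a-f]{3,8}$", re.I)         # e.g. 2052d.exe, 24612.exe
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\")


def program_path(cmd: str) -> str:
    """Return the executable an autostart command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"^(.*?\.exe)\b", cmd, re.I)    # unquoted path that may contain spaces
    return m.group(1) if m else cmd.split(" ", 1)[0]


def assess_o4(key: str, name: str, cmd: str) -> list:
    """Reasons an O4 autostart entry deserves a closer look (empty = nothing tripped)."""
    reasons = []
    target = program_path(cmd)
    m = RUNDLL_RE.match(cmd.strip())
    if m:                                        # the payload is the DLL, not rundll32
        target = m.group("dll")
        if len(m.group("entry")) <= 1:
            reasons.append("rundll32 loads a DLL through a one-letter export")
    path = PureWindowsPath(target)
    lower = str(path).lower()
    if RANDOM_NAME_RE.match(name):
        reasons.append("random-looking value name")
    if HEX_STEM_RE.match(path.stem):
        reasons.append("hex/numeric file name")
    if key == "RunServices":
        reasons.append("RunServices is a Win9x-era key, rarely used legitimately on XP")
    if any(marker in lower for marker in PROFILE_MARKERS):
        reasons.append("binary lives in a user-writable profile directory")
    if re.search(r"microsoft|windows|installer", name, re.I) and not lower.startswith(SYSTEM_DIRS):
        reasons.append("Microsoft-sounding name outside the Windows/Program Files trees")
    return reasons


def assess_r(value: str, data: str) -> list:
    """Flag IE start/search pages that point at a local file rather than a URL."""
    d = data.strip().lower()
    if re.match(r"^[a-z]:\\", d) or d.startswith("file:"):
        return [f"IE {value} points at a local file instead of a URL"]
    return []


def triage(lines):
    """Return [(line, [reason, ...])] for every line that trips a heuristic."""
    findings = []
    for line in lines:
        line = line.rstrip()
        if (m := O4_RE.match(line)):
            reasons = assess_o4(m["key"], m["name"], m["cmd"])
        elif (m := R_RE.match(line)):
            reasons = assess_r(m["value"], m["data"])
        else:
            continue
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed excerpt: the lines the thread flagged mixed with benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\2052d.exe
O4 - HKLM\..\Run: [88d8f13b] rundll32.exe "C:\WINDOWS\system32\apmvxinp.dll",b
O4 - HKLM\..\Run: [BM8bebc2a7] Rundll32.exe "C:\WINDOWS\system32\aycglsiu.dll",s
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\2052d.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Chief\Application Data\Microsoft\dtsc\24612.exe
""".strip().splitlines()

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run on the excerpt it flags exactly the six lines the helpers named and none of the benign ones; the Java, QuickTime and ctfmon entries pass because their names, file names and locations are all ordinary. The rules are deliberately loose (a legitimate program can live under Application Data, and rundll32 is used by plenty of vendors), which is why the output is a list of reasons to inspect an entry rather than a verdict.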

Here is my Silent Runners log:


"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"AlcoholAutomount" = ""C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount" [file not found]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [file not found]
"AnyDVD" = "C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" ["SlySoft, Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"Microsoft Windows Installer" = "C:\Documents and Settings\Chief\Application Data\Microsoft\dtsc\24612.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [file not found]
"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" [file not found]
"ISUSPM Startup" = ""C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" [file not found]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
                                        \StubPath   = "C:\WINDOWS\system32\ieudinit.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
  -> {HKLM...CLSID} = "AVG Safe Search"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Alcohol Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll" [null data]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll" ["Google Inc."]
{CF7C3CF0-4B15-11D1-ABED-709549C10000}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "IEPlugin Class"
                   \InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\IEHelper.dll" ["Systweak Inc"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
  -> {HKLM...CLSID} = "Wireless Property Page"
                   \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
  -> {HKLM...CLSID} = "Wheel Property Page"
                   \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
  -> {HKLM...CLSID} = "Activities Property Page"
                   \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
  -> {HKLM...CLSID} = "Buttons Property Page"
                   \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
  -> {HKLM...CLSID} = "Share-to-Web Upload Folder"
                   \InProcServer32\(Default) = "c:\Program Files\HP\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
ACDSeeAcquirePicturesOnArrival\
"Provider" = "ACDSee"
"InvokeProgID" = "ACDSee.AutoPlayHandlerAcquire"
"InvokeVerb" = "Acquire"
HKLM\SOFTWARE\Classes\ACDSee.AutoPlayHandlerAcquire\shell\Acquire\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\8.0\ACDSee8.exe" /detect:%1" ["ACD Systems Ltd."]

ACDSeeShowPicturesOnArrival\
"Provider" = "ACDSee"
"InvokeProgID" = "ACDSee.AutoPlayHandler"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\ACDSee.AutoPlayHandler\shell\Open\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\8.0\ACDSee8.exe" "%1"" ["ACD Systems Ltd."]

AlcoholAutoPlayV2.ReadDisc\
"Provider" = "Alcohol 52%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "ReadDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command\(Default) = ""C:\Program Files\Alcohol Soft\Alcohol 52\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

BridgeCS3ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS3"
"InvokeProgID" = "Adobe.adobebridge"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "C:\Program Files\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

EHomeMusicDropTarget\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeMusicDropTarget"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeMusicDropTarget\shell\play\DropTarget\CLSID = "{ED87EFF3-FF22-404E-B2BD-BC3841BDCB2C}"
  -> {HKLM...CLSID} = "EHomeMusicDropTarget Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomePhotosHandler\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomePhotosHandler"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomePhotosHandler\shell\play\DropTarget\CLSID = "{4b7601c1-d292-4902-89f4-583a5ce0c535}"
  -> {HKLM...CLSID} = "EHomePhotosHandler Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomeVideoDropTarget\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeVideoDropTarget"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideoDropTarget\shell\play\DropTarget\CLSID = "{A48E70A4-8E15-4465-9D85-CCE9E63F8AAB}"
  -> {HKLM...CLSID} = "EHomeVideoDropTarget Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomeVideosHandler\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeVideosHandler"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideosHandler\shell\play\DropTarget\CLSID = "{4f61ec50-acef-4ae7-b4c6-b19bddc0f745}"
  -> {HKLM...CLSID} = "EHomeVideosHandler Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

HPAutoplayExpress\
"Provider" = "HP Photosmart Express Software"
"InvokeProgID" = "HpqUnApl.Autoplay"
"InvokeVerb" = "Express"
HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Express\DropTarget\CLSID = "{57FA3F08-E36E-4820-9CC4-122D46114993}"
  -> {HKLM...CLSID} = (no title provided)
                   \LocalServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]

HPUnloadAutoplay\
"Provider" = "HP Photosmart Transfer Software"
"InvokeProgID" = "HpqUnApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = "{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}"
  -> {HKLM...CLSID} = (no title provided)
                   \LocalServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]

MSPVCapture\
"Provider" = "Ulead MediaStudio Pro 8.0"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Ulead Systems\Ulead MediaStudio Pro 8.0\VCapture.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MSPVEditor\
"Provider" = "Ulead MediaStudio Pro 8.0"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Ulead Systems\Ulead MediaStudio Pro 8.0\VEditor.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MSWMEncVCArrival\
"Provider" = "Windows Media Encoder 9 Series"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Windows Media Components\Encoder\WMEnc.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlayAudioCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "AudioCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\AudioCD\command\(Default) = ""C:\Program Files\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

NeroAutoPlayEmptyCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Program Files\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

NeroAutoPlayMusicCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "MusicCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\MusicCD\command\(Default) = ""C:\Program Files\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

UBNBurnOnArrival\
"Provider" = "Ulead Burn.Now 4.5"
"InvokeProgID" = "BurnNow.AutoPlay"
"InvokeVerb" = "CreateDisc"
HKLM\SOFTWARE\Classes\BurnNow.AutoPlay\shell\CreateDisc\Command\(Default) = "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 6\Ulead DVD MovieFactory 6\BurnNow.exe /Drive: %L" [file not found]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" [file not found]
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Norton Security Scan" -> launches: "C:\Program Files\Norton Security Scan\Nss.exe /scan-full /scheduled" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{ED4BD629-C1B6-4399-8A34-02CCAA921DC9}"
  -> {HKLM...CLSID} = "Alcohol Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{ED4BD629-C1B6-4399-8A34-02CCAA921DC9}" = "Alcohol Toolbar"
  -> {HKLM...CLSID} = "Alcohol Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll" [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search && Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

The log looks clean besides the two items I posted before; you should try and remove them using HijackThis. It should not be a problem since it is a dead registry value (file missing). The last lines of the log were missing, but HijackThis usually shows the same.

Do you still get warnings from your Symantec AntiVirus? If so, is it only while running a full system scan, or is it also Auto-Protect popping up? It can, as I said before, be files in quarantine that Symantec finds but cannot remove. In that case they are harmless, and if you want them gone you will have to delete them manually or through the program that put them there.

I also see that you have AVG and Spybot Search & Destroy in the system. If multiple antivirus programs are active in the system at the same time, they can collide, slow down the system and trigger different false positive detections. This will show as Auto-Protect popping up with the same threat over and over. In that case, shut down the other programs, at least AVG, and see if the warning still pops up.
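The way jAW reads the log above (a `[file not found]` entry is a dead registry value that can be removed, `<<H>>` marks a hijack point) can be scripted. The following is an added example, not code from the thread or from Silent Runners; the sample lines are constructed from entries in the log above, and treating `[null data]` entries as "check the file by hand" is this example's own assumption.

```python
import re
from typing import Dict, List

# Constructed sample in the style of the Silent Runners log above: a dead
# scheduled task, a healthy one, a hijack-point line and a DLL without
# version info.
SAMPLE_LOG = r'''
"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" [file not found]
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
<<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
'''

# Silent Runners closes every file reference with a bracketed tag: the
# publisher from the file's version info, [MS] for Microsoft, [null data]
# when no usable version info exists, or [file not found] for a dead entry.
TAG_RE = re.compile(r'\[(?P<tag>"[^"]*"|MS|null data|file not found)\]\s*$')
# First drive-letter path on the line, stopping at the executable/DLL name
# so trailing command-line switches are not swallowed.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"\[]+?\.(?:exe|dll|css))', re.IGNORECASE)


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the entries a reviewer should act on, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TAG_RE.search(line)
        if not m:
            continue
        tag = m.group("tag")
        if tag == "file not found":
            verdict = "dead entry: target is gone, remove the registry value"
        elif tag == "null data":
            verdict = "no version info: confirm the file on disk is expected"
        else:
            continue  # named publisher or [MS]: nothing to flag here
        path = PATH_RE.search(line)
        findings.append({
            "line": line,
            "tag": tag,
            "hijack": line.startswith("<<H>>"),  # hijack-point marker
            "path": path.group("path") if path else "",
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{'[H] ' if f['hijack'] else ''}{f['tag']:15} {f['path'] or f['line']}")
```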

jAW, just as you thought, the files I keep getting are in quarantine. I manually deleted them and ran another full scan with Norton and it came back clean. As far as the other two items you wanted me to delete using HijackThis, I couldn't find them. May be due to the fact that I uninstalled IE and started using Firefox instead. Although I may reinstall IE because some programs that do updates (i.e. AnyDVD etc.) start up IE when I don't have it anymore. Can't seem to figure out how to point them to using Firefox.

Again a very big thanks to you for your help. If it wasn't for this site I would have tossed that laptop out the window days ago. I've bookmarked this site because I'm sure I'll do something stupid again and need your help.

Read this description and you'll notice your Cyberlog-X is included. Then go to the heading "Removal" and follow the instructions there. Good luck and let us know how you made out....

Technical details