PDA

View Full Version : reported Win32/Agent.NEO variant but can not remove



kgeee
2007-05-01, 11:48
Hi All,

I have been pulling my hair trying to get rid of this virus for the last 3 wks, be appreciated if someone can help. FYI, I am an experience users and have tools such as ERD, Haren 8, etc..at my disposable but never come across any challenging virus till now.

NOD32 2.7.x reported this during post-startup, seems to occur randomly ....applications that were used are Avant browser, firefox, Windows Media Player, Skype and occassionally MS Word. Unfortunately, NOD32 did not seems to be able to rid of this trojan, just reported and killed it.

Time Module Object Name Threat Action User Information
1/05/2007 14:37:21 PM Kernel file c:\windows\system32\5e7b71fc.exe probably a variant of Win32/Agent.NEO trojan
1/05/2007 14:37:19 PM Kernel file c:\windows\system32\4f87538c.exe probably a variant of Win32/Agent.NEO trojan

These .exe files seems to come & go. Appeared to have created and started from some programs, possibly infected systems file or program.

I tried online scan as per instruction before posting, and run Spybot - Search & Destroy. But only tracking cookies was reported.

I had removed these .exe files, via clean boot from Haren CD. But it kept coming back.

This is the log I have:

Logfile of HijackThis v1.99.1
Scan saved at 6:43:23 PM, on 1/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Spybot\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wiwat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kingtheking.spaces.live.com//PhotoUpload/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

Your help is appreciated.

Mr_JAk3
2007-05-03, 21:54
Hello and welcome to the Forums :)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

kgeee
2007-05-08, 13:58
Thanks for the reply Mr_JAk3.

Just to let you know that I found these files in the windows/systems32, there are the infected files (if I am not wrong):
4F87538C.VDLL
4F87538C.VEXE
4F87538CT.VEXE
5E7B71FC.VDLL
5E7B71FC.VEXE
5E7B71FCT.VEXE
60E3A814.Vexe
AC2B1A24.Vexe

It seems like one of the antivirus programs must have tag them to *.v*. I did scanned with portable NOD32 2.7.x and Kasperky.

Here is the output from the combofix.exe.

"Administrator" - 2007-05-08 20:30:57 Service Pack 2
ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\Administrator\My Documents\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\delme.bat


((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))


2007-04-21 20:51 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-04-21 20:51 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-04-21 20:49 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-04-21 20:49 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-04-21 20:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-04-11 18:38 <DIR> d-------- C:\Program Files\Common Files\Winternals
2007-04-08 16:15 1,032,192 --a------ C:\WINDOWS\explorer.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2070-04-10 01:26:13 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2070-04-10 01:26:12 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2070-04-10 01:26:12 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2070-04-10 00:34:43 -------- d-----w C:\Program Files\Sygate
2070-04-09 21:11:44 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2070-04-09 18:57:04 -------- d-----w C:\Program Files\Symantec
2070-04-09 18:56:59 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2070-04-09 18:46:02 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2070-04-09 18:46:02 110,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2070-04-09 10:26:20 -------- d-----w C:\Program Files\Smarty Uninstaller Pro
2070-04-09 10:23:05 -------- d-----w C:\Program Files\OO Software
2070-04-09 09:24:06 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-08 09:50:12 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1.\Skype
2007-05-01 10:01:18 43,739 ----a-w C:\WINDOWS\system32\updsffdsg1.Vexe
2007-05-01 09:59:26 26,136 ----a-w C:\WINDOWS\system32\AC2B1A24.Vexe
2007-05-01 09:59:23 26,126 ----a-w C:\WINDOWS\system32\60E3A814.Vexe
2007-05-01 09:59:11 43,765 ----a-w C:\WINDOWS\system32\5E7B71FCT.VEXE
2007-05-01 09:59:08 43,765 ----a-w C:\WINDOWS\system32\5E7B71FC.VEXE
2007-05-01 09:59:05 37,190 ----a-w C:\WINDOWS\system32\5E7B71FC.VDLL
2007-05-01 09:59:00 43,739 ----a-w C:\WINDOWS\system32\4F87538CT.VEXE
2007-05-01 09:58:57 43,739 ----a-w C:\WINDOWS\system32\4F87538C.VEXE
2007-05-01 09:58:51 37,237 ----a-w C:\WINDOWS\system32\4F87538C.VDLL
2007-04-21 10:51:46 -------- d-----w C:\Program Files\DIFX
2007-04-21 10:51:18 -------- d-----w C:\Program Files\Nokia
2007-04-07 10:53:21 1,168 ----a-w C:\WINDOWS\mozver.dat
2007-04-07 05:48:27 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1.\Talkback
2007-04-02 10:31:18 -------- d-----w C:\Program Files\MSN Messenger
2007-03-30 09:02:18 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1.\Nokia
2007-03-30 08:51:10 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1.\PC Suite
2007-02-22 00:15:12 90,624 ----a-w C:\WINDOWS\system32\nmwcdcls.dll
2007-02-12 07:22:48 538,256 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-02-12 07:22:46 161,424 ----a-w C:\WINDOWS\system32\SymRedir.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}"="C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"
"{B56A7D7D-6927-48C8-A975-17DF180C71AC}"="C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""
"Nokia.PCSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=dword:00000000
"SynchronousUserGroupPolicy"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"NoSaveSettings"=dword:00000000
"NoWindowsUpdate"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0nwprovau\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"="C:\\WINDOWS\\system32\\dumprep 0 -k"
"SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
UxTuneUp



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-08 20:36:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-08 20:37:12
C:\ComboFix-quarantined-files.txt ... 2007-05-08 20:37

Thanks.

Mr_JAk3
2007-05-08, 21:24
Hello :)

Yes those are infected files that have been renamed.

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\explorer.exe
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

:bigthumb:

kgeee
2007-05-11, 13:45
Sorry couldn't get back any early. This is the result.
Complete scanning result of "explorer.exe", received in VirusTotal at 05.11.2007, 12:37:17 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.10.0 05.11.2007 no virus found
AntiVir 7.4.0.15 05.11.2007 no virus found
Authentium 4.93.8 05.10.2007 no virus found
Avast 4.7.997.0 05.11.2007 no virus found
AVG 7.5.0.467 05.10.2007 no virus found
BitDefender 7.2 05.11.2007 no virus found
CAT-QuickHeal 9.00 05.10.2007 no virus found
ClamAV devel-20070416 05.11.2007 no virus found
DrWeb 4.33 05.11.2007 no virus found
eSafe 7.0.15.0 05.10.2007 no virus found
eTrust-Vet 30.7.3627 05.11.2007 no virus found
Ewido 4.0 05.11.2007 no virus found
FileAdvisor 1 05.11.2007 No threat detected
Fortinet 2.85.0.0 05.11.2007 no virus found
F-Prot 4.3.2.48 05.10.2007 no virus found
F-Secure 6.70.13030.0 05.11.2007 no virus found
Ikarus T3.1.1.7 05.11.2007 no virus found
Kaspersky 4.0.2.24 05.11.2007 no virus found
McAfee 5028 05.10.2007 no virus found
Microsoft 1.2503 05.11.2007 no virus found
NOD32v2 2257 05.11.2007 no virus found
Norman 5.80.02 05.11.2007 no virus found
Panda 9.0.0.4 05.10.2007 no virus found
Prevx1 V2 05.11.2007 no virus found
Sophos 4.17.0 05.08.2007 no virus found
Sunbelt 2.2.907.0 05.05.2007 no virus found
Symantec 10 05.11.2007 no virus found
TheHacker 6.1.6.112 05.10.2007 no virus found
VBA32 3.12.0 05.10.2007 no virus found
VirusBuster 4.3.7:9 05.10.2007 no virus found
Webwasher-Gateway 6.0.1 05.11.2007 no virus found

Aditional Information
File size: 1032192 bytes
MD5: a0732187050030ae399b241436565e64
SHA1: 69f33740413da112630be73ebb805a23b69f2f7f
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=a0732187050030ae399b241436565e64

Thanks.

Mr_JAk3
2007-05-11, 22:11
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

==================

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\updsffdsg1.Vexe
C:\WINDOWS\system32\AC2B1A24.Vexe
C:\WINDOWS\system32\60E3A814.Vexe
C:\WINDOWS\system32\5E7B71FCT.VEXE
C:\WINDOWS\system32\5E7B71FC.VEXE
C:\WINDOWS\system32\5E7B71FC.VDLL
C:\WINDOWS\system32\4F87538CT.VEXE
C:\WINDOWS\system32\4F87538C.VEXE
C:\WINDOWS\system32\4F87538C.VDLL

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

tashi
2007-05-23, 00:13
Due to lack of a response, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.