[Cobain_86]

G,Day Reader,

I need help with Removing AVG 6.0 (virus scan) and it keeps popping up screens with Run AVG 6.0 because there is a trojan in my machine. Now, am I crazy to delete it or shall someone tell me how to remove these "trojans"

Cobain_86

[Advertisements]

You want to remove the malware not the AV software!
Can you tell me - have you tried letting AVG scan & disinfect the drive to remove the trojans? If so, what happened?

Also, download hijack this from this link :
http://www.majorgeek...wnload3155.html

Close any programs you have running (in particular, internet explorer ones), run hijack this & select the 'system scan & save log file' option.
Copy & paste the contents of the log in here.

[Samm]

You want to remove the malware not the AV software!
Can you tell me - have you tried letting AVG scan & disinfect the drive to remove the trojans? If so, what happened?

Also, download hijack this from this link :
http://www.majorgeek...wnload3155.html

Close any programs you have running (in particular, internet explorer ones), run hijack this & select the 'system scan & save log file' option.
Copy & paste the contents of the log in here.

[Cobain_86]

G,Day

Thanks for getting bk to me so soon!

Now when I run the program - it scans it but I'm on freeware and it won't get rid of the virus'.

I have downloaded Hijack This program that you mentioned - do I run that to get rid of this problem??

Cheers

Cobain

[Cobain_86]

Here is the Hijack this log file - Tell me what you think??

Cheers

[Samm]

Here is the Hijack this log file - Tell me what you think??

Cheers

Where exactly?

[Cobain_86]

My attachment won't go on. It says that I can't paste it there from that location. Where can I do it - Ive done it from the desktop, My Documents.

Cobain

[Samm]

When you run HJT, there should be 2 windows - the main one and a second one that just contains text. You should be able to copy & paste from the text one.
If not, open the folder where hijack this is saved to, and look for a file called hijackthis.log.
Rename it hijackthis.txt & attach it to a post.

[Cobain_86]

Sorry - I should have thought of this myself!

here it is below - tell me what you think??

Cobain


Logfile of HijackThis v1.99.1
Scan saved at 6:11:41 PM, on 5/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tcpcheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\udpcheck.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [tcp checker] tcpcheck.exe
O4 - HKLM\..\RunServices: [tcp checker] tcpcheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tcp checker] tcpcheck.exe
O4 - HKCU\..\RunServices: [tcp checker] tcpcheck.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm88544AU
O8 - Extra context menu item: Add banner url(s) to AdsCleaner - C:\Program Files\AdsCleaner Trial\System\Scripts\off_banner.htm
O8 - Extra context menu item: Add selected links to Link Container - C:\Program Files\AdsCleaner Trial\System\Scripts\off_collector_sel.htm
O8 - Extra context menu item: Bookmark all links in AdsCleaner - C:\Program Files\AdsCleaner Trial\System\Scripts\off_all.htm
O8 - Extra context menu item: Bookmark selected link(s) in AdsCleaner - C:\Program Files\AdsCleaner Trial\System\Scripts\off_sel.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open all links in new windows - C:\Program Files\AdsCleaner Trial\System\Scripts\off_open_all.htm
O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\AdsCleaner Trial\System\Scripts\off_open_sel.htm
O8 - Extra context menu item: Say to AdsCleaner Team about banner - C:\Program Files\AdsCleaner Trial\System\Scripts\off_report_ad.htm
O8 - Extra context menu item: Show domain links - C:\Program Files\AdsCleaner Trial\System\Scripts\off_domain_links.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
O16 - DPF: ConferenceRoom Java Client - http://chat.bigpond.com/java/cr.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28177.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6AA93DF6-6757-4338-9087-F7601DE18402} - http://akamai.downlo...ICE_1040_XP.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downlo...ice_4_EN_XP.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4139BB73-A965-45AD-BC85-B66955975F96}: NameServer = 203.2.75.132 198.142.0.51
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Srv32 - Unknown owner - C:\WINDOWS\system32\srv32.exe (file missing)
O23 - Service: TCPIP Managing Service (TCPIPManagingService) - Brought to you by the Bandwidth Bandits - C:\WINDOWS\SYSTEM32\tcpcheck.exe

[Samm]

Oh dear!
You are riddled with the vbbot-B trojan.
You also have Media Access Adware & the mywebsearch hijacker on your system.
Theres one or two other entries there I'm highly dubious about but would need more info before being able to say for sure.

I also think that the Ads Cleaner software is a complete waste of space.

I could probably sort this lot out for you but there's people on this site more qualified at this than I am. What you should really do is jump to the 'Malware removal - hijack logs go here' section in G2G, start a new thread in there & paste your log into it.

They specialise in removing malware like this, so you will be in good hands.

If you have any problems at all, just let me know.