Am I clear of SDRS64?!! Please help!!



joelinit
2009-09-13, 21:49
Hello all!

Having clicked "deny" to a recent change, I had a continually refreshing column of Resident windows on the right hand side of my desktop that read...

"Resident denied the change of userinit (category System Startup user entry) based on your black list"

I then googled one of the popups I was getting from AVG which alerted me of a threat from "SDRS64" and found a series of posts explaining how to remove what is apparently a Trojan.

However, as it seems (I think?) I didn't yet have the trojan, as this is what Spybot was blocking (?) I wasn't actually able to complete these instructions - I did however follow this post "http://www.pcanswers.co.uk/blog/sdra64exe-remove-trojan-menace-21-05-09?page=1" as far as the point where I could see the registry key "C:\Windows\System32\Userinit.exe". Figuring this was the bad file I deleted it, and although now it appears it isn't a bad file, the popup windows have stopped, following a reboot.

This all seemed a bit too easy though and fearing the computer was still infected, I downloaded Malwarebytes and ran a check - it picked up 3 files and upon deleting them, it also reinstated the userinit registry key.

So that's now where I'm at - the column of Resident popups has stopped and userinit registry key reinstated. This all seems a bit easy though? Does Spybot need a big pat on the back for blocking the change to userinit and upon deleting this regkey has the Trojan threat now vanished, or am I potentially infected with something hiding on my computer?! I'm hoping you might be able to follow my ramblings!

And this is the log pasted below. The bottom command line is repeated hundreds of times which I presume is the column of Resident pop ups?

Thanks again in advance for any help!!

29/12/2007 17:27:44 Allowed (based on user decision) value "AVG7_Run" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE") added in System Startup user entry!
29/12/2007 17:27:51 Allowed (based on user decision) value "AVG7_CC" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP") added in System Startup global entry!
29/12/2007 17:27:54 Allowed (based on user decision) value "avgwlntf" (new data: "") added in Winlogon Notifiers!
29/12/2007 17:32:05 Allowed (based on user decision) value "AVG7_Run" (new data: "") deleted in System Startup user entry!
29/12/2007 17:34:55 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
lsdelete
") changed in Session manager!
30/12/2007 00:03:20 Allowed (based on user decision) value "ALUAlert" (new data: "") deleted in System Startup global entry!
30/12/2007 00:03:41 Allowed (based on user decision) value "ALUAlert" (new data: "C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe") added in System Startup global entry!
30/12/2007 01:02:17 Allowed (based on user whitelist) value "ALUAlert" (new data: "") deleted in System Startup global entry!
02/06/2008 14:23:22 Allowed (based on user decision) value "NWEReboot" (new data: "") added in System Startup global entry!
04/08/2008 15:35:07 Denied (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe") added in System Startup user entry!
03/09/2008 17:25:34 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe") added in System Startup user entry!
03/09/2008 22:53:54 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
03/11/2008 17:30:20 Allowed (based on user decision) value "Desktop SMS" (new data: "") deleted in System Startup global entry!
03/11/2008 17:30:23 Allowed (based on user decision) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
03/11/2008 17:30:26 Allowed (based on user decision) value "iTunesHelper" (new data: "") deleted in System Startup global entry!
03/11/2008 17:30:40 Allowed (based on user decision) value "MSConfig" (new data: ""C:\Windows\system32\msconfig.exe" /auto") added in System Startup global entry!
08/11/2008 14:19:04 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe") added in System Startup user entry!
10/11/2008 13:06:24 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
08/12/2008 19:39:35 Denied (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe") added in System Startup user entry!
03/01/2009 12:05:37 Allowed (based on user decision) value "{22BF413B-C6D2-4d91-82A9-A0F997BA588C}" (new data: "") added in Browser Helper Object!
03/01/2009 12:05:47 Allowed (based on user decision) value "Skype" (new data: ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized") added in System Startup user entry!
09/01/2009 14:33:33 Allowed (based on user decision) value "Boots Insert Detect" (new data: "C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe") added in System Startup user entry!
12/01/2009 18:37:19 Allowed (based on user decision) value "Boots Insert Detect" (new data: "") deleted in System Startup user entry!
12/01/2009 18:39:11 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
13/01/2009 18:20:04 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
24/02/2009 12:38:12 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe") added in System Startup user entry!
25/02/2009 12:02:43 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
02/07/2009 21:43:46 Allowed (based on user decision) value "{0972B098-DEE9-4279-AC7E-4BAAA029102D}" (new data: "") added in ActiveX Distribution Unit!
25/08/2009 19:51:09 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe") added in System Startup user entry!
29/08/2009 14:48:23 Denied (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
08/09/2009 16:33:51 Denied (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
12/09/2009 14:32:17 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
12/09/2009 18:28:19 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
12/09/2009 18:28:37 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
12/09/2009 20:54:05 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
12/09/2009 20:54:08 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
12/09/2009 20:54:20 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
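
The repeated entries at the bottom of the log above can be collapsed and counted rather than read line by line. The following is an added example, not part of the original thread and not Spybot's own code: it parses entries in the Resident log format shown above (including multi-line values), groups identical events, and flags autostart additions whose target sits under a user profile directory. The function names, the sample log (constructed from lines in the post) and the user-profile heuristic are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: entries in the Resident log format shown in the post above.
SAMPLE_LOG = r'''29/12/2007 17:27:44 Allowed (based on user decision) value "AVG7_Run" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE") added in System Startup user entry!
29/12/2007 17:34:55 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
lsdelete
") changed in Session manager!
03/11/2008 17:30:40 Allowed (based on user decision) value "MSConfig" (new data: ""C:\Windows\system32\msconfig.exe" /auto") added in System Startup global entry!
12/09/2009 18:28:19 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
12/09/2009 18:28:37 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
12/09/2009 20:54:05 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
'''

TS_RE = re.compile(r'\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ')
REC_RE = re.compile(
    r'(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<verdict>Allowed|Denied) '
    r'\(based on (?P<basis>[^)]+)\) value "(?P<name>[^"]*)" '
    r'\(new data: "(?P<data>.*)"\) (?P<action>added|deleted|changed) in (?P<category>.+)!',
    re.DOTALL)
# Assumed heuristic: an autostart target inside a user profile is worth a closer look,
# because that location is writable without administrator rights.
USER_PROFILE_RE = re.compile(r'\\(?:Users|Documents and Settings)\\[^\\]+\\', re.I)


def parse_records(text):
    """Split the log into entries; lines without a timestamp continue the previous entry."""
    chunks = []
    for line in text.splitlines():
        if TS_RE.match(line):
            chunks.append(line)
        elif chunks:
            chunks[-1] += "\n" + line
    records = []
    for chunk in chunks:
        m = REC_RE.fullmatch(chunk.rstrip())
        if m:  # entries in an unknown format are skipped, not guessed at
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%m/%Y %H:%M:%S")
            records.append(rec)
    return records


def summarize(records):
    """Collapse identical events into one row with a count and first/last timestamps."""
    groups = {}
    for r in records:
        key = (r["verdict"], r["name"], r["data"], r["action"], r["category"])
        g = groups.setdefault(key, {**r, "count": 0, "first": r["ts"], "last": r["ts"]})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], r["ts"]), max(g["last"], r["ts"])
    return list(groups.values())


def flag_user_profile_autostarts(summary):
    """Return added/changed entries whose new data points into a user profile."""
    return [g for g in summary
            if g["action"] != "deleted" and USER_PROFILE_RE.search(g["data"])]


if __name__ == "__main__":
    for g in flag_user_profile_autostarts(summarize(parse_records(SAMPLE_LOG))):
        print(f'{g["count"]}x {g["verdict"]} "{g["name"]}" -> {g["data"]} '
              f'({g["category"]}, {g["first"]:%d/%m/%Y %H:%M:%S} to {g["last"]:%d/%m/%Y %H:%M:%S})')
```

A high count of denied attempts for the same value over a span of hours means something on the machine kept retrying the change, so the blocked registry write alone does not show that the writer is gone.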

tashi
2009-09-13, 22:14
Hi joelinit,

Please see my post to your topic in the Spybot-S&D forum: http://forums.spybot.info/showthread.php?p=335934#post335934 then start a new topic here providing the HJT log with a link back to this thread.

Which is http://forums.spybot.info/showthread.php?t=51854

Cheers.

Edit
New thread: http://forums.spybot.info/showthread.php?t=51858

joelinit
2009-09-13, 23:15
Hello all!

Please find below my HJT log file in addition to this link to a topic I'd earlier posted without the log! (sorry!)

http://forums.spybot.info/showthread.php?p=335928#post335928

Any advice would be hugely appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:15:24, on 13/09/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://scabozez.cn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} (PhotoboxPhotowaysUploader5 Control) - http://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20090702113641
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9985 bytes

ken545
2009-09-16, 23:26
Hello joelinit

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Sorry for the mix up, but just reply to this thread only by using the SUBMIT REPLY and do not start any new topics.

Please download RootRepeal from one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)

Open RootRepeal (http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png) on your desktop.
Click the Report tab (http://billy-oneal.com/forums/rootRepeal/reportTab.png).
Click the Scan button (http://billy-oneal.com/forums/rootRepeal/btnScan.png).
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the Save Report button (http://billy-oneal.com/forums/rootRepeal/saveReport.png). Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.





Download DDS by sUBs from one of the following links. Save it to your desktop.

DDS.com (http://www.techsupportforum.com/sectools/sUBs/dds)
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://www.forospyware.com/sUBs/dds)

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control Here (http://www.bleepingcomputer.com/forums/topic114351.html)

ken545
2009-09-24, 14:17
Still need help, Joe?

ken545
2009-09-28, 14:27
Due to inactivity, this thread will now be closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.