
Thread: Issues galore


  1. #1
    I ran HiJack this and got rid of everything but

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,

    I have tried several times but it keeps showing up in HiJack.

  2. #2
    A new HiJack Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:09:51 AM, on 5/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Documents and Settings\me\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
    O1 - Hosts: 94.232.248.66 antivirprotection.com
    O1 - Hosts: 94.232.248.66 www.antivirprotection.com
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} - http://apps.corel.com/nos_dl_manager...etOpPlugin.ocx
    O20 - Winlogon Notify: __c0042424 - C:\WINDOWS\system32\__c0042424.dat
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\me\Desktop\hijack\CWShredder.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 6442 bytes
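
The log above shows the three persistence tricks the rest of this thread deals with: a second program appended to the Userinit value (F2), hosts-file entries that point security-vendor hostnames at a foreign IP (O1), and a Winlogon Notify package that is a .dat rather than a .dll (O20). The script below is an added example, not part of the thread and not HijackThis code: it pulls exactly those findings out of a HijackThis-format log and rebuilds the Userinit value with only the legitimate entry, which is the fix HijackThis itself kept failing to apply here. The sample log is a constructed subset of the one posted above plus one Winlogon Notify line (crypt32chain) assumed benign for illustration; the fallback default path for userinit.exe is also an assumption.

```python
"""Triage the HijackThis sections this thread turns on: F2 Userinit, O1 Hosts, O20 Winlogon Notify."""
import ipaddress
import re

# Constructed sample: a subset of the log posted above, plus one Winlogon Notify
# line (crypt32chain, assumed benign here) so the filter has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O20 - Winlogon Notify: __c0042424 - C:\WINDOWS\system32\__c0042424.dat
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")
USERINIT_TAIL = "\\system32\\userinit.exe"
DEFAULT_USERINIT = "C:\\WINDOWS\\system32\\userinit.exe"  # assumed default path


def parse_userinit(value):
    """Split the comma-separated Userinit list; Windows leaves a trailing comma."""
    return [p.strip() for p in value.split(",") if p.strip()]


def extra_userinit_entries(value):
    """Every program other than the real system32\\userinit.exe was added by something else."""
    return [e for e in parse_userinit(value) if not e.lower().endswith(USERINIT_TAIL)]


def clean_userinit(value):
    """Rebuild the value with only the legitimate entry, keeping Windows' trailing comma."""
    keep = [e for e in parse_userinit(value) if e.lower().endswith(USERINIT_TAIL)]
    return ",".join(keep or [DEFAULT_USERINIT]) + ","


def hosts_finding(entry):
    """Return why an 'IP hostname' hosts entry is suspicious, or None if it is benign."""
    ip, _, host = entry.partition(" ")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparseable hosts entry"
    if not addr.is_loopback:
        return f"redirects {host} to {ip}"            # fake-AV / phishing redirect
    if host.lower() != "localhost":
        return f"blocks {host} (pinned to loopback)"  # stops AV/update sites resolving
    return None


def triage(log_text):
    """Walk a HijackThis-format log and return (section, reason, value) findings."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec == "F2" and "UserInit=" in rest:
            for extra in extra_userinit_entries(rest.split("UserInit=", 1)[1]):
                findings.append(("F2", "extra Userinit program", extra))
        elif sec == "O1" and rest.startswith("Hosts: "):
            entry = rest[len("Hosts: "):]
            why = hosts_finding(entry)
            if why:
                findings.append(("O1", why, entry))
        elif sec == "O20" and rest.startswith("Winlogon Notify: "):
            name, _, path = rest[len("Winlogon Notify: "):].partition(" - ")
            # Notify packages are DLLs; anything else loaded here is a disguised DLL
            if not path.lower().endswith(".dll"):
                findings.append(("O20", f"Notify package {name} is not a .dll", path))
    return findings


if __name__ == "__main__":
    for sec, why, value in triage(SAMPLE_LOG):
        print(f"{sec}: {why}: {value}")
    print("fixed Userinit:", clean_userinit(
        r"C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,"))
```

Run it over the posted log and it reports the sdra64.exe entry, the two redirected hostnames and the __c0042424.dat package, and leaves the ::1 localhost line and the ProxyOverride line alone. The cleaned Userinit string is what the value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon should read after the extra program is removed.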

  3. #3
    Have you been able to run MBA-M? Your computer is grossly infected and either you are going to have to be able to run one of these tools or honestly reformat is the next step.
    You don't have an anti-virus program installed on there, yet you played a multitude of games...good way to get infected. You have at least one back door trojan on there and probably many others. Your hosts file entries are back in your log, meaning this thing is bringing in more and more.
    You might try this:
    Download ComboFix and save it to the DESKTOP. DON'T run it yet.
    We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

    * Close all open windows including this one.
    * Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
    Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
    ComboFix is now preparing to run, and when it has finished you will see the Disclaimer screen; you should press the number 1 key and then press the Enter key to continue.
    ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
    Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

    ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
    While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

    When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
    This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the program's log file, or report, will be located at C:\ComboFix.txt.
    When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically.
    You should now post this log here when all is complete.

  4. #4
    I can't get MBA-M, ComboFix, or SDFix to run in regular mode or safe mode. HiJack still won't delete those 2 files even after numerous attempts and reboots.

    Any suggestions? Besides blowing up my computer?

  5. #5
    Here are a couple of suggestions from another forum/user with the same issue regarding sdra64.exe.

    Switch off the internet. Run Spybot Search and Destroy, and fix any issues reported by Spybot. Restart without the internet on or plugged in, then delete sdra64.exe from the windows/system32 directory, then restart the computer in safe mode. Use Autoruns to clean up the registry, and run Spybot again. Restart the computer.

  6. #6
    I can't get Spybot to run either. UGH.......

  7. #7
    Quote Originally Posted by JudyP
    I cant get Spybot to run either. UGH.......
    Even in Safe Mode? MBA-M won't run in safe mode either? It is primarily set up to do a full scan only in Normal Mode, but in cases like this it can be run in Safe Mode.

    UNPLUG THE INTERNET CABLE FROM THE COMPUTER
    Do this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Boot to safe mode and then double-click My Computer, double-click the "C" drive and go to the Windows folder, then to the system32 folder and open it; look for and remove the items listed below.
    Don't delete the entire folder, ONLY the items listed.

    C:\WINDOWS\system32\sdra64.exe
    C:\WINDOWS\system32\jkshfuiehi.dll
    C:\WINDOWS\system32\__c0042424.dat

    Leave the internet unplugged and reboot to normal mode. Try running MBA-M, if it won't run then try Combofix.

  8. #8
    Have you tried renaming the tool's executable file name? blam.exe or something like that?

    The malware could have protections against running these programs, some of them could be a memory address range; or just actual file names..

    Judy, do you know if mbam or combofix or any of the other programs will still run after
    renaming the .exe?

    Sorry, I'm still not on an xp machine online, otherwise I could have tested myself.

    If you can't delete the files or get the apps to run, there's another option: an alternate boot disc with antivirus software. Let's try the other methods first though, as many of these malware apps need to be "active" so the anti-malware program can find all its viral tendrils and chop them off before it can delete files and kill the main infection. If you don't get the tendrils, they can grow themselves back into a big infection.

    I have also read some recommendations to use SDFix and have also read some of the reports on several malware information sites regarding sdra64.exe. According to these reports, this bug is said to be a trojan downloader called Zbot?

    keystroke logger, slash bank account information miner, slash proxy server ~able to phone home with any mined info etc..

    It may not happen now or soon, but if you did your online banking, or have purchased anything online during the time that the infection files were on your computer, they could have already got your banking/financial info and, lying in wait, could happen a day, a week, a year later. All of a sudden, bam, you've got no money or tons of weird stuff showing up on your statements; could be one or two small things, or a few big expensive things. If you have not done any online banking or purchases with this infected computer then there is little to worry about, but if you have used this for financial stuff, make yourself a little sticky note to keep an eye on the statements.

    If you notice odd transactions that were not made by you, contact your banking provider, ask them for assistance regarding unauthorised use of your accounts. Make personal notes of the date and time that you noticed the infection or issues with the computer, it may help in their investigation if you get to an issue regarding unauthorised purchases..

  9. #9
    There may also be a hidden folder in c:\windows\system32 called lowsec, associated with the sdra64.exe infection

  10. #10
    Cauz, not sure if ComboFix will run if renamed but MBA-M can. Poster has already tried SDFix without success.
    I agree with your warning concerning online banking or shopping, anything that would require a bank account number or credit card number. If you have done ANY of the above I would contact the bank and credit card company and let them know that you do have an infected computer and very likely they will give you new numbers and also flag your accounts so that an alert will go out for questionable activity.

    One other thing to check, and be sure you are OFFLINE...go to All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks. Delete EVERYTHING from there.

    Then go to Start, Run, msconfig and stop the following from auto starting:

    realteks
    TkBellExe
    QuickTime Task
    SunJavaUpdateSched
    DellSupport
    DellTransferAgent
    E6TaskPanel
    sysav
    SVCHOST.EXE

    Reboot the computer and try the clean up steps again.
