
Thread: Issues galore

  1. #31
    Ok...here is what has been happening:
    ----------------------------------------------------
    "Boot to safe mode and then double click My Computer, Double Click "C" drive and go to the Windows Folder, then to the system32 folder and open it, look for and remove the items shown in RED
    Don't delete the entire folder ONLY the items noted in red.

    C:\WINDOWS\system32\sdra64.exe
    C:\WINDOWS\system32\jkshfuiehi.dll
    C:\WINDOWS\system32\__c0042424.dat"

    I can only remove jkshfuiehi.dll. The other 2 say they are being used by a program, to stop the program to delete.

    --------------------------------------------------------
    "Have you tried renaming the tools executable file name? blam.exe or something like that?"

    I have tried renaming the tools and tried them in safe and regular modes.
    ---------------------------------------------------------
    "One other thing to check, and be sure you are OFFLINE...go to All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks. Delete EVERYTHING from there. "

    When I point to system tools and click scheduled tasks, it goes to my documents folder??
    ------------------------------------------

    "Then go to Start, Run, msconfig and stop the following from auto starting:"

    When I type msconfig, it says "Windows cannot find misconfig. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

  2. #32
    I did get in to my System Configuration tool. On the start up I only have Adobe Gamma Loader and Adobe Gamma?
    Last edited by JudyP; 05-18-2009 at 08:05 PM.

  3. #33
    Give me another HJT log

  4. #34
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:50:25 AM, on 5/18/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Documents and Settings\me\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O1 - Hosts: ::1 localhost
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} - http://apps.corel.com/nos_dl_manager...etOpPlugin.ocx
    O20 - Winlogon Notify: __c0042424 - C:\WINDOWS\system32\__c0042424.dat
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\me\Desktop\hijack\CWShredder.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 6165 bytes

  5. #35
    I am truly sorry to say, I see no option to do anything else other than a total reformat, since you cannot run any of these clean up programs nor remove any of the infected files.

  6. #36
    Found some other suggestions
    1. Boot from my Windows XP installer.
    2. Log on to recovery console.
    3. Go to system32 directory folder.
    4. Delete the file (del sdra64.exe).
    5. Log on to Windows (on safe mode, don't know if will work on normal mode).
    6. Go to regedit.
    7. Modify the Userinit values

  7. #37
    I'll get the userinit values for you in a sec... Got it. In the registry key

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

    Find the userinit.exe value

    C:\Windows\System32\Userinit.exe,C:\Windows\System32\sdra64.exe,

    Delete the part that says "C:\Windows\system32\sdra64.exe", leaving only the first part, so that your userinit key looks like "C:\Windows\system32\userinit.exe".

    If you don't know how to use regedit: when you boot into safe mode, open the start menu, select Run, then type regedit.

    To find the userinit key, select the "edit" tool menu, then select find, then type in sdra64.exe or navigate the registry by selecting the section of the registry via the TREE on the left hand side of regedit
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

    double click on the userinit key or right click on the key and select modify values, this will bring up the box that allows you to delete the sdra64 entry..

    You should also be able to delete the other files from the recovery console prompt.

    One of them is listed in your HijackThis scan:

    O20 - Winlogon Notify: __c0042424 - C:\WINDOWS\system32\__c0042424.dat

    From the recovery prompt, type:

    del c:\windows\system32\__c0042424.dat

    If you don't have a Windows XP installation disc, there are other boot discs that you can have a friend download and burn to a bootable CD in order to gain access to the hard drive without loading the infected operating system.

  8. #38
    If you are able to delete sdra64.exe and the other .dat file via a boot disc, then once you get rid of sdra64.exe in the registry you should be able to run the rest of the steps in the sticky to clean up. I have read that Avast free antivirus and/or Kaspersky will do it, but if MBAM will run after deleting the files and registry values, update it and allow it to clean and fix anything. I also recommend following Judy's instructions for ComboFix after getting rid of these files the hard way.

    I think this one, sdra64.exe, is stopping the rest of your clean-up applications. It's probably a rootkit and will load with Windows in both safe mode and normal mode; that's why it's difficult to get rid of. The userinit registry value is why it won't delete, because that is saying it's a system/protected file to load and run when Windows boots, and the other value in the previous scan that says "disable regedit=1" means that regedit is disabled. If you try to change the registry in normal mode with the file still remaining on the computer, it will fix itself nearly instantly. It has to be done in safe mode, after deleting the bad files from a non-infected boot disc that is able to read the NTFS partition with full read/write permissions; that's why it's best to use your Windows installation disc and log into the recovery console as administrator.
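
    The two persistence points the helpers above pulled out of the HijackThis log in #34 (the extra executable appended to the Winlogon Userinit value, and the Winlogon Notify entry pointing at a .dat file in system32) can be checked mechanically. The script below is an added example, not code from this thread or from the HijackThis project: it parses HijackThis-style F2/O20/O23 lines, flags the same three things the replies in #37 and #38 reason about, and computes the cleaned Userinit value described in #37. The sample log lines are copied from the log in #34 (plus one benign O4 line for contrast); the heuristics (a genuine Userinit entry ends in \system32\userinit.exe, a Winlogon Notify handler should not be a .dat file, an O23 service marked "(file missing)" is worth a look) are my assumptions, and a flagged line is a review item, not a verdict. Run it as a defender triaging a log offline; it does not touch the registry.

```python
# Added example: triage helpers for HijackThis-style log lines.
# Not part of the original thread; heuristics below are assumptions.

# Constructed sample: lines copied from the HijackThis log in post #34,
# plus one benign O4 line so the triage has something to ignore.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O20 - Winlogon Notify: __c0042424 - C:\WINDOWS\system32\__c0042424.dat
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\me\Desktop\hijack\CWShredder.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Assumption: the only legitimate Userinit entry lives in \system32\userinit.exe
# (compared case-insensitively because the log shows mixed case).
GENUINE_USERINIT_SUFFIX = r"\system32\userinit.exe"


def split_userinit(value):
    """Split a Userinit registry value into its non-empty, comma-separated entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def is_genuine_userinit(entry):
    """True if the entry is the real userinit.exe rather than something appended to it."""
    return entry.lower().endswith(GENUINE_USERINIT_SUFFIX)


def clean_userinit(value):
    """Return the Userinit value with every appended entry removed, as post #37
    describes: only userinit.exe stays, followed by the trailing comma Windows uses."""
    kept = [entry for entry in split_userinit(value) if is_genuine_userinit(entry)]
    if not kept:
        # Refuse to guess a path if the genuine entry is absent; a human must look.
        raise ValueError("no genuine userinit.exe entry found in: %r" % value)
    return kept[0] + ","


def triage_hjt(log_text):
    """Return a list of (finding_kind, [details]) tuples for lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Anything after the genuine userinit.exe is an extra auto-started program.
            value = line.split("UserInit=", 1)[1]
            extras = [e for e in split_userinit(value) if not is_genuine_userinit(e)]
            if extras:
                findings.append(("userinit_extra", extras))
        elif line.startswith("O20 - Winlogon Notify:"):
            # Winlogon Notify handlers are normally DLLs; a .dat file is unusual.
            path = line.rsplit(" - ", 1)[1]
            if path.lower().endswith(".dat"):
                findings.append(("winlogon_notify_dat", [path]))
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            # A registered service whose binary is gone: leftover tool or removed malware.
            findings.append(("service_file_missing", [line.rsplit(" - ", 1)[1]]))
    return findings


if __name__ == "__main__":
    for kind, details in triage_hjt(SAMPLE_HJT_LOG):
        print(kind, details)
    print("cleaned Userinit:", clean_userinit(
        r"C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,"))
```

    The order of findings follows the log, so on the sample input the extra Userinit entry is reported first, then the .dat Winlogon Notify handler, then the missing-file service. Only the first two match what the thread treats as the infection; the third (CWShredder) is a leftover from an earlier removal attempt, which is exactly why the output is a review list rather than a delete list.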

  9. #39
    I guess I will just reformat. My computer needs a good cleaning anyhow. And time wise, I just do not have the time or the mental ability to spend after the week I have had.

    How do I do this? How do I reformat when all I got from Dell is a Reinstallation CD?
    Last edited by JudyP; 05-22-2009 at 07:40 PM.

  10. #40
    Quote Originally Posted by JudyP:
    I guess I will just reformat. My computer needs a good cleaning anyhow. And time wise, I just do not have the time or the mental ability to spend after the week I have had.

    How do I do this? How do I reformat when all I got from Dell is a Reinstallation CD?
    That is all you need to reformat and reinstall the operating system. Surely you also received a Drivers and Utilities Disk.
