TripleRipple
Hi, I have been in the IT profession for over 12 years and I am very patient. However, my patience has run out today with a very persistent, nasty malware/virus. I was about to give up and just start with a fresh install of Windows XP for this system, but I thought I would give this forum a shot first.

I am working on my niece's laptop, which is very infected with... well, I am not sure what. She had Security 2009 malware on it when I got it, and I noticed other items as well: a Trojan, according to a Google search, sdra64.exe in the process tab of Task Monitor on her Windows XP Dell Inspiron 8600 laptop. I tried to install your program (based on Google searches it is a good product); however, that failed. I performed the suggested trick of renaming the install file name, and that worked to install Malwarebytes Anti-Malware, however something is preventing it from running correctly.

I downloaded and ran a program called SDFix to try to get rid of sdra64.exe. That seemed to help a bit, although I see an entry in the log I am about to post for it again, so maybe it is not gone yet. I downloaded McAfee Stinger to try to remove anything else. It picked up and removed another 7 or 8 viruses/malware apparently. Of course I performed all of these tasks in safe mode with networking. I tried your product again and still no success. In the process monitor a rogue version of iexplore keeps starting. I must still have something kicking around that I cannot get rid of. It will not let me install or run any other anti-spyware/malware products such as SuperAntiSpyware etc. without renaming it. Once renamed it will install but not run. Finally I downloaded HijackThis and tried to install that. It would not let me do that either until I renamed the file. What I have must be particularly savvy and well aware that there are products out there to get rid of it.

Without further ado... here is my log. Thank you so far for all the great work you do helping people with these issues. I have reviewed a few posts in this forum, and your team is really gifted.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:59 PM, on 8/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatheroffice.gc.ca/city/pages/...0_metric_e.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: 729553 helper - {2267F93C-600C-420E-A229-3317AADD3951} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: 870159 helper - {9E263D08-4127-4B99-9043-4FB044E6FCBC} - (no file)
O2 - BHO: BHO - {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - (no file)
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146967859473
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146968261712
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Polly%20Pride%20Pet%20Detective/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B83278B3-9CC0-47B9-A202-1B29036B5B20}: NameServer = 85.255.112.169,85.255.112.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2A15C2E-8065-4CBD-ACF4-1F2E602DBE24}: NameServer = 85.255.112.169,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.169,85.255.112.111
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.169,85.255.112.111
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.169,85.255.112.111
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.169,85.255.112.111
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5141 bytes
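As an added illustration (not part of the original post, and not code from HijackThis, Malwarebytes or any other tool named in it), here is a small Python triage script that parses lines in the HijackThis log format shown above and flags the entry types that stand out in this particular log: an F2 UserInit value that launches an extra executable at every logon, an R1 ProxyServer that points at localhost (a local process relaying the browser's traffic), O2 BHO registrations whose DLL is absent (leftovers of a removed or quarantined component), and O17 NameServer entries hard-coded to public addresses on a laptop that would normally get DNS from DHCP. The sample lines are copied from the log above; the flagging rules and severities are my own assumptions about what a responder would want to review first.

```python
"""Triage a HijackThis-style log for entry types commonly abused by malware.

Added example; the sample lines are taken from the forum post's log,
the rules below are the editor's own and not from any vendor tool.
"""
import ipaddress
import re

# Sample input: a subset of the HijackThis lines posted above (raw string,
# so the Windows paths keep their single backslashes).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: 729553 helper - {2267F93C-600C-420E-A229-3317AADD3951} - (no file)
O2 - BHO: BHO - {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.169,85.255.112.111
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry is "<section code> - <body>", e.g. "O17 - HKLM\...".
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Return (code, body) pairs for each entry line; header/process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def check_userinit(body):
    """F2: UserInit should name only userinit.exe; anything appended runs at each logon."""
    prefix = "REG:system.ini: UserInit="
    if not body.startswith(prefix):
        return None
    exes = [p.strip() for p in body[len(prefix):].split(",") if p.strip()]
    extra = [p for p in exes if not p.lower().endswith("\\userinit.exe")]
    if extra:
        return ("high", "UserInit runs extra executable(s): " + ", ".join(extra))
    return None


def check_proxy(body):
    """R1: a ProxyServer on loopback means a local process sits between IE and the network."""
    if "ProxyServer = " not in body:
        return None
    value = body.split("ProxyServer = ", 1)[1]
    sev = "high" if re.search(r"localhost|127\.0\.0\.1", value) else "medium"
    return (sev, "Proxy configured: " + value)


def check_bho(body):
    """O2: a BHO CLSID whose DLL is gone is an orphaned registration worth cleaning up."""
    if "(no file)" in body or "(file missing)" in body:
        return ("low", "Orphaned BHO registration: " + body)
    return None


def check_nameserver(body):
    """O17: static public DNS servers on a DHCP laptop redirect every name lookup."""
    if "NameServer = " not in body:
        return None
    servers = [s.strip() for s in body.split("NameServer = ", 1)[1].split(",")]
    public = []
    for s in servers:
        try:
            if ipaddress.ip_address(s).is_global:
                public.append(s)
        except ValueError:  # not an IP literal; leave it for manual review
            pass
    if public:
        return ("high", "DNS overridden with public servers: " + ", ".join(public))
    return ("medium", "DNS overridden: " + ", ".join(servers))


RULES = {"F2": check_userinit, "R1": check_proxy, "O2": check_bho, "O17": check_nameserver}


def triage(text):
    """Return findings as (code, severity, message) tuples in log order."""
    findings = []
    for code, body in parse_hjt(text):
        rule = RULES.get(code)
        if rule:
            hit = rule(body)
            if hit:
                findings.append((code, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for code, sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {code}: {msg}")
```

Run against the sample, the script reports the proxy, the UserInit extra executable, the two orphaned BHOs and the public DNS override, and stays silent on the Dell QuickSet Run key and the Bonjour service. The point of keying the rules on the section code rather than on file names is that the same checks keep working when the file name changes; the UserInit and NameServer checks in particular describe a configuration state, not a specific sample.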