
Wicked Combo (Security 2009 and sdra64.exe Trojan)



Hi

I have been in the IT profession for over 12 years and I am very patient. However, my patience has run out today with a very persistent, nasty malware/virus. I was about to give up and just start with a fresh install of Windows XP for this system, but I thought I would give this forum a shot first.

I am working on my niece's laptop, which is very infected with... well, I am not sure what. She had Security 2009 malware on it when I got it, and I noticed other items as well: sdra64.exe, a Trojan according to a Google search, in the process tab of Task Monitor on her Windows XP Dell Inspiron 8600 laptop.

I tried to install your program (based on Google searches it is a good product). However, that failed. I performed the suggested trick of renaming the install file name, and that worked to install Malwarebytes Anti-Malware; however, something is preventing it from running correctly.

I downloaded and ran a program called SDFix to try to get rid of sdra64.exe. That seemed to help a bit, although I see an entry for it again in the log I am about to post, so maybe it is not gone yet.

I downloaded McAfee Stinger to try to remove anything else. It picked up and removed another 7 or 8 viruses/malware apparently. Of course, I performed all of these tasks in safe mode with networking.

I tried your product again and still no success. In the process monitor, a rogue version of iexplore keeps starting. I must still have something kicking around that I cannot get rid of. It will not let me install or run any other anti-spyware/malware products such as SuperAntiSpyware etc. without renaming it. Once renamed, it will install but not run.

Finally, I downloaded HijackThis and tried to install that. It would not let me do that either until I renamed the file. What I have must be particularly savvy and well aware that there are products out there to get rid of it. Without further ado... here is my log:

Thank you so far for all the great work you do helping people with these issues. I have reviewed a few posts in this forum, and your team is really gifted.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:57:59 PM, on 8/15/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatheroffice.gc.ca/city/pages/...0_metric_e.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,

O2 - BHO: 729553 helper - {2267F93C-600C-420E-A229-3317AADD3951} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: 870159 helper - {9E263D08-4127-4B99-9043-4FB044E6FCBC} - (no file)

O2 - BHO: BHO - {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - C:\WINDOWS\system32\iehelper.dll (file missing)

O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - (no file)

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146967859473

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146968261712

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Polly%20Pride%20Pet%20Detective/Images/armhelper.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B83278B3-9CC0-47B9-A202-1B29036B5B20}: NameServer = 85.255.112.169,85.255.112.111

O17 - HKLM\System\CCS\Services\Tcpip\..\{E2A15C2E-8065-4CBD-ACF4-1F2E602DBE24}: NameServer = 85.255.112.169,85.255.112.111

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.169,85.255.112.111

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.169,85.255.112.111

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.169,85.255.112.111

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.169,85.255.112.111

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 5141 bytes
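The log above, read as an added example that is not part of the thread and is not Malwarebytes' or HijackThis' own code: a small Python triage script that parses the HijackThis line types the log uses (R1, F2, O2, O4, O17, O23) and flags the entries a responder would pull out first, namely the extra binary in the UserInit chain, the proxy pointing at localhost, BHO registrations whose DLL is gone, and nameservers inside a range the example treats as rogue. The sample lines are copied from the log in the post; the rogue-DNS range, the function names and the rules themselves are assumptions of this example, not output of any Malwarebytes tool.

```python
"""Triage a HijackThis log for the entry patterns seen in the post above.

Added example, not part of the original thread and not Malwarebytes' or
HijackThis' code. Rules and names are assumptions of this example.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: 729553 helper - {2267F93C-600C-420E-A229-3317AADD3951} - (no file)
O2 - BHO: BHO - {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.169,85.255.112.111
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption of this example: the /24 that contains the nameservers in the
# log. In practice compare against the resolvers DHCP/the ISP should hand out.
ROGUE_DNS_NETS = [ip_network("85.255.112.0/24")]


def parse_line(line):
    """Split a HijackThis entry into (section, payload), or None."""
    m = re.match(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_userinit(payload):
    """F2: UserInit should load userinit.exe only; anything appended to the
    comma-separated chain runs at every logon (sdra64.exe in this log)."""
    m = re.search(r"UserInit=(.*)$", payload, re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extras = [e for e in entries if not e.lower().endswith(r"\userinit.exe")]
    return [f"UserInit chain loads extra binary: {e}" for e in extras]


def check_proxy(payload):
    """R1: a ProxyServer on the local machine means something on the box is
    sitting between the browser and the network (http=localhost:7171 here)."""
    m = re.search(r"ProxyServer = (.*)$", payload)
    if not m:
        return []
    value = m.group(1).strip()
    if re.search(r"(localhost|127\.0\.0\.1)", value, re.IGNORECASE):
        return [f"Proxy points at the local machine: {value}"]
    return []


def check_nameserver(payload):
    """O17: flag statically configured DNS servers inside a rogue range."""
    m = re.search(r"NameServer = (.*)$", payload)
    if not m:
        return []
    findings = []
    for ns in m.group(1).split(","):
        ns = ns.strip()
        try:
            addr = ip_address(ns)
        except ValueError:
            continue  # not an IP literal; skip rather than guess
        if any(addr in net for net in ROGUE_DNS_NETS):
            findings.append(f"DNS server in rogue range: {ns}")
    return findings


def check_bho(payload):
    """O2: a registered Browser Helper Object whose DLL is gone is a leftover
    registration (a scanner removed the file but not the key)."""
    if "(no file)" in payload or "(file missing)" in payload:
        return [f"Orphaned BHO registration: {payload}"]
    return []


CHECKS = {"F2": check_userinit, "R1": check_proxy,
          "O17": check_nameserver, "O2": check_bho}


def triage(log_text):
    """Return a list of (section, finding) tuples for suspicious entries."""
    findings = []
    for line in log_text.strip().splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, payload = parsed
        check = CHECKS.get(section)
        if check:
            findings.extend((section, f) for f in check(payload))
    return findings


if __name__ == "__main__":
    for section, finding in triage(SAMPLE_LOG):
        print(f"[{section}] {finding}")
```

Run against the sample it reports six findings: the proxy, the sdra64.exe UserInit entry, both orphaned BHOs, and both nameservers; the Dell QuickSet Run key and the NVIDIA service pass because the example has no rule for them, which is the point of keeping the rules explicit and narrow rather than flagging every O4 or O23 line.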


  • Staff

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.

Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Also, please back up your important data first while you can still access your Windows. The reason is that you are dealing with one of those Trojans/Bots that have the functionality to kill your OS.

Read these articles for more info: "When a Bot master goes mad - Kill the OS" and "A Zeus botnet self-destructs".

First please take a look and see if any of these posts help you to get MBAM running or not.

Potential Malware infection issues to review to get MBAM running

If none of the above apply in your case, then check whether Malwarebytes works when you rename mbam.exe. This is the file located in the Program Files\Malwarebytes' Anti-Malware folder. So rename mbam.exe to blah.exe (or similar). It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, which includes important system processes. That's why it may be a good idea to rename mbam.exe to iexplore.exe or similar.

Also try to run MBAM from Windows Safe Mode.

But a priority here is: please install an antivirus!

* Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
