
Thread: sdra64.exe infection, cannot remove, please help

#1 Junior Member (joined Jul 2007, 16 posts)

sdra64.exe infection, cannot remove, please help

    I have an infection; it looks like a trojan or something. Malwarebytes doesn't run and Spybot cannot remove it. sdra64.exe is the name.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:09:17 PM, on 3/5/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\McAfee\VirusScan Enterprise\ScnCfg32.Exe
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O2 - BHO: C:\WINDOWS\system32\eanih24.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\eanih24.dll
    O4 - HKLM\..\Run: [tevuligako] Rundll32.exe "waleguti.dll",s
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9633] command /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5880] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\eanih24.dll, HUI_proc
    O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\GINLIN~1\LOCALS~1\Temp\setup.exe
    O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://newyork.access.credit-suisse...WEB/icaweb.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6416C78A-E810-445C-8712-1785809FA433} (CCAOControl Object) - https://newyork.access.credit-suisse.../EPAClient.exe
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://qcmail.qc.cuny.edu/dwa7W.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://etrade.webex.com/client/T26L/nbr/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{784884D3-4B16-4FB2-BFE2-D03D7AE23D75}: NameServer = 217.23.14.75,4.2.2.1,167.206.254.1 167.206.254.2
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: usbdevice - Unknown owner - C:\WINDOWS\system32\launch.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#2 Emeritus-Security Expert (joined Nov 2005, Florida's SpaceCoast, 15,208 posts)


    Hello

    Welcome to Safer Networking.

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


    You do have a problem going on, but before we proceed I need you to go to C:\HJT and delete the entire folder, as the version you're using is outdated. We will update it in a bit.


    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply
    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

#3 Junior Member (joined Jul 2007, 16 posts)


    ComboFix 10-03-06.01 - Gin Lin 03/06/2010 16:30:35.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.596 [GMT -5:00]
    Running from: C:\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\GINLIN~1\LOCALS~1\Temp\csrss.exe
    c:\docume~1\GINLIN~1\LOCALS~1\Temp\lsass.exe
    c:\docume~1\GINLIN~1\LOCALS~1\Temp\services.exe
    c:\docume~1\GINLIN~1\LOCALS~1\Temp\svchost.exe
    c:\documents and settings\Gin Lin\Application Data\avp.ico
    c:\documents and settings\Gin Lin\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk
    c:\documents and settings\Gin Lin\Start Menu\Programs\AntiVirus Plus
    c:\documents and settings\Gin Lin\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
    c:\documents and settings\Gin Lin\Start Menu\Programs\AntiVirus Plus\EULA.url
    c:\documents and settings\Gin Lin\Start Menu\Programs\AntiVirus Plus\Uninstall.lnk
    c:\program files\Windows NT\Accessories\svchost.exe
    c:\windows\system32\certstore.dat
    c:\windows\system32\config\systemprofile\Application Data\AntiVirus Plus
    c:\windows\system32\config\systemprofile\Application Data\avp.ico
    c:\windows\system32\ctfmon .exe
    c:\windows\system32\jefizaya.dll
    c:\windows\system32\lowsec
    c:\windows\system32\lowsec\local.ds
    c:\windows\system32\lowsec\user.ds
    c:\windows\system32\lowsec\user.ds.lll
    c:\windows\system32\pehuraba.exe
    c:\windows\system32\repozuyi.dll
    c:\windows\system32\rundll32 .exe
    c:\windows\system32\sdra64.exe
    c:\windows\system32\systeminfo3.dll
    c:\windows\system32\tolufobi.dll
    c:\windows\system32\wibivuje.dll
    c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
    c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
    c:\windows\Tasks\bjvkwroo.job
    c:\windows\Tasks\vrweqslf.job
    c:\windows\zAdBHO.dll
    F:\autorun.inf

    Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
    Restored copy from - c:\windows\system32\dllcache\atapi.sys
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Legacy_IAS
    -------\Legacy_IPRIP
    -------\Legacy_SEAGATE
    -------\Legacy_SSHNAS
    -------\Service_6to4
    -------\Service_Iprip
    -------\Service_SSHNAS


    ((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
    .

    2010-03-06 21:48 . 2010-03-06 21:48 -------- d-----w- c:\windows\LastGood
    2010-03-06 19:41 . 2010-03-06 19:41 -------- d-----w- c:\program files\PowerISO
    2010-03-06 09:45 . 2010-03-06 09:45 5136 ----a-w- c:\windows\system32\f_lock.dll
    2010-03-04 22:49 . 2010-03-04 22:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2010-03-02 03:34 . 2010-03-02 03:34 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-02-28 22:10 . 2010-03-01 22:57 0 ----a-w- c:\windows\system32\drivers\iownfsr.sys
    2010-02-28 21:02 . 2010-02-28 21:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-02-27 19:50 . 2010-02-27 20:07 0 ----a-w- c:\windows\system32\drivers\rqapxbyw.sys
    2010-02-08 14:59 . 2010-02-08 14:59 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-02-05 18:06 . 2010-02-05 18:06 -------- d-----w- C:\Your PC Protector
    2010-02-05 17:53 . 2010-03-03 00:54 -------- d-----w- c:\program files\schtml
    2010-02-05 04:12 . 2010-02-05 04:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2010-02-05 02:12 . 2010-02-05 02:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-02-05 02:10 . 2010-02-05 18:08 0 ----a-w- c:\windows\system32\41.exe.vir
    2010-02-05 02:08 . 2010-02-05 02:08 327168 ----a-w- C:\sivc.exe
    2010-02-05 01:42 . 2010-02-05 01:47 132608 ----a-w- c:\windows\system32\usbdrv.exe
    2010-02-05 01:42 . 2010-02-05 01:47 10240 ----a-w- c:\windows\system32\launch.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-06 21:17 . 2010-02-05 18:49 4121277 ----a-r- C:\ComboFix.exe
    2010-03-06 06:38 . 2004-09-24 13:37 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-03-05 20:20 . 2009-11-18 17:49 -------- d-----w- c:\program files\iTunes
    2010-03-03 00:59 . 2007-05-17 03:06 -------- d-----w- c:\program files\Windows Defender
    2010-03-03 00:50 . 2003-08-02 00:54 -------- d-----w- c:\program files\QuickTime
    2010-02-27 20:01 . 2009-09-30 02:39 -------- d-----w- c:\documents and settings\Gin Lin\Application Data\BitTorrent
    2010-02-27 19:43 . 2009-10-24 06:27 -------- d-----w- c:\documents and settings\Gin Lin\Application Data\Vso
    2010-02-27 17:13 . 2010-01-30 05:51 -------- d-----w- c:\documents and settings\Gin Lin\Application Data\vlc
    2010-02-27 17:11 . 2009-11-28 19:45 -------- d-----w- c:\documents and settings\Gin Lin\Application Data\dvdcss
    2010-02-26 15:53 . 2010-01-31 21:32 -------- d-----w- c:\documents and settings\Gin Lin\Application Data\Any Video Converter Professional
    2010-02-11 02:27 . 2009-09-30 02:39 -------- d-----w- c:\program files\BitTorrent
    2010-02-05 20:36 . 2009-06-28 17:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-05 19:42 . 2010-02-05 19:42 -------- d-----w- c:\program files\trend micro
    2010-02-05 04:15 . 2003-08-23 17:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-31 21:35 . 2010-01-31 21:32 -------- d-----w- c:\program files\Any Video Converter Professional
    2010-01-31 21:07 . 2010-01-31 21:00 -------- d-----w- c:\program files\1-Click YouTube Downloader
    2010-01-31 05:12 . 2003-05-20 04:42 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-31 05:08 . 2003-07-09 22:15 -------- d-----w- c:\program files\Elaborate Bytes
    2010-01-30 05:48 . 2010-01-30 05:48 -------- d-----w- c:\program files\VideoLAN
    2010-01-25 19:52 . 2010-01-25 19:52 -------- d-----w- c:\program files\DerivaGem
    2010-01-23 21:22 . 2010-01-23 21:22 -------- d-----w- c:\program files\Cheetah Burner
    2010-01-14 16:12 . 2009-10-03 08:04 181120 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-07 21:07 . 2009-06-28 17:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 21:07 . 2009-06-28 17:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-03 20:34 . 2007-12-12 21:55 32092 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-12-26 00:21 . 2003-07-23 03:12 31920 -c--a-w- c:\documents and settings\Gin Lin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-26 00:15 . 2009-12-26 00:16 29480 ----a-w- c:\windows\system32\msxml3a.dll
    2009-12-21 19:14 . 2004-09-24 13:37 916480 ----a-w- c:\windows\system32\wininet.dll
    2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
    2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
    2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
    2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    1601-01-01 00:03 . 1601-01-01 00:03 71168 --sha-w- c:\windows\SYSTEM32\farewoka.dll
    1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\SYSTEM32\jelukahu.exe
    1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\SYSTEM32\nizefipu.dll
    1601-01-01 00:03 . 1601-01-01 00:03 47104 --sha-w- c:\windows\SYSTEM32\pegojehe.dll
    1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\SYSTEM32\razusula.dll
    1601-01-01 00:03 . 1601-01-01 00:03 45568 --sha-w- c:\windows\SYSTEM32\rukurole.dll
    .
    c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
    c:\program files\Canon\Canon IJ Network Scan Utility\cnmnsut            .exe
    c:\program files\Canon\MyPrinter\bjmyprt .exe
    c:\program files\Canon\SolutionMenu\cnslmain .exe
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
    c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
    c:\program files\Common Files\Real\Update_OB\realsched .exe
    c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\ssbkgdupdate .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\Java\jre6\bin\jusched .exe
    c:\program files\QuickTime\qttask               .exe
    c:\program files\ScanSoft\OmniPageSE4\opwarese4 .exe
    c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr .exe
    c:\program files\Windows Defender\msascui .exe
    c:\program files\Yahoo!\Search Protection\searchprotection .exe
    c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\wrtmon .exe
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [N/A]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [N/A]
    "Aim6"="" [N/A]
    "Remote System Protection"="c:\windows\system32\eanih24.dll" [N/A]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "tevuligako"="waleguti.dll" [N/A]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-10-28 257440]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "mslivemsn"="c:\program files\Windows NT\Accessories\svchost.exe" [N/A]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-8-12 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\f_lock]
    2010-03-06 09:45 5136 ----a-w- c:\windows\SYSTEM32\f_lock.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "AIM"=c:\program files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
    "c:\\Program Files\\utorrent\\utorrent.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Seagate\\SeagateManager\\FreeAgent Status\\stxmenumgr .exe"=
    "c:\\Program Files\\Panasonic\\LUMIXSimpleViewer\\PhLeAutoRun.exe"=
    "c:\\Program Files\\Canon\\MyPrinter\\bjmyprt .exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56810:TCP"= 56810:TCP:Pando P2P TCP Listening Port
    "56810:UDP"= 56810:UDP:Pando P2P UDP Listening Port

    R0 sonyhcb;Sony Digital Imaging Base;c:\windows\SYSTEM32\DRIVERS\sonyhcb.sys [6/30/2005 10:27 AM 6097]
    R2 ASFAgent;ASF Agent;c:\program files\intel\ASF Agent\ASFAgent.exe [5/8/2002 9:51 AM 212992]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
    R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [5/7/2002 4:05 PM 39680]
    R2 PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [5/7/2002 4:06 PM 23744]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/27/2007 1:07 PM 24652]
    S2 usbdevice;usbdevice;c:\windows\SYSTEM32\launch.exe [2/4/2010 8:42 PM 10240]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
    S3 sonyhcs;Sony Digital Imaging Video;c:\windows\SYSTEM32\DRIVERS\sonyhcs.sys [6/30/2005 10:27 AM 299923]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-03-06 c:\windows\Tasks\User_Feed_Synchronization-{6852B72C-3D41-4E41-9234-DB4CC4C454B2}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = about:blank
    mWindow Title =
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {6416C78A-E810-445C-8712-1785809FA433} - hxxps://newyork.access.credit-suisse.com/CitrixLogonPoint/NewYork/EPAClient/EPAClient.exe
    FF - ProfilePath - c:\documents and settings\Gin Lin\Application Data\Mozilla\Firefox\Profiles\ajhr3vkm.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - AIM Search
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - plugin: c:\documents and settings\Gin Lin\Application Data\Mozilla\plugins\np29DAA979-0AA1-42A4-A0A9-FDCAC3752F6E.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.link.open_external - 1
    (the line above is repeated 32 times in the log)
    FF - user.js: browser.link.open_newwindow - 1
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{93c4ec67-e601-4fea-a561-276cc05efe25} - hatemeva.dll
    AddRemove-AntiVirus Plus - c:\windows\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.55530.dll
    AddRemove-HijackThis - c:\hjt\HijackThis.exe
    AddRemove-Spybot - Search & Destroy_is1 - c:\windows\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-06 17:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5b,d5,0e,1f,21,18,c2,46,91,97,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5b,d5,0e,1f,21,18,c2,46,91,97,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(772)
    c:\windows\system32\f_lock.dll
    c:\program files\Bonjour\mdnsNSP.dll

    - - - - - - - > 'explorer.exe'(2676)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\program files\Dell\Dell File Manager\CTDFM.DLL
    c:\program files\Dell\Dell File Manager\DFMHK.dll
    c:\program files\Dell\Dell File Manager\CTDFMRES.DLL
    c:\program files\Microsoft Office\Office10\msohev.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\windows\System32\nvsvc32.exe
    c:\windows\system32\fxssvc.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-06 17:49:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-06 22:49
    ComboFix2.txt 2010-02-05 19:41
    ComboFix3.txt 2007-07-16 23:01

    Pre-Run: 44,959,502,336 bytes free
    Post-Run: 45,198,880,768 bytes free

    - - End Of File - - B5F8AE6D908D35936DE0D817534DC3FC
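Between them, the HijackThis log in post #1 and the ComboFix log above carry the indicators an analyst keys on in this thread: a second program chained onto the UserInit value, a Run entry launching from a Temp folder, regedit disabled by policy, a foreign address as the first DNS server, companion files named with whitespace before .exe, timestamps zeroed to 1601, the lowsec folder next to sdra64.exe, and the firewall and AV-status overrides. The Python below is an example added by the editor, not code from the thread and not from HijackThis or ComboFix; it runs those checks over a constructed subset of lines copied from the two logs. The trusted-resolver set, the rule names and the helper names are assumptions made for the example.

```python
"""Triage rules for HijackThis / ComboFix log lines (example added by the editor)."""
import re

# Constructed sample: lines copied from the two logs in this thread, so the
# checks below run offline. Raw string: every backslash is literal.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\eanih24.dll, HUI_proc
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\GINLIN~1\LOCALS~1\Temp\setup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{784884D3-4B16-4FB2-BFE2-D03D7AE23D75}: NameServer = 217.23.14.75,4.2.2.1,167.206.254.1 167.206.254.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
c:\windows\system32\ctfmon .exe
c:\program files\QuickTime\qttask               .exe
c:\windows\system32\lowsec\user.ds
1601-01-01 00:03 . 1601-01-01 00:03 71168 --sha-w- c:\windows\SYSTEM32\farewoka.dll
2010-03-06 09:45 . 2010-03-06 09:45 5136 ----a-w- c:\windows\system32\f_lock.dll
"EnableFirewall"= 0 (0x0)
"AntiVirusOverride"=dword:00000001
"""

# ASSUMPTION for the example: resolvers this machine is expected to use. The
# addresses are the ones the log lists after the foreign 217.23.14.75; the
# thread never says which are legitimate, so treat this set as a placeholder.
TRUSTED_DNS = {"4.2.2.1", "167.206.254.1", "167.206.254.2"}


def check_userinit(line):
    """UserInit should be exactly one entry, userinit.exe. Anything chained
    after it (sdra64.exe here) runs at every interactive logon."""
    m = re.search(r"UserInit=(.*)$", line, re.I)
    if not m:
        return None
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith(r"\userinit.exe")]
    return "userinit_chain: " + ", ".join(extra) if extra else None


def check_dns(line):
    """Flag NameServer entries outside the expected resolver set."""
    m = re.search(r"NameServer\s*=\s*(.*)$", line, re.I)
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group(1)) if s]
    bad = [s for s in servers if s not in TRUSTED_DNS]
    return "dns_hijack: " + ", ".join(bad) if bad else None


def check_run_from_temp(line):
    """Autorun (O4) entries that launch from a Temp directory."""
    if line.startswith("O4 - ") and re.search(r"\\Temp\\", line, re.I):
        return "run_from_temp"
    return None


def check_defense_tamper(line):
    """Regedit disabled, Security Center AV override, or firewall switched off."""
    pat = r'DisableRegedit=1|"AntiVirusOverride"=dword:0*1\b|"EnableFirewall"=\s*0\b'
    return "defense_tamper" if re.search(pat, line, re.I) else None


def check_spaced_extension(line):
    """'ctfmon .exe' beside the real ctfmon.exe: whitespace before the
    extension is the companion-file trick ComboFix lists in its own block."""
    return "spaced_extension" if re.search(r"\S\s+\.(exe|dll)\s*$", line, re.I) else None


def check_zero_filetime(line):
    """1601-01-01 is FILETIME zero: the timestamp was wiped, not set."""
    return "zero_filetime" if line.startswith("1601-01-01") else None


def check_zbot_store(line):
    """local.ds / user.ds under a lowsec folder, next to sdra64.exe, is the
    Zbot (Zeus) config and harvested-data store."""
    return "zbot_datastore" if re.search(r"\\lowsec\\(local|user)\.ds", line, re.I) else None


RULES = [check_userinit, check_dns, check_run_from_temp, check_defense_tamper,
         check_spaced_extension, check_zero_filetime, check_zbot_store]


def triage(log_text):
    """Return (tag, line) pairs for every non-empty line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        for rule in RULES:
            tag = rule(line)
            if tag:
                hits.append((tag, line))
    return hits


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"{tag:<45} {line}")
```

Run it as a script to print the hits, or call triage() on the text of a saved log. The rules are deliberately narrow: the rundll32 entry for eanih24.dll and the f_lock.dll Winlogon Notify handler in the same logs trip nothing here and still need an analyst's eye, which is the point of posting the whole log rather than a scanner verdict.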

#4 Emeritus-Security Expert (joined Nov 2005, Florida's SpaceCoast, 15,208 posts)


    Hello,

    You have quite a variety of malware on this system, and this is most likely how you infected it.

    utorrent
    BitTorrent


    You're downloading files from unknown sources; malware writers know this, and this is their latest avenue of attack. It's your call whether to uninstall those programs, but I have to warn you that if you get infected again and any file-sharing programs are present, help will be denied.


    Keep Combofix on your desktop, we will need it again in a bit.


    Please download ATF Cleaner by Atribune to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
    Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.




    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report and also a new HJT log, please.
