Post #1, 05-17-2009, 09:54 AM
Registered User
 
Join Date: May 2009
Posts: 6
OS: win xp sp3


Rootkit trojan - sdra64.exe and more?

Any help would be greatly appreciated. Thanks in advance.

Noticing some strange behavior, I ran HijackThis yesterday. I use it periodically. I noticed a new F2 item (sdra64.exe) had altered my registry. I attempted to modify the offending registry entry with no success (it just reappeared). I then decided to boot into safe mode and try there. Once again, no success, although that seems to have induced more problems.

Now when I boot up normally and select a user profile from the logon screen, the computer hangs. It'll display the appropriate background for the desktop, but none of the icons appear, nor the taskbar. I'm able to Ctrl-Alt-Del and see the running processes, but not much else. I can, however, still boot into safe mode with network connectivity. Restore points seem to be gone. I can't seem to get the computer to boot from CD. Automatic recovery is available, but just booting from the CD doesn't seem to be; it just defaults to a new installation, which I quit from.

Desired logs are below and attached. If you have any suggestions, keep in mind I'm operating in safe mode.


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Tommy at 10:20:40.62 on Sun 05/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.792 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Tommy\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mc368.mail.yahoo.com/mc/welcome?.rand=cojimjj54llv6
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LXDBCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXDBtime.dll,_RunDLLEntry@16
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171847509531
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-12-16 333328]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-2-29 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 51440]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-2-22 52624]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-12-16 36368]
S3 lxdb_device;lxdb_device;c:\windows\system32\lxdbcoms.exe -service --> c:\windows\system32\lxdbcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2008-2-22 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-2-22 648456]

=============== Created Last 30 ================

2009-05-17 00:51 389,120 a------- c:\windows\system32\cmd.execf
2009-05-16 23:23 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-05-16 23:23 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-05-15 06:58 <DIR> --dsh--- c:\windows\system32\lowsec
2009-05-15 06:58 <DIR> --d----- c:\program files\Microsoft Common

==================== Find3M ====================

2009-05-16 14:46 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-05-16 13:37 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-02 16:00 52,752 a------- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 16:00 52,624 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 16:00 142,864 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-28 10:03 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2008-12-29 21:55 22,328 a------- c:\docume~1\tommy\applic~1\PnkBstrK.sys
2008-04-27 12:22 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 10:21:06.12 ===============


Thanks again, Tom
Attached Files
File Type: zip Attach.zip (2.6 KB, 5 views)
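The DDS report in the post above shows where the persistence sits: the Winlogon Userinit value (the "mWinlogon:" line) carries a second executable, sdra64.exe, appended after userinit.exe, and a hidden system directory (attributes "--dsh---") appeared under system32 two days earlier. Winlogon launches every program listed in Userinit at each interactive logon, so a clean XP installation has exactly one entry there, userinit.exe. The Python script below is an added example, not part of the original thread and not code from DDS, HijackThis or ComboFix. It runs those two checks over constructed sample lines copied from the log format above and, when run on Windows, can also read the live Userinit value through the standard winreg module. The rule names and the Finding type are assumptions of this example.

```python
"""Triage DDS-style log lines for Winlogon Userinit persistence (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the DDS "Pseudo HJT Report" and
# "Created Last 30" formats, modelled on the log posted above.
SAMPLE_LOG = """\
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,c:\\windows\\system32\\sdra64.exe,
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [nwiz] nwiz.exe /install
2009-05-15 06:58 <DIR> --dsh--- c:\\windows\\system32\\lowsec
2009-05-15 06:58 <DIR> --d----- c:\\program files\\Microsoft Common
"""

# The only program a stock Windows XP Userinit value should name.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"


@dataclass
class Finding:
    rule: str      # hypothetical rule identifier, chosen for this example
    evidence: str  # the path that triggered the rule


def parse_userinit(value):
    """Split the comma-separated Userinit value; drop the trailing empty entry."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_userinit(line):
    """Flag every Userinit entry other than userinit.exe itself."""
    m = re.match(r"^mWinlogon:\s*Userinit=(.*)$", line, re.IGNORECASE)
    if not m:
        return []
    extras = [e for e in parse_userinit(m.group(1))
              if e.lower() != EXPECTED_USERINIT]
    return [Finding("winlogon-userinit-extra", e) for e in extras]


def check_hidden_system_dir(line):
    """Flag directories created under system32 with both the system and hidden bits set.

    DDS prints the attribute column as d=directory, s=system, h=hidden.
    """
    m = re.match(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+<DIR>\s+(\S+)\s+(.*)$", line)
    if not m:
        return []
    attrs, path = m.groups()
    in_system32 = path.lower().startswith("c:\\windows\\system32\\")
    if "s" in attrs and "h" in attrs and in_system32:
        return [Finding("hidden-system-dir-in-system32", path)]
    return []


def triage(log_text):
    """Run both checks over every line of a DDS log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        findings += check_userinit(line)
        findings += check_hidden_system_dir(line)
    return findings


def live_userinit_findings():
    """On Windows, apply the Userinit check to the real registry value; elsewhere return []."""
    try:
        import winreg
    except ImportError:
        return []
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return check_userinit(f"mWinlogon: Userinit={value}")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG) + live_userinit_findings():
        print(f"{f.rule}: {f.evidence}")
```

The check is deliberately strict: any second program in Userinit is reported, because legitimate software almost never needs to be there, and a one-line allowlist is easier to maintain than guessing at malicious names. A finding from this script is a reason to pull the file, not a verdict; the original poster's observation that the value reappeared after editing is exactly why the analyst in this thread asks for a ComboFix run rather than another manual registry fix.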
Post #2, 05-18-2009, 12:36 PM
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: Rootkit trojan - sdra64.exe and more?

Hello and welcome to TSF.

Quote:
I attempted to modify the offending registry entry with no success (it just reappeared). I then decided to boot into safe mode and try there. Once again, no success. Although that seems to have induced more problems.
The registry is a dangerous place to play around in unless you know exactly what you're doing. Did you back up your registry before you experimented with it?

Quote:
I can however still boot into safe mode with network connectivity.
Although we would not recommend surfing the net while in Safe Mode with Networking, it may come in handy now.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Post #3, 05-19-2009, 06:59 PM
Registered User
 
Join Date: May 2009
Posts: 6
OS: win xp sp3


Re: Rootkit trojan - sdra64.exe and more?

ama,

Thanks for the reply. Agreed, the registry is not a place to tinker for fun. Rest assured, I knew exactly which registry entry the Zbot had modified and was trying to set it back to its original entry. Yep, had a backup beforehand.

I have to admit that in between my post and your reply, I downloaded and ran a ZbotKiller from the following Kaspersky link.

http://support.kaspersky.com/faq/?qid=208280039

It did resolve the symptoms I was experiencing, removed the offending registry entry and files I couldn't delete. Once those were gone, my normal login came back without a hitch and I no longer have to troubleshoot solely in safe mode.

I did run combofix as you suggested. Here's the log:

ComboFix 09-05-16.05 - Tommy 05/19/2009 20:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.661 [GMT -4:00]
Running from: c:\documents and settings\Tommy\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\helper.sig
c:\program files\Microsoft Common
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\09\01\07\A94D5E985BE6A9FF-4B8CB302B509E719.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\09\13\11\A94D5E985BE6A9FF-1DB8ADF88E938BD9.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\11\14\15\A94D5E985BE6A9FF-DC66C6E70A940FEB.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\12\01\04\A94D5E985BE6A9FF-1DB8ADF88E93841C.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\12\14\11\A94D5E985BE6A9FF-DC66C6E70A940BEC.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\13\01\12\A94D5E985BE6A9FF-DC66C6E70A93FC1D.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\13\02\00\A94D5E985BE6A9FF-DC66C6E70A94002D.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\14\12\03\A94D5E985BE6A9FF-1DB8ADF88E9393CE.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc10.url
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc2.m4a
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc3.JPG
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc4.JPG
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc5.JPG
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc6.JPG
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc7.url
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc8.url
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc9.url
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\INFO2

.
((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-17 03:23 . 2008-04-13 18:45 10368 -c--a-w c:\windows\system32\dllcache\hidusb.sys
2009-05-17 03:23 . 2008-04-13 18:45 10368 ----a-w c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 00:44 . 2008-10-22 00:07 -------- d-----w c:\program files\Common
2009-05-19 23:40 . 2008-12-30 01:54 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-19 22:01 . 2008-12-30 01:55 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-17 02:11 . 2007-08-11 13:23 -------- d-----w c:\program files\Lx_cats
2009-04-02 20:00 . 2008-02-22 20:48 52752 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-02 20:00 . 2008-02-22 20:48 52624 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 20:00 . 2008-02-22 20:48 142864 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-03-06 14:22 . 2004-10-08 12:01 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 19:43 . 2007-06-17 12:25 24872 ----a-w c:\documents and settings\Abby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-03 00:18 . 2004-10-08 12:01 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 14:03 . 2008-12-30 01:54 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-24 02:21 . 2007-02-19 01:03 24872 ----a-w c:\documents and settings\Tommy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-10-08 12:01 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 15:59 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2007-05-11 08:06 . 2007-05-11 08:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2007-02-08 17:32 . 2005-05-20 01:11 925696 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

2007-02-08 17:32 . 2005-09-07 23:35 716800 c:\program files\Analog Devices\SoundMAX\bak\Smax4.exe

2004-12-13 15:30 . 2008-02-19 20:16 58984 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

I was surprised to see it delete some files. Clearly, I may not have known I had other issues too. Thoughts?

Thanks in advance for your time, Tom

Last edited by TommyC2; 05-19-2009 at 07:01 PM.
Post #4, 05-19-2009, 08:48 PM
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: Rootkit trojan - sdra64.exe and more?

Hi,

The ComboFix log is incomplete. Please post the complete log. It should be located at C:\ComboFix.txt.
Post #5, 05-20-2009, 05:11 AM
Registered User
 
Join Date: May 2009
Posts: 6
OS: win xp sp3


Re: Rootkit trojan - sdra64.exe and more?

Sorry. Here it is.

ComboFix 09-05-16.05 - Tommy 05/19/2009 20:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.661 [GMT -4:00]
Running from: c:\documents and settings\Tommy\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\helper.sig
c:\program files\Microsoft Common
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\09\01\07\A94D5E985BE6A9FF-4B8CB302B509E719.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\09\13\11\A94D5E985BE6A9FF-1DB8ADF88E938BD9.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\11\14\15\A94D5E985BE6A9FF-DC66C6E70A940FEB.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\12\01\04\A94D5E985BE6A9FF-1DB8ADF88E93841C.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\12\14\11\A94D5E985BE6A9FF-DC66C6E70A940BEC.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\13\01\12\A94D5E985BE6A9FF-DC66C6E70A93FC1D.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\13\02\00\A94D5E985BE6A9FF-DC66C6E70A94002D.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc1\14\12\03\A94D5E985BE6A9FF-1DB8ADF88E9393CE.itc
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc10.url
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc2.m4a
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc3.JPG
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc4.JPG
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc5.JPG
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc6.JPG
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc7.url
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc8.url
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\Dc9.url
c:\recycler\S-1-5-21-1004336348-1715567821-725345543-1005\INFO2

.
((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-17 03:23 . 2008-04-13 18:45 10368 -c--a-w c:\windows\system32\dllcache\hidusb.sys
2009-05-17 03:23 . 2008-04-13 18:45 10368 ----a-w c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 00:44 . 2008-10-22 00:07 -------- d-----w c:\program files\Common
2009-05-19 23:40 . 2008-12-30 01:54 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-19 22:01 . 2008-12-30 01:55 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-17 02:11 . 2007-08-11 13:23 -------- d-----w c:\program files\Lx_cats
2009-04-02 20:00 . 2008-02-22 20:48 52752 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-02 20:00 . 2008-02-22 20:48 52624 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 20:00 . 2008-02-22 20:48 142864 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-03-06 14:22 . 2004-10-08 12:01 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 19:43 . 2007-06-17 12:25 24872 ----a-w c:\documents and settings\Abby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-03 00:18 . 2004-10-08 12:01 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 14:03 . 2008-12-30 01:54 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-24 02:21 . 2007-02-19 01:03 24872 ----a-w c:\documents and settings\Tommy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-10-08 12:01 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 15:59 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2007-05-11 08:06 . 2007-05-11 08:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2007-02-08 17:32 . 2005-05-20 01:11 925696 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

2007-02-08 17:32 . 2005-09-07 23:35 716800 c:\program files\Analog Devices\SoundMAX\bak\Smax4.exe

2004-12-13 15:30 . 2008-02-19 20:16 58984 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2007-02-08 17:38 . 2004-11-03 04:24 32768 c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe

2007-05-17 21:45 . 2007-05-17 21:45 279912 c:\program files\Microsoft LifeCam\bak\LifeExp.exe

2005-02-26 00:54 . 2005-02-26 00:54 131072 c:\program files\Multimedia Card Reader\bak\shwicon2k.exe

2007-02-19 05:46 . 2007-02-19 05:46 100056 c:\program files\SymNetDrv\bak\SNDMon.exe

2007-12-25 19:38 . 2007-04-10 21:46 709992 c:\windows\bak\vVX3000.exe
2007-12-25 19:41 . 2007-04-10 21:46 709992 c:\windows\vVX3000.exe

2007-02-08 17:17 . 2005-08-05 21:56 64512 c:\windows\ehome\bak\ehtray.exe
2007-02-08 17:17 . 2005-08-05 21:56 64512 c:\windows\ehome\ehtray.exe

2007-02-08 17:38 . 2001-07-09 18:50 155648 c:\windows\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 492808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXDBCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDBtime.dll" [2006-03-02 73728]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [N/A]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [N/A]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [N/A]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 16:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\GamePark\\gameparkclient_en.exe"=
"c:\\Program Files\\GamePark\\GameparkUpdate.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/29/2008 4:03 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 51440]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/16/2007 7:29 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [12/16/2007 7:29 PM 333328]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/22/2008 4:48 PM 52624]
S3 lxdb_device;lxdb_device;c:\windows\system32\lxdbcoms.exe -service --> c:\windows\system32\lxdbcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2/22/2008 4:48 PM 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2/22/2008 4:48 PM 648456]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PNKBSTRB
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mc368.mail.yahoo.com/mc/welcome?.rand=cojimjj54llv6
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 20:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDBCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDBtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'winlogon.exe'(2224)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-20 20:47
ComboFix-quarantined-files.txt 2009-05-20 00:47
ComboFix2.txt 2009-01-17 21:37

Pre-Run: 144,277,004,288 bytes free
Post-Run: 144,951,119,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

176 --- E O F --- 2009-05-13 07:04
Post #6, 05-20-2009, 05:23 AM
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: Rootkit trojan - sdra64.exe and more?

Thanks. It appears that ComboFix was run twice. I'd like to see the other log too.

Please go to Start>Run and copy/paste the following:

C:\QooBox\ComboFix2.txt

A text file will open. Please post the contents of the file.
Post #7, 05-20-2009, 05:27 AM
Registered User
 
Join Date: May 2009
Posts: 6
OS: win xp sp3


Re: Rootkit trojan - sdra64.exe and more?

Sure enough, this log is from back in January.

ComboFix 09-01-17.02 - Tommy 2009-01-17 16:33:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.722 [GMT -5:00]
Running from: c:\documents and settings\Tommy\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\windows\system32\msziptools.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-17 00:37 . 2009-01-17 00:37 <DIR> d-------- c:\documents and settings\Abby\Application Data\SUPERAntiSpyware.com
2009-01-09 19:14 . 2009-01-09 19:14 <DIR> d-------- C:\swsetup
2009-01-08 22:24 . 2009-01-08 22:24 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-29 21:12 . 2007-05-16 16:45 3,497,832 --a------ c:\windows\system32\d3dx9_34.dll
2008-12-29 21:12 . 2007-05-16 16:45 1,124,720 --a------ c:\windows\system32\D3DCompiler_34.dll
2008-12-29 21:12 . 2007-05-16 16:45 443,752 --a------ c:\windows\system32\d3dx10_34.dll
2008-12-29 21:12 . 2007-05-31 19:30 266,088 --a------ c:\windows\system32\xactengine2_8.dll
2008-12-29 21:12 . 2007-05-31 19:29 18,280 --a------ c:\windows\system32\x3daudio1_2.dll
2008-12-29 21:11 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2008-12-29 21:11 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2008-12-29 21:11 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2008-12-29 21:11 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2008-12-29 21:11 . 2007-04-04 18:55 261,480 --a------ c:\windows\system32\xactengine2_7.dll
2008-12-29 21:11 . 2007-01-24 15:27 255,848 --a------ c:\windows\system32\xactengine2_6.dll
2008-12-29 21:11 . 2006-12-08 12:02 251,672 --a------ c:\windows\system32\xactengine2_5.dll
2008-12-29 20:55 . 2009-01-17 15:44 137,688 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2008-12-29 20:55 . 2008-12-29 20:55 22,328 --a------ c:\documents and settings\Tommy\Application Data\PnkBstrK.sys
2008-12-29 20:54 . 2009-01-05 22:56 <DIR> d-------- c:\windows\system32\LogFiles
2008-12-29 20:54 . 2009-01-17 15:43 202,040 --a------ c:\windows\system32\PnkBstrB.exe
2008-12-29 20:54 . 2008-12-31 22:13 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2008-12-29 20:54 . 2008-12-29 20:54 319 --a------ c:\windows\game.ini
2008-12-29 20:41 . 2008-12-29 20:41 <DIR> d-------- c:\program files\Activision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 21:33 --------- d-----w c:\program files\Common
2009-01-17 05:35 --------- d-----w c:\program files\Lx_cats
2009-01-12 02:05 --------- d-----w c:\program files\Yahoo!
2009-01-12 01:49 --------- d-----w c:\program files\Trend Micro
2009-01-09 02:44 --------- d-----w c:\program files\IGZones
2008-12-30 01:54 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-13 01:35 --------- d-----w c:\documents and settings\Tommy\Application Data\Apple Computer
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 14:20 --------- d-----w c:\program files\Google
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-04-27 16:22 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 00:51:55 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 40,048 2007-05-11 0832 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-r 925,696 2005-05-20 01:11:06 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

----a-w 716,800 2005-09-07 23:35:36 c:\program files\Analog Devices\SoundMAX\bak\Smax4.exe

----a-w 58,984 2008-02-19 20:16:17 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 32,768 2004-11-03 04:24:46 c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe

----a-w 279,912 2007-05-17 21:45:32 c:\program files\Microsoft LifeCam\bak\LifeExp.exe

----a-w 131,072 2005-02-26 00:54:48 c:\program files\Multimedia Card Reader\bak\shwicon2k.exe

----a-w 100,056 2007-02-19 05:46:36 c:\program files\SymNetDrv\bak\SNDMon.exe

----a-r 709,992 2007-04-10 21:46:48 c:\windows\bak\vVX3000.exe
----a-w 709,992 2007-04-10 21:46:48 c:\windows\vVX3000.exe

----a-w 64,512 2005-08-05 21:56:34 c:\windows\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-05 21:56:34 c:\windows\ehome\ehtray.exe

----a-w 155,648 2001-07-09 18:50:42 c:\windows\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 492808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [N/A]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [N/A]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"LXDBCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDBtime.dll" [2006-03-02 73728]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [N/A]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 11:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\GamePark\\gameparkclient_en.exe"=
"c:\\Program Files\\GamePark\\GameparkUpdate.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-02-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-02-29 51440]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-12-16 333328]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-12-16 36368]
S3 lxdb_device;lxdb_device;c:\windows\system32\lxdbcoms.exe -service --> c:\windows\system32\lxdbcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2008-02-22 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-02-22 648456]
S4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-02-22 52240]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PNKBSTRB
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mc368.mail.yahoo.com/mc/welcome?.rand=cojimjj54llv6
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: *.turbotax.com

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 16:35:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDBCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDBtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'winlogon.exe'(3460)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-17 16:37:37
ComboFix-quarantined-files.txt 2009-01-17 21:37:35

Pre-Run: 212,422,811,648 bytes free
Post-Run: 212,972,179,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

181 --- E O F --- 2009-01-14 08:02:24
Old 05-20-2009, 07:34 AM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: Rootkit trojan - sdra64.exe and more?

Hi,

Thank you.

Quote:
Adobe Reader 8.1.1
Your Adobe Reader is out of date. Older versions have vulnerabilities. You may want to uninstall it and download the latest version, Adobe® Reader® 9.1.

=======================


The following are some leftovers from Symantec/Norton, which seems to have already been uninstalled. You can go ahead and delete these folders:

c:\program files\SymNetDrv
c:\program files\Common Files\Symantec Shared

=======================
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
AWF::
c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe
c:\program files\Microsoft LifeCam\bak\LifeExp.exe
c:\program files\Analog Devices\SoundMAX\bak\Smax4.exe
c:\program files\Analog Devices\Core\bak\smax4pnp.exe
c:\program files\Multimedia Card Reader\bak\shwicon2k.exe
c:\windows\system32\bak\NeroCheck.exe

Folder::
c:\windows\bak
c:\windows\ehome\bak

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000000
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


============================

Perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

=======================

Please post back the Combofix.txt, Kaspersky report and feedback on how the computer is behaving now.
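The AWF:: and Registry:: directives in the post above do two things: they put autorun targets that had been parked under bak folders back in place, and they re-enable Security Center monitoring that the infection had switched off. As an added example (not part of the original thread, and not ComboFix's own code), the following Python script applies the same two checks to a ComboFix log: it pairs each Run entry with a copy of the same file under a sibling bak folder listed in the AWF section, and it flags DisableMonitoring=1 under the Security Center keys and EnableFirewall=0 in the firewall policy. The embedded log excerpt is constructed (abridged from the January log posted earlier, with one timestamp completed); the line patterns are my own reading of the log layout, not a documented ComboFix format.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt, abridged from the kind of ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 00:51:55 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 40,048 2007-05-11 08:32:00 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-r 925,696 2005-05-20 01:11:06 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

----a-w 155,648 2001-07-09 18:50:42 c:\windows\system32\bak\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [N/A]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Section banners look like "((((( Name )))))"; assumed layout, not a documented format.
SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")
# "Name"="path" [date size]  or  [N/A]
RUN_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<stamp>[^\]]*)\]')
# AWF lines: attributes, size, date, time, path
AWF_LINE_RE = re.compile(r"^[-a-z]{7}\s+[\d,]+\s+\d{4}-\d\d-\d\d\s+\S+\s+(?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")


def split_sections(text):
    """Group log lines under the banner that precedes them."""
    sections = {"header": []}
    current = "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def find_wrapped_autoruns(text):
    """Pair Run entries with originals parked under a sibling bak\\ folder (AWF section)."""
    sections = split_sections(text)
    parked = {}  # restored path (lowercase) -> bak copy
    for line in sections.get("AWF", []):
        m = AWF_LINE_RE.match(line.strip())
        if not m:
            continue
        p = PureWindowsPath(m.group("path"))
        if len(p.parts) >= 3 and p.parts[-2].lower() == "bak":
            restored = p.parent.parent / p.name  # where the file lived before it was moved
            parked[str(restored).lower()] = str(p)
    findings = []
    for line in sections.get("Reg Loading Points", []):
        m = RUN_ENTRY_RE.match(line.strip())
        if m and m.group("path").lower() in parked:
            findings.append({"name": m.group("name"), "target": m.group("path"),
                             "bak_copy": parked[m.group("path").lower()],
                             "stamp": m.group("stamp")})
    return findings


def find_disabled_protection(text):
    """Flag Security Center monitoring switched off and the XP firewall disabled."""
    issues = []
    key = ""
    for line in split_sections(text).get("Reg Loading Points", []):
        s = line.strip()
        km = KEY_RE.match(s)
        if km:
            key = km.group("key")
            continue
        if "security center\\monitoring" in key.lower() and re.match(r'"DisableMonitoring"=dword:0*1$', s):
            issues.append("Security Center monitoring disabled for " + key.rsplit("\\", 1)[-1])
        if "firewallpolicy\\standardprofile" in key.lower() and re.match(r'"EnableFirewall"=\s*0\b', s):
            issues.append("Windows Firewall disabled (standard profile)")
    return issues


if __name__ == "__main__":
    for f in find_wrapped_autoruns(SAMPLE_LOG):
        print(f"wrapped autorun {f['name']!r}: {f['target']} (original parked at {f['bak_copy']}, stamp {f['stamp']})")
    for issue in find_disabled_protection(SAMPLE_LOG):
        print("protection off:", issue)
```

On the January log this pairing is exactly what the AWF:: section of the CFScript acts on, and the May log confirms the effect: after the run, NeroFilterCheck carries the date and size of the bak copy (2001-07-09, 155648) instead of [N/A].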
Old 05-20-2009, 10:11 PM   #9 (permalink)
Registered User
 
Join Date: May 2009
Posts: 6
OS: win xp sp3


Re: Rootkit trojan - sdra64.exe and more?

amateur,

Thanks for the reply again. I complied with all directions. Here's the combofix log:

ComboFix 09-05-20.A0 - Tommy 05/20/2009 21:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.664 [GMT -4:00]
Running from: c:\documents and settings\Tommy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tommy\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\bak
c:\windows\bak\vVX3000.exe
c:\windows\ehome\bak
c:\windows\ehome\bak\ehtray.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-21 01:45 . 2009-05-21 01:45 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-21 01:42 . 2009-05-21 01:51 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-21 01:42 . 2009-05-21 01:50 -------- d-----w c:\program files\NOS
2009-05-17 03:23 . 2008-04-13 18:45 10368 -c--a-w c:\windows\system32\dllcache\hidusb.sys
2009-05-17 03:23 . 2008-04-13 18:45 10368 ----a-w c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 01:54 . 2007-12-25 19:39 -------- d-----w c:\program files\Microsoft LifeCam
2009-05-21 01:51 . 2007-02-08 17:41 -------- d-----w c:\program files\Multimedia Card Reader
2009-05-21 01:44 . 2007-02-19 01:49 -------- d-----w c:\program files\Common Files\Adobe
2009-05-20 02:20 . 2008-12-30 01:54 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-20 01:42 . 2008-12-30 01:55 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-20 00:44 . 2008-10-22 00:07 -------- d-----w c:\program files\Common
2009-05-17 02:11 . 2007-08-11 13:23 -------- d-----w c:\program files\Lx_cats
2009-04-02 20:00 . 2008-02-22 20:48 52752 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-02 20:00 . 2008-02-22 20:48 52624 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 20:00 . 2008-02-22 20:48 142864 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-03-06 14:22 . 2004-10-08 12:01 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 19:43 . 2007-06-17 12:25 24872 ----a-w c:\documents and settings\Abby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-03 00:18 . 2004-10-08 12:01 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 14:03 . 2008-12-30 01:54 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-24 02:21 . 2007-02-19 01:03 24872 ----a-w c:\documents and settings\Tommy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-10-08 12:01 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-20_00.46.33 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-05-15 10:58 . 2009-05-17 14:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-15 10:58 . 2009-05-21 01:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-08 18:10 . 2009-05-21 01:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-08 18:10 . 2009-05-17 14:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-02-08 18:10 . 2009-05-21 01:42 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-02-08 18:10 . 2009-05-17 14:09 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-02-08 17:38 . 2001-07-09 18:50 155648 c:\windows\system32\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 492808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXDBCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDBtime.dll" [2006-03-02 73728]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2005-02-26 131072]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 16:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\GamePark\\gameparkclient_en.exe"=
"c:\\Program Files\\GamePark\\GameparkUpdate.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/29/2008 4:03 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 51440]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/16/2007 7:29 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [12/16/2007 7:29 PM 333328]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/22/2008 4:48 PM 52624]
S3 lxdb_device;lxdb_device;c:\windows\system32\lxdbcoms.exe -service --> c:\windows\system32\lxdbcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2/22/2008 4:48 PM 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2/22/2008 4:48 PM 648456]
.
Contents of the 'Scheduled Tasks' folder

2009-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mc368.mail.yahoo.com/mc/welcome?.rand=cojimjj54llv6
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 21:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDBCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDBtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-21 21:55
ComboFix-quarantined-files.txt 2009-05-21 01:55
ComboFix2.txt 2009-05-20 00:47
ComboFix3.txt 2009-01-17 21:37

Pre-Run: 144,408,272,896 bytes free
Post-Run: 144,460,226,560 bytes free

146 --- E O F --- 2009-05-13 07:04



And here's the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 21, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 21, 2009 03:51:03
Records in database: 2207669
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 73410
Threat name: 7
Infected objects: 18
Suspicious objects: 0
Duration of the scan: 01:11:54


File name / Threat name / Threats count
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090503-214732-221.dll Infected: Trojan.Win32.ExeDot.gk 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090506-220816-950.dll Infected: Trojan.Win32.ExeDot.gk 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\10.tmp Infected: Trojan.Win32.KillAV.oe 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\11.tmp Infected: Trojan.Win32.KillAV.oe 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F.tmp Infected: Trojan-Downloader.Win32.DlKroha.k 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F8.tmp Infected: Trojan.Win32.Vapsup.neh 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\20.tmp Infected: Trojan-Downloader.Win32.DlKroha.k 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\33[1].exe Infected: Trojan.Win32.Inject.zzx 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\6A.tmp Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\8.tmp Infected: Trojan.Win32.KillAV.oe 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\9.tmp Infected: Trojan.Win32.KillAV.oe 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A.tmp Infected: Trojan.Win32.KillAV.oe 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\B.tmp Infected: Trojan.Win32.KillAV.oe 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\C.tmp Infected: Trojan.Win32.KillAV.oe 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\D.tmp Infected: Trojan.Win32.KillAV.oe 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\E.tmp Infected: Trojan.Win32.KillAV.oe 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\F.tmp Infected: Trojan.Win32.KillAV.oe 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\rdl83.tmp Infected: Trojan-Mailfinder.Win32.Agent.wd 1

The selected area was scanned.


After having done this, am I correct in assuming that following my use of the Kaspersky zbot killer, I was still infected with the recycler virus? Combofix then caught and removed that. And the above Kaspersky scan does not show anything that hasn't been identified and quarantined already? Just trying to keep up. I've updated Acrobat, installed the latest Java and the computer is behaving fine.

Thanks again, Tom
Old 05-21-2009, 08:35 AM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: Rootkit trojan - sdra64.exe and more?

Hi,

Quote:
After having done this, am I correct in assuming that following my use of the Kaspersky zbot killer, I was still infected with the recycler virus? Combofix then caught and removed that.
Since I didn't see a log from the time you were infected, I cannot say what infection you had, but you still had a trojan downloader along with some others which Combofix took care of and also identified the remnants of another infection.

Quote:
And the above Kaspersky scan does not show anything that hasn't been identified and quarantined already?
That's correct. The infected items are in the backup folders of HijackThis and the TrendMicro Quarantine. You can manually empty the contents of these folders:

C:\Program Files\Trend Micro\HijackThis\backups
C:\Program Files\Trend Micro\Internet Security\Quarantine

Quote:
Just trying to keep up. I've updated Acrobat, installed the latest Java and the computer is behaving fine.
That's good to hear.

If you have no further malware issues, you're all set to go.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /




This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

Please respond to this thread one more time so we can mark this thread as resolved.

Surf Safely and Think Prevention!

If you wish to support and contribute to the ongoing development of ComboFix, donations via PayPal are accepted by the Author of the tool.
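The reply above makes a triage point worth automating: every Kaspersky hit sat inside a HijackThis backup folder or the Trend Micro quarantine, so nothing live remained, and Combofix /u later clears old restore points so they cannot reinfect. As an added example (not from the thread, from Kaspersky or from any other vendor), this Python snippet reads Kaspersky Online Scanner report lines and sorts each hit by whether its path is a known containment location (HijackThis backups, the Trend Micro quarantine, ComboFix's C:\Qoobox quarantine, or a System Restore point) or a live file. The embedded report lines are constructed: most copy the shape of the posted report, the Qoobox and restore-point lines are invented to exercise those rules, and the final C:\WINDOWS\Temp line is invented to show how a live hit stands out. The containment path patterns are assumptions about where these tools store their copies.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Kaspersky Online Scanner report posted above.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090503-214732-221.dll Infected: Trojan.Win32.ExeDot.gk 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\10.tmp Infected: Trojan.Win32.KillAV.oe 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\6A.tmp Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\msziptools.dll.vir Infected: Trojan.Win32.KillAV.oe 1
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe Infected: Trojan.Win32.KillAV.oe 1
C:\WINDOWS\Temp\sample.tmp Infected: Trojan.Win32.KillAV.oe 1
"""

# "<path> Infected: <threat> <count>" (also "Suspicious:"); assumed report layout.
HIT_RE = re.compile(r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Locations where a hit is an already-contained copy rather than a live file.
# Patterns are assumptions about each tool's storage layout, matched case-insensitively.
CONTAINED = [
    ("HijackThis backup", r"\\hijackthis\\backups\\"),
    ("Trend Micro quarantine", r"\\trend micro\\internet security\\quarantine\\"),
    ("ComboFix quarantine", r"^c:\\qoobox\\quarantine\\"),
    ("System Restore point", r"\\system volume information\\_restore"),
]


def classify(path):
    """Name the containment area a path belongs to, or LIVE if it is outside all of them."""
    low = path.lower()
    for label, pattern in CONTAINED:
        if re.search(pattern, low):
            return label
    return "LIVE"


def triage(report):
    """Bucket every hit line by containment area; returns {label: [(path, threat), ...]}."""
    buckets = defaultdict(list)
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        buckets[classify(m.group("path"))].append((m.group("path"), m.group("threat")))
    return dict(buckets)


def live_hits(report):
    """Only the hits that still need attention: files outside any backup or quarantine."""
    return triage(report).get("LIVE", [])


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_REPORT).items():
        print(f"{label}: {len(hits)} hit(s)")
        for path, threat in hits:
            print(f"    {threat:40} {path}")
    print("live hits:", len(live_hits(SAMPLE_REPORT)))
```

Contained hits are the ones the reply says to dispose of by emptying the backup and quarantine folders (or, for restore points, by letting Combofix /u reset System Restore); anything in the LIVE bucket is what would have called for another cleanup round.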
Old 05-24-2009, 06:32 AM   #11 (permalink)
Registered User
 
Join Date: May 2009
Posts: 6
OS: win xp sp3


Re: Rootkit trojan - sdra64.exe and more?

Thanks much. Yep, I consider this resolved.

Tom
Old 05-24-2009, 06:53 AM   #12 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: Rootkit trojan - sdra64.exe and more?

You're welcome. Glad to have been able to help. Stay safe!
Copyright 2001 - 2009, Tech Support Forum