Computer Support Forum

Sdra64.exe gotten worse

Question: Sdra64.exe gotten worse

Very recently removed the "Security Tool" virus, but now I have contracted sdra64.exe. I know how to delete it, but the problem has mysteriously got worse.
When logging in on the Admin (or any) account, it logs me straight back out. How can I get my Windows XP to stay logged on long enough to solve the problem? (It logs me out a second after I log in, even in Safe Mode.)
I can't run it with the command prompt because I can't GET to the command prompt; otherwise I'd use it to get to the System Restore screen. Help?


Answer: Sdra64.exe gotten worse

Hi,

Please do the following:


I hope you have access to a PC that can burn CDs.

We will need to make a BOOT CD.

Print these instructions out so that you know what you are doing.

Two programs to download

First

Please download ISOBurner and save it to your desktop. This program will allow you to burn OTLPE.ISO to make a bootable CD. Double-click the ISOBurner setup icon to install the program; from there on in it is fairly automatic.
There are instructions for the ISO burner here if you need them.

Second

Download OTLPE.iso and save it to your desktop. Now burn OTLPE.iso to a CD using ISOBurner. (NOTE: This file is 292 MB in size, so it may take some time to download.)
When downloaded, double-click OTLPE.iso > this will then open ISOBurner to burn the file to CD.

Reboot the infected system using the boot CD you just created.
Note: If you do not know how to set your computer to boot from CD, follow the steps here.
Your system should now display a REATOGO-X-PE desktop.
You will find an icon on the desktop called OTLPE > double-click on the OTLPE icon.
When asked "Do you wish to load the remote registry", select Yes.
When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
OTL should now start. Change the following settings: change Drivers to SafeList.

Press Run Scan to start the scan.
When finished, the file will be saved in drive C:\OTL.txt.
Copy this file to your USB drive if you do not have an internet connection on this system.
Please post the contents of the C:\OTL.txt file in your reply.


Hi all,

I started the day on a high note, before turning on the computer that is, thinking I was going to get some things done. This was not to be: So we start at:

FAIR:
After XP loaded it said that it had recovered from a serious error Product ID _251... so I did some digging around and got some info from microsoft's web pages complete with registry fixes (deleting bad entries, etc.)

I did a quick scan with malwarebytes and it found some stuff that I deleted and when I did a restart it didn't come up correctly.

Went into safe mode and it came up.
(made a HUGE mistake here. Did not copy files I wanted to save when I had the opportunity)
Closed out of safe mode and let it start normally.
Would not boot normally.
Tried to boot in to safe mode and now its recycling back to POST, we have gone to...
BAD:
Hmmm. So I thought, how about putting the XP disk in and then doing an install leaving the file system intact.
When I got to the point of doing the install I chickened out because it said that it might delete the My Documents folder (I had some things in there I didn't want to lose). I've done this procedure before, and perhaps I should have taken the second opportunity to recover gracefully, but I did not.

I hit F3 to cancel out of the install to try and boot from my other HD that has XP (but with some driver issues that I had not yet fixed).

I went into the CMOS to change the boot order and noticed that the hard drive (the one that I was trying to boot into) is not showing ... Read more

Answer:HD/Filesystem prob:Went from fair to bad; then to worse, much worse

Test the HDD with the drive manufacturer's disk tools (preferably using a different PC). Run the short and long tests. If either test fails or has errors, the drive is faulty.


My icons are disappearing
The computer is running slow
Viruses have completely taken over my computer
I am going through financial difficulties right now and would REALLY appreciate help.
I understand computers therefore I can take direction fairly well..
Just please tell me what I need to do.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:43 AM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDO... Read more

Answer:It's Getting Worse & Worse. PLEASE. I cannot afford to bring it anywhere:( LOG INSIDE


Hi everyone,
My bottom fan on my PC was being very loud, so I opened up my case and unplugged the power supply, and flicked off the power switch on the back. I unscrewed the bottom fan and dusted it a little bit, and then I put it back together how it was before.

The part that I unscrewed also contained my hard drive, and now that it is reseated I cannot boot.


At first I got an error when booting:
Loading operating system . . .
disk boot failure, insert system disk and press enter.

THEN, I tried making sure everything was connected well and tight, and now I am not getting anything displayed on my screen.

Apologies for the lack of knowledge and thanks for the help.

Jeremy
 

Answer:Boot problem, getting worse and worse

It is possible that when you removed the fan and hard drive, you plugged the hard drive's SATA cable into a different SATA port on the motherboard. Get into the BIOS, and make sure that the hard drive is being detected properly.
 


I bought a ThinkPad in April last year which does not start anymore, no lights, nothing. I wanted to send it back to Lenovo under guarantee. There is only ONE problem: there is no sticker on the laptop which shows me the serial number. Obviously there is supposed to be one, but it is missing!!! I do have the invoice which shows the purchase date, but no serial either. I have already wasted quite some time with this bull**bleep**; I hopefully do not need a lawyer for that. Here you see the last response of the "support" manager:

Dear Michael Mueller,
Unfortunately I have to inform you that you have no guarantee for this machine. Repair of machines that do not have a sticker can only be carried out by a Lenovo service partner.
Lenovo Service Partner: https://pcsupport.lenovo.com/de/de/serviceprovider
If you have any further questions about this service case, please send us an e-mail to [email protected] or call us on the free phone number DE 0800 - 500 4618 / AT 0810-100-654 / CH 0800-55-54-54. Lenovo regularly conducts customer surveys on service quality. If you are selected, please take a few minutes to answer the questions. We thank you in advance.
Yours sincerely,
Davor Krpan
Lenovo Technical Support
IBM Hrvatska d.o.o. za proizvodnju i trgovinu, Miramarska 23, 10 000 Zagreb, Croatia. Registered with the Commercial Court in Zagreb under no. 080011422. Share capital: 788,000.00 kuna, paid in full. Director: ?eljka Ti?i?. Giro account at: RAIFFEISENBANK AUSTRIA d.d. Zagreb,... Read more

Answer:guarantee handling - bad worse than worse

I just forgot to mention that the purchase was done through the Lenovo online shop itself:

SHIPPING CONFIRMATION. Your order has been shipped.
Dear Michael Müller, thank you for your order in the Lenovo Online Shop, which is supported by Digital River. The following products have been shipped.
Order date: 14 April 2017
Order number: 23856585462
Tracking number: 1ZAF68846704024055
The following items were shipped: order quantity 1, product SKU 20J1CTO1WW, product name ThinkPad 13 2G, shipped quantity 1, total shipped quantity 1, amount 800,52 EUR.
If you paid by credit card, your card has now been charged.


I was curious if anyone out there knows anything about this...

I have a self-built computer, three years old now...and day by day it's getting worse and worse!

AMD Athlon XP @ 1.1 GHz
512MB PC2700 DDR-SDRAM
Windows XP Pro.
Radeon 9500 Pro. 128MB DDR

The problems started about six months ago--every time I'd turn on the computer, it'd scan the hard drive for errors, claiming an improper shutdown. Then, two months ago, it started going to a black screen saying a windows file is corrupt, use the XP CD to restore the file--but simply restarting the computer at that point would get it going (only came up on a fresh start).

Then in recent times, the screen is completely black. I turn on the computer, and no signal is sent (I'm guessing) to the monitor, so it's just flashing the power light... but after waiting approximately 10 seconds and restarting ('reset button'), it would go to the other problems: file corrupt screen, then the error scan... and this latest time, it took 4 resets for the screen to catch a signal...

All wires are plugged in good, and everything seems to be functioning properly, except for, of course, this problem I have...and I really have no idea where to start on fixing this. I planned on keeping this computer for another year or so--and hope this can be fixed! Anyways, any ideas/suggestions, please let me know!

Thanks,
-X

Answer:My Computer - Getting Worse & Worse! Is there hope?

Take the graphics card out and insert it back in firmly, making sure it is seated properly in its slot. Check the manufacturers' websites for your motherboard and graphics card and see what the BIOS updates do, and see if they have any FAQs to check if anyone else has been having similar problems to you, in terms of people who have the same motherboard or graphics card.

Email the manufacturer(s) for your motherboard and graphics card.


Initially it was Edge not working properly, now it mostly crashes. Even the new "amazing" feature of tab previews doesn't work properly. Imagine, I moved back to Chrome after so many years of being a happy IE user. Cortana was a bit iffy with "Hey Cortana". Now she doesn't listen to what I say at all, even when I press the button. The notification center has its own mood. Often decides to hide until I restart for absolutely no reason at all. Same goes for the sound volume and other flyouts on the desktop.
In short, there is massive degradation of various major features with every new build. And since I post all the issues I find using the feedback app, I know it is not just me experiencing these things. This is disastrous.
So, is it just me or you experience similar issues yourself?

Answer:Is it just me or does Windows 10 get worse and worse with every new build?

It's just you.


i've had verizondsl for about half a year or so now, and from last month to present, the connection has been horrible.. sometimes it would just hang for up to a minute at a time, with the modem activity light blinking slowly (loss of connectivity).. before it started, speeds were decent, and although slow compared to the optimum cable i was used to, it was sufficient. now it's just pure garbage. if it weren't for the fact that we're getting free cable, i would immediately switch to roadrunner

I figure asking you guys is probably much more helpful than those scripted outsourced fools at tech support. I tried all that "reset your modem", "unplug the ethernet cord", "make sure your computer is on" crap already and would like some REAL answers..

PS- at my old house, we used to have verizon as well, and after a while it just stopped all of a sudden and when we called to see what happened, they said since there was construction in the area, they must have switched our phone line over to one with a further CO, and we were now too far to service. verizon is teh gay.
 

Answer:verizondsl getting worse and worse speeds

Well, try plugging the modem into the demarc jack if you have one (by where the phone line comes into your house). See if this still happens. If it doesn't, maybe something happened to your internal phone lines. (This probably won't be the issue, I'm betting.)

Beyond doing that phone your ISP and get them to file a support ticket or whatever they call it there. When I was having trouble with my DSL connection a couple years ago I phoned up, they sent a guy from the telephone company to test the line and they replaced a device at the CO and the connection has been perfect ever since.





Question: sdra64.exe

Hi guys and gals, I have the above virus, ain't got a clue how I got it, just re-installed Vista and got AVG Free.
Please can somebody help me and point me in the right direction to remove this little nasty. Most of my mates recommended this forum simply because it's the best.

many many thanks

Answer:sdra64.exe

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


There are a few files similar to this, including an add-on that I disabled in IE. Sometimes IE shuts all the windows down automatically with no warning and no explanation. Also my computer has been sluggish lately. I'm not sure what it is, but I know that sdra64.exe is a malicious virus. Here's the complete log file. I have recently cleaned my registry so I don't think the problem's there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:45 PM, on 5/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\My Documents\Downloads\civilization3\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\M... Read more

Answer:I think its sdra64.exe

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

Question: SDRA64.exe??

Yesterday, my PC was working fine.
For the past week my PC has been having weird unexplained errors.

I decided to do a computer scan and a registry scan,
both returned numerous errors.
I repaired the registry, since it finished before the complete computer scan.
There were many errors in my setup files, in folders such as system files.
My computer froze up before the scan could finish and I had to restart it by unplugging it because no other means would work.

When I restarted it, I tried logging in.
It was at the loading screen for awhile,then my desktop background showed up.
An error message appeared containing the words SDRA64.exe,
saying that it had encountered an error and needs to close.

I'm pretty sure I heard correctly when I heard that sdra64.exe is a virus or something of the sort but I'm not too great with computers, so I don't know.

After I clicked Don't Send for the error report,
nothing else appears on the desktop screen.
If you press ctrl alt delete, you can execute files and programs, but only certain ones, and I noticed that many important system files were missing.
Along with the start menu and all my desktop icons.
I decided to let it load, thinking maybe it was just taking a little while longer, but when I left it alone, it turned off automatically from system error.

HELP? My computer's not working at all, none of the profiles,nothing, I'm using a laptop at the moment.

How do I fix the problem if I can't even log in to any of the... Read more

Question: sdra64 help

Hey all ..

I'm at my wits' end with this nasty little trojan. The first warning I had was from AVG, which found it but couldn't do anything with it, so I ran Malwarebytes, which found and cleaned a few nasties in there... but I still had it, so

I accessed the registry and found 2 entries there relating to it... one in winlogon and one in appdata/roaming... and found 2 corresponding files in system32 and the appdata folder.......

Using Safe Mode I deleted both the files and the entries.

Malwarebytes and AVG and BitDefender all give clean bills of health, but I still can't access Microsoft Updates or Malwarebytes updates... both return error codes, so I'm guessing the trojan has somehow blocked these sites, and I'm still getting new tabs opening, either alternative websites to the one I'm on/searched for, or advertising.

I can't find any trace of this left on my system, but obviously the sly little bugger is still hiding somewhere.

HELP!!!!!!!!!!!!!!!!!!!!! lol

Answer:sdra64 help

Hello. I think we need a deeper look; please go here.... Preparation Guide, do steps 6 - 9. Create a DDS log and post it in the new topic from step 9. If Gmer won't run, skip it and move on. Let me know if that went well.

Question: sdra64.exe

Hi,

I am running Windows XP Professional, Service Pack 3. My computer got a nasty problem from some website. It started when my Symantec alerted me that I had an infection with W32.Waledac, which it supposedly cleaned up.

But now, on startup, my computer gives an error: "Explorer.exe - Application error. The application failed to initialize properly (0xc0000142)". I then have to start up Explorer manually from the Task Manager. Then the firewall is switched off each time; I have to start that manually too.

Finally, when I search for a website on Google and click on the first link on the list, it directs me to some random strange websites instead of the website I am trying to get to.

I scanned with Symantec and AdAware and they did not find a thing. Spybot repeatedly finds RightMedia and Win32.Agent.pz. I remove them, but as soon as I get back on the internet, they're back (especially when I use Internet Explorer; using Firefox seems to help some).

I went into the registry and it has an entry after userinit that contains sdra64.exe (see HijackThis log below). I delete it, but it is back immediately.

Then I downloaded 'Autoruns'. I started up in Safe Mode and ran Autoruns and disabled the sdra64. But when I tried to erase sdra64 from the windows/system32 directory, it doesn't let me. It says it is used by some other process and denies permission to erase it. So, it is running even though I start up in Safe Mode. I can't get rid of it! Please help.

Thanks!!!

HijackThis ... Read more

Answer:sdra64.exe

Problem solved!!!

I switched off the internet. Cleaned up with spybot. Restarted without the internet on. I was then able to delete sdra64.exe from the windows/system32 directory. I then restarted the computer in safe mode. Used autoruns to clean up the registry. Ran spybot again. Restarted computer normally.

Problems are gone.

Thanks guys. Although nobody answered in the short time I had this posted, reading the entries here was a lot of help.

Question: sdra64.exe

Good day,
my son's computer got a few malware including a pesky sdra64.exe. I've tried couple of recommendations on the web but the malware keeps persisting.

I've used the instructions from previous posts and have already cleaned the system.

Can you help?

jk
 

Answer:sdra64.exe

Hi,
Following up on my previous email, I downloaded all my needed files and started the cleaning process, but now I have another problem.
Here is what happened..

1- Followed all good practices (I think w/o a mistake?)
2- Installed SUPERAntiSpyware, see attached log
3- Installed Malwarebytes and followed instructions, see attached log.
4- System bootup.
Both SUPERAntiSpyware and Malwarebytes saw sdra64.exe and attempted to clean.

Now I have a new problem: at normal startup or Safe Mode, when I log in, it automatically logs me out. I tried disabling the option on the Safe Mode screen but it did not help.

I used Linux (Zenwalk) to hack into the laptop and extract the log files for your review.

Thanks in advance,
Please advise?
 

Question: sdra64.exe

Hi, I'm hoping someone can help me with this. I have done some research and know I have a bad virus. Some programs won't run, mostly security programs like Spybot, Malwarebytes, HijackThis, and System Restore. I renamed HijackThis to fumble to run it. Here is the log. I'm pretty sure I need to fix the F2 and O17s, but from what I read there is a lot more to it. Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:18 AM, on 6/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Essentials Codec Pack\WECPUpdate.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\Yahoo... Read more

Answer:sdra64.exe

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

Question: SDRA64 - HJT Log

I'm trying to fix a friend's PC that had/has sdra64.exe on it. I've used Clean Up, Malwarebytes, Spybot S&D and AVG 9 but I'm still having problems.

The PC will start up fine in safe mode now and all scans are coming up clean. However, when I try to boot normally I get a blue screen with the following error message..........

Page_Fault_In_Non_Paged_Area

I've had a look online and one of the reasons for this can be a corrupted anti-virus. I've removed AVG but I'm still getting the error message. A couple of weeks ago he had a rogue anti-virus program called "antivir" but we seemed to remove that successfully.

I don't really want to reinstall Windows unless I can help it. Could someone have a look at the HJT log to see if I've missed anything?...........

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:53:43, on 20/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/logi...3a//mail.yahoo.com%3f.partner%3dbt-1&pkg=&owd=
R3 - URLSearchHook:... Read more

Answer:SDRA64 - HJT Log

Question: sdra64.exe

After noticing my computer acting strangely last night, I ran AdAware last night. AdAware turned up nothing but some tracking cookies. After the AdAware scan I ran HiJackThis, and noticed a few funny things. I deleted all of them successfully except for one-sdra64.exe. After doing some research on how to remove this virus/trojan/whatever, I found out that it had certain registry keys which I was able to find successfully. However, when this key is deleted it comes back instantly, apparently due to the exe itself. The file is, according to every online resource I have been able to find, in the system 32 folder. However, when looking for it, I am unable to find the file. My computer is acting fine currently, but when I boot up I still notice a funny process that I have never seen before last night (it is some random numbers, if you guys need this process just ask.), and HiJackThis is still showing sdra64.exe This virus is kicking my ass currently and I could use some help ridding my computer of it.

Question: sdra64.exe (again)

I had some strange behaviour on my PC (it has AVG and Spybot as the resident anti-virus) so I ran Malwarebytes anti-malware. This identified and cleaned a number of infections, but said that it had to clear three files on reboot - one was lowsec, can't remember the names of the others. I took the restart option but now my PC can't get past the logon screen. It logs on and immediately logs off.

I have tried just about every combination of safe mode on start up, but can never get past the log on to a command prompt or anything else.

Obviously I can't post a list of stuff that's running, because I can't get into it!

Help please! Thanks.

Answer:sdra64.exe (again)

You'll need to find your Windows XP installation disk. It's the only way we can help you. Once you find your XP installation disk:

You will need to go into the Recovery Console. To do this, follow these steps:
Insert your Windows XP CD into your CD drive.
Shut down your computer.
Turn on your computer, and immediately press F12.
Keep on rapidly pressing F12. You should get a one-time boot screen. Use the arrow keys and choose your CD-ROM drive. Note: If you get to the Windows login screen, you have gone too far. Shut the computer down and try again.

You should then get a box that says: press any key to boot to the cd...
Make sure you press a key quickly!
You should now get a blue screen with white text. Allow the CD to load. This may take some time.
You will then be presented with the recovery console.
You should see this text:
Press the "R" button to enter Recovery Console.

If you have a dual-boot or multiple-boot system, choose the installation that you need to access from the Recovery Console. When prompted, type the Administrator password. (If there is no administrator password, just press the enter key)

You should now be at the prompt.

You will need to enter the following text in bold exactly as it is. (d being the letter assigned to your CDROM. If it's different on your system, make the necessary adjustment):

expand d:\i386\userinit.ex_ c:\windows\system32\userinit.exe

and press Enter. If it asks you if you want to overwrite, click &quo... Read more

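The logon/logoff loop in this thread and the "entry after userinit that contains sdra64.exe" described in the earlier sdra64.exe post come from the same place: the Winlogon Userinit value, which Windows runs as a comma-separated list at every logon. The hijack appends sdra64.exe after userinit.exe; the loop appears when the cleanup goes too far and either wipes the whole value or deletes userinit.exe itself, so nothing is left to start the shell, in Safe Mode as well. The script below is an added example, not code from the forum or from any tool named here: it audits a Userinit value offline, tells the hijack apart from the over-correction, and returns the safe replacement value. The sample values, the set of "present files" and the HijackThis F2 line format it parses are constructed assumptions.

```python
r"""Audit a Windows XP Winlogon Userinit value (constructed example, not forum code).

Winlogon runs every comma-separated entry in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.
The hijack in these threads appends sdra64.exe after userinit.exe; the
logon/logoff loop is the over-correction: the whole value deleted, or
userinit.exe itself deleted, so nothing starts the shell. Sample values,
the "present files" set and the HijackThis F2 line shape are assumptions.
"""
import re
from typing import Dict, List, Optional, Set

# Default XP value is exactly this path followed by a trailing comma.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# Assumed shape of the HijackThis report line for this registry value.
HJT_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)


def split_userinit(value: str) -> List[str]:
    """Split the value the way Winlogon does; a trailing comma is normal."""
    return [e.strip() for e in value.split(",") if e.strip()]


def audit_userinit(value: str, present_files: Set[str]) -> Dict[str, object]:
    """Classify a Userinit value against the files that exist on disk.

    present_files holds lower-cased full paths. On a live machine it would be
    filled with os.path.exists() over the entries; here it is constructed.
    """
    entries = split_userinit(value)
    foreign = [e for e in entries if e.lower() != EXPECTED_USERINIT.lower()]
    value_has_userinit = any(e.lower() == EXPECTED_USERINIT.lower() for e in entries)
    file_present = EXPECTED_USERINIT.lower() in present_files

    if not value_has_userinit or not file_present:
        # No valid userinit.exe left to launch: logoff a second after logon,
        # in Safe Mode too, which is the symptom reported in these threads.
        status = "LOGIN_LOOP"
        next_step = ("restore userinit.exe (the Recovery Console 'expand' step "
                     "above) and set Userinit back to the safe value")
    elif foreign:
        status = "HIJACKED"
        next_step = ("set Userinit to the safe value first, then delete the "
                     "foreign files; never delete the whole value")
    else:
        status = "CLEAN"
        next_step = "nothing to do"

    return {
        "status": status,
        "foreign_entries": foreign,
        "userinit_file_present": file_present,
        "safe_value": EXPECTED_USERINIT + ",",
        "next_step": next_step,
    }


def audit_hijackthis_f2(line: str, present_files: Set[str]) -> Optional[Dict[str, object]]:
    """Feed a HijackThis 'F2 - REG:system.ini: UserInit=' line into the audit."""
    m = HJT_F2.match(line.strip())
    return audit_userinit(m.group("value"), present_files) if m else None


if __name__ == "__main__":
    # Constructed scenarios mirroring the threads above.
    infected_disk = {r"c:\windows\system32\userinit.exe",
                     r"c:\windows\system32\sdra64.exe"}
    hijacked = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
    print(audit_userinit(hijacked, infected_disk)["status"])  # HIJACKED
    # Value wiped by a careless cleanup; userinit.exe itself is still on disk.
    print(audit_userinit(r"C:\WINDOWS\system32\sdra64.exe,", infected_disk)["status"])  # LOGIN_LOOP
    # Value correct but the file was deleted along with the malware.
    print(audit_userinit(EXPECTED_USERINIT + ",", set())["status"])  # LOGIN_LOOP
    print(audit_hijackthis_f2("F2 - REG:system.ini: UserInit=" + hijacked,
                              infected_disk)["foreign_entries"])  # ['C:\\WINDOWS\\system32\\sdra64.exe']
```

On a live machine the value comes from `reg query` (or from the offline hive, as the OTLPE boot CD loads it) and present_files from the disk. The order of the fix matters: write the safe value back first, then remove the foreign file, so a reboot in between never lands in the loop; and when the file is already gone, the `expand d:\i386\userinit.ex_` step from this answer is what puts it back.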
Question: sdra64.exe

I apologize for being so earnest to post my last thread without taking the time to read the protocol for posting on this forum. I now have the necessary logs for my problem.

I'll elucidate as to what's been occurring. Thursday, I was bombarded with WinPatrol alerts about a sdra64.exe file wanting to make registry changes. Obviously, I denied it and Googled the filename. After getting acquainted with the nature of this trojan, I ran AVG (free). It found a handful of pesky malware bits and removed them accordingly, though the especially threatening trojan couldn't be healed; instead, it could only be moved to the vault. I thought it to be attributed to the sdra64.exe file given that WinPatrol continued to alert me of its presence even after the AVG scan, so I continued researching online.

I found a similar incidence on another forum where an individual found success in utilizing Spyware Doctor. I immediately downloaded the program, understanding it to be a free trial version. It worked fine up to the end of the scan, as it discovered much more malware and the trojan at hand. However, once prompting me to heal, it required that I register and thereby purchase the program. Feeling gypped, I exited from the program. It then prompted me by saying that it required a reboot and gave no other option. So I rebooted. Once rebooted, I removed Spyware Doctor. However, I am beginning to realize that since the last reboot I have yet to be bothered by WinPatrol. This i... Read more

Answer:sdra64.exe

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

---... Read more

4 more replies

Hi,

My computer got infected with sdra64.exe. Needless to say it was via Pirate Bay. Ever since I cannot connect to the internet because I have limited or no connectivity, rootkit is infected, and my NAV keeps catching the following 4 infections: "Backdoor.trojan", "Hacktool.tookit", "W32.Spybot.Worm" and "W32.Downadup". The Ad-Watch keeps on blocking the registry modification caused by: C:\WINDOWS\System32\userini.exe,C:\WINDOWS\System32\sdra64.exe.

I tried to run the "dds.scr", but my computer is recognizing that program as AutoCAD Script. I do have AutoCAD, but I don't know how to disable the script.

I was able to get the "gmer.exe" report and I am attaching it in a zipped format, as instructed. For the obvious reasons I cannot provide the "dds.scr" report until instructed on how to disable scripting.

P.S. I found this information on "deleting" Windows scripting host. Is this what I have to do?

Windows 2000/Me/XP/2003
WSH is installed by default.

To prevent scripts with a .VBS extension from being run:
Log on as an Administrator.
On the Desktop, or in Windows Explorer, right-click on 'My Computer'.
Select 'Open' from the menu.
In the My Computer window, open the Tools menu and select 'Folder Options'.
Open the File Types tabbed page
Look for 'VBScript Script File' in the list of file types (if you can't find it, you don't need to do anything else).
Click on the Delete... Read more

Answer:Got sdra64.exe and more. Please help.

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------


Quote:

Needless to say it was via Pirate Bay.

Have we learned a valuable lesson here?

------------------------------------------------------

One or more of the identified infections steal information. That includes all passwords, log ins to forums, your email details & other websites, and most of all your Bank, Credit Card, or PayPal details. If this system is used for web based email, online banking, or has credit card information on it, all passwords should be changed immediately by using a known, clean computer. Banking and credit card institutions, if any, should be notified of the possible security breach. It also seems to be able to steal all your emails so anything you have emailed to anyone is no longer confidential.

I also suggest that you read this article.

------------------------------------------------------

See if RSIT will run: Download RSIT by random/random and Save it to your Desktop.
Double-click RSIT.exe to run the tool.
Click Continue at the disc... Read more

2 more replies
Question: SDRA64.EXE - Help!

Hello. I'm a moron. Yes. Yes, I know that seems a little harsh but it's true! I'm not sure how it happened, but I picked up this trojan. I ran Antivir and Spybot Search and Destroy and it did nothing. Scotty kept picking up that the file wanted to be run, but I kept clicking no. I found a guide on how to run Combofix, and without reading the rules started running it. In the scan it was deleting items, turning my desktop off and such, which, now I've read the rules, I know is normal. Now I should also have read that I wasn't meant to run Combofix without an expert's consent as it were, but I blew that one. Either way. It restarted my computer and has generated a log, but I won't post until someone asks if it is okay. I want to know if my boyfriend's computer [He's not going to be impressed, which is why I panicked] is going to be okay. Scotty now keeps repeating his message: I keep clicking no, and I don't know what to do. It keeps repeating it. After I click no, another message comes up, saying the file is missing. I have the log, if anyone wants to see it. Please help! I don't want to get into trouble!

Answer:SDRA64.EXE - Help!

This is the second error message. And this is the third.

18 more replies

I've done everything that I've been told to do about the sdra64.exe, here goes...

If I missed anything someone please tell me.
Many thanks.
Let's hope I can get rid of this nasty critter.





DDS (Ver_09-10-26.01) - NTFSx86
Run by paul at 17:26:11.28 on 07/11/2009
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.44.1033.18.1533.812 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k i... Read more

Answer:sdra64.exe problem.

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Due to the restrictions on Vista, all tools should be started by right-click > Run as Administrator

If you click 'Start' and have no 'Run' function, please right-click Start > Properties > Start menu tab > Customize button > scroll down to and tick 'Run command' box > OK > Apply > OK.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get he... Read more

10 more replies

When I re-booted today, I received a message that Windows has closed the sdra64.exe file to keep my system integrity or some such message. I googled about this file and found out that it is a virus. Ran ComboFix and am posting the log:
I have two questions:

I read that it is a keylogger. As I did not re-boot for probably many days, do you think any of my passwords etc. would have been compromised already? Should I try to change all my passwords?

Am I safe now?

ComboFix 10-05-29.05 - owner 05/30/2010 6:35.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2548 [GMT -4:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Arun.ARUNXPS\Application Data\Dealio
c:\documents and settings\Arun.ARUNXPS\Application Data\Dealio\kb127\res\alerts.gif
c:\documents and settings\Arun.ARUNXPS\Application Data\Dealio\kb127\res\alerts_over.gif
c:\documents and settings\Arun.ARUNXPS\Application Data\Dealio\kb127\res\alerts_rec.gif
c:\documents and settings\Arun.ARUNXPS\Application Data\Dealio\kb127\res\alerts_rec_over.gif
c:\documents and settings\Arun.ARUNXPS\Application Data\Dealio\kb127\res\chevron-small.gif
c:\documents and settings\Arun.ARUNXPS\Application Data\Dealio\kb127\res\deal_report.jpg
c:\documents and sett... Read more

More replies
Question: SDRA64 hassle

I noticed that I couldn't get onto Windows Update today after I wiped and reinstalled brand new today. I did a hijackthis to find SDRA64 attached to winlogon.
I've also been getting NTDLL errors, and ran a SFC to see if it would help (which it didn't), and I think it may be related.
Pulling my hair out over this, I wonder if you guys can help?


DDS (Ver_09-05-14.01) - NTFSx86
Run by Shgra at 17:54:01.03 on 04/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3582.2816 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Documents and Settings\Shgra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Dropbox\D... Read more

Answer:SDRA64 hassle

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please explain why this computer has no antivirus program installed and running. This is an open invitation for infection.

It can take as little as eight seconds to infect an unprotected computer.

Please keep this computer offline except when downloading tools and posting in the forum until we get one installed.

----------... Read more

2 more replies

I got hacked a few days ago. After that I scanned my computer and realize it was infected with sdra64.exe. I went online to search for solution, followed it but it was still not resolved. I'm using KIS 2009 and every time I scanned my computer it detected the following direction is infected with sdra64.exe: C:\Windows\SysWOW64\sdra64.exe. I do not find any sdra64.exe in system32, both in the folder and registry key.

Could anyone help me with this
Thank you.

Leo
 

Answer:Help! I cannot remove sdra64.exe

Hi

Please do the following:

Download OTL and save it to your desktop.
Double click on the icon to run it.
Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top, make sure Standard output is selected.
Under the Extra Registry section, check Use SafeList
Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
Double click inside the Custom Scan box at the bottom
A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
Select scan.txt and click Open. Writing will now appear under the Custom Scan box
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic
 

1 more reply

This file keeps popping up to enter my Startup Programs. I use WinPatrol to alert me when something is trying to do this. As soon as I say "No" to keep it from adding it, WinPatrol pops right back up asking again. WinPatrol path shows: c:\windows\system32\sdra64.exe. After changing my "view" options so I can see all files in my Window\system32 file to try to delete it, I can't find it. I've done Windows searches for it and looked in temp files but have found nothing.

Here is a HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:11 PM, on 3/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\AVG\AVG8\avgrs... Read more

Answer:sdra64.exe infection

Hello and Welcome to TSF.

We no longer use HijackThis as our initial analysis tool.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:




Having problems with spyware and pop-ups? First Steps




link at the top of each page.

------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new thread, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

------------------------------------------------------

1 more reply

I hope this is in the right place, move it, if it is not.
I really, really, REALLY need your help as I'm at the end of my tether. I am in possession of a notebook mini-laptop which contracted Sdra64.exe which made itself known following a full system "Spybot Search & Destroy" scan. I would just go to the System Recovery area but I cannot, as every time I try to log into my laptop (via Administrator) it immediately logs me out again following a brief glimpse of my desktop background. (No icons, start bar or anything, a second later, it goes back to the log in screen).
I cannot use a boot disk as it's a notebook laptop hence no disk drive, so I really don't know what to do! Help me please!

(My mini-laptop's make is Lenovo, ideapad S9e & runs on Windows XP) Keep replies in layman's terms, I'm fairly computer-illiterate.
 

More replies

Hi guys,

The title pretty much says it all. I came across a file called sdra64.exe and, after a brief search on Google, identified it as definitely not good. Any input on removing it will be greatly appreciated.

Thanks in advance.

LeBoW.

Answer:Infected with sdra64.exe

According to Threat Expert, some submissions of sdra64.exe are identified as a variant of the Virut family of malware by Symantec & McAfee but most are Zbot/Infostealer.Banker. As such that does not mean it's a full blown infection especially if other indicators are not present. In any event I recommend investigating further for other Virut related files as a precaution.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
Vista users: need to right-click either the IE or FF Start Menu or Quick Launch Bar icons and select Run As Administrator from the context menu.
Read the "Advantages - Requirements and Limitations" then press the ... button.
You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the ... button.
Make sure these boxes are checked. By default, they should be. If not, please check them and click on the ... button afterwards:
Detect malicious programs of the following categories:
Viruses, Worms, Trojan Horses, Rootkits
Spyware, Adware, Dialers and other potentially dangerous programs
Scan compound fil... Read more

13 more replies
Question: SDRA64.exe Removal

Hello,
Seems that I have this and Lowsec on my business computer. Scared to death someone got my info.
A few weird things happen. I can only log into one user account on the machine at one time. Also, I get an error on the Keith account saying it could not open rundll, and IE does not work on that account. I can open a command window and ping google.com, and use my email, but IE will not connect I believe due to a DNS error. Kaspersky tells me at startup it sees the sdra64 and Lowsec files, but does not get rid of them.
Here is the DDS and Attach files
DDS (Ver_09-05-14.01) - NTFSx86
Run by Trish at 16:19:53.90 on Thu 05/14/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.77 [GMT -7:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\... Read more

Answer:SDRA64.exe Removal

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

16 more replies
Question: sdra64.exe trojan

Any assistance with this would help greatly. Thanks.
DDS (Ver_09-05-14.01) - NTFSx86
Run by Chris at 16:43:02.52 on Mon 06/15/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.413 [GMT -7:00]

AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning enabled* (Updated) {2635D189-4D41-426C-B8A1-53CBD43E9625}
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning enabled* (Updated) {3DB445CF-8D67-4D9A-992A-E0A091B6440A}
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {90C24244-E1C6-4751-B507-B6D5C5581CE7}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {2635D189-4D41-426C-B8A1-53CBD43E9625}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {3DB445CF-8D67-4D9A-992A-E0A091B6440A}
FW: Trend Micro Client-Server Security Agent Firewall *enabled* {90C24244-E1C6-4751-B507-B6D5C5581CE7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\... Read more

Answer:sdra64.exe trojan

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

We need to create an OTL Report
Please download OTL from here
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the "Run Scan" button.
The scan should take just a few minutes.
Copy the log that opens up and paste it back here in your next reply.
=============
The next log will show us any hidden files that are present.
Download GMER from here:
Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

2 more replies

Hi,

I just made a stupid mistake and executed a spam attachment. I think I've successfully removed it but since I've a lot of financial data on this machine I'd feel a lot better if any of you can confirm that I did a successful virus removal.

For the record I am running on an HP Pavilion a1420n using Windows Media Center. I've 4 gig of memory installed and am using a wireless lan. I have AVG 8.5.422, Spyware Doctor version 5.0.0.69, and Zone Alarm 8.0.298.0 installed and running. I keep all my malware detectors updated and I update windows weekly in addition to its automatic updates.

I infected myself in an XP user account by executing an email attachment. I did do an AVG scan of the attachment before I executed it and it found nothing. It seemed to load and execute SDRA64.EXE into my username\application data folder and created a registry entry to execute it when that user account starts up. What tipped me off that something was amiss was when the attachment tried accessing a folder in an admin account and XP prevented that with a warning message box. The admin account it was trying to access is "PAPA" and my user account is "PAPA USER".

Task manager found SDRA64 but wouldn't let me terminate the process. Hijackthis found it in HKCU/../run

O4 - HKCU\..\Run: [userinit] C:\Documents and Settings\Papa User.YALOV-COMPUTER\Application Data\sdra64.exe

and again I couldn't delete it. I did an AVG virus scan of the Windows ... Read more

Answer:SDRA64.EXE removed???

I just thought I'd attach the file that caused all my problems. I'm curious if your malware protection software can identify it. DO NOT execute the attachment!!! I keep all my malware protection software up to date and none of it detected this. See previous post.
 

2 more replies

I got this virus, "sdra64.exe," and I don't know how to get rid of it. I tried following these instructions:
"An easier way is to do this: open up cmd.exe.

type: cd \windows\system32
type: cacls sdra64.exe /d system
Reboot.
Delete sdra64.exe and cleanup the registry entry in WinLogon. What we did was remove the access control list for the sdra64.exe file, which means it cannot execute on reboot, and thus it won't prevent you from editing the registry or delete it after reboot."

I managed to delete C:\Windows\System32sdra64.exe, from C:\Windows\System32\Userinit.exe, which I guess stops it from running when I restart. But when I tried to re-name or delete "sdra64.exe" from my system32 folder it would still say it was in use.
A few days went by and for some reason I don't even see the virus in my folder anymore. I never did anything so I don't know why it would disappear on its own. I don't have constant pop ups telling me that my computer is infected and that I need to go buy product X. I ran AVG antivirus scanner twice in a row and I picked up viruses each time so I have a feeling sdra64 is still on my computer. Could someone please help me, thanks.
DDS (Ver_09-06-26.01) - NTFSx86
Run by James at 20:12:30.98 on Mon 07/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1470 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) ... Read more
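The posts in this thread and the earlier "SDRA64.EXE removed???" post describe the same two persistence points for sdra64.exe: a second path appended to the Winlogon "Userinit" value, and a Run-key entry labelled "userinit" that points at a copy under Application Data. The following is an added example, not code from any of the posters or from the tools they mention, showing a defender-side check of both: it parses a Userinit value and HijackThis-style O4 lines and reports anything that does not belong. It assumes the system root is C:\Windows; the Userinit values and O4 lines are constructed samples, and the Run-key label "ExampleUpdater" is made up for illustration.

```python
"""
Check the two sdra64.exe persistence points described in the posts above:
the Winlogon "Userinit" value and a Run-key entry that impersonates userinit.
All sample values below are constructed for illustration.
"""
import ntpath
import re

# Assumption: the system root is C:\Windows (adjust for C:\WINNT etc.).
WINDIR = r"c:\windows"
EXPECTED_USERINIT = WINDIR + r"\system32\userinit.exe"

# HijackThis "O4" startup lines look like:
#   O4 - HKCU\..\Run: [userinit] C:\...\Application Data\sdra64.exe
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<label>[^\]]*)\] (?P<target>.+)$")


def parse_userinit(value):
    """Split the Winlogon Userinit REG_SZ value into its program paths.

    Winlogon runs every comma-separated entry in turn, which is how
    sdra64.exe gets launched right after the genuine userinit.exe.
    """
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def suspicious_userinit_entries(value):
    """Return every Userinit entry other than the expected userinit.exe."""
    return [p for p in parse_userinit(value)
            if p.lower() != EXPECTED_USERINIT]


def suspicious_run_entries(hjt_lines):
    """Flag O4 Run entries that pose as userinit.

    The genuine userinit.exe is started by Winlogon, never from a Run key,
    so a Run entry labelled "userinit" or targeting userinit.exe is a red
    flag regardless of where the file lives. Returns (key, label, target).
    """
    hits = []
    for line in hjt_lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        label = m.group("label").strip().lower()
        target = m.group("target").strip().strip('"')
        if label == "userinit" or ntpath.basename(target).lower() == "userinit.exe":
            hits.append((m.group("key"), label, target))
    return hits


# Constructed samples: a clean Userinit value, one with sdra64.exe appended
# (the pattern the posts describe), and a few HijackThis O4 lines.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_HJT = [
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe",
    r"O4 - HKCU\..\Run: [userinit] C:\Documents and Settings\Papa User\Application Data\sdra64.exe",
]


if __name__ == "__main__":
    for name, value in (("clean", CLEAN_USERINIT), ("infected", INFECTED_USERINIT)):
        print(f"{name} Userinit -> extra entries: {suspicious_userinit_entries(value)}")
    for key, label, target in suspicious_run_entries(SAMPLE_HJT):
        print(f"suspicious Run entry in {key}: [{label}] {target}")
```

On a live machine the Userinit value comes from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the O4 lines from a HijackThis log; the check deliberately compares against the expected path rather than looking for the name sdra64.exe, so a renamed dropper appended to Userinit is still reported.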

Answer:Infected with sdra64.exe

Hello infamous495 and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the ... Read more

2 more replies

Hi. I am new to this forum and hope I'm posting correctly and to the right place. Will you read my Combofix log? I'm using Windows Vista. I was told by a computer tech friend to use "combofix" and now can't reach him. I read your sites about what steps to follow first but now its too late. My computer seems to be working ok now. I will post my log here in the hijack thread and hopefully I can get some expert advice about if I need to do anything else after you have read it. Thanks.

ComboFix 09-12-29.04 - Owner 12/29/2009 22:08:42.2.2 - x86
Microsoft® Windows Vista® Ultimate 6.0.6002.2.1252.1.1033.18.3062.2078 [GMT -6:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\sdra64.exe
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.
2009-12-30 04:18 . 2009-12-30 04:18 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-30 04:18 . 2009-12-30 04:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-29 10:01 . 2009-12-30 04:03 63 ----a-w- c:\windows\system\SysSD.dll
2009-12-29 10:0... Read more

Answer: C:\Windows\system32\Sdra64.exe

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from the following mirror:
This is THE Mirror

Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

In the upper right hand corner ... Read more


C:\WINDOWS\System32\userini.exe,C:\WINDOWS\System32\sdra64.exe

Ever since I found this file Ad-Watch is keeping it at bay, by constantly blocking it. However, it tried to execute a couple of trojans on my system and now my internet connection is dying. Please help.

Answer: Found sdra64.exe in Sys32

Ask a mod to take this or take it yourself to Spyware - that is a keylogger and can pose serious risk.


I did a search around on this site for information about this and could only find closed discussion threads with no helpful information so I'm starting a new one.. and the only information I could find anywhere on the web was useless to me as the method described elsewhere would only have worked if I was using Windows XP, which I'm not.. right, so.. can anybody give me any advice? I can't see the registry in regedit, but I know where the trojan's hiding, and it's in C:\Users\Me\AppData\Roaming.. and it's there, but it won't let me delete it directly.. Spybot Search and Destroy can't seem to find it but it did its best so I'm not mad at it.. um.. and I asked Windows Defender's Software Explorer to remove the program but it keeps popping right back up, that hasn't seemed to have helped.. what do the experts here recommend?

Edit: Moved topic from Vista to the more appropriate forum. ~ Animal

Answer: need useful advice on how to remove this sdra64 guy

thanks for moving the thread but what i really need is information on how to kill this malware please


Hi,
This is my first post so be patient. I noticed that I had a problem with IE and after searching the net found I had a virus. It seems it attaches a line to the 'userinit' in the reg to run a file called desktoplayer.exe. Even if you manage to remove it, it returns once the computer is re-started. I have run a program called Combofix which does seem to remove it but it returns!!! What can I do?

Answer: Desktoplayer.exe and sdra64.exe virus

Still having the problem. Any thoughts?


Hi,
The Firefox browser window is not displayed the first time after the computer has been started up and running Windows XP Professional Version 2002 SP3. In Task Manager the firefox.exe is running. When the firefox.exe process is ended and restarted, it will take a very long time to display the browser window. When I looked at the task manager again I noticed that wmiprvse was running at about 25%. When I end both the wmiprvse and firefox processes, the wmiprvse process restarts with 0 to 1% and the firefox browser is displayed in a reasonable time.

During browsing, a tab is randomly opened and a random webpage is displayed. These webpages can be removed.

Over the past couple of weeks I have run full scans of my boot drive with the latest versions of the following applications:
A-Squared Free
Avira AntiVir
Malwarebytes' Anti-Malware
Ad-Aware
SuperAntiSpy

Each time, hi-risk trojans have been found and deleted/quarantined. On a few occasions I have run regedit to remove bad entries in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit or Shell registries, e.g. rundll32.exe, twex.exe, sdra64.exe and cdav.ixo ukqudnn. I used the 60 second timer method for removing the bad entry.
Today it is "msjiyf32.exe" in the Userinit registry.

Since then I've been following your Preparation guide which got stuck at the RootRepeal stage when it was scanning F:Program Files/audiograbber.
DDS (Ver_09-12-01.01) - NTFSx86
... Read more

Answer: sdra64 and rootrepeal not working

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:
Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Make sure that you save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow ... Read more


Don't want to push anyone but this has been open from 30th July. I am taking a holiday from 16th to 23rd of August so won't be available then to make replies.

Answer: Desktoplayer and sdra64 virus

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)

Double click on Comfix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a... Read more


Went to edit startup using MSCONFIG and noticed an entry for userinit....roaming/SDRA64.exe which was checked for startup but I haven't seen it before. Checked on the internet and was advised that it is some sort of virus/spyware which needs to be removed but don't know how. Thanks.

DDS (Ver_10-03-17.01) - NTFSx86
Run by David at 16:03:24.91 on 01/06/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.785 [GMT 1:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============
... Read more

Answer: Infected with SDRA64 virus

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more


A couple of months back I picked up the "Internet Antivirus Pro" virus which slipped past McAfee and dealt with it via StopZilla. But it still kept getting picked up and deleted. No other problems.

However recently both IE/Firefox either don't open or allow you to open the first page that you go to (however you get there) but then they crash as soon as you go to any other page... As well as other freezing, non-access (eg CTRL+ALT+DEL often doesn't work) and crashing issues and a very strange font change to the whole of Windows...

Hunting around I found through various forums that my userinit registry key had been altered to:
c:\windows\system32\userinit.exe,c:\documents and settings\localservice\application,c:\documents and settings\localservice\application,c:\windows\temp\bn.exe,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application

With the use of "Process Explorer" I was able to halt and remove bn.exe and by relabelling the registry key and then restarting I was able to reduce the key to:
c:... Read more

Answer: Dealing with the aftermath of sdra64.exe, bn.exe, etc

I have run Malwarebytes which detected and removed 19 infections. Log attached.

Still issues - sometimes the blue task bar is grey with a different font, wireless sometimes just never connects, sometimes it says I have no sound card installed... Very sad....


Hi

My XP Pro SP2 system appears to be infected by sdra64.exe - and its invisible friend? The problem began a couple of days back after Windows Firewall reported an infection from worm.win32.netsky. MBAM at first appeared to have fixed the problem. But it soon became clear that all was not well. I kept getting misdirected and redirected within IE7. Selecting Google hits almost invariably took me to an unwanted site.

After these misdirections/redirections I usually found (and deleted) cookies from one or more of the following sites:
- 64.111.212.229
- 66.230.188.67
- feed.ndot.com
- www2.shopodo.co.uk

MBAM scans always:
- found and disinfected sdra64.exe. A typical log is attached at the end of this post.
- left no trace of sdra64.exe by filename or registry entry.

But as soon as I start to navigate on the web sdra64.exe reappears and the clean up cycle starts again. So at the moment, I'm stuck with an unwelcome intruder and would appreciate any help you can offer in finding and removing him!!

Many thanks

______________________________________________________________________________________________
Update at 22:45 GMT on 27 Jan 2010

Sdra64.exe attacks continue. Followed by MBAM cleanup. More ominously other infections are occurring. Today, MBAM has found and removed PDFUPD.EXE (Spyware.Zbot), and SAS has found and removed an SVCHOST.EXE virus. Both strangely had File Modification dates of 26 Jan 2010 - yesterday.

The plot thickens!!
__________________________... Read more

Answer: Persistent sdra64.exe infection

Hi Brawgates,

Once again welcome to the Virus/Trojan/Spyware/Malware Removal (VTSMR) forum and apologies for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is likely compromised. Some experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can ... Read more


I'm using an Aspire one laptop, Windows XP. I think I have a browser hijack. I recently stopped using Internet Explorer cause I keep getting redirected to random websites. I switched to Firefox & so far I haven't been redirected lately. I just wanna make sure it's gone. Also.. I saw this
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
on my HijackThis log. Analyzed it on http://www.hijackthis.de/ and it seems bad... please help me clean my laptop.. thanks

P.S. My McAfee free subscription expired. I want a free antivirus program. Know any free good ones?

HERE'S THE REST OF MY HIJACKTHIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:38 PM, on 2/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
... Read more

Answer: sdra64.exe, browser hijack

still waiting for a response =]
===========
Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to b... Read more


One of my clients got a lot of infections from some site he visited. I got rid of almost everything using a combination of ComboFix, Malwarebytes, SAS, and Spybot.

I can delete sdra64.exe, lowsec, and any of the .tmp files associated with them by killing their handles in the winlogon.exe. The problem is, as soon as I connect to the Internet, netstat shows me that it is connecting to 218.93.205.19, and after a few seconds, sdra64.exe, lowsec, and a few .tmp files are all back, and the security center notifier tells me win firewall is turned off.

A scan after this happens tells me that win firewall exception is added for winlogon.exe, so something tells me winlogon.exe is infected. I have checked all the GPExtension and Notify reg entries but nothing seems awry.

I will post my hijackthis log in my next post, but please help, this PC has been on my bench for 3 days and the customer is getting mad.

Thanks so much!!!
 

Answer: SDRA64.EXE, LOWSEC, & its downloader

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:47 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
... Read more


Hi, here's my problem. 2 days ago
I got that virus shutting down my firewall, anti virus AVG, opening pop up errors etc. Couldn't do anything but still had a screen, tried to run Spybot.
Came back an hour later, the computer was frozen. Turned it off, restarted it and now black screen.
Can't even go to safe mode.
Don't know what to do. I am a photographer and got all my work on the PC, I really don't want to lose it.
Please please help.
Thanks a lot for reading and for your time.
David

Answer: sdra64 lowsec no more screen bad bad help please

And I forgot to say that I don't have the XP CD, it was pre-installed.
I got a netbook so I can download things and transfer to USB,
but not on CD.
Thanks again


I have two computers (so far) infected with this trojan loader. It appears to have arrived as an email .zip attachment.

For others with this problem, the loader makes changes that appear to be recorded by Windows Defender.

I wasted one computer by immediately hacking the registry.

On the second I did a restore to several days prior to the incident and that restored the winlogon info and hopefully the others as well.

Hope this helps y'all

VL
 


Hi guys, thanks so much for helping everyone out. Truly a great thing here. So it all started lots of disk errors in my event log (bad block of memory), then word and powerpoint stopped working (fixed that), and after running many different anti-virus and spyware removers I have found sdra64.exe and cannot remove it. Sophos has a few spyware/malware viruses in quarantine but the clean up function is disabled. My firewall is automatically shutoff without authorization.

I have tried to remove the viruses on the comp with different programs to no avail. Since you guys know your stuff very well, I am hoping you can help me out.
DDS (Ver_09-03-16.01) - NTFSx86
Run by Alex at 2:45:01.82 on Wed 04/01/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.498 [GMT -5:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

... Read more

Answer: Infected with sdra64.exe and other malware

Update: I think my computer died.

It won't boot up anymore... it takes its sweet sweet time on the Windows progress bar screen, then goes black for quite a while, then the Windows Startup screen shows up and finally it ends with the pretty sunset I have as my wallpaper on my desktop.

I should still be able to boot it in safe mode right?

So yeah, I would hate my comp's lifespan to have been only three months. Please help me out.

Muchas gracias,
Alex


OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name TOSHIBA-USER
System Manufacturer TOSHIBA
System Model Satellite M35X
System Type X86-based PC
Processor x86 Family 6 Model 13 Stepping 6 GenuineIntel ~599 Mhz
BIOS Version/Date TOSHIBA V1.60, 11/30/2004
SMBIOS Version 2.31
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name TOSHIBA-USER\Joseph
Time Zone Eastern Standard Time
Total Physical Memory 1,536.00 MB
Available Physical Memory 635.18 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.95 GB
Page File Space 2.03 GB
Page File C:\pagefile.sys

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:20 AM, on 12/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
... Read more


Hi,
My computer is infected with sdra64.exe, and I'm sure there are other problems. This just occurred, and I have verified that the sdra64.exe entry exists in the registry as part of the Userinit key. The line, C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, is currently shown. Consistent with everything I've read, when I try to edit this key, the virus writes it right back.

I tried running SDFix, but that didn't solve the problem. I have the log from that if interested. So, I could really use some help or advice. Thanks in advance!

The contents of my DDS.txt file are as follows:
DDS (Ver_09-03-16.01) - NTFSx86
Run by Matthew at 20:01:57.96 on Sun 04/26/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.508 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

... Read more

Answer: Help Removing sdra64.exe and Other Malware

Hello Freefal311.

If by chance you have resolved your issues, or got help or are getting help elsewhere currently, please let me know. Otherwise, proceed with the following.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member FreeFal311 only. If you are a lurker, do NOT try this on your system! If you are not FreeFal311 and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use! Do NOT run any other tools on your own or do any fixes other than what is listed here. If you have questions, please ask before you do something on your own. But it is important that you get going on these following steps.

= Close any of your open programs while you run these tools.

= Set Windows to show all files and all folders. On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed. "CHECK" (turn on) Display the contents of system folders. Under the column Hidden files and folders, choose (*select*) Show hidden files and folders. Next, un-check Hide extensions for known file types. Next un-check Hide protected operating system files.

= Download The Avenger by Swandog46 from here. Unzip/extract it to a folder on your desktop. Double click on avenger.exe to run The Avenger. Click OK. Make sure that the box next to Scan for rootkit... Read more
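Several posts in these threads quote the tampered Winlogon value, either as the HijackThis line "F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe," or as the raw Userinit data Matthew reports above. The following is an added example, not code from any post or from HijackThis, DDS or ComboFix: a small Python audit that parses either that F2 line or the data line printed by "reg query ... /v Userinit", then lists every entry that is not the stock userinit.exe or Explorer.exe. The sample lines are constructed from names the threads mention (sdra64.exe, msjiyf32.exe, twex.exe), and the paths assume a default install with %SystemRoot% = C:\WINDOWS.

```python
"""Audit the Winlogon Userinit and Shell values for injected loaders.

Added example, not code from any post above or from HijackThis/DDS. It
parses two text forms quoted in the threads: a HijackThis line of the form
"F2 - REG:system.ini: UserInit=..." and the data line printed by
"reg query ... /v Userinit", then reports every entry that is not the
stock value. Assumes a default install with %SystemRoot% = C:\\WINDOWS.
"""
from __future__ import annotations

import re

SYSTEMROOT = r"c:\windows"  # assumption: default XP/Vista system root

# Stock values, lower-cased. The stock Userinit data ends with a trailing
# comma, which split_entries() drops as an empty item.
EXPECTED = {
    "userinit": {SYSTEMROOT + r"\system32\userinit.exe"},
    "shell": {"explorer.exe", SYSTEMROOT + r"\explorer.exe"},
}

# HijackThis report line: F2 - REG:system.ini: UserInit=<data>
F2_LINE = re.compile(r"^F2 - REG:system\.ini:\s*(UserInit|Shell)=(.*)$", re.I)
# "reg query" output line (after stripping indentation): <name>    REG_SZ    <data>
REG_LINE = re.compile(r"^(Userinit|Shell)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", re.I)


def normalise(entry: str) -> str:
    """Lower-case, strip quotes/whitespace and expand %SystemRoot% for a stable comparison."""
    cleaned = entry.strip().strip('"').lower()
    return cleaned.replace("%systemroot%", SYSTEMROOT)


def split_entries(data: str) -> list[str]:
    """Userinit/Shell data is a comma-separated list; empty items (trailing comma) are dropped."""
    return [normalise(item) for item in data.split(",") if item.strip()]


def parse_line(line: str) -> tuple[str, str] | None:
    """Return (value_name, data) for a recognised HijackThis or reg query line, else None."""
    stripped = line.strip()
    for pattern in (F2_LINE, REG_LINE):
        match = pattern.match(stripped)
        if match:
            return match.group(1).lower(), match.group(2).strip()
    return None


def audit_value(name: str, data: str) -> list[str]:
    """Return the unique entries in `data` that are not the stock value for `name`."""
    unexpected = [item for item in split_entries(data) if item not in EXPECTED[name]]
    return list(dict.fromkeys(unexpected))  # dedupe, keep first-seen order


def audit_lines(lines: list[str]) -> dict[str, list[str]]:
    """Run audit_value over every recognised line; unrecognised lines are ignored."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, data = parsed
        for item in audit_value(name, data):
            if item not in findings.setdefault(name, []):
                findings[name].append(item)
    return findings


# Constructed sample input: a clean pair of values, the F2 line quoted in the
# threads above, and two further tampered values built from names the threads
# mention (msjiyf32.exe, twex.exe). The last line is the key header that
# "reg query" prints, which the audit must ignore.
SAMPLE_LINES = [
    r"    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,",
    r"    Shell    REG_SZ    Explorer.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    r"    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msjiyf32.exe,",
    r"    Shell    REG_SZ    Explorer.exe,C:\WINDOWS\system32\twex.exe",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
]

if __name__ == "__main__":
    for name, entries in audit_lines(SAMPLE_LINES).items():
        print(f"{name}: unexpected entries {entries}")
```

Anything the audit lists should be checked against the threads' advice above rather than deleted from regedit directly, since the posts report the loader rewriting the value as soon as it is edited.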


Hi,

I got infected with sdra64.exe and a couple of days ago (when I didn't know I had this on my computer) I knew I got infected with something. I ran Malwarebytes Anti-Malware and it found 20 infections and removed them all.

Today I kept getting a notification on Windows XP asking permission to startup sdra64.exe and I ran Malwarebytes Anti-Malware again. It found 60 infections and removed all but 4 of them. Wanted to restart the computer so I let it.

It was still infected with sdra64.exe so I started looking online for fixes and decided to try Anti-Malware one more time and it will not run. I tried to run it and a bubble pops up on the taskbar stating Warning! "Running of application is impossible. The file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe is infected. Please activate your antivirus program"

I now also have Windows Antivirus Pro popping up and running a fake scan on my computer about viruses trying to make me purchase the program. I'm NOT going to do that.

I also tried to go to Start - Run - msconfig and got the same error saying it can't run and it is infected.

I'm at a loss and need MAJOR help. The computer no longer functions.

I'm currently using a different computer for the boards. HELP!!!

Answer: Infected with sdra64.exe and other things :(

Immunize a USB drive and that clean computer

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder... it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

I need you to retrieve those last 2 MBAM logs if you can


Any help would be greatly appreciated. Thanks in advance. Noticing some strange behavior, I ran HijackThis yesterday. I use it periodically. I noticed a new F2 item (sdra64.exe) had altered my registry. I attempted to modify the offending registry entry with no success (it just reappeared). I then decided to boot into safe mode and try there. Once again, no success. Although that seems to have induced more problems. Now when I boot up normally, and select a user profile from the logon screen, the computer hangs up. It'll display the appropriate background for the desktop, but none of the icons appear, nor the taskbar. I'm able to ctrl-alt-del and see the running processes, but not much else. I can however still boot into safe mode with network connectivity. Restore points seem to be gone. I can't seem to get the computer to boot from CD.... automatic recovery is available, but just booting from the CD doesn't seem to be... it just defaults to a new installation, which I quit from. Desired logs are below and attached. If you have any suggestions, keep in mind I'm operating in safe mode.


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Tommy at 10:20:40.62 on Sun 05/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.792 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185... Read more

Answer:Rootkit trojan - sdra64.exe and more?

Hello and welcome to TSF.


Quote:
I attempted to modify the offending registry entry with no success (it just reappeared). I then decided to boot into safe mode and try there. Once again, no success. Although that seems to have induced more problems.

The registry is a dangerous place to play around in unless you know exactly what you're doing. Did you back up your registry before you experimented with it?


Quote:
I can however still boot into safe mode with network connectivity.

Although we would not recommend surfing the net while in Safe Mode with Networking, it may come in handy now.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to dow... Read more

11 more replies

WinXP SP3, Norton AV caught 2 viruses (pp2.exe, 1doz.exe). I was able to clean them, then other things started to go wrong. Spybot kept asking me if I wanted to change userinit.exe; answered no many times. I broke the internet connection and rebooted to safe mode. Found sdra64.exe in the registry after userinit, Spybot no longer worked, downloaded another copy of Spybot, but it doesn't seem to work. Here is the HijackThis log. Please help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:38 PM, on 3/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McA... Read more

More replies

Hello,

I wonder if anyone can help. A friend of mine asked me to help fix her computer, which has been acting slightly oddly. Here are the symptoms:

Win XP SP3, AVG 8

Windows Firewall is repeatedly turning itself off (red shield evident in system tray).
High AVG related CPU usage (could be a red herring)

I first off did a HijackThis scan and one particular item came to my attention, referencing the file sdra64.exe in the system.ini. A quick google search showed that it was a potential rootkit.

One of the Google links brought me here, and I'd be very grateful for some help to remove this little nasty. Normally I would just flatten and re-install, but in this case there are no Windows re-install disks.

Here is the DDS log file:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Highfield at 16:30:28.98 on 06/05/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.553 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:... Read more

Answer:sdra64.exe, lowsec Rootkit

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial trans... Read more

12 more replies

Hello my new bestest friends. I need help! (as does everyone who comes here) My computer has been running like a bag of you know what for about 3 weeks. IE became corrupt and will not start even after uninstalling and reinstalling versions 6 & 7. However this is not the problem as I am currently using Safari and finding it great. The problem lies with my computer and its sluggishness; ever since IE became corrupt my computer seems to have slowed. I am getting occasional internal memory (blue DOS screen) errors and several other little glitches like Windows XP's search program will not close after I perform a file search. I have performed several virus & spyware checks such as AVG and Spyware Doctor, also several registry progs like Registry Booster. AVG comes up clean, however Spyware Doctor and Registry Booster both show a lot of registry errors including heaps of lnk files and url files. I removed most of these the first time around but discovered it to have deleted all my shortcuts and bookmarks that I much needed (well not so much the shortcuts). It did not remove the actual .exe files but was a major hassle as my desktop shortcuts were wiped. So I performed a system restore and now have everything back. I am wondering, are/have these files become corrupt or is this just overkill on the software's (Spyware Doc & Reg Booster) behalf?? I have also noticed in my HijackThis log that there are several (missing files). I am so in need of help as I use my computer to p... Read more

Answer:Need Help Computer Getting Worse And Worse!

Hello Krisso,

Welcome to Bleeping Computer

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea

2 more replies

Hi there, sdra64.exe was detected by an old 2005 copy of Norton Antivirus, which I had to remove when it crashed. I replaced Norton with AVG Free, which detected msgpc.sys Generic.AQVG. I tried to remove these myself, but this was made more difficult by not being able to boot into Safe Mode (got BSOD 0x0000007E). I fixed that by doing a Repair Install of XP Pro SP3.
Symptoms are "system sluggishness", disk thrashing, network system files going missing and the OS asking me what program I want to use to open drive D:
I think I need an expert to help with this. I hope you can help.
regards
Edi

Here is my DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Student at 20:15:37.00 on 2010-02-09
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.579 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files... Read more

Answer:sdra64.exe and msgpc.sys Generic.AQVG

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

12 more replies

One of my PC's in the house is a shared desktop for my wife, kids and me. Sometime yesterday evening the PC displayed a "Windows Virus 2009" removal tool. My wife was logged in at the time loading music to her iPod from iTunes when the above message displayed. I told her to close the window but by then it was too late. The malware/virus was already installed and doing its worst.

I ran HijackThis scan and noted that the F2 section had a modification of the system.ini with a reference to C:\Windows\system32\sdra64.exe.

From what I can gather this is related to the Mal.Zbot.I virus.

I followed one of the other threads on here that said to run HiJackThis (which I did yesterday - logs attached). I also downloaded and ran the DDS tool and the ComboFix tool (logs attached).

I am using Windows XP Pro SP3, Symantec AV (10.1.5.5000 with latest updates), Windows Defender, Windows Firewall. All above products have daily updates turned on (or to check when the PC turns on).

My Windows 7 Beta laptop did not get this virus nor did my other Windows XP Pro SP3 machine (it has been off since Sunday evening and has not been back on since this issue arose).

I am not too terribly bad at diagnosing and fixing these types of issues, but this is one of the nastier virus/malwares that I've seen.

The biggest question is, now that I have run DDS and ComboFix and have the latest HiJackThis report (after running DDS and ComboFix), what do I need to delete to complete ... Read more

Answer:Infected with malware - sdra64.exe detected

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructio... Read more

2 more replies

Hi, our computer has problems. It started with Spyware Protect 2009, which I think we cleaned off. But now I see sdra64.exe and can't get rid of it.
Ever since Spyware Protect showed up, when any exe is launched, I get a verisign window popping up prompting me to open my profile. I put a jpg of this in the zip file. When the verisign window pops up, it appears on the task bar as whatever program I just launched but that program doesn't actually launch until I cancel the verisign window. I was thinking this window was verclsid.exe being called, so I renamed that file to verclsid-.exe. Nothing changed.
Next I overwrote rundll32.exe in system32 with another copy from elsewhere on the computer. I was thinking maybe it was corrupted causing the verisign calls. Nope.
Next I downloaded combofix and tried to run it a couple of times to no avail. Didn't do anything. Then finally it seemed to work, but I chickened out because of your many warnings and exited.

I likely won't be able to respond until Saturday evening, but I wanted to get in line. Thanks for any help you can provide.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Pete at 20:41:54.18 on Thu 05/28/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.341 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.... Read more

Answer:Spyware Protect, sdra64.exe, and maybe other stuff

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and downloa... Read more

19 more replies

I was recently infected with the sdra64.exe bug, which I removed using instructions I found on the web ( hxxp://mrmusicmaker.blogspot.com/2009/04/how-to-remove-sdra64exe-yourself-for.html ). I followed those instructions fully, not skipping any step... however the instructions say that the sdra64.exe file would be in the System32 folder, but I found my bug in the C:\Users\Cris Black\AppData\Roaming folder... I now have a recurring message. This message usually only happens once or twice during the time that I have my computer powered on... though, since I am on the move a lot, I rarely have my laptop on more than 2 hours or so at a time... there seems to be no clear cause for the message, as I'm generally using different programs when the problem comes. There is not one program, that I can tell, that is the catalyst.

The text of the error message appears first in a Trend Micro window alerting me to it, and then in a Windows error report window... the Windows error window is the one from which I took the following text:

seupd.exe stopped working and was closed
A problem caused the application to stop working correctly.
Windows will notify you if a solution is available.

I worry that I still have some of the sdra64 bug in my system or that the removal has caused this new problem... how can I fix this?

I am currently running Windows Vista (32 bit) Service Pack 2 on a Dell XPS M1530 laptop. My security software is Trend Micro Internet Security Pro and S... Read more

Answer:sdra64.exe infection with seupd.exe problem

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

2 more replies

I have a Win2k3 Server, that appears to have a sdra64 infection. It is a Virtual Machine. I need help getting rid of it.

Thanks,


Keith

More replies

Hello, this started to look like an AV 2008 virus. There was an icon in the Sys tray. MBAM would not run in regular mode, so I rebooted in Safe Mode and ran it. I ran it a few times and cleared out numerous things.
Windows Update page will not display. Also, when I click on links from Google or elsewhere, they get hijacked and send me to other pages. I suspect the two viruses listed above are part of the problem because I found entries in the event log regarding them:

Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 5
Date: 6/3/2010
Time: 12:08:11 PM
User: N/A
Computer: USEL3744
Description:
Risk Found! Risk: Backdoor.Tidserv in File: D:\Documents and Settings\user\Local Settings\Temp\12C.tmp by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 6/3/2010
Time: 9:12:44 AM
User: N/A
Computer: USEL3744
Description:
Faulting application sdra64.exe, version 2.4.4587.1000, faulting module sdra64.exe, version 2.4.4587.1000, fault address 0x000274b2.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 73 64 72   ure  sdr
0018: 61 36 34 2e 65 78 65 20   a64.exe
0020: 32 2e 34 2e 34 35 38 37   2.4.4587
0028: 2e 31 30 30 30 20 69 6e   .1000 in
0030: 20 73 64 72 61 36 34 2e    sdra64.
0038:... Read more

Answer:Possible sdra64.exe, Backdoor.Tidserv infection

Hi and welcome. My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a GMER log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or GMER log please refer to this page and in step #6 and Step #7 and Step #8 for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or unable to produce a report for any reason, just let me know in your next reply.

For your next reply I would like to see:
- The DDS logs (DDS.txt and Attach logs)
- GMER log
- Description of any remaining problems you may still have.

With Regards,
Extremeboy

2 more replies

I appear to be infected with both Win32.Agent.pz and sdra64.exe. My problem is very similar to a topic posted 2 days ago on Mar 17: "sdra64.exe, Cannot remove infection (sdra64.exe)". The poster was able to solve his problem. But I'm unfamiliar with some of the things he did. And, I cannot find sdra64.exe in the system32 folder (maybe because WinPatrol has trapped it as described below).

********* SpyBot Details **************
1) Spybot reports Win32.Agent infection. Unable to remove using Spybot S&D after trying several times.
--- Search result list ---
Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
Win32.Agent.pz: [SBI $0F1C75F7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID
Right Media: Tracking cookie (Internet Explorer: Compaq_Administrator) (Cookie, nothing done)

********* HJT Details **************
2) sdra64.exe was actually "trapped" by WinPatrolPlus as trying to configure itself as a startup program. This happened immediately after AVG active scanning isolated some other nasties. I cannot eliminate it using WPP.
Logfile... Read more

Answer:Win32.Agent.pz and sdra64.exe infections

I have solved my problem; please close this request for help.

Here's how:
After reading several other "sdra64" topics, I found one where someone had good luck with Avast anti-virus. So, I downloaded the trial version.

I used it 3 times, once using "standard" scan, and twice using "thorough" scan. I restarted between each scan. It found Win32:Rootkit-gen; JS:ScriptPE-inf; and Win32:Adware-gen. The 3rd scan came up clean. I like the product a lot, but it has what can only be described as a bizarre interface.

Then ran Spybot. Spybot reported the "Win32.Agent.pz" registry entries again. After fixing those; restarted; ran Spybot again and it appears now I'm clean.

FWIW, I was using AVG 8.5 with the Resident Shield when it first reported trapping "Trojan horse Adload_r.HW" and "Virus found Win32/Heur". However, I never used AVG 8.5 to do a full-scan. Perhaps AVG would have found all the nasties that Avast did -- I just don't know.

2 more replies

G'day guys and gals. I just read this thread http://www.bleepingcomputer.com/forums/t/265002/infected-with-sdra64exe-running-vista/ and read some of the responses from the techs and I'm rather worried now. I'm in the process of backing up my files (but I have so many) and gonna blow up my C drive and install Windows 7 since it's a good excuse to get it. But about 80% of my programs are installed to my 1TB drive (I call it my E:) so I'm putting my documents and desktop things there so when I format I don't have to download or lose anything important. What my fear is, will I still be able to access them as if they were still part of my C drive after the format? For example, I get Windows 7, then I try and access my 1TB drive and instead of accessing the game, or the program, it won't and I have to install it, update it and dl the patches again (Yes I'm an MMO gamer).

Anyway, I've been trying all these ways to delete this damn virus. I've tried all the solutions and I found out they aren't for Vista. This is the only place that seems to know what they are doing. I did the solution where you end the svchost.exe tasks and the registry like the original poster did and ended up having my PC reset.... and worse, I have about 13 svchost.exe processes running at the moment. I'd like some help if you guys know what to do. I'm in the process of buying Windows 7 and MAYBE a new hard drive so I can keep my current C: as a backup just in case.

My other dumb question is, if I install a new hard drive with a n... Read more

Answer:sdra64.exe in C:\Users\Leo\AppData\Roaming

I don't wanna sound annoying, but I'm kinda stressed atm.... isn't there anyone who has an idea what to do? My only solution is to get a new HDD and a new OS and hope that if I connect my old hard drive to drag some files over it won't re-infect my new OS.

I would appreciate any kind of help atm. I'm not the kind of person that handles this kind of stuff well.

3 more replies

I've recently noticed my computer chugging away while I was doing some light browsing and decided to run a quick scan. Spybot pulled up win32.zbot and attempted to clean it. HijackThis shows the desktoplayer.exe and occasionally <filename>srv.exe or <filename>srvsrv.exe items added to a registry key where UserInit=c:\windows\system32\userinit.exe is usually found solo. The problem is deep rooted; deleting the end off the key entry does nothing, it will automatically rewrite itself right away. Kaspersky Virus Removal Tool runs and has pulled up many, many instances of the same trojans (where Spybot and SUPERAntiSpyware give me a clean bill of health). I haven't written down the names, but whatever they are, they spread to different areas of my desktop each time I reboot and scan.

After running a few of these scans, I've occasionally been getting a BSOD. It doesn't pause on the screen, so I can't tell you anything about the error message. I don't know if this is a direct result of the infection or more of a problem with all the files that have been quarantined.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 15:01:09.28 on Sat 09/04/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1385 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe ... Read more

Answer:desktoplayer.exe, sdra64.exe, <filename>srv.exe infection

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE*
It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.
*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.*
*You must reply within 5 days otherwise this topic will be closed.

====================================

Your PC is infected with a very nasty virus; aside from the difficulty of its removal, some system files are also infected and contain a backdoor trojan. My recommendation is to do a reformat and reinstall the OS. Please note that we're dealing with a file infector so trying to clean the PC is a long process and I can't guarantee a satisfying outcome. Also, due to the nature and the severity of the infection, trying to do the repair is very crucial and some unexpected problems may happen (worst case scenario is that the PC will become unbootable) and will give us no other option but reformat. Please let me know if you concur with me before we proceed.

One or more of the identified infections is a Rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any o... Read more

18 more replies

Hi people,

I've been infected with this extremely bothersome malware for quite a while now, and it's a nightmare to get rid of.

Following guides on the internet to remove it have proved pointless - as they all talk about accessing the HKEY through the regedit program in order to remove it. However I am running Vista, and Spybot S&D has showed me that the location of the file is along the ..Appdata\Roaming\sdra64.exe path.

Another thing. I had a problem running Rootrepeal, which kept throwing up the following error messages:

"FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000dc)
Could not initialise driver. Please contact the author."

Anyhoo, the dds.txt report is below. Thank you so much for your help in advance - this thing's becoming a headache quickly!



=============================================

DDS (Ver_09-10-13.01) - NTFSx86
Run by Amrit at 14:03:04.45 on 17/10/2009
Internet Explorer: 7.0.6000.16916 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1014.148 [GMT 1:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: ESET Smart Security 3.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3... Read more

Answer:Infected with sdra64.exe (running Vista)

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this post a fresh dds log, please.

10 more replies

My XP sp2 was browsing weird, did an HJT check and found this entry UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, I have a feeling it might be really bad. I followed the first steps (hopefully correctly) and I've attached the zipped files and here is the DDS text:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 11:50:06.04 on Sun 03/01/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.594 [GMT -5:00]

AV: AOL Antivirus *On-access scanning disabled* (Outdated)
FW: AOL Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -... Read more

Answer:found this C:\WINDOWS\system32\sdra64.exe, I think I need help!

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.).

This type of infection allows hackers to remotely control your computer, steal critical s... Read more

19 more replies
Relevance 42.23%

I am experiencing a severely slow computer when on the internet or off the internet. Malwarebytes didn't find anything. I noticed the sdra64 on the HijackThis log. Also I can't get rid of the ask.com toolbar even though I removed it via add/remove programs. It was installed on my computer when I downloaded FormatFactory, which I have since gotten rid of. Thanks in advance.

Below is my hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:25 PM, on 2/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
... Read more

Answer:Computer possible infected with sdra64.exe virus

16 more replies
Relevance 42.23%

Hi there,

I was wondering if I could get someone to talk me through the removal of a Zbot infection. I'd normally roll on with this myself, but I'd rather not take any chances as the computer I'm fixing is occasionally used by a family member for banking and shopping. The standard online solution suggests terminating svchost.exe processes, then deleting the offending registry entry as the computer is about to shut itself down automatically in order to prevent it from rewriting sdra64's entry into the registry.

Operating system is Windows XP Media Center Edition, should be fully patched, the browser of choice is Firefox and the fault was reported to me when it was picked up by AVG Free in an overnight scan. I've run MBAM and HijackThis to generate some logs and general diagnoses. I've also isolated this connection via a little detective work with ProcExp and TCPView - Googling the IP address points towards a Swedish registrant and is connected with Zbot attacks:

svchost.exe:900 TCP (snipped name).home:2446 95.143.192.16:http CLOSE_WAIT

Thanks for any help you can provide with this. If there are any diagnostics you'd like to run in order to further document this piece of malware, I'd be happy to run them and send the results along.

The HijackThis and MalwareBytes logs are as follows...

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:33:58, on 10/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explor... Read more

Answer:Zbot, sdra64 and its lowsec cohorts

Bumping this after a day as recommended in the Welcome Guide. Any advice would still be very much appreciated!

Edit: Booted to a Linux CD and manually removed the file, then booted into safe mode and clipped the registry entry. Watching traffic on TCPView and the entry's gone. Malwarebytes has cleaned up the rest of the related files and they've stayed away. AVG scan so far is coming back completely clean.
 

1 more replies
Relevance 42.23%

Hello Techsupport!

Recently my computer suffered a blow with what seems to be some sort of spyware monster. I was surrounded in pop ups, and new applications appeared in my taskbar, that wasn't all, however. I've faced spyware before, but this time, it became too much. I was overwhelmed with the popups (System defender, Security Tool) so I decided to restart the system. In the last moments, I noticed a window that was requesting the XP SP2 CD because some files had been corrupted, I knew at this point that I was screwed. Upon rebooting I found that the windows XP loading screen would appear for a brief moment and then the system would keep rebooting. Safe mode did the same thing, and so in desperation, I ran Vcleaner from a different hard drive in hopes of getting rid of this thing. Vcleaner did not find anything, and so I made some backups and decided to run a repair installation of Windows XP. While doing so, some files would refuse to install, and when I located them, the screen kept telling me to replace them, so I then ignored the errors and finished the installation.

Upon finishing the repair installation, I found that the "Please wait" screen had lasted numerous hours, so I rebooted the system and I finally was able to get into my user. This brings me to the current situation. When Windows is booted normally, a tray icon displays some gibberish about credit card information being given away via a virus named Lsas.Blaster.Keylogger. I also noticed that the... Read more

Answer:Lsas.Blaster.Keylogger, SDRA64...etc

Hello and welcome to TSF.

HijackThis is no longer the preferred initial analysis tool in this forum.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

1 more replies
Relevance 42.23%

Greetings TechSupport,

I appear to be infected with both Win32.Agent.pz and sdra64.exe

1) Spybot reports Win32.Agent infection. Unable to remove using spybot S&D after trying several times.

--- Search result list ---
Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
Win32.Agent.pz: [SBI $0F1C75F7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID
Right Media: Tracking cookie (Internet Explorer: Compaq_Administrator) (Cookie, nothing done)

2) sdra64.exe was actually "trapped" by WinPatrolPlus as trying to configure itself as a startup program. I cannot eliminate it with WPP.

Here's an HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:07 PM, on 3/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Expl... Read more

Answer:sdra64.exe and Win32.Agent.pz infections

I have solved my problem; please close this request for help.
Here's how:
After reading several other "sdra64" topics, I found one where someone had good luck with Avast anti-virus. So, I downloaded trial version.
I used it 3 times, once using "standard" scan, and twice using "thorough" scan. I restarted between each scan. It found Win32:Rootkit-gen; JS:ScriptPE-inf; and Win32:Adware-gen. The 3rd scan came up clean. I like the product a lot, but it has what can only be described as a bizarre interface.
Then ran Spybot. Spybot reported the "Win32.Agent.pz" registry entries again. After fixing those; restarted; ran Spybot again and it appears now I'm clean.
FWIW, I was using AVG 8.5 with the Resident Shield when it first reported trapping "Trojan horse Adload_r.HW" and "Virus found Win32/Heur". However, I never used AVG 8.5 to do a full-scan. Perhaps AVG would have found all the nasties that Avast did -- I just don't know.
 

1 more replies
Relevance 41.82%

Hi there, I'm running Windows XP and I seem to have picked up the sdra64.exe trojan - the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit entry has been changed to C:\Windows\System32\Userinit.exe,C:\Windows\System32\sdra64.exe and resets itself when changed back.

I've tried the fix suggested here to no avail: http://pcanswers.techradar.com/blog/sdra64exe-remove-trojan-menace-21-05-09

Scanning with AVG, Malwarebytes and SuperAntiSpy picks up infected files, but they just come back again when healed, and my browser is being redirected to sites like http://www.kdirectory.co.uk/results.asp?qry=Trojan&rfid=mw03_vertamedia-100021&bp=trojan

Below are log files for Hijackthis and the 3 programs above, all run in safe mode. Any help would be much appreciated. Many thanks, Josh.

---------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:41:13, on 19/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOW... Read more

Answer:sdra64.exe trojan infection/browser hijacking

9 more replies
Relevance 41.82%

Hi guys, I've got a Vaio S4XP running Windows XP Pro. Ran the Sony Recovery Tool earlier this week, to restore factory settings. All done, I went and added SP3. No probs.

Today, when installing .net framework (3.5) Google Chrome stopped working (application failed to initialise). May be incompatibility with .net 3.5, may be because, at the same time, I installed some malware in error.

Norton antivirus has been telling me the windows logon utility is requesting internet access. HiJackThis highlighted a new entry, sdra64.exe. I tried to remove it using the "ok changes in regedit JUST before shutdown timer completes after requesting svchost be terminated" technique, but haven't managed to do it yet.

So, whilst chrome is failing to initialise, I've been using IE7, with about 50% of links clicked failing. Google suggests this may be a clicker.c? virus.

About to combofix, but getting the error about Virut? So any advice most appreciated! Know HJT, but please explain any other acronyms!

Have read guides about forums, so will await advice from experts before posting HJT logs or running comboFix.
Thanks in advance
Jonny the newbie.

Answer:Help requested to remove sdra64.exe, Virut, clicker.cn...

sdra64.exe = Rootkit

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
This tool will create a diagnostic report for me to review.
Double-click on Win32kDiag.exe to run and let it finish. When it states Finished! Press any key to exit..., press any key on your keyboard to close the program. A file called Win32kDiag.txt should be created on your Desktop.
Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
Go to > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

1 more replies
Relevance 41.41%

I appreciate your help here.

I have done a regedit looking for userinit.exe and see it has a string of 3 different exe files that, after researching, seem to be bad news. I have posted the required documents below as well as the registry entry that I think is bad - C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\sdra64.exe,

I have run a registry cleaner as well as PC-cillin which is always on, as well as Spybot and yet I cannot get it fixed. I also restored my computer to a week earlier and still get the error. Logs are posted below as requested. Spybot is giving me this error - "Registry change denied as :User Blacklist.. Resident denied the change of the Userinit (category WinLogon) based on the black list."
Thank you for your help.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Andrew & Kati at 9:01:58.87 on Fri 04/17/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1084 [GMT 1:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Outdated)
FW: PC-cillin Internet Security - Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\s... Read more

Answer:sdra64.exe, userinit.exe, twext.exe - Spybot picks this up and denies them

Hello.

Backdoor Threat

IMPORTANT NOTE: Unfortunately one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy

5 more replies
Relevance 41.41%
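A defender-side check for the Userinit tampering the posts above describe (the Winlogon Userinit value extended to userinit.exe,sdra64.exe, or userinit.exe,twext.exe,sdra64.exe). This is an added example, not code from any forum post: the registry key path is the one quoted in the posts, the sample values are constructed, and the live registry read only runs on Windows.

```python
"""
Added example (not from any forum post above): inspect the Winlogon Userinit
value for extra launch entries. Windows runs every comma-separated entry in
this value at logon, which is how the sdra64.exe posts describe it
persisting; the only legitimate entry is userinit.exe in system32.
Sample values below are constructed.
"""
import os
import sys
from typing import Dict, List, Optional

# Registry path and value name quoted in the posts (under HKEY_LOCAL_MACHINE).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_USERINIT = "userinit.exe"


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit string into trimmed, non-empty entries.

    A clean value normally ends with a trailing comma, so empty parts are dropped.
    """
    return [part.strip() for part in value.split(",") if part.strip()]


def check_userinit(value: str) -> Dict[str, object]:
    """Classify each Userinit entry as expected or suspicious.

    Expected: the file name is userinit.exe and it lives in a ...\\system32
    directory (case-insensitive). Every other entry, including a second
    launcher appended after the genuine one, is reported as suspicious.
    """
    entries = split_userinit(value)
    suspicious = []
    for entry in entries:
        normalized = entry.replace("\\", "/").lower()
        name = os.path.basename(normalized)
        directory = os.path.dirname(normalized)
        if name == EXPECTED_USERINIT and directory.endswith("/system32"):
            continue
        suspicious.append(entry)
    return {"entries": entries, "suspicious": suspicious, "clean": not suspicious}


def read_live_userinit() -> Optional[str]:
    """On Windows, read the real value with winreg; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed samples: a clean value plus the tampered forms quoted in the posts.
SAMPLES = {
    "clean": r"C:\WINDOWS\system32\userinit.exe,",
    "zbot": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe",
    "twext": (r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,"
              r"C:\WINDOWS\system32\sdra64.exe,"),
    # A lone userinit.exe outside system32 is also wrong, not just extra entries.
    "wrong_dir": r"C:\Users\Public\userinit.exe,",
}

if __name__ == "__main__":
    live = read_live_userinit()
    to_check = {"live": live} if live is not None else SAMPLES
    for label, value in to_check.items():
        result = check_userinit(value)
        status = "OK" if result["clean"] else "SUSPICIOUS"
        print(f"{label:10} {status}: {result['suspicious'] or result['entries']}")
```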

About a week ago I discovered a range of malware infections on my PC. I ran MBAM which cleaned a number of malicious files, including sdra64.exe (Spyware.Zbot), 218.tmp (Trojan.Dropper) and user.ds (Stolen.data). Other malicious files appeared a few days later, and were again cleaned by MBAM.

The PC was exhibiting exactly the same symptoms as another post (slow running, freezing, freezing with a constant beep, and finally an Advanced Card Verification pop up window). The other post with similar symptoms is here: http://www.bleepingcomputer.com/forums/t/288658/advanced-card-verification-infection/ This made me suspect a rootkit infection, and a scan with mbr.exe detected MBR rootkit hooks. In the recovery console I ran mbrfix, which seemed to clear the infection, and for two or three days the PC has been running really well.

However today a McAfee pop up intercepted a trojan, and running MBAM revealed infections with Vundo and Hiloti trojans. At this point I decided that it's time to get some expert advice.

Thanks in advance for your help!

DDS log

DDS (Ver_09-12-01.01) - NTFSx86
Run by phil at 12:32:14.14 on 05/02/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2640 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchos... Read more

Answer:Trojan and rootkit infection - Vundo / Hiloti / sdra64.exe

Hello and welcome to Bleeping Computer! We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Fo... Read more

20 more replies
Relevance 41.41%

Hi, my computer was first infected after downloading a file I should have known better than to torrent. The key symptom was getting Google links redirected all over the place. After running HijackThis, SpybotSD, SuperAntiSpyware, Malwarebytes, and Spyware Doctor, I was able to remove most of what was going on. I also manually deleted stuff in regedit. It was fine for a couple of days, but then the redirecting started again. I should mention I only use Firefox.

Major culprits seemed to include the following:

1) sdra64 (this was the original suspicious thing in HJT and I deleted it through regedit)
2) Virtumonde (though this may be a false positive since it only came up once on Spyware Doctor)
3) IRCbot

Now, all my spyware scans come back clean from the above Trojans, yet my browser still keeps redirecting to rle822x.cn.
Also, my computer is having issues going into Safe Mode.

Much thanks in advance for the help. DDS log below. Others attached.

================================

DDS (Ver_09-12-01.01) - NTFSx86
Run by superfusia at 19:36:59.89 on Thu 12/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3050.2073 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32 ... Read more

Answer:Browser/Link Redirects/ sdra64/virtumonde/ircbot

Sry, I'm impatient. Doing a full system restore/reboot instead. Appreciate the forum - keep up the good work.

2 more replies
Relevance 41.41%

Hello BleepingComputer, I was checking the process list in the task manager a couple of weeks ago when I saw a process called "asam.exe". I searched it up in google and found out that was a virus/malware. I tried to remove it but I failed. The only thing I managed to accomplish was to disable it on start up w/ msconfig. I checked back two days ago to see if it was gone. "Asam.exe" had indeed been disabled but in its place was another suspicious process called "sdra64". I searched that up on google as well and found out that it was a baddie just like Asam. I tried to disable it the same way as I did with "asam.exe" but it didn't work. As in it keeps appearing on the process list every time I restart my computer.

My other problems include redirects when using google and lots of restarts because of BSOD. My overall computer speed has also been reduced from a couple of months ago. Before I posted this, I was following the "Preparation Guide for Use Before Using Malware Removal Tools and Requesting Help" thread. I downloaded the GMER file and I tried to scan with it. Halfway through I get a BSOD. I've tried this multiple times on regular boot and a few times on Safe Mode but I still keep getting BSOD.

DDS (Ver_10-03-17.01) - NTFSx86
Run by owner at 10:52:28.64 on 02/09/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_10
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.2.1033.18.1918.1067 [GMT -4:00]

SP: ... Read more

Answer:Infected with sdra64, asam, redirects, and LOTS of BSOD

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the ... Read more

15 more replies
Relevance 41.41%

My computer was recently infected with various malware including sdra64.exe. I ran malwarebytes to clear the infection. Although everything was reported as clear, I ran an ESET online scan today which found malware, but unfortunately it crashed before saving a log. My DDS log is below. I tried to run a GMER scan, but each time I ran GMER my computer restarted itself after a couple of minutes of scanning.

Any help in identifying and removing the problem would be much appreciated.

Many thanks jennieo

DDS (Ver_10-03-17.01) - NTFSx86
Run by jennieo at 10:17:04.82 on 19/03/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.999 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\... Read more

Answer:Persistent rootkit/malware infection - initially sdra64.exe

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please try to run RootRepeal, a similar program to Gmer

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
First Location
Second Location
Third Location
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

20 more replies
Relevance 41.41%

Hi! I previously posted a topic on this in the Am I infected forum, here which has the main details of my infection. Despite malwareBytes saying it has removed the infection, it has still failed to remove the system\lowset directory and sdra64.exe. There is also another computer in my house which uses the same router. Should I debug that one and reset the router as has been advised to other users here?

Here is my DDS Log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Zoe temp at 22:38:18.75 on 29/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.210 [GMT 1:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Prog... Read more

Answer:Win32\rootkit.agent.odg trojan / Zlob / sdra64.exe

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

19 more replies
Relevance 41%

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:38 PM, on 1/16/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18349)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\Trend Micro\Web Protection Add-On\TMWebProtectTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
R1 - HKLM\Software\Microsoft\In...

More replies

Sorry to be such a bother but this problem is driving me bonkers!
Every turn develops into a new drama-here's the situation so far-

(1.) When I go to click on a program (any program) my computer either immediately or soon afterwards pops up a window that says "program error-process has already been exited-has generated errors and will be closed by windows. You will need to restart the program. An error log is being created." Of course restarting the process only sends me in circles-the same thing continues to happen-sometimes, obviously, I'm able to start the program but usually during the course of operation the "program error" window pops up and it's back to musical chairs again!
My system is, O/S Windows 2000 Pro, P4-1.6GHz 400MHz/P4FAN (P4-1600AR), Motherboard-D850MVL -MB Intel D850MV w/LAN, Rambus 256MB (2).

(2.) Now if I didn't already have enough problems I've apparently been infected with the Fortnight.E virus-it gets worse, in turn, I infected my ex-wife with the virus via an email (well, I'm sure you can imagine my situation-it would be better to have my nipples dipped in honey and dangled over a pool of hungry piranhas-she's pissed! Of course, the fact that the virus installed porno weblinks into her favorite file made matters even more unbearable-you'd think she was a nun or something! At any rate,
I have run a Panda On-Line AV-Scan-several Norton AV scans-SpyBot, Ad-Aware and SpySweeper-nothing works!
...

Answer: Sos....from Bad 2 Worse!

6 more replies
Question: from bad to worse

Please help - got a new laptop, trying to use the wi-fi. There is no wireless connection icon anywhere. Maybe there's no driver, I'm guessing. Do I need to use the disc that came with my router? My other laptop works fine. Maybe I need to use another key code, I don't know. Please help. Thanks

Answer: from bad to worse

I think you're already running a thread on this: click here
Please don't double-post.

1 more replies

I now cannot access my e-mail since doing an update. Every time I click on the e-mail icon nothing happens, it's just blank. Nutty Norm again

Answer: it seems to get worse

What email icon?????????????

3 more replies
Question: From Bad to Worse

Hello to all the experts here at Bleeping Computers.

I was in the process of following your steps from the "Preparation Guide" when my computer decided to crash big time.
Initially I had my homepage hijacked by something called start.search.us. That by itself didn't seem to be a big deal. I was proceeding through the steps and made it to step 8 (Create a GMER Log). Approximately 5 minutes into the scan my entire screen went all screwy. It looked like the GMER scan program filled the screen and scrambled itself.

Now my computer won't work at all. After a restart, the computer locks up on the black screen with the green progress bar (Microsoft Corp underneath). I tried a safe mode reboot but it stops loading at the following line of text, "Windows\System32\Drivers\avgidshx.sys" This was the same line of text that was being scanned during the GMER scan.

After another restart (so many I lost count) my computer reads the following, "Windows failed to start. A recent hardware or software change might be the cause. To fix the problem:...." Several options are listed but even after inserting the original operating disc to repair, I can't get past the green progress bar thing.

Help!!! I'm moments away from turning this laptop into a very unaerodynamic flying brick.

(I'm typing this on my wife's Macbook, in case anyone was wondering how I could post)

More replies

I tried to run a payment on a website and the submit button did nothing but make the cursor blink, which it still is. I looked under Inspect Element and there was a JS file that downloaded. I looked at it and it looked fishy. I tried to run the normal cleaning techniques (AdwCleaner, JRT, RKill etc.) and they all returned a message: "the service cannot accept control messages at this time".

It is slowly getting worse by the minute so I am not sure that this will even get to someone in time, cause I know you guys are backed up, but if possible... I don't know what to do. I tried to use msconfig.exe and the search functions to get safe mode to work but I just get either nothing happening or the same message. I am afraid that if I turn off the computer to shift into safe mode that it will lock up. Any help would be appreciated.

Answer: I have something bad going on and it's getting worse by the second

Sorry, but it seems that your pc is infected with a virus or malware which is going to take some more work and a deeper look. No sense running a bunch of tools here. Please follow this Preparation Guide, post in a new topic and include a link to this thread. Let me know if all went well.

3 more replies

Like all AOL software, I'm wondering if the new AIM version is worse than the previous. Has anyone tried it yet?

It seems to have a lot of the features that AIM mods have introduced. I use DeadAIM myself, and have loved it for years. I tend to like things minimal. I've tried GAIM and Trillian, but I only use AIM, and GAIM messes up direct connections and profiles. I've tried AIMutation (sp?) and didn't like it much either.

What do you guys think?
 

Answer: AIM 6: worse because it's new?

I like it, but a lot of people don't.
You just have to tweak it to the way you want it.
 

3 more replies

I've had 10 for a few months now. During that time I've had several automatic updates. Most have been unnoticeable, a few others were anti productive. The first and the last (two days ago) have been horrible. When I first downloaded 10 I immediately lost my CD/DVD drive. No matter where I look my computer can't find the old one. It also disabled sound from anything I recorded. The latest update is making me log in if I leave the computer for more than a couple of minutes. It also makes me wait before the log in window pops up. I'm beginning to think that switching from 8 to 10 was not a good decision.

Answer: Just when you think it can't be worse!

Would you consider doing an in-place upgrade install, also known as Repair install ?
Repair Install Windows 10 with an In-place Upgrade

0 more replies

I've been trying to fix this computer for several days now, and it keeps getting worse instead of better

I know from my Ad-Aware scans that it has CoolWebSearch on it, but CWShredder doesn't find anything wrong when I run it. Ad-Aware does and keeps fixing it, but it's back within seconds. I've also run Spybot Search, About:Buster, and Pest Patrol. My HJT logs are getting worse, not better.

I would be much obliged if someone could help me; I can't figure out what else to do.
Thanks!
-Vanessa

Here is my HJT log, let me know what if anything else will help.

Logfile of HijackThis v1.97.7
Scan saved at 11:41:07 PM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program...

Answer: It's Getting Worse....

I downloaded the newer version of HJT...new log file is:

Logfile of HijackThis v1.99.0
Scan saved at 12:13:41 AM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\iety.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\msbo32.exe
C:\DOCUME~1\ness\LOCALS~1\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system...

3 more replies

Hi, I have been using PC Tools for the last couple of years with no bother. However, when I wanted to put it on my laptop I lost the ability to access the internet. They told me (eventually) to reboot using my Windows XP Home Edition disc. Having done that I was initially able to access the internet, but I could not open links or download anything, and now Explorer won't open at all, I just get error reporting. Things have gone from bad to worse and I need some help. Thanks

Answer: going from bad to worse

sorry - spyware doctor

2 more replies

I just finished a download that had some pretty nasty side effects. I am getting a pop up saying "It is recommended to update you antispyware protection to prevent data loss. Please install the most up-to-date antispyware for you" then an ok button. This isn't the only one, there are about 2 or 3 that seem random, none of which seem encouraging at all. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:46 PM, on 1/26/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Unlocker\Un...

Answer: pop ups and probably worse

Hi,

Your system is severely infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.

Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all. I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed! This is somewhat suicidal in today's digital world. That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.
Perform a full scan with Avira and let it delete everything it i...

18 more replies

Hello, I never write posts to ask questions when it comes computers, but this time I saw myself having to do so.
I have had many problems recently, and it just got to the point where stuff just doesn't work anymore.
I upgraded to Win 10 about 10 days after its launch. I loved it. I had that often problem everyone had but I could solve it.
About 20 days ago, everything worked great. Then, I don't remember what exactly happened, but all of a sudden I couldn't access the Groove Music app. Then I realized I couldn't open any other Windows built-in apps, not even the Store worked. However, Edge and apps like Calendar for some reason do work. So in an attempt to repair this, I messed up the AppData folder's permissions. I had recently installed this context menu button when I right-clicked, that let me take ownership of a folder, so I took the ownership "administrators."
Then, the hidden items check box in the View tab in Explorer suddenly unchecked itself when I checked it. I looked it up online and there it said it had to do with the Administrator account, but hell, I am the admin account on my PC, so this just didn't make sense. Then I read a simple reboot would help, so I rebooted and it was fixed.
This is where I mention my recent installs. Around that time, I installed this new piece of software on my PC, and this software was Bitdefender Total Security. I had replaced my previous antivirus, Avast Internet Security, with this. Now, I highly doubt this program contributed to this in ...

Answer: Help! My pc is getting worse

That last part went wrong somehow, here are the links:
click here
href
10-windowsstore/store-not-opening-in-windows-10-this-app-cant-open/c0de1565-9c33-4604-a1cd-b4ce18b72117?page=2&auth=1
10-windowsstore/windows-10-app-store-will-not-run-cannt-add-a-user/682d6bd8-39ae-4ee4-b0fc-c19027b44552?rtAction=1444233209744&auth=1
storeandappswontopenreregistering/
1-windowsstore/windows-store-app-not-opening-in-windows-81/9882357f-ae86-4e4d-ba37-209aa960063c

7 more replies

Hi,
I made a post about my Windows 7 Explorer crashing; it seems to only happen when I move files from my internal to my external hard drive. It was still happening, nothing I tried fixed it. But NOW it's gotten worse. It's crashing in a loop... every single second. This happens as SOON as I SIGN ON... in seconds it's crashing and looping
and I cannot do a thing but use my internet... I get a message that tells me my program
Fences (Stardock program) has detected that there is a problem with 7, and it disables itself. Then Windows 7 Explorer crashes, sends info, then restarts... If I start a video or a program before it closes (which is seconds) then it will run. I have been up for HOURS trying to get this solved. I have NO clue what is going on. I ran Anti-Spyware free edition, found 8 harmful things, had them deleted. I also ran my Microsoft Essentials... BEFORE that... and it finds nothing... it NEVER does. But Anti does... that confuses me.

SO what is going on? What do I do? PLEASE anyone, I am computer illiterate...
I have Windows 7 (genuine)
32bit Home Premium.
I was trying to get the rest of the info, but I can't as Explorer is completely locked up as I type this... please help, I am so frustrated. I want to make Bill Gates come fix my computer lol... who has his number!?
ALSO! After it crashes and re-opens it keeps bringing up the C drive file location library? Every single time, so now I have a list of these file locations open... also I JUST get a message saying that my firewall is...

Answer: Oh no it's worse! Help!

Can you get into Safe mode instead? If so, does it happen in safe mode?
Safe Mode

Edit:
Do you have a system restore point you can revert to?
http://www.sevenforums.com/tutorials/700-system-restore.html

Oops sorry just read last line of your post.

9 more replies
Question: Bad to Worse.

Hi all,  So not only does the Control Panel on my T520's nVidia card fail to work, but safe mode doesn't either. It gets stuck in a reboot loop for memory reasons. Using last known boot configuration I can get it to boot normally but the networking cards/drivers don't work. They are detected in Windows 7 but ipconfig only gives the Tunneling adapters.  Any ideas? Or should I just send it in for servicing?

Answer: Bad to Worse.

Hi kingofthering
 
If you need to use the machine temporarily or to make sure your Nvidia GPU is defective, you could change the graphics settings in the BIOS to Integrated Graphics.

If you are not technically savvy and/or wish to save the hassle, it's probably good to send it in for servicing.
Have a nice day!
Peter
W520 (4284-A99)

9 more replies

Hi,

I just wanted to start by saying a very big thankyou to all of you that help people on this forum. It is very generous of you and it is appreciated.

I have been infected by this fake security application that says "Windows Security has found critical process activity on your system". It keeps redirecting our web searches. In safe mode I have run Malwarebytes, SUPERAntiSpyware and created a HijackThis log, all before finding this forum. Both these scans found problems initially; however, upon following the instructions of this forum no more were found. I tightened up my ZoneAlarm, resetting it to default and searching programs that try to run as they popped up; mshta.exe was one of the programs.

I have followed the instructions on this web site to the best of my knowledge and I will attach the logs of the various scans. All scans went well except for the ComboFix scan, which ran through to stage 50, flashed a page suggesting it was deleting files and then restarted my computer. I repeated it with the same result.

I now have a message that says "SQL Server could not find the default instance (MSSQLSERVER) - please specify the name of an existing instance on the invocation of sqlservr.exe." whenever I start my computer, and it takes a long time before all the applications are loaded and ready to be accessed. It seems to run faster if the internet is turned off?

I am posting this from another computer.


Here are the logs - Thank you for yo...

Answer: Please Help, it's getting worse

I am not seeing much in the way of malware on your system. Let's do this and see where you are after:

Download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:




R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present --Unless you set this.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present --Unless you set this.

After clicking Fix, exit HJT.

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:



Files to delete:
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Ta...

5 more replies
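The two HijackThis logs on this page are triaged by hand in the replies: the "It's Getting Worse" log shows iety.exe and msbo32.exe in system32, several wscript.exe instances and a tool running out of a Temp directory, and the "Please Help, it's getting worse" reply picks out an R1 ProxyServer pointing at 127.0.0.1 plus orphaned O2/O3 entries and O6 policy lines. The script below puts those same checks into code. It is an added example, not code from this thread, from HijackThis or from The Avenger; the sample log is constructed from lines quoted on this page, and the allowlist of system32 file names is an illustrative assumption, not an authoritative baseline.

```python
"""Triage a HijackThis-style log the way the replies on this page do by hand.

Added example, not code from this thread, HijackThis or The Avenger.  SAMPLE_LOG is
constructed from lines quoted on this page; KNOWN_SYSTEM32 is an assumption.
"""
import re
from collections import Counter

# ASSUMPTION: hand-picked names normally found in %SystemRoot%\system32 on the
# XP/Vista-era machines in these logs.  Real triage compares hashes or Authenticode
# signatures, not bare file names, which any dropper can reuse.
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "wscript.exe", "cscript.exe", "cmd.exe", "notepad.exe",
    "taskeng.exe", "dwm.exe", "wuauclt.exe", "ati2evxx.exe", "hpconfig.exe",
}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

_ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)
# A proxy host that is the local machine itself, e.g. "http=127.0.0.1:50370".
_LOOPBACK_RE = re.compile(r"(?:^|=)(?:127\.\d+\.\d+\.\d+|localhost)(?::\d+)?", re.I)


def parse_log(text):
    """Return (processes, entries): the paths under 'Running processes:' (the block
    ends at the first blank line) and the (code, body) pairs of R/F/O lines."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Return a list of (severity, category, detail) findings, in log order."""
    processes, entries = parse_log(text)
    findings, names = [], Counter()
    for path in processes:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        names[name] += 1
        if "\\temp\\" in low:
            # Anything executing out of a Temp directory deserves a look (this also
            # catches HijackThis itself when it is run straight out of the zip).
            findings.append(("medium", "temp-exec", path))
        elif "\\system32\\" in low and name not in KNOWN_SYSTEM32:
            # Unfamiliar names in system32 (iety.exe, msbo32.exe in the log above)
            # are the classic sign of a dropped component.
            findings.append(("high", "unknown-system32", path))
    for host in SCRIPT_HOSTS:
        if names[host] >= 2:  # several script hosts at once: a script is being re-spawned
            findings.append(("high", "script-host-multi", f"{host} x{names[host]}"))
    for code, body in entries:
        if code == "R1" and (m := _PROXY_RE.search(body)):
            if _LOOPBACK_RE.search(m.group("value")):
                # Every browser request is routed through a local process; unless the
                # user installed a filtering proxy, that process is the malware.
                findings.append(("high", "loopback-proxy", m.group("value")))
        elif code in ("O2", "O3") and "(no file)" in body:
            findings.append(("low", "orphaned-entry", f"{code} - {body}"))
        elif code == "O6":
            findings.append(("medium", "ie-policy-restriction", body))
    return findings


# Constructed from lines quoted in the two 'getting worse' threads on this page.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\iety.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\msbo32.exe
C:\DOCUME~1\ness\LOCALS~1\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\cmd.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

if __name__ == "__main__":
    for severity, category, detail in triage(SAMPLE_LOG):
        print(f"[{severity}] {category}: {detail}")
```

Run as a script it prints one line per finding. The loopback proxy is the one to act on first: with that value set, the browser is already talking to another local process on every request, which is why the reply above has it fixed before anything else. A name allowlist is only a starting point; a HijackThis log records what a process calls itself, so the next step for any flagged path is a hash or signature check of the file on disk.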