Version: 14.2b
Revision: 15 Build 35
How to remove sdra64.exe from your computer.
Introduction: When I was at my friend’s house, his computer was really unhealthy! So, I told him to get off his computer and let me handle his machine. Nevertheless, it took me hours to remove these infected files and directories.
1.] Download ComboFix from one of these websites and rename it to: Combo-Fix.exe.
However, you don’t need to run it yet. If you do, there is a chance that Combo-Fix will be shut down!
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
Warning: It’s highly recommended that you disable all anti-virus software before you use ComboFix.
Notes: if you want to use ComboFix.exe, you must install Microsoft Recovery Console with your Windows XP CD. However, you must be connected to the internet to download the latest Recovery Console Updates.
2.] Click on this link and download: Process Explorer – http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Notes: if the link is broken, please remove “bb896653.aspx” from the address and find “Process Explorer”.
3.] Execute the program and look for this hidden process: sdra64.exe
Notes: this process hides itself under “Winlogon”.
4.] Press CTRL+F on your keyboard and type: sdra64.exe.
5.] Double-click the search result; it should be listed as winlogon. However, don’t end the actual process! You need to highlight “sdra64.exe” in the second box and end the infected process.
6.] On the toolbar select Handle >> Close Handle. After that, you can delete the file.
7.] Click Start >> Run >> Type: Regedit
8.] Expand each folder and look for this registry location…
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
9.] Look for this registry value and modify it with caution.
Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
- You need to delete the second part (the sdra64.exe path) and accept the changes.
Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,
10.] Close the registry editor and rename sdra64.exe to sdra64.vir. After that, use “Notepad” to make a TXT file for Combo-Fix.exe (the renamed version, to avoid shutdown).
———— Copy Text —————
FileLook::
c:\Program Files\mb.exe

Collect::
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\uyuxexiv.dll
c:\windows\Kqigisucejalafo.dll
c:\windows\system32\sdra64.exe

Folder::
c:\windows\system32\lowsec
———— End —————
11.] Save this as: “CFScript.txt”.
12.] Drag the text file to Combo-Fix.exe and let it remove the infected files.
Notes: your desktop may go blank. This is normal, and it will return when ComboFix is done. Make sure that you are connected to the internet and click OK.
After that, just follow the prompts for any updates.
Warning: do not mouse-click ComboFix’s window whilst it’s running.
That may cause it to stall.
13.] Let the application remove the threats.
All you need to do is make a cup of tea or coffee and keep an eye on your computer.
14.] Check your ComboFix log files and take a look at the removal area.
Make sure that the following infected files and folder are deleted.
c:\windows\Kqigisucejalafo.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\uyuxexiv.dll
15.] Go back into the registry and check “Userinit” for any unwanted modification.
Normal: Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Infected: Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
16.] Download CCleaner and delete all of your computer’s temporary files and internet files.
17.] Reboot your computer and re-enable all of your security settings.
Recommended procedure: I would suggest that you download “MalwareBytes” and do a full system scan. It’s important to keep another anti-virus as a backup. You cannot trust just one… you need 2 just to keep things low!
http://www.malwarebytes.org/
Notes: to remove ‘ComboFix’ from your computer, please use this command from the Run Box.
Type: combofix /u
18.] Finish!
Copyrighted by Lair360 – 2009
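The registry and file checks from steps 14 and 15, as an added PowerShell example that is not part of the original guide: it reads the Winlogon Userinit value, flags every entry other than userinit.exe, and reports which of the listed paths still exist. The helper name Test-UserinitValue is hypothetical, the sample string is constructed from the "Infected" value in step 15, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit. It reports findings and changes nothing.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'

# Hypothetical helper: split a Userinit value and mark each entry as
# expected (the stock userinit.exe) or not.
function Test-UserinitValue {
    param([string]$Value, [string]$Expected)
    # Userinit is a comma-separated list of programs Winlogon starts at logon.
    foreach ($entry in ($Value -split ',')) {
        $path = $entry.Trim().Trim('"')
        if (-not $path) { continue }   # empty piece after the trailing comma
        # Collapse doubled backslashes so SYSTEM32\\Userinit.exe still matches.
        $normalized = $path -replace '\\{2,}', '\'
        [pscustomobject]@{
            Entry    = $path
            Expected = ($normalized -eq $Expected)   # -eq ignores case
        }
    }
}

# Paths the guide lists under step 14.
$artifacts = @(
    'c:\windows\Kqigisucejalafo.dll',
    'c:\windows\system32\lowsec',
    'c:\windows\system32\lowsec\local.ds',
    'c:\windows\system32\lowsec\user.ds',
    'c:\windows\system32\sdra64.exe',
    'c:\windows\uyuxexiv.dll'
)

# Constructed sample: the "Infected" value from step 15, checked offline.
$sample = 'C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,'
Test-UserinitValue -Value $sample -Expected 'C:\WINDOWS\system32\userinit.exe' |
    Format-Table -AutoSize | Out-String

# Live check on this machine.
$value   = (Get-ItemProperty -Path $key -Name Userinit).Userinit
$entries = @(Test-UserinitValue -Value $value -Expected $expected)
$extra   = @($entries | Where-Object { -not $_.Expected })
$present = @($artifacts | Where-Object { Test-Path -LiteralPath $_ })

"Userinit = $value"
if ($extra.Count -or $present.Count) {
    Write-Warning "Unexpected Userinit entries: $($extra.Count); listed paths present: $($present.Count)"
    $extra.Entry
    $present
} else {
    'Userinit holds only userinit.exe and none of the listed paths exist.'
}
```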








I know a dll file, but what is a .ds file?
Hi! In my database, the “.ds” file is used by Microsoft SQL Server.