How to scrap sdra64.exe from your computer
Version: 14.2b
Revision: 15 Build 35
Introduction: when I was at my friend’s house, his computer was sick beyond repair. So, I told him to get off his computer and let me handle his half-broken system. However, it took me hours to remove the infected files and directories.
1.] Download ComboFix from one of these websites and rename it to: Combo-Fix.exe.
You don't need to run it yet. If you run it now, there is a chance that ComboFix will crash.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
Warning: it's highly recommended that you disable all anti-virus software before using ComboFix.
Notes: if you want to use ComboFix.exe, please install the Microsoft Recovery Console from your Windows XP CD. You must be connected to the Internet before downloading.
2.] Click on the given link and download: Process Explorer – http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Notes: if the link is broken, please remove “bb896653.aspx” and find ‘Process Explorer.’ It’s not that hard…
3.] Run Process Explorer and look for this (hidden) process: sdra64.exe.
This process normally hides itself inside "winlogon".
4.] Press CTRL+F on your keyboard and search for: sdra64.exe.
5.] Double-click the search result. It will be listed under 'winlogon.' Do NOT end the winlogon process itself! Instead, highlight the "sdra64.exe" entry and shut it down.
6.] On the menu bar, select: Handle >> Close Handle. After that, you can delete the file.
7.] Click Start >> Run >> Type: Regedit
8.] Expand each folder and look for this registry location…
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
9.] Look for this registry value and modify it with caution.
Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
- Delete the second, comma-separated part (the sdra64.exe path) and accept the changes, so the value reads:
Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,
10.] Close the Registry Editor and rename sdra64.exe to sdra64.vir. After that, use "Notepad" to make a text file for Combo-Fix.exe (the renamed copy, to avoid it being shut down).
———— Copy Text —————
FileLook::
c:\Program Files\mb.exe

Collect::
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\uyuxexiv.dll
c:\windows\Kqigisucejalafo.dll
c:\windows\system32\sdra64.exe

Folder::
c:\windows\system32\lowsec
———— End —————
11.] Save this as: “CFScript.txt”.
12.] Drag the text file to Combo-Fix.exe and let it remove the infected files.
Notes: your desktop may go blank. This is normal, and it will return when ComboFix is done scanning. Make sure that you are connected to the Internet. After that, follow the prompts for any updates or questions.
Warning: do not click on the ComboFix window whilst it's running. That may cause it to stall.
13.] Let the application disinfect your system. All you need to do is make a cup of tea or coffee and keep an eye on your computer.
14.] Check ComboFix's log file and look at the removal section. Make sure that the following infected files and folders have been deleted:
c:\windows\Kqigisucejalafo.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\uyuxexiv.dll
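One way to do the check in step 14 without reading the log by eye, as an added example that is not part of the original guide: parse the log into its sections, collect the paths listed under the deletion section, and report any of the six expected items that are missing. The expected paths are the guide's own. The sample log is constructed for this example and only approximates ComboFix's layout (the assumption is that section titles sit between runs of parentheses and that deleted items are listed one per line under "Other Deletions"); the function names are this example's own.

```python
"""Added example (not from the original guide): confirm from a ComboFix-style
log that every file and folder in step 14 appears in the deletion section."""
import re
import sys

# Files and folders the guide expects ComboFix to have removed (step 14).
EXPECTED_REMOVED = [
    r"c:\windows\Kqigisucejalafo.dll",
    r"c:\windows\system32\lowsec",
    r"c:\windows\system32\lowsec\local.ds",
    r"c:\windows\system32\lowsec\user.ds",
    r"c:\windows\system32\sdra64.exe",
    r"c:\windows\uyuxexiv.dll",
]

# Constructed sample log. It deliberately lacks sdra64.exe so the checker has
# something to report. Layout is an approximation of a real ComboFix log.
SAMPLE_LOG = r"""ComboFix 10-01-01.01 - Owner 01/01/2010  12:00:00.1.1 - x86  (constructed sample)
.
((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))
.
c:\windows\Kqigisucejalafo.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\uyuxexiv.dll
.
((((((((((((((((((((((((((((((((   Files Created from 2009-12-01 to 2010-01-01   ))))))))))))))))))))))))))))))))
.
2010-01-01 12:00 . 2010-01-01 12:00    --------    d-----w-    c:\documents and settings\Owner\Local Settings\Application Data\Malwarebytes
.
"""

# A section header: a run of '(' , the title, a run of ')'.
HEADER_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}\s*$")
# A line that is just a Windows path (drive letter, colon, backslash).
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def log_sections(text: str) -> dict[str, list[str]]:
    """Map each section title to the lines that follow it, up to the next header."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        match = HEADER_RE.match(line.strip())
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections


def deleted_paths(text: str) -> list[str]:
    """Paths listed under 'Other Deletions'; lines elsewhere in the log do not count."""
    lines = log_sections(text).get("Other Deletions", [])
    return [line for line in lines if PATH_RE.match(line)]


def missing_removals(text: str, expected: list[str] = EXPECTED_REMOVED) -> list[str]:
    """Expected items that the log does not record as deleted (case-insensitive,
    since Windows paths are). An empty list means step 14 checks out."""
    removed = {path.lower() for path in deleted_paths(text)}
    return [path for path in expected if path.lower() not in removed]


def check_log_file(path: str) -> list[str]:
    """Run the check against a real log file (ComboFix normally writes C:\ComboFix.txt)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return missing_removals(fh.read())


if __name__ == "__main__":
    missing = check_log_file(sys.argv[1]) if len(sys.argv) > 1 else missing_removals(SAMPLE_LOG)
    if missing:
        print("Not recorded as deleted; check them by hand:")
        for path in missing:
            print("  ", path)
    else:
        print("All expected files and folders were removed.")
```

Run it with the path to the real log as the only argument; with no argument it runs against the constructed sample and reports that sdra64.exe is not in the deletion section, which is exactly the case where you would go back and look for the file (or the renamed sdra64.vir) yourself.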
15.] Go back to the registry and check "Userinit" for any unwanted modification.
Normal: Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Infected: Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
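The Userinit check from steps 9 and 15, as an added example that is not part of the original guide: the value is a comma-separated list of programs Winlogon starts at logon, so the check is to split it, treat the one legitimate userinit.exe entry as expected, and flag everything else, then produce the cleaned value to write back. The registry key, the normal value and the infected value are taken from the guide; the helper names and the optional live read through Python's winreg module are this example's own.

```python
"""Added example (not from the original guide): inspect a Winlogon 'Userinit'
value for entries appended beside the legitimate userinit.exe, which is how
sdra64.exe persists, and compute the cleaned value from step 9."""
import ntpath
import sys

# Registry location from step 8 (under HKEY_LOCAL_MACHINE).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# The only entry that belongs in Userinit on Windows XP (from the guide).
EXPECTED_USERINIT = r"C:\WINDOWS\SYSTEM32\Userinit.exe"

# Sample values copied from the guide: the normal and the infected form.
NORMAL_VALUE = r"C:\WINDOWS\SYSTEM32\Userinit.exe,"
INFECTED_VALUE = r"C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,"


def _canon(path: str) -> str:
    """Canonical form for comparing Windows paths: collapse doubled separators
    and ignore case, since Windows paths are case-insensitive."""
    return ntpath.normcase(ntpath.normpath(path.strip()))


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated value into its non-empty entries. The
    legitimate value ends with a trailing comma, so empty pieces are dropped."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def unexpected_entries(value: str, expected: str = EXPECTED_USERINIT) -> list[str]:
    """Every entry that is not the expected userinit.exe. Each one is a program
    Winlogon will launch at every logon, which is the persistence being checked."""
    return [e for e in parse_userinit(value) if _canon(e) != _canon(expected)]


def clean_userinit(value: str, expected: str = EXPECTED_USERINIT) -> str:
    """The value step 9 tells you to write back: the legitimate entry only, with
    its trailing comma. Keeps the original spelling of that entry if present,
    otherwise falls back to the expected default."""
    kept = [e for e in parse_userinit(value) if _canon(e) == _canon(expected)]
    return (kept[0] if kept else expected) + ","


def read_live_userinit() -> str:
    """Read the real value on a Windows host. Assumption: the winreg module is
    available (it is part of the standard library on Windows only)."""
    if sys.platform != "win32":
        raise OSError("Userinit lives in the Windows registry only")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # On Windows, inspect the live registry; elsewhere, demonstrate on the guide's sample.
    value = read_live_userinit() if sys.platform == "win32" else INFECTED_VALUE
    extra = unexpected_entries(value)
    if extra:
        print("Userinit has unexpected entries:", extra)
        print("Value to set in Regedit:", clean_userinit(value))
    else:
        print("Userinit looks normal:", value)
```

The comparison goes through ntpath so that a doubled backslash or a different letter case (C:\WINDOWS\system32\userinit.exe versus C:\WINDOWS\SYSTEM32\Userinit.exe) is still recognised as the legitimate entry; only a genuinely different path is reported. The script reads the registry and never writes it, so the change in step 9 is still yours to make in Regedit.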
16.] Download CCleaner and delete all of your computer's temporary files and Internet files.
17.] Reboot your computer and re-enable all of your security settings.
Recommended procedure: I would suggest that you download "MalwareBytes" and do a full system scan. It's important to keep a backup of another anti-virus. You cannot trust just one… you need 2 just to keep things low!
http://www.malwarebytes.org/
Notes: to remove ComboFix from your computer, use this command from the Run box.
Type: combofix /u
18.] Finish!
Copyrighted by Lair360