How to remove sdra64.exe from your systems

Version: 16c
Revision: 42 Build 113

Introduction:
When I was testing this malware on my crappy computer, I found a slight weakness in these infected files: “a.exe, b.exe and sdra64.exe”. It seems to download other stuff from the web and install it on your system without your permission. But it’s a total nightmare, as I had to spend five hours removing these parasites from eating your computer!

Right, let’s get ready: print this document from another machine if the infection has disabled your wireless / LAN connection. But you’ve got to read these instructions carefully and not rush! Also, I did all of this work / analysis from scratch, so you don’t have to fiddle about and get frustrated. Just read this article slowly and make sure you do each step correctly…

—————————–

1.] Remove all P2P sharing software from your computer.
—————————–
uTorrent
Azureus
eMule
etc…

—————————–

Notes: most of the time, the files you have downloaded this way are pirated software. They may also be bundled with malware; this could well be how you were infected. Get the point?

2.] Open Notepad.exe / Notepad++.exe and copy one of the two scripts below (the second one is the alternative referred to in Step 5). After that, go to “File >> Save As” and use the file name: Fix-XP.bat.
You will also need to change “Save as type” to “All files” and save it to your desktop.

Script 1 (restores eventlog.dll):

@echo off
copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll c:\eventlog.dll
Exit

Script 2 (restores scecli.dll):

@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
Exit

3.] Double-click on Fix-XP.bat and let it repair your Event Log service.

4.] At this point, you’ll need to download: “The Avenger” by Swandog46 to your Desktop.
—————————
- Right click on the Zip folder and select “Extract All…”
- Follow the prompts and extract Avenger to your desktop

http://swandog46.geekstogo.com/avenger2

5.] Copy the matching script below and paste it into Avenger’s Script Box. If you used the second script in “Step 2”, then you’ll need to use the second one here as well. But please don’t use both, or else there will be some confusion on your system.
—————————

Script 1 (begin copying here):
Files to move:
c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Script 2 (begin copying here):
Files to move:
c:\scecli.dll | C:\WINDOWS\system32\scecli.dll

—————————

6.] Click on Execute

7.] Answer “Yes” twice when prompted.

Notes: just to let you know, the system will restart twice. You don’t have to panic… it’s normal…

8.] Download ComboFix from one of these websites and rename the application as you download it!
—————————
If you are using Firefox, make sure that your download settings are as follows:

* Tools >> Options >> Main tab
* Set to “Always ask me where to Save the files”.

http://www.forospyware.com/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.combofix.org/download.php

Important: you’ll need to rename ComboFix to Combo-Fix.
It is important that you rename ComboFix during the download, not afterwards.

Warning: before you continue, please disable your anti-virus, script blocker and any anti-malware (real-time) protection before the scan. These security applications may interfere with ComboFix or remove some of its embedded files, which may cause “irregular results”. Also, do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.

9.] Double click on Combo-Fix.exe and follow the prompts.

10.] When everything is done, ComboFix will generate a text file (a log) listing what it removed.

11.] Now, copy this script and save it to your desktop.

File Saved As: CFScript.txt
—————————

Collect::
c:\windows\svchasts.exe
c:\windows\system32\desote.exe
c:\windows\ucyzy.dat
c:\program files\Common Files\wapibosogi.lib
c:\AutoRun.vbs
c:\windows\Fonts\AcadEref.ttf
c:\windows\Installer\c62d6.msp
c:\windows\system32\drivers\rotscxltmrssww.sys
c:\windows\system32\drivers\_rotscxltmrssww_.sys.zip
c:\windows\system32\rotscxobwwavmy.dll
c:\windows\system32\rotscxoqfqjruf.dat
c:\windows\system32\rotscxqoeniplv.dat
c:\windows\system32\rotscxylltpkql.dll
c:\windows\system32\twain.dll
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Installer\550c37.msi
c:\windows\oqixovevu.scr
c:\windows\orabuj.inf
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\documents and settings\All Users\Documents\cejik.sys
c:\documents and settings\All Users\Documents\koqely.reg
c:\documents and settings\All Users\Documents\oqijatuzu.exe
c:\documents and settings\All Users\Documents\qyxazemose.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\minix32.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tapi.nfo
c:\windows\system32\userini.exe

Folder::
c:\program files\Windows Police Pro

DirLook::
c:\program files\awesome
C:\b624c1897f972641605426d99d3538

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

RegNull::
[HKEY_USERS\S-1-5-21-2186207459-4142083742-1883771569-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AF49AC62-35CC-90AD-1EC3-2AE9C244CBB5}*]

12.] Drag CFScript.txt into Combo-Fix.exe

Notes: when ComboFix finishes running, a log will pop up. Please don’t be alarmed! It’s normal for ComboFix…

13.] Download OTL from this website…
—————————

http://oldtimer.geekstogo.com/OTL.exe

—————————

14.] Run the program and paste this script into the “Custom Scans/Fixes” box.
—————————

:OTL
SRV - (RDPRGOSK [Disabled | Stopped]) -- File not found
[2009/08/28 17:01:10 | 00,017,976 | ---- | M] () -- C:\WINDOWS\ugyl.db
[2009/08/28 17:01:10 | 00,014,776 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\okebihyk.db
[2009/08/28 17:01:10 | 00,013,269 | ---- | M] () -- C:\Documents and Settings\tim\Application Data\epujap.db
[2009/08/28 17:01:10 | 00,012,616 | ---- | M] () -- C:\Documents and Settings\tim\Local Settings\Application Data\ybopot.lib

:Services

:Reg

:Files

:Commands
[purity]
[emptytemp]
[Reboot]

—————————

15.] Click the Run Fix button, which is located in the top-left corner.

Notes: let the program run; reboot the PC when it is done.

16.] Download Malwarebytes from one of these links and follow the prompts.
—————————

http://www.malwarebytes.org/mbam-download.php

http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml

Notes: please do a deep scan and make sure that your database is up-to-date!
Also, if it asks you to restart the computer, please do so immediately.

17.] Last but not least, copy this script and save it as: CFScript.txt
—————————

KillAll::

File::
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FGQ0JB3M\111_[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PH0SB3VN\lexus111[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QIS2LMNX\file[1].exe

Reboot::

—————————

18.] Drag the script into Combo-Fix.exe

19.] Now you’ll need to clean up your computer. But don’t worry, you’re nearly there!

- Click Start >> Run >> Type: Combofix /u
- Click OK

20.] Go back and look for OTL. Then double-click on OTL.exe and run it.

21.] Click on the CleanUp! button.

Notes: you will be asked to reboot the machine to finish the CleanUp process. If you are asked to reboot the machine, choose Yes.

22.] Finish!

Good Work! You have done a great job!!

Copyrighted By Lair360




How to remove System32.exe and Userinit.exe

Version: 52.8
Revision: 68 Build 16

Introduction:
This virus was designed by a Vietnamese citizen. He is a criminal hacker who is trying to distribute fake files to corrupt other users’ computers and your system32 sub-directories.

Part One: remove Userinit.exe and System32.exe
———————————
1.] Download Avira Anti-Virus [Free Edition].
————————–

http://avira.com

http://softpedia.com

————————–

2.] Execute the application and scan your computer.
But if you want to do it faster, you can scan just these directories.

Right click on these folders and files and scan them with Avira.
————————–
C:\Windows\
C:\Windows\System32
C:\Windows\System32\System32.exe
C:\windows\system32\dllcache\win32\winlogon.exe
C:\windows\system32\dllcache\win32\csrss.exe

Notes: let the software kill all of the processes. Don’t hit the Ignore button!
Also, don’t forget to hit the Delete button when the scan engine has found an infected file!

3.] Erase all of these items on your USB stick with Avira (see “Items to be removed from USB memory sticks” below).
If you leave them alone, they will regenerate the virus, which means you’ll need to repeat step five!

Part Two: modify the Windows Shell and Userinit registry values
———————————

Warning: once you reboot without userinit.exe and system32.exe, Windows cannot log on successfully!
So please don’t stop and wander off at stage three…

Notes: to locate these files, please follow these instructions.
————————–
a.] In “Folder Options”, hit the “View” tab and select or un-tick these options.

Hidden files and folders >> select: Show hidden files and folders.
Hidden files and folders >> un-tick: Hide protected operating system files (Recommended).

Items to be removed from USB memory sticks.
————————–
Autorun.inf
Secret.exe
Phimnguoilon.exe / Phim nguoi lon.exe
————————–

4.] Fix the registry value at this location…

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

a.] Click on Userinit (REG_SZ)
b.] Right click and select “Modify…”
c.] Change the path.

Important: include the trailing comma. Also be aware that this assumes Windows was installed in C:\Windows; the Userinit.exe file actually lives in the System32 folder. You may want to verify that as well.

Wrong: C:\Windows\userinit.exe
Right: C:\Windows\System32\userinit.exe,


Important: you must make sure that the registry location and path are correct before the first reboot. If you leave it unchanged, Windows logon is completely disabled. So please double check before you hit the “Restart” button!!

Advice: for better performance, you can also put ‘Userinit.exe’ into this registry location. It will boot faster after the reboot.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon

a.] Go to Start >> Run and enter: regedit.
b.] Navigate to the corresponding registry location.
c.] In the left panel, look for ‘Winlogon’ and move your mouse to the right panel.
d.] Right click and select New >> String Value
e.] Name it ‘Userinit’ (without the quotes).
f.] Right click on your new string value and select: Modify
g.] Copy the ‘value data’ which is shown underneath…
————————–
C:\Windows\System32\userinit.exe,
————————–

Important: as above, include the trailing comma, and verify that Userinit.exe really is in C:\Windows\System32 on your machine.

h.] Paste the data; click ‘OK’ and exit the registry.

After the reboot, use IObit Windows Care Personal and CCleaner to repair, clean and remove all the junk files.

5.] Reboot and run Avira again.

Warning: check your registry entries again for any changes and repeat steps four and five. You don’t have to run the anti-virus again.

Part Three: double check your folders for “system32.exe and csrss.exe”
———————————
Problems: most users also have their ‘Shell’ registry value infected with a file called System32.exe. To solve this problem, continue and clear this hidden virus.

1.] Since Avira removed the file System32.exe (“C:\Windows\System32\system32.exe”), you have to go to the registry and fix the value. But don’t you dare delete the registry entries!!

a.] Click Start >> Run >> Type: regedit >> Click OK or press Enter.
b.] Navigate through the registry folders and look for this registry location…

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Notes: look for a value called “Shell” [without the quotes].

2.] Right click on the value, select Modify, delete the entire existing data of “Shell” and enter this instead: explorer.exe

3.] After this process, please reboot your computer ‘again’ and let the new setting take effect!

4.] Your computer is ready to go!

Background history of “csrss.exe”

Introduction: firstly, the legitimate ‘csrss.exe’ file should be in “C:\Windows\System32\” or “C:\Windows\system32\dllcache”. It shouldn’t be in the ‘config’ directory, in “C:\windows\system32\dllcache\win32\csrss.exe” or anywhere else…

Notes: change the paths in these registry values to the correct ones…

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = ‘C:\Windows\System32\userinit.exe,’ (REG_SZ)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell= “explorer.exe” (REG_SZ)

Notes: if these values are missing, re-create them.

This is the registry entry to delete…

1.] Go to this directory: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\…

2.] Look under “Image File Execution Options” folders and locate this sub-folder: “explorer.exe” [without the quotes]

Notes: the malware creates the sub-key “explorer.exe” with this value under it:
Debugger=c:\windows\csrss.exe

3.] Delete it!

Optional – Part four: use ComboFix.exe to fix / remove other viruses
———————————
1.] Download ComboFix from these links…
———————————
ComboFix: http://www.combofix.org/
Mirror: http://subs.geekstogo.com/ComboFix.exe
———————————

2.] Make a folder in your C:\ drive.
3.] Drag your ComboFix.exe into that folder.
4.] Disable all anti-virus applications, anti-spyware applications and all software with a HIPS function.

Notes: if you want to safely disable their system guard so that ComboFix.exe can clean your computer, I would recommend disabling it in the “Computer Management” console.

Click Start >> Right click: My Computer >> Select: Manage >> Services and Applications >> Services

5.] Double check that your security guards are disabled. After that, execute ComboFix.

Notes: ComboFix will warn you if you haven’t disabled the security guards. Click OK if you have already disabled the shield…

6.] The scanner will trigger another box which contains a list of infected files.

7.] After the scan, it will ask you to reboot your computer. All you need to do is click the “Ok” button or hit the “Enter” key (on your keyboard).

8.] After the reboot, don’t touch anything and let it remove these parasites!
The files which will be removed are shown in ComboFix.

9.] When everything is cleared and dusted, you’ll need to wait for a while.
This is because the application is generating a ‘Log.txt’ file about the ComboFix removal process.

10.] Install CCleaner and clear your Internet Explorer + Firefox temporary files and internet system cache.

Part five: remove ComboFix.exe from your computer
———————————
1.] Click Start >> Run >> Type: Combofix /u
2.] Click Ok or press “Enter” on your keyboard
3.] Disable your System Restore and re-enable it…
4.] Re-activate your ‘System Shield’ and reboot your computer.
5.] Finish!

Copyrighted by Lair360




How to remove windowsclick infection

Version: 39.2
Revision: 46 Build 154

Introduction:
This malware had infected my machine and I didn’t notice it. But when I was searching Google with Firefox, the links redirected me to a nasty website that served fake anti-virus.

Right, let’s get to work and get this out of your system before it is too late!

1.] Download this software with “Firefox” and save it to your C:\ drive.

Important: look at the ComboFix procedure if everything else fails.
After the repair, follow this guide again for a complete scan and removal.

Notes: if you’re using Firefox as your main browser, you’ll need to right-click the links and open them in a new tab. If you don’t, the malware will redirect you to another site.
————————-
Avira Free Edition: http://www.avira.com/en/pages/index.php
Mirror: http://filehippo.com/download_antivir/

ComboFix: http://www.combofix.org/
Mirror: http://subs.geekstogo.com/ComboFix.exe
Mirror: http://www.forospyware.com/sUBs/ComboFix.exe
Mirror: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

SpywareTerminator: http://spywareterminator.com

CCleaner: http://filehippo.com/download_ccleaner/
————————–

Part One: remove Trojan.Agent.RL and RKIT/TDss.eyj.xxx
————————–
2.] Install SpywareTerminator and Avira.
3.] Update their database.

Notes: if you encounter an error with SpywareTerminator Shield, please ignore it and use the scanner…

4.] Do a “Quick Scan” (Fast Spyware Scan) with SpywareTerminator.
5.] Remove all infected files and this file: CmdLineExt03.dll
6.] Exit SpywareTerminator and click on Avira Anti-Virus. The application is located in your Windows taskbar (red umbrella icon).
7.] Double click on the application and select: Local Protection >> Scanner >> Rootkit Search
8.] Select all available drives and run the scan…

Notes: if the application asks you for permission, just select “Quarantine” and continue.

Similar infected files…
————————–

c:\windows\system32\uacrvkuvdgg.dll
c:\windows\system32\drivers\uaccseutoro.sys
————————–

9.] When Avira has finished removing the “backdoor-rootkit” infection, click No and cancel the reboot…

10.] Right click on Avira and disable “AntiVir Guard”.

Advice: press Ctrl + Alt + Del to bring up Task Manager. After that, select the second tab (Processes) and look for this process: Avguard.exe. Don’t worry about the errors… this is only for the ComboFix procedure…

Notes: leave your internet connection enabled for ComboFix.exe
————————–

Part Two: remove UACcseutoro.sys and acovcnt.exe
————————–
11.] Make a folder on your C:\ drive.
12.] Drag your ComboFix into that folder and rename it to: FixCombo.exe.

Notes: if it doesn’t work, please use this method for execution!
————————–
Right click on the actual link and click “Save Link As”. After that, rename the file to one of these names. If that doesn’t work either, just make one up…

Renamed files: tool.exe | Fixfile.exe | toolb.exe | FixCombi.exe | FixCombo.exe

13.] Execute the application.
14.] ComboFix will warn you if you haven’t disabled Avira. Click OK if you have already disabled Avira’s shield.
15.] The scanner will trigger another box which contains a list of infected files. The list will look like this…
Notes: I’ve put two different lists. This is because the malware can change its name with random characters. But they can be detected by ComboFix without any problems…

c:\windows\system32\acovcnt.exe
c:\windows\system32\drivers\UACcseutoro.sys
c:\windows\system32\UACalwoglkx.dll
c:\windows\system32\UACbdkqyjia.log
c:\windows\system32\UACktlsummn.log
c:\windows\system32\UACndsuqqrv.log
c:\windows\system32\UACplaqlmxs.dat
c:\windows\system32\UACrvkuvdgg.dll
c:\windows\system32\UACtfiwcpqk.dll
c:\windows\system32\UACwkmlpjat.dll
——————————————————————-
c:\windows\system32\drivers\UACtnfmndkx.sys
c:\windows\system32\tmp67.tmp
c:\windows\system32\UACblevabwi.log
c:\windows\system32\UACefnatakr.dll
c:\windows\system32\UACfsaprdmv.dll
c:\windows\system32\UACkjfmxcxi.dll
c:\windows\system32\UAClwnqcbve.dat
c:\windows\system32\UACnfwquyvx.log
c:\windows\system32\UACrjghjnnw.log
c:\windows\system32\UACsdntxukq.dll
c:\windows\temp\uac52f0.tmp

17.] After the scan, it will ask you to reboot your computer.
All you need to do is click the “Ok” button or hit the “Enter” key (on your keyboard).

18.] At the next reboot, don’t touch anything and let it remove these pests!
The files which will be removed are shown in ComboFix…
————————–
c:\documents and settings\Userfolder\Application Data\inst.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\AutoUpdateWin31.dll
c:\windows\IE4 Error Log.txt
c:\windows\system32\acovcnt.exe
c:\windows\system32\drivers\UACcseutoro.sys
c:\windows\system32\UACalwoglkx.dll
c:\windows\system32\UACbdkqyjia.log
c:\windows\system32\UACktlsummn.log
c:\windows\system32\UACndsuqqrv.log
c:\windows\system32\UACplaqlmxs.dat
c:\windows\system32\UACrvkuvdgg.dll
c:\windows\system32\drivers\UACtnfmndkx.sys
c:\windows\system32\tmp67.tmp
c:\windows\temp\uac52f0.tmp
c:\windows\system32\UACblevabwi.log
c:\windows\system32\UACefnatakr.dll
c:\windows\system32\UACfsaprdmv.dll
c:\windows\system32\UACkjfmxcxi.dll
c:\windows\system32\UAClwnqcbve.dat
c:\windows\system32\UACnfwquyvx.log
c:\windows\system32\UACrjghjnnw.log
c:\windows\system32\UACsdntxukq.dll
c:\windows\system32\UACtfiwcpqk.dll
c:\windows\system32\UACwkmlpjat.dll
K:\Autorun.inf
————————–

19.] When everything is cleared and dusted, you’ll need to wait for a while.
This is because the application is generating a ‘Log.txt’ file about the ComboFix removal process.

20.] Install CCleaner and clear your Internet Explorer + Firefox temporary files and internet system cache.

Part Three: remove ComboFix.exe from your computer
————————–
21.] Click Start >> Run >> Type: Combofix /u
22.] Click Ok or press “Enter” on your keyboard
23.] Disable your System Restore and re-enable it…

Click Start >> Control Panel >> System >> System Restore

24.] Exit “System Properties” and go to Microsoft.com for new updates to stop these threats from killing your computer…

Alternative method to remove “windowsclick” if your PC is seriously infected…
————————–
1.] Insert your Windows XP disk into your CD-ROM drive.
2.] Wait for it to load and press ‘R’ to boot into the Recovery Console.
3.] When the console is ready, press 1 if you only have one “Windows XP” installation on the hard drive, then hit “Enter”.
4.] Type in the Administrator’s password and hit “Enter”.
5.] Now type this command: listsvc and press “Enter” on your keyboard.
6.] Look for a service called: UACD.sys / UACd.sys
7.] Press “ESC” to stop the listing and go back to the ‘cmd’ prompt.
8.] Now all you need to do is type this: “disable UACd.sys” (without the quotes).
9.] Exit the Recovery Console; don’t forget to take your XP CD out, then reboot the computer.
10.] Go back to stage “ONE” and remove this idiot virus!

Copyrighted By Lair360




How to remove sdra64.exe from your computer

Version: 14.2b
Revision: 15 Build 35

Introduction:
When I was at my friend’s house, his computer was really unhealthy! So I told him to get off his computer and let me handle his machine. Nevertheless, it took me hours to remove these infected files and directories.

1.] Download ComboFix from one of these websites and rename it to: Combo-Fix.exe.
However, you don’t need to run it yet. If you do, there is a chance that Combo-Fix will be shut down!

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/ComboFix.exe

Warning: it’s highly recommended that you disable all anti-virus before you use ComboFix.

Notes: to use ComboFix.exe, you must install the Microsoft Recovery Console from your Windows XP CD. You must also be connected to the internet to download the latest Recovery Console updates.

2.] Click on this link and download: Process Explorer – http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Notes: if the link is broken, remove “bb896653.aspx” from the URL and search for “Process Explorer”.

3.] Execute the program and look for this hidden process: sdra64.exe

Notes: this process hides itself under “Winlogon”.

4.] Press CTRL+F on your keyboard and type: sdra64.exe.

5.] Double click on the search result; it should be listed under winlogon. However, don’t end the winlogon process itself! You need to highlight “sdra64.exe” in the lower pane and end the infected process.

6.] On the menu bar select Handle >> Close Handle. After that, you can delete the file.

7.] Click Start >> Run >> Type: Regedit

8.] Expand each folder and look for this registry location…

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

9.] Look for this registry value and modify it with caution.

Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,

- Delete the second entry (C:\WINDOWS\system32\sdra64.exe,) so that the value reads as shown below, and accept the changes.

Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,

10.] Close the registry editor and rename sdra64.exe to sdra64.vir. After that, use “Notepad” to make a text file for Combo-Fix.exe (the renamed copy, to avoid it being shut down).

———— Copy Text —————

FileLook::
c:\Program Files\mb.exe

Collect::
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\uyuxexiv.dll
c:\windows\Kqigisucejalafo.dll
c:\windows\system32\sdra64.exe

Folder::
c:\windows\system32\lowsec

———— End —————

11.] Save this as: “CFScript.txt”.

12.] Drag the text file to Combo-Fix.exe and let it remove the infected files.

Notes: your desktop may go blank. This is normal and it will return when ComboFix is done. But make sure that you are connected to the internet and click OK.
After that, just follow the prompts for any updates.

Warning: do not mouse-click ComboFix’s window whilst it’s running.
That may cause it to stall.

13.] Let the application remove the threats.
All you need to do is make a cup of tea or coffee and keep an eye on your computer.

14.] Check the ComboFix log and look at the removal section.
Make sure that the following files were deleted.

c:\windows\Kqigisucejalafo.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\uyuxexiv.dll

15.] Go back into the registry and check “Userinit” for any unwanted modification.

Normal: Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,
Infected: Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
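As an added check (this is not part of Lair360’s guide): the Python script below applies the Userinit rule from step 15, plus the Shell and Image File Execution Options checks from the System32.exe / csrss.exe guide earlier on this page, to registry values. It assumes Windows is installed in C:\Windows; on Windows it reads the live values through winreg, elsewhere it runs against a constructed sample containing the infected values quoted on this page.

```python
try:
    import winreg  # stdlib, Windows only
except ImportError:
    winreg = None

# Defaults for Windows XP installed in C:\Windows (assumption from the guides).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

def _entries(value):
    # Userinit and Shell are comma-separated lists; winlogon starts every entry.
    return [p.strip() for p in value.split(",") if p.strip()]

def _norm(path):
    # Case-insensitive; collapse the doubled backslash regedit sometimes shows.
    return path.lower().replace("\\\\", "\\")

def check_userinit(value):
    """Findings for the Winlogon Userinit value; an empty list means clean."""
    entries = _entries(value)
    if not entries:
        return ["Userinit is empty: nothing would start the user session"]
    findings = []
    if _norm(entries[0]) != EXPECTED_USERINIT:
        findings.append("unexpected first Userinit entry: " + entries[0])
    for extra in entries[1:]:
        # Every extra entry is launched at logon; sdra64.exe persists here.
        findings.append("extra Userinit entry runs at logon: " + extra)
    if not value.rstrip().endswith(","):
        findings.append("Userinit lacks the trailing comma of the default value")
    return findings

def check_shell(value):
    """Findings for the Winlogon Shell value; the default is just explorer.exe."""
    entries = _entries(value)
    if not entries:
        return ["Shell is empty: no desktop after logon"]
    findings = []
    if _norm(entries[0]) != EXPECTED_SHELL:
        findings.append("unexpected shell: " + entries[0])
    for extra in entries[1:]:
        findings.append("extra Shell entry runs at logon: " + extra)
    return findings

def check_ifeo(ifeo):
    """ifeo maps image name -> {value name: data} under the IFEO key. A Debugger
    value makes Windows run that program instead of the image (csrss.exe trick)."""
    findings = []
    for image, values in ifeo.items():
        for name, data in values.items():
            if name.lower() == "debugger":
                findings.append("IFEO Debugger for %s points to %s" % (image, data))
    return findings

def _values(key):
    out, i = {}, 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:
            return out
        out[name] = data
        i += 1

def read_live():
    """Windows only: return (userinit, shell, ifeo) from the live registry."""
    if winreg is None:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
        winlogon = _values(key)
    ifeo = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            image = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, image) as sub:
                ifeo[image] = _values(sub)
    return winlogon.get("Userinit", ""), winlogon.get("Shell", ""), ifeo

if __name__ == "__main__":
    # Constructed sample (the infected values quoted above) when not on Windows.
    userinit, shell, ifeo = read_live() or (
        r"C:\WINDOWS\SYSTEM32\\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
        r"explorer.exe,C:\Windows\System32\system32.exe",
        {"explorer.exe": {"Debugger": r"c:\windows\csrss.exe"}})
    for finding in check_userinit(userinit) + check_shell(shell) + check_ifeo(ifeo):
        print("FINDING:", finding)
```

A clean machine produces no FINDING lines; each finding names the exact value to repair by hand as the guide describes.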

16.] Download CCleaner and delete all your Computer’s temporary files and internet files.

17.] Reboot your computer and re-enable all of your security settings.

Recommended procedure: I would suggest you download “MalwareBytes” and do a full system scan. It’s important to keep a second anti-malware tool as a backup. You cannot trust just one… you need two just to keep things low!

http://www.malwarebytes.org/

Notes: to remove ‘ComboFix’ from your computer, please use this command from the Run Box.

Type: combofix /u

18.] Finish!

Copyrighted by Lair360 – 2009




Kick BlockWatcher out the house!

Version: 11.1
Revision: 32 Build: 12

Updates: this post was revised to meet the safety – standards for all users.

Introduction:
Last night, I was analyzing a rogue anti-virus. The name of the anti-virus is “BlockWatcher”.

According to my research, the fake anti-virus looks identical to “BlockScanner”.
But for now, here is some background information about this infection.

BlockWatcher is a poorly designed security tool whose real purpose is forcing the user into purchasing a fake program. The only way “Block Scanner” differs from its ancestors is the name on the logo. If you take a look at SoftBarrier, ShieldSafeness and BlockScanner, you will see that they are all identical.

1.] Download these applications and put them on your desktop.

a.] Right click on one of these links and save it as: “Combo-Fix.exe”
————-
Link#1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link#2: http://www.forospyware.com/sUBs/ComboFix.exe

b.] Download this anti-virus and install it on your computer with the latest updates.
————-
Link#1: http://www.softpedia.com/progDownload/Malwarebytes-Anti-Malware-Download-81598.html
Link#2: http://www.malwarebytes.org/mbam-download.php

2.] Copy this script and save it as: “CFScript.txt”, then drop the file onto the application.
However, you must install the “Windows Recovery Console” for the application to work.
It can be downloaded by ComboFix or installed from your Windows disk.

Warning: before you begin, you must disable all anti-virus / anti-spyware applications.
This is for safety when you’re running ComboFix.

File::
c:\Documents and Settings\All Users\Desktop\BlockWatcher.lnk
c:\Program Files\BlockWatcher Software\BlockWatcher\BlockWatcher.exe
c:\WINDOWS\10068tro9zd85.exe
c:\WINDOWS\10258z9amb5t73a.bin
c:\WINDOWS\10518virzs5f9.ocx
c:\WINDOWS\temp\yxh5.tmp.exe
c:\WINDOWS\system32\yxh5.tmp.exe
c:\WINDOWS\system32\19z89s5y663.dll
c:\WINDOWS\system32\1a605tzal32359.dll
c:\WINDOWS\system32\1aa8tzi952064.cpl 

Folder::
c:\Program Files\BlockWatcher Software
c:\Program Files\BlockWatcher Software\BlockWatcher
c:\Documents and Settings\All Users\Start Menu\Programs\BlockWatcher

Registry::
[HKEY_CURRENT_USER\Software\BlockWatcher]
[HKEY_LOCAL_MACHINE\SOFTWARE\BlockWatcher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BlockWatcher"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BlockWatcher"=-
"yxh5.tmp.exe"=-

3.] Let the application repair / disinfect your computer. Also, while it’s running, avoid touching your keyboard or the power switch.

4.] At this stage, you’ll need to use MalwareBytes and perform a full system scan.
After that, you’ll need to download CCleaner and remove all of the junk files.

Link: http://ccleaner.com

5.] You’re Done!

Copyrighted By Lair360