Lair360 Blog » Virus Removal

How to remove sdra64.exe from your systems

admin — Sun, 08 Nov 2009 12:41:36 +0000

Version: 16c
Revision: 42 Build 113

How to remove sdra64.exe from your systems

Introduction: when I was testing these malware on my crappy computer, I’ve found a slight weakness on these infected malware: “a.exe, b.exe and sdra64.exe”. It seems to download other stuff from the web and installed them into your systems without your permission. But, it’s a total nightmare, as I have to spend my five hours to remove these parasites from eating your computer!

Right, lets get yourself ready and print this document from another machine, if the infected files had removed your Wireless / LAN connections. But, you got to read these instruction carefully and don’t rush yourself! Also, I did all of these works / analysis from scratch, so you don’t have to fiddle about and get yourself frustrated. Just read this article slowly and make sure that you did it correctly…

—————————–

1.] Remove all P2P sharing software from your computer.
—————————–
uTorrent
Azureus
eMule
ect…
—————————–

Notes: most of the time the files that you had / have downloaded, they are considered as illegal-wares. They may also be bundled with malware, this could well be how you were infected. Get the point?

2.] Execute Notepad.exe / Notepad++.exe from your computer and copy these codes. After that, you’ll need to go to: “File >> Save As >> Type: Fix-XP.bat”.
You will also need to change the “Save as type to all files” and save it to your desktop.

@echo off
copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll c:\eventlog.dll
Exit

@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
Exit

3.] Double-click on Fix-XP.bat and let it repair your Eventlog Services.

4.] At this point, you’ll need to download: “The Avenger” by Swandog46 to your Desktop.
—————————
- Right click on the Zip folder and select “Extract All…”
- Follow the prompts and extract Avenger to your desktop

http://swandog46.geekstogo.com/avenger2

5.] Copy these codes and paste these into Avenger – Script Box. However, if you’re using the second script, which is shown in “Step 2”, then, you’ll need to copy the second one. But, please don’t use both, or else, there will be some confusion on your system.
—————————

Begin copying here:
Files to move:
c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Begin copying here:
Files to move:
c:\scecli.dll | C:\WINDOWS\system32\scecli.dll

—————————

6.] Click on Execute

7.] Answer “Yes” twice when prompted.

Notes: just to let you know: The system will restart twice. But, you don’t have to panic… its normal…

8.] Download ComboFix from these website and rename the application before you download!
—————————
If you are using Firefox, make sure that your download settings are as follows:

* Tools >> Options >> Main tab
* Set to “Always ask me where to Save the files”.

http://www.forospyware.com/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.combofix.org/download.php

Important: You’ll need to rename ComboFix into Combo-Fix.
Also, It is important that you rename Combofix during the download, but not after.

Warning: Before you continue, please disable your anti-virus, script blocker and any anti-malware (real-time) protection before the scan. These security application may interfere with ComboFix or remove some of its embedded files which may cause “irregular results”. Also, please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

9.] Double click on combo-Fix.exe & follow the prompts.

10.] When everything is done, Combofix will generate a Text file that contains your removal.

11.] Now, you’ll need to copy these scripts and save it to your desktop.

File Saved As: CFScript.txt
—————————

Collect::
c:\windows\svchasts.exe
c:\windows\system32\desote.exe
c:\windows\ucyzy.dat
c:\program files\Common Files\wapibosogi.lib
c:\AutoRun.vbs
c:\windows\Fonts\AcadEref.ttf
c:\windows\Installer\c62d6.msp
c:\windows\system32\drivers\rotscxltmrssww.sys
c:\windows\system32\drivers \_rotscxltmrssww_.sys.zip
c:\windows\system32\rotscxobwwavmy.dll
c:\windows\system32\rotscxoqfqjruf.dat
c:\windows\system32\rotscxqoeniplv.dat
c:\windows\system32\rotscxylltpkql.dll
c:\windows\system32\twain.dll
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Installer\550c37.msi
c:\windows\oqixovevu.scr
c:\windows\orabuj.inf
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\documents and settings\All Users\Documents\cejik.sys
c:\documents and settings\All Users\Documents\koqely.reg
c:\documents and settings\All Users\Documents\oqijatuzu.exe
c:\documents and settings\All Users\Documents\qyxazemose.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\minix32.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tapi.nfo
c:\windows\system32\userini.exe

Folder::
c:\program files\Windows Police Pro

DirLook::
c:\program files\awesome
C:\b624c1897f972641605426d99d3538

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

RegNull::
[HKEY_USERS\S-1-5-21-2186207459-4142083742-1883771569-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AF49AC62-35CC-90AD-1EC3-2AE9C244CBB5}*]

12.] Drag CFScript.txt into Combo-Fix.exe

Notes: When Combofix finishes running, there will be a log that pops – up. Please don’t be alarmed! It’s normal for ComboFix…

13.] Download OTL from these website…
—————————

http://oldtimer.geekstogo.com/OTL.exe

—————————

14.] Run the program and paste these codes into the “Custom Scans/Fixes” box.
—————————

:OTL
SRV - (RDPRGOSK [Disabled | Stopped]) -- File not found
[2009/08/28 17:01:10 | 00,017,976 | ---- | M] () -- C:\WINDOWS\ugyl.db
[2009/08/28 17:01:10 | 00,014,776 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\okebihyk.db
[2009/08/28 17:01:10 | 00,013,269 | ---- | M] () -- C:\Documents and Settings\tim\Application Data\epujap.db
[2009/08/28 17:01:10 | 00,012,616 | ---- | M] () -- C:\Documents and Settings\tim\Local Settings\Application Data\ybopot.lib

:Services

:Reg

:Files

:Commands
[purity]
[emptytemp]
[Reboot]

—————————

15.] Click the Run Fix button which is located at the top – left – corner.

Notes: let the program run; reboot the PC when it is done.

16.] Download Malwarebytes from these links and follow the prompts.
—————————

http://www.malwarebytes.org/mbam-download.php

http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml

Notes: please do a deep scan and make sure that your database is up-to-date!
Also, If it asked you to restart the computer, please do so immediately.

17.] Last and not least, please copy these codes and save it as: CFScript.txt
—————————

KillAll::

File::
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FGQ0JB3M\111_[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PH0SB3VN\lexus111[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QIS2LMNX\file[1].exe

Reboot::

—————————

18.] Drag the scripts into Combo-Fix.exe

19.] Now, you’ll need to cleanup your computer. But, don’t worry, you’re nearly there!

- Click Start >> Run >> Type: Combofix /u
- Click OK

20.] Go back and look for OLT. Then, double-click on OTL.exe and run it.

21.] Click on the CleanUp! Button.

Notes: you will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

22.] Finish!

Good Work! You have done a great job!!

Copyrighted By Lair360

How to remove System32.exe and Userinit.exe

admin — Sun, 08 Nov 2009 12:33:24 +0000

Version: 52.8
Revision: 68 Build 16

How to remove System32.exe and Userinit.exe

Introduction: This virus was design by a Vietnamese citizen. He is a criminal – hacker who is trying to distribute fake files to corrupt other user’s computer and your system32 sub – directories.

Part One: remove Userinit.exe and System32.exe
———————————
1.] Download Avira Anti-Virus [Free Edition].
————————–

http://avira.com

http://softpedia.com

————————–

2.] Execute the application and scan your computer.
But, if you want to do it faster, you can go to these directories.

Right click on these folders and scan it with Avira.
————————–
C:\Windows\
C:\Windows\System32
C:\Windows\System32\System32.exe
C:\windows\system32\dllcache\win32\winlogon.exe
C:\windows\system32\dllcache\win32\csrss.exe

Notes: let the software kill all of the process. But, don’t hit the ignore button!
Also, please don’t forget to hit the delete button when the scan – engine has found the infected file!

3.] Erase all of these folders in your USB stick with Avira.
However, if you leave it alone, it’s going to regenerate the virus – that would mean: you’ll need to repeat step five!

Part Two: modify windows Shell and Userinit.exe registry
———————————

Warning: once you reboot without userinit.exe and system32.exe, windows cannot access windows successes – fully!
So, please don’t stop and wonder off at stage three…

Notes: to locate these files, please follow these instructions.
————————–
a.] In “Folder Option,” just hit the “View” tab and un – tick or select these options.

Hidden files and folders >> select: Show hidden files and folders.
Hidden files and folders >> un – tick: Hide protected operating system files (Recommended).

Items to be removed from USB memory sticks.
————————–
Autorun.inf
Secret.exe
Phimnguoilon.exe / Phim nguoi lon.exe
————————–

4.] Fix the registry location within these directories…

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

a.] Click on Userinit (REG_SZ)
b.] Right click and select “Modify…”
c.] Change the directories.

Important: Please include the trailing comma. But, please be aware that ‘Windows’ was installed in C:\Windows; Userinit.exe file is actually present in the System32 folder. You may want to verify that as well.

Wrong: C:\Windows\userinit.exe
Right: C:\Windows\System32\userinit.exe,

Important: You must make sure that the registry location and directory is correct before the initial reboot. But, if you left it UN – changed; the windows logon and access is completely disabled. So, please double check before you hit the “Restart” button!!

Advice: For better performances, you can also put ‘Userinit.exe’ into this registry location. It will boot faster after reboot.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon

a.] Go to Start >> Run and insert: regedit.
b.] Direct yourself to the correspondent registry location.
c.] At the left panel, just look for ‘Winlogon’ and move your mouse to the right panel.
d.] Right click and Select New >> String Value
e.] Rename it as ‘Userinit’ – without the quotes.
f.] Right click on your new registry – strings and select: Modify
g.] Copy the ‘value data’ which is shown underneath…
————————–
C:\Windows\System32\userinit.exe,
————————–

Important: Please include the trailing comma. But, please be aware that ‘Windows’ was installed in C:\Windows; Userinit.exe file is actually present in the System32 folder. You may want to verify that as well.

h.] Paste the data; click ‘OK’ and exit the registry.

After reboot, use iobit windows care personal and CCleaner to repair, clean and remove all the junk files.

5.] Reboot and run Avira again.

Warning: please check your registry entries (again) for any changes and repeat step four to step five. But, you don’t have to run the anti-virus again.

Part Three: double check your folders for “system32.exe and csrss.exe”
———————————
Problems: For most users, they also got one of their ‘Shell’ registry infected with a file called: System32.exe. To solve this problem, please continue and clear this hidden virus.

1.] Since Avira removed this file: System32.exe = “C:\Windows\System32\system32.exe,” you have to go to the registry and fix the location. But, don’t you even dare delete the registry entries!!

a.] Click Start >> Run >> Type: regedit >> Click OK or press Enter.
b.] Navigate through the registry folders and look for this registry location…

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Notes: look for a file called: “Shell” [without the quotes].

2.] Right click on the value; select modify; delete the entire line from “Shell” and copy this to your registry: explorer.exe

3.] After this process, please reboot your computer ‘again’ and let the new setting take effect!

4.] Your computer is ready to go!

Background history of “csrss.exe”

Introductions: firstly, the ‘csrss.exe’ file, it should be in: “C:\Windows\System32\” or “C:\Windows\system32\dllcache.” However, it shouldn’t be in the ‘config’ directory and this directory: “C:\windows\system32\dllcache\win32\csrss.exe” or anywhere else…

Notes: Please change the directories on these registry locations to the correct links….

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = ‘C:\Windows\System32\userinit.exe,’ (REG_SZ)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell= “explorer.exe” (REG_SZ)

Notes: If these directories are missing, please re-create them.

These are the registry to delete…

1.] Go to this directory: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\…

2.] Look under “Image File Execution Options” folders and locate this sub-folder: “explorer.exe” [without the quotes]

Notes: It creates sub-key “explorer.exe” and the value under it:
Debugger=c:\windows\csrss.exe

3.] Delete it!

Optional – Part four: use ComboFix.exe to fix / remove other viruses
———————————
1.] Download ComboFix from these links…
———————————
ComboFix: http://www.combofix.org/
Mirror: http://subs.geekstogo.com/ComboFix.exe
———————————

2.] Make a folder in your C:\ drive.
3.] Drag your ComboFix.exe into that folder.
4.] Disable all anti-virus application, anti-spyware application and all software that has HIPS function.

Notes: if you want to safely disable their system guard for ComboFix.exe to clean your computer, I would recommend you to disable it in: “Computer Management” consol.

Click Start >> Right click: My Computer >> Select: Manage >> Services and Applications >> Services

5.] Double check your security guards to see if it’s disabled. After that, just execute ComboFix.

Notes: ComboFix will warn you if you haven’t disable the security guards. But, click Ok if you already disabled the Shield…

6.] The scanner will trigger another box which contains a list of infected files.

7.] After the scan, it will ask you to reboot your computer. All you need to do is click the “Ok” button or hit the “Enter” key (on your keyboard).

8.] After reboot, just don’t touch anything and let it remove these parasite!
The files which will be remove are shown in combofix.

9.] When everything is cleared and dusted, you’ll need to wait for a while.
This is because; the application is generating a ‘Log.txt’ file about ComboFix removal process.

20.] Install CCleaner and clear your Internet Explorer + Firefox temporary files and internet system cache.

Part five: remove ComboFix.exe from your computer
———————————
1.] Click Start >> Run >> Type: Combofix /u
2.] Click Ok or press “Enter” on your keyboard
3.] Disable your System Restore and re-enable it…
4.] Re-activate your ‘System Shield’ and reboot your computer.
5.] Finish!

Copyrighted by Lair360

How to remove windowsclick infection

admin — Sun, 08 Nov 2009 12:23:36 +0000

Version: 39.2
Revision: 46 Build 154

How to remove windowsclick infection

Introduction: this malware had infected my machine and I didn’t notice it. But, when I was surfing Google website with Firefox, the links had redirected my current website to a nasty website that served fake anti-virus.

Right, lets get to work and get this out of your system before it is too late!

1.] Download these software with “Firefox” and save it to your C:/ drive.

Important: please look at ComboFix procedure if everything else fails.
After the repair, please follow this guide, again, for a complete scan and removal.

Notes: if you’re using Firefox as your main – browser, you’ll need to right – click and open a new tab. If you don’t, the actual malware will redirect you to a new link.
————————-
Avira Free Edition: http://www.avira.com/en/pages/index.php
Mirror: http://filehippo.com/download_antivir/

ComboFix: http://www.combofix.org/
Mirror: http://subs.geekstogo.com/ComboFix.exe
Mirror: http://www.forospyware.com/sUBs/ComboFix.exe
Mirror: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

SpywareTerminator: http://spywareterminator.com

CCleaner: http://filehippo.com/download_ccleaner/
————————–

Part One: remove Trojan.Agent.RL and RKIT/TDss.eyj.xxx
————————–
2.] Install SpywareTerminator and Avira.
3.] Update their database.

Notes: if you encounter an error with SpywareTerminator Shield, please ignore it and use the scanner…

4.] Do a “Quick Scan” (Fast Spyware Scan) with SpywareTerminator.
5.] Remove all infected files and this file: CmdLineExt03.dll
6.] Exit Spywareterminator and click on Avira Anti-Virus. The application is located on your window’s taskbar (red umbrella icon).
7.] Double click on the application and select: Local Protection >> Scanner >> Rootkit Search
8.] Select all available drive and run the scan…

Notes: if the application asked you for permission, just select “Quarantine” and continue.

Similar Infected file…
————————–
c:\windows\system32\uacrvkuvdgg.dll
c:\windows\system32\drivers\uaccseutoro.sys
————————–

9.] When Avira finished removing the following “backdoor-rootkit” infection, just click no and cancel the reboot operation…

10.] Right click on Avira and disable “AntiVir Guard”.

Advice: press Crtl + Alt + Del to bring up the process menu. After that, just select the second tab and look this processes: Avguard.exe. But, don’t worry about the errors…its only for ComboFix procedure…

Notes: leave your internet connection as “Enable” for ComboFix.exe
————————–

Part Two: remove UACcseutoro.sys and acovcnt.exe
————————–
11.] Make a folder in your C:/ drive.
12.] Drag your ComboFix into that folder and rename it as: FixCombo.exe.

Notes: if it doesn’t work, please use this method for execution!
————————–
Right click on the actual link and click: “Save Link As”. After that, you’ll need to rename the file into one of these names. However, if that doesn’t work, just make it up…

Renamed files: tool.exe | Fixfile.exe | toolb.exe | FixCombi.exe | FixCombo.exe

13.] Execute the application.
14.] ComboFix will warn you if you haven’t disable Avira. But, click Ok if you already disable Avira’s Shield.
15.] The scanner will trigger another box which contains a list of infected files. The list will look like this…
Notes: I’ve put two different list. This is because, the malware can change its name with random characters. But, they can be detected by combofix without any problems…

c:\windows\system32\acovcnt.exe
c:\windows\system32\drivers\UACcseutoro.sys
c:\windows\system32\UACalwoglkx.dll
c:\windows\system32\UACbdkqyjia.log
c:\windows\system32\UACktlsummn.log
c:\windows\system32\UACndsuqqrv.log
c:\windows\system32\UACplaqlmxs.dat
c:\windows\system32\UACrvkuvdgg.dll
c:\windows\system32\UACtfiwcpqk.dll
c:\windows\system32\UACwkmlpjat.dll
——————————————————————-
c:\windows\system32\drivers\UACtnfmndkx.sys
c:\windows\system32\tmp67.tmp
c:\windows\system32\UACblevabwi.log
c:\windows\system32\UACefnatakr.dll
c:\windows\system32\UACfsaprdmv.dll
c:\windows\system32\UACkjfmxcxi.dll
c:\windows\system32\UAClwnqcbve.dat
c:\windows\system32\UACnfwquyvx.log
c:\windows\system32\UACrjghjnnw.log
c:\windows\system32\UACsdntxukq.dll
c:\windows\temp\uac52f0.tmp

17.] After the scan, it will ask you to reboot your computer.
All you need to do is click the “Ok” button or hit the “Enter” key (on your keyboard).

18.] At the next reboot, just don’t touch anything and let it remove these pest!
The files which will be remove are shown on combofix…
————————–
c:\documents and settings\Userfolder\Application Data\inst.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\AutoUpdateWin31.dll
c:\windows\IE4 Error Log.txt
c:\windows\system32\acovcnt.exe
c:\windows\system32\drivers\UACcseutoro.sys
c:\windows\system32\UACalwoglkx.dll
c:\windows\system32\UACbdkqyjia.log
c:\windows\system32\UACktlsummn.log
c:\windows\system32\UACndsuqqrv.log
c:\windows\system32\UACplaqlmxs.dat
c:\windows\system32\UACrvkuvdgg.dll
c:\windows\system32\drivers\UACtnfmndkx.sys
c:\windows\system32\tmp67.tmp
c:\windows\temp\uac52f0.tmp
c:\windows\system32\UACblevabwi.log
c:\windows\system32\UACefnatakr.dll
c:\windows\system32\UACfsaprdmv.dll
c:\windows\system32\UACkjfmxcxi.dll
c:\windows\system32\UAClwnqcbve.dat
c:\windows\system32\UACnfwquyvx.log
c:\windows\system32\UACrjghjnnw.log
c:\windows\system32\UACsdntxukq.dll
c:\windows\system32\UACtfiwcpqk.dll
c:\windows\system32\UACwkmlpjat.dll
K:\Autorun.inf
————————–

19.] When everything is cleared and dusted, you’ll need to wait for a while.
This is because; the application is generating a ‘Log.txt’ file about ComboFix removal process.

20.] Install CCleaner and clear your Internet Explorer + Firefox temporary files and internet system cache.

Part Three: remove ComboFix.exe from your computer
————————–
21.] Click Start >> Run >> Type: Combofix /u
22.] Click Ok or press “Enter” on your keyboard
23.] Disable your System Restore and re-enable it…

Click Start >> Control Panel >> System >> System Restore

24.] Exit “System Properties” and go to “Microsoft.com” for new updates to block these threats from killing your computer…

Alternative method to remove “windowsclick” if your PC is seriously infected…
————————–
1.] Insert your Windows XP disk into your CD-ROM drive.
2.] Wait for it to load and press: ‘R’ to boot into the recovery console.
3.] When the console is ready, press 1 if you only have one “Windows XP” installation on the harddrive, After that, just hit “Enter” (without the quotes).
4.] Type in the “Administrator’s” password and hit “Enter” (without the quotes).
5.] Now, you’ll need to type this command: listsvc and press “Enter” on your keyboard.
6.] Look for a svc called: UACD.sys / UACd.sys
7.] Press “ESC” to stop listing and go back to ‘cmd’ prompt.
8.] Now, all you need to do is type this: “disable UACd.sys” (without quotes).
9.] Exit recovery console – don’t forget to take your XP CD out and reboot the computer.
10.] Go back to stage “ONE” and remove this idiot virus!

Copyrighted By Lair360

How to remove sdra64.exe from your computer

admin — Sun, 08 Nov 2009 11:55:37 +0000

Version: 14.2b
Revision: 15 Build 35

How to remove sdra64.exe from your computer.

Introduction: when I was at my friend’s house, his computer is really unhealthy! So, I told him to get off his computer and let me handle his machine. Nevertheless, it took me hours to remove these infected files and directories.

1.] Download ComboFix from these websites and rename it as: Combo-Fix.exe.
However, you don’t need to use it now. If you do, there is a chance that Combo-Fix will be shutdown!

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/ComboFix.exe

Warning: It’s highly recommended that you must disable all anti-virus before you use ComboFix.

Notes: if you want to use ComboFix.exe, you must install Microsoft Recovery Console with your Windows XP CD. However, you must be connected to the internet to download the latest Recovery Console Updates.

2.] Click on this link and download: Process Explorer – http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Notes: if the link is broken, please remove “bb896653.aspx” and find “Process Explorer”

3.] Execute the program and look for this hidden process: sdra64.exe

Notes: this process hides itself under “Winlogon”.

4.] Press CTRL+F on your keyboard and type: sdra64.exe.

5.] Double click on the search results, it should be listed as winlogon. However, don’t end the actual process! You need to highlight “sdra64.exe” on the second box and end the infected process.

6.] On the toolbar select Handle >> Close Handle. After that, you could delete the file.

7.] Click Start >> Run >> Type: Regedit

8.] Expand each folder and look for this registry location…

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

9.] Look for this registry key and modify with caution.

Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,

- You need to delete the second part and accept the changes.

Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,

10.] Close the registry and rename sdra64.exe to sdra64.vir. After that, you need to use “Notepad” and make a TXT file for Combo-Fix.exe (renamed version to avoid shutdown).

———— Copy Text —————

FileLook::
c:\Program Files\mb.exe

Collect::
c:\windows \system32\lowsec\local.ds
c:\windows \system32\lowsec\user.ds
c:\windows\uyuxexiv.dll
c:\windows\Kqigisucejalafo.dll
c:\windows\system32\sdra64.exe

Folder::
c:\windows\system32\lowsec

———— End —————

11.] Save this as: “CFScript.txt”.

12.] Drag the text file to Combo-Fix.exe and let it remove the infected files.

Notes: your desktop may go blank. This is normal and it will return, when ComboFix is done. But, make sure that you are connected to the internet and click OK.
After that, just follow the prompts for any updates.

Warning: do not mouse-click combofix’s window whilst it’s running.
That may cause it to stall.

13.] Let the application remove the threats.
All you need to do is make a cup of tea or coffee and keep an eye on your computer.

14.] Check your ComboFix log files and take a look at the removal area.
Make sure that the following infection is deleted.

c:\windows\Kqigisucejalafo.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\uyuxexiv.dll

15.] Go back into the registry – library and check “userinit” for any unwanted modification.

Normal: Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,
Infected: Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,

16.] Download CCleaner and delete all your Computer’s temporary files and internet files.

17.] Reboot your computer and re-enable all of your security settings.

Recommended procedure: I would suggest you to download “MalwareBytes” and do a full system scan. It’s important to keep a backup of another anti-virus. You cannot trust just one… you need 2 just to keep things low!

http://www.malwarebytes.org/

Notes: to remove ‘ComboFix’ from your computer, please use this command from the Run Box.

Type: combofix /u

18.] Finish!

Copyrighted by Lair360 – 2009

Kick BlockWatcher out the house!

admin — Sun, 08 Nov 2009 10:49:33 +0000

Version: 11.1
Revision: 32 Build: 12

Updates: this post was revised to meet the safety – standards for all users.

Kick BlockWatcher out the house!

Introduction: last-night, I was analyzing a Rouge Anti-Virus. The name of the anti-virus is “BlockWatcher”.

According to my research, the fake anti-virus looks exactly identical to “BlockScanner”.
But, for now, here is some background information, about this infection.

BlockWatcher is a poorly designed security tool, but its real purpose is forcing the user into purchasing fake program. The only way “Block Scanner” differs from its ancestors is the name on the logo. If you take a look at SoftBarrier, ShieldSafeness and BlockScanner you will see that they are all identical.

1.] Download these application and put them on your desktop.

a.] Right click on these links and Save it As: “Combo-Fix.exe”
————-
Link#1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link#2: http://www.forospyware.com/sUBs/ComboFix.exe

b.] Download this Ant-virus and Install it to your computer with the latest updates.
————-
Link#1: http://www.softpedia.com/progDownload/Malwarebytes-Anti-Malware-Download-81598.html
Link#2: http://www.malwarebytes.org/mbam-download.php

2.] Copy this script and Save it As: “CFScript.txt”, then drop the file into the application.
However, you must install “Windows Recovery Consol” for the application to work.
This can be downloaded with Combofix or installing it with your Windows Disk.

Warning: Before you begin, you must disable all Anti-Virus / Anti-Spyware application.
This is for safety, if you’re running Combofix.

File::
c:\Documents and Settings\All Users\Desktop\BlockWatcher.lnk
c:\Program Files\BlockWatcher Software\BlockWatcher\BlockWatcher.exe
c:\WINDOWS\10068tro9zd85.exe
c:\WINDOWS\10258z9amb5t73a.bin
c:\WINDOWS\10518virzs5f9.ocx
c:\WINDOWS\temp\yxh5.tmp.exe
c:\WINDOWS\system32\yxh5.tmp.exe
c:\WINDOWS\system32\19z89s5y663.dll
c:\WINDOWS\system32\1a605tzal32359.dll
c:\WINDOWS\system32\1aa8tzi952064.cpl 

Folder::
c:\Program Files\BlockWatcher Software
c:\Program Files\BlockWatcher Software\BlockWatcher
c:\Documents and Settings\All Users\Start Menu\Programs\BlockWatcher

Registry::
[HKEY_CURRENT_USER\Software\BlockWatcher]
[HKEY_LOCAL_MACHINE\SOFTWARE\BlockWatcher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BlockWatcher"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BlockWatcher"=-
"yxh5.tmp.exe"=-

3.] Let the application repair / disinfect your computer. Also, when it’s running, please avoid touching your keyboard or the switch button.

4.] At this stage, you’ll need to use MalwareBytes and perform a full system scan.
After that, you’ll need to download CCleaner and remove all of the junk files.

Link: http://ccleaner.com

5.] You’re Done!

Copyrighted By Lair360

How to remove W32 – Explorer.exe

admin — Sat, 22 Aug 2009 14:51:30 +0000

Version: 13.2g
Revision: 122 Build 12c

How to remove W32 – Explorer.exe

Introduction: recently, my computer was attacked by a bunch of spammers. But, guess what? One of the email had an infected attachment. So, I decided to analyze the source and write an article to revert the infection. Anyway, you don’t have to worry… I am testing it on my Virtual Server. Its pretty sealed and protected!

All of my Windows Files and everything else are Fake! These malware are stupid and they are only written by idiots to fool your computer and steal your privacy! Also, there is a warning: take care of your computer! Especially, looking at your emails and downloading attachments. Any of these unknown email, there is a chance that your computer is going to get really Sick!

Now, if you’re infected with “W32/ExploreZip.pak” virus, then please print this article and disconnect your computer from the internet! After that, you’ll need to take a deep breath and take it easy…

——————————————-

Warning: if you’re on a server, you’ll need to tell your company to shut down all active computers! If you don’t, this infection will spread itself into another computer by LAN connections – mostly, the server’s “Shared Documents”.

Overview: This particular Worm travels, by sending email messages to random users. It drops the file: “explore.exe” and modifies either the “WIN.INI” or modifies the Registry. However, this malware is still active and I am not sure how it comes into my inbox (Gmail). But, the user who sent the attachment, he / she is a very stupid user!

What you’ll need for this procedure…
——————————————–
Notepad++ [http://notepad-plus.sourceforge.net]

1.] Click Start >> Run >> Type: REGEDIT
2.] Wait for the registry to appear and navigate yourself to these locations and look for this registry binary. However, you’ll need to be very careful!

HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Notes: if the binaries doesn’t exist, you’ll need to expand “Windows” directories and look into another folder called: Run.

Binary to locate and remove: run=C:\WINNT\System32\Explore.exe

Notes: You’ll need to do the same to these files, if they exist within the registry library.

File Name: explore, zipped_f, zipped_files or _setup

3.] Reboot your computer, then remove the following file: “C:\WINNT\System32\Explore.exe” from your “System32″ Folders.

4.] Repeat Step 3 for “_SETUP.EXE and ZIPPED_FILES.EXE”.

5.] Find this file: “WIN.INI” and remove either of these commands, if they exist.

run=c:\winnt\system32\explore.exe
run=c:\winnt\_setup.exe

6.] Scan your computer with Avira Antivirus or Kaspersky.
After that, just clear computer’s temporary files with CCleaner.

7.] Finish!

Copyrighted By Lair360

How to remove Win32/Conficker.AA infections

admin — Sun, 15 Feb 2009 15:09:10 +0000

Version: 32.3
Revision: 65 Build 10

How to remove Win32/Conficker.AA infections

Introduction: Win32/Conficker.AA worm is also known as W32/Worm.AHGV, Net-Worm.Win32.Kido.bg, Worm:Win32/Conficker, W32/Conficker.worm.gen, Mal/Conficker.
This dangerous infection uses “Microsoft Windows Server Service – RPC Handling Remote Code Execution Vulnerability (MS08-67)” in order to infect other computers in the local network. This worm also blocks users from accessing to other security websites; it deletes all the System Restore points prior to infection, and to protect itself from deletion it!

Problems: If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:
———————————
-Account lockout and the system policies are being tripped.
-Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
-Domain controllers respond slowly to client requests.
-The network connection is congested.
-Various security-related Web sites cannot be accessed or shutdown.

1.] Download one of these tools and remove “Win32/Conficker” infections.
———————————

http://www.bitdefender.com/site/Downloads/downloadFile/1584/FreeRemovalTool

http://www.softpedia.com/get/Antivirus/Anti-Downadup.shtml

ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
———————————

2.] After downloading, just extract the contents to a folder.

3.] Disconnect from the network and unplug your network cable.
If you have wireless connections, please disable your connections and ‘power off’ your router.

4.] Disable “Windows System Restore” to clean all your infected restore points.

Click Start >> Control Panel >> System >> System Restore

5.] Execute the application and choose the best scanning option.

If it asked you to reboot your system, please deny it (don’t click ok) and continue…

6.] After the removal, please go to your registry and check this directory.
This is a safety precaution for all users!
———————————
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

- Make sure that you have this: Userinit [REG_SZ] = C:\Windows\System32\userinit.exe,
———————————
If not, please change it and replace the infected strings with the above or the information which is given below.

Value Name: Userinit
Value Type: REG_SZ
Value Data: C:\Windows\System32\userinit.exe,

7.] Reboot your computer when it completes disinfection.

8.] Plug in your network cable and check your firewall before connecting.

9.] Now, we will need to enable: “Windows System Restore,” and create a restore point.
——————————–
- To enable Windows System Restore, right-click on My Computer >> select Properties >> click on System Restore tab >> Uncheck the option: “Turn off system restore on all drives” >> in the warning box, just select: Yes >> Click: Apply >> OK.

Notes: Once “System Restore” is enabled, it will create a ‘restore point’ for you…

10.] Download CCleaner and delete all your Internet Temporary files and system caches.

11.] Done and dusted!

Optional: if you haven’t got “Microsoft Security Bulletin MS08-067″ service update, please use this link; download the patch; install the patch and reboot your system.

Link: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx