Version: 16c
Revision: 42 Build 113
How to remove sdra64.exe from your systems
Introduction: while I was testing this malware on my crappy computer, I found a slight weakness in these infected files: “a.exe, b.exe and sdra64.exe”. It seems to download other stuff from the web and install it onto your system without your permission. But it’s a total nightmare, as I had to spend five hours removing these parasites before they ate my computer!
Right, get yourself ready and print this document from another machine if the infection has knocked out your wireless / LAN connection. But you’ve got to read these instructions carefully and not rush yourself! Also, I did all of this work / analysis from scratch, so you don’t have to fiddle about and get frustrated. Just read this article slowly and make sure that you do each step correctly…
—————————–
1.] Remove all P2P sharing software from your computer.
—————————–
uTorrent
Azureus
eMule
etc.
—————————–
Notes: most of the time, the files you have downloaded through these programs are pirated software. They are often bundled with malware, and this could well be how you got infected. Get the point?
2.] Open Notepad.exe / Notepad++.exe and paste in one of the two scripts below (the first restores eventlog.dll, the second restores scecli.dll). After that, go to “File >> Save As”, enter the file name “Fix-XP.bat”, change “Save as type” to “All Files”, and save it to your desktop.
@echo off
copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll c:\eventlog.dll
Exit
—————————–
@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
Exit
3.] Double-click on Fix-XP.bat and let it run: it copies a clean copy of the DLL to C:\ so that the Eventlog service can be repaired in the following steps.
4.] At this point, you’ll need to download “The Avenger” by Swandog46 to your desktop:
—————————
http://swandog46.geekstogo.com/avenger2
- Right click on the Zip folder and select “Extract All…”
- Follow the prompts and extract Avenger to your desktop
5.] Copy the matching script below and paste it into Avenger’s “Script Box”. If you used the second script from Step 2 (scecli.dll), use the second script here as well. Please don’t use both, or else your system will be left in a confused state.
—————————
Begin copying here (eventlog.dll script):
Files to move:
c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
—————————
Begin copying here (scecli.dll script):
Files to move:
c:\scecli.dll | C:\WINDOWS\system32\scecli.dll
—————————
6.] Click on Execute
7.] Answer “Yes” twice when prompted.
Notes: just to let you know, the system will restart twice. You don’t have to panic; it’s normal…
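Steps 2 to 7 rely on the fact that Windows XP keeps pristine copies of protected system DLLs under ServicePackFiles\i386 and system32\dllcache. The following added example (my own code, not part of this guide or of The Avenger) shows how a defender can check which in-use DLLs actually differ from their cached copies before, or after, swapping them: it hashes the live file in system32 and the first cached copy it finds and reports a verdict per file. The folder names match the guide; the file contents used by demo() are constructed stand-ins, and on a real machine you would call audit() with the default disk reader.

```python
"""Added example (not part of the original guide or of any tool it names)."""
import hashlib
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Folders the guide's batch files copy from and into (Windows XP layout).
SYSTEM_DIR = Path(r"C:\WINDOWS\system32")
CACHE_DIRS = [
    Path(r"C:\WINDOWS\ServicePackFiles\i386"),
    Path(r"C:\WINDOWS\system32\dllcache"),
]
# The two DLLs the guide restores; extend this list to audit more files.
WATCHED = ["eventlog.dll", "scecli.dll"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(live: Optional[bytes], cached: Optional[bytes]) -> str:
    """Verdict for one file: compare the in-use copy with the cached copy."""
    if live is None:
        return "missing"        # nothing in system32 at all
    if cached is None:
        return "no-cache"       # cannot verify: no known-good copy available
    return "ok" if sha256_hex(live) == sha256_hex(cached) else "MODIFIED"


def read_optional(path: Path) -> Optional[bytes]:
    """Read a file, returning None instead of raising when it is absent/unreadable."""
    try:
        return path.read_bytes()
    except OSError:
        return None


def audit(system_dir: Path, cache_dirs: List[Path], names: List[str],
          read: Callable[[Path], Optional[bytes]] = read_optional) -> Dict[str, str]:
    """Compare each watched file against the first cached copy found.

    `read` is injectable so the logic can be exercised without touching a disk.
    """
    report: Dict[str, str] = {}
    for name in names:
        live = read(system_dir / name)
        cached = None
        for cache in cache_dirs:
            cached = read(cache / name)
            if cached is not None:
                break
        report[name] = classify(live, cached)
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario: eventlog.dll has been patched, scecli.dll is intact."""
    pristine_eventlog = b"MZ\x90\x00 eventlog.dll (constructed stand-in bytes)"
    patched_eventlog = pristine_eventlog + b"\xe9 injected stub"   # constructed
    pristine_scecli = b"MZ\x90\x00 scecli.dll (constructed stand-in bytes)"
    fake_disk = {
        SYSTEM_DIR / "eventlog.dll": patched_eventlog,
        CACHE_DIRS[0] / "eventlog.dll": pristine_eventlog,
        SYSTEM_DIR / "scecli.dll": pristine_scecli,
        CACHE_DIRS[1] / "scecli.dll": pristine_scecli,
        SYSTEM_DIR / "orphan.dll": b"no cached copy of this one",
    }
    return audit(SYSTEM_DIR, CACHE_DIRS, WATCHED + ["orphan.dll", "absent.dll"],
                 read=fake_disk.get)


if __name__ == "__main__":
    # On a real XP box: audit(SYSTEM_DIR, CACHE_DIRS, WATCHED) with the default reader.
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

A file reported as MODIFIED is the one worth restoring from the cache; a file reported as no-cache cannot be verified this way and needs a known-good copy from installation media instead.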
8.] Download ComboFix from one of these websites, renaming the file as you download it (see the note below)!
—————————
If you are using Firefox, make sure that your download settings are as follows:
* Tools >> Options >> Main tab
* Set to “Always ask me where to Save the files”.
http://www.forospyware.com/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.combofix.org/download.php
Important: you’ll need to rename ComboFix.exe to Combo-Fix.exe.
It is important that you rename it during the download (in the Save As dialog), not after it has been saved to disk.
Warning: before you continue, please disable your anti-virus, script blocker and any real-time anti-malware protection before the scan. These security applications may interfere with ComboFix or remove some of its embedded files, which may cause “irregular results”. Also, please do not reconnect your machine to the Internet until ComboFix has completely finished.
9.] Double-click on Combo-Fix.exe and follow the prompts.
10.] When everything is done, ComboFix will generate a text file (its log) listing what it found and removed.
11.] Now, copy the script below into Notepad and save it to your desktop as: CFScript.txt
—————————
Collect::
c:\windows\svchasts.exe
c:\windows\system32\desote.exe
c:\windows\ucyzy.dat
c:\program files\Common Files\wapibosogi.lib
c:\AutoRun.vbs
c:\windows\Fonts\AcadEref.ttf
c:\windows\Installer\c62d6.msp
c:\windows\system32\drivers\rotscxltmrssww.sys
c:\windows\system32\drivers\_rotscxltmrssww_.sys.zip
c:\windows\system32\rotscxobwwavmy.dll
c:\windows\system32\rotscxoqfqjruf.dat
c:\windows\system32\rotscxqoeniplv.dat
c:\windows\system32\rotscxylltpkql.dll
c:\windows\system32\twain.dll
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Installer\550c37.msi
c:\windows\oqixovevu.scr
c:\windows\orabuj.inf
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\documents and settings\All Users\Documents\cejik.sys
c:\documents and settings\All Users\Documents\koqely.reg
c:\documents and settings\All Users\Documents\oqijatuzu.exe
c:\documents and settings\All Users\Documents\qyxazemose.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\minix32.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tapi.nfo
c:\windows\system32\userini.exe
Folder::
c:\program files\Windows Police Pro
DirLook::
c:\program files\awesome
C:\b624c1897f972641605426d99d3538
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
RegNull::
[HKEY_USERS\S-1-5-21-2186207459-4142083742-1883771569-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AF49AC62-35CC-90AD-1EC3-2AE9C244CBB5}*]
12.] Drag CFScript.txt onto Combo-Fix.exe
Notes: when ComboFix finishes running, a log will pop up. Please don’t be alarmed; it’s normal for ComboFix…
13.] Download OTL from this website…
—————————
http://oldtimer.geekstogo.com/OTL.exe
—————————
14.] Run the program and paste the script below into the “Custom Scans/Fixes” box.
—————————
:OTL
SRV - (RDPRGOSK [Disabled | Stopped]) -- File not found
[2009/08/28 17:01:10 | 00,017,976 | ---- | M] () -- C:\WINDOWS\ugyl.db
[2009/08/28 17:01:10 | 00,014,776 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\okebihyk.db
[2009/08/28 17:01:10 | 00,013,269 | ---- | M] () -- C:\Documents and Settings\tim\Application Data\epujap.db
[2009/08/28 17:01:10 | 00,012,616 | ---- | M] () -- C:\Documents and Settings\tim\Local Settings\Application Data\ybopot.lib
:Services
:Reg
:Files
:Commands
[purity]
[emptytemp]
[Reboot]
—————————
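Each file entry in an OTL fix is written as “[date time | size | attributes | M] (company) -- path”. The following added example (my own code, not part of this guide or of OTL) parses those entries and groups them by timestamp. All four files in the Step 14 script carry the very same second, which is the pattern you expect from files dropped by a single installer run rather than from ordinary user activity, so a parser like this helps when reviewing a much longer OTL log for further candidates. SAMPLE_FIX is a copy of the script from Step 14, embedded so the code runs offline; the record field names are my own choice.

```python
"""Added example (not part of the original guide or of OTL itself)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# One OTL file entry: [YYYY/MM/DD HH:MM:SS | size | attrs | M] (company) -- path
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S+) \| (?P<kind>[A-Z])\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+)$"
)


def parse_otl_line(line: str) -> Optional[dict]:
    """Return a record for a file entry, or None for directives and other lines."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),   # "00,017,976" -> 17976
        "attrs": m["attrs"],
        "kind": m["kind"],                          # date-type flag as shown by OTL
        "company": m["company"],                    # empty "()" = no version info
        "path": m["path"],
    }


def parse_otl_fix(text: str) -> List[dict]:
    return [e for e in (parse_otl_line(l) for l in text.splitlines()) if e]


def group_by_timestamp(entries: List[dict]) -> Dict[datetime, List[str]]:
    groups: Dict[datetime, List[str]] = defaultdict(list)
    for e in entries:
        groups[e["timestamp"]].append(e["path"])
    return dict(groups)


def dropped_together(entries: List[dict], minimum: int = 2) -> Dict[datetime, List[str]]:
    """Timestamps shared by at least `minimum` files (a heuristic, not proof)."""
    return {ts: p for ts, p in group_by_timestamp(entries).items() if len(p) >= minimum}


# Copy of the guide's Step 14 script, embedded here so the example runs offline.
SAMPLE_FIX = r"""
:OTL
SRV - (RDPRGOSK [Disabled | Stopped]) -- File not found
[2009/08/28 17:01:10 | 00,017,976 | ---- | M] () -- C:\WINDOWS\ugyl.db
[2009/08/28 17:01:10 | 00,014,776 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\okebihyk.db
[2009/08/28 17:01:10 | 00,013,269 | ---- | M] () -- C:\Documents and Settings\tim\Application Data\epujap.db
[2009/08/28 17:01:10 | 00,012,616 | ---- | M] () -- C:\Documents and Settings\tim\Local Settings\Application Data\ybopot.lib
:Services
:Reg
:Files
:Commands
[purity]
[emptytemp]
[Reboot]
"""

if __name__ == "__main__":
    entries = parse_otl_fix(SAMPLE_FIX)
    for ts, paths in dropped_together(entries).items():
        print(f"{len(paths)} files share timestamp {ts}:")
        for p in paths:
            print("   ", p)
```

Pointed at a full OTL log instead of this short fix, dropped_together() surfaces other clusters of files written in the same second, which is a reasonable starting list for the next round of review.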
15.] Click the “Run Fix” button, which is located in the top-left corner.
Notes: let the program run; reboot the PC when it is done.
16.] Download Malwarebytes from one of these links and follow the prompts.
—————————
http://www.malwarebytes.org/mbam-download.php
http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml
Notes: please run a full (deep) scan and make sure that your database is up to date!
Also, if it asks you to restart the computer, please do so immediately.
17.] Last but not least, please copy the script below and save it again as: CFScript.txt
—————————
KillAll::
File::
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FGQ0JB3M\111_[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PH0SB3VN\lexus111[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QIS2LMNX\file[1].exe
Reboot::
—————————
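Both CFScripts on this page (Step 11 and Step 17) use the same format: a sequence of directives, each a word ending in “::” (Collect::, Folder::, DirLook::, Registry::, RegNull::, KillAll::, File::, Reboot::), followed by the lines it applies to until the next directive. The following added example (my own code, not part of this guide or of ComboFix) parses a script into (directive, lines) pairs and summarises what it targets, which is a sensible thing to do before dragging a script you found online onto ComboFix. SAMPLE_CFSCRIPT is a shortened, constructed mix of entries taken from the two scripts above; the .reg-style reading of the Registry:: body (“name”=- deletes a value) is my interpretation, not a quotation from ComboFix’s documentation.

```python
"""Added example (not part of the original guide or of ComboFix)."""
import re
from typing import Dict, List, Tuple

DIRECTIVE = re.compile(r"^([A-Za-z]+)::\s*$")
Section = Tuple[str, List[str]]


def parse_cfscript(text: str) -> List[Section]:
    """Split a CFScript into ordered (directive, body-lines) pairs."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if m:
            sections.append((m.group(1), []))
        elif not sections:
            raise ValueError(f"line before any directive: {line!r}")
        else:
            sections[-1][1].append(line)
    return sections


def registry_actions(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Expand a Registry:: body into (key, value-name, action) triples.

    Assumed .reg syntax: a [key] line opens a key, "name"=- deletes a value
    under it, anything else sets one.
    """
    actions: List[Tuple[str, str, str]] = []
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None and "=" in line:
            name, data = line.rsplit("=", 1)
            actions.append((key, name, "delete" if data == "-" else "set"))
    return actions


def summarize(text: str) -> Dict[str, int]:
    """Count targets per directive (0 for bare KillAll:: / Reboot::)."""
    counts: Dict[str, int] = {}
    for directive, body in parse_cfscript(text):
        n = len(registry_actions(body)) if directive == "Registry" else len(body)
        counts[directive] = counts.get(directive, 0) + n
    return counts


# Constructed sample made of entries copied from the guide's two scripts.
SAMPLE_CFSCRIPT = r"""
Collect::
c:\windows\system32\sdra64.exe
c:\windows\system32\lowsec\user.ds
c:\windows\braviax.exe
Folder::
c:\program files\Windows Police Pro
DirLook::
c:\program files\awesome
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
KillAll::
File::
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FGQ0JB3M\111_[1].exe
Reboot::
"""

if __name__ == "__main__":
    for directive, body in parse_cfscript(SAMPLE_CFSCRIPT):
        print(f"{directive}:: ({len(body)} lines)")
        for entry in body:
            print("   ", entry)
    print(summarize(SAMPLE_CFSCRIPT))
```

Reviewing the summary first tells you, for instance, that the Registry:: block only removes two firewall exceptions and touches nothing else, and that File:: will delete exactly the listed temporary-internet-files executables.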
18.] Drag the new CFScript.txt onto Combo-Fix.exe
19.] Now you’ll need to clean up your computer. But don’t worry, you’re nearly there!
- Click Start >> Run >> Type: Combofix /u
- Click OK
20.] Go back and look for OTL. Then double-click on OTL.exe and run it.
21.] Click on the “CleanUp!” button.
Notes: you will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot, choose Yes.
22.] Finish!
Good Work! You have done a great job!!
Copyrighted By Lair360