How to remove windowsclick infection





Version: 39.2
Revision: 46 Build 154


Introduction:
This malware had infected my machine and I didn't notice it. But when I was browsing the Google website with Firefox, the links redirected me from my current website to a nasty website that served fake anti-virus.

Right, let's get to work and get this out of your system before it is too late!

1.] Download this software with Firefox and save it to your C:\ drive.

Important: look at the ComboFix procedure if everything else fails.
After the repair, follow this guide again for a complete scan and removal.

Notes: if you're using Firefox as your main browser, you'll need to right-click each link and open it in a new tab. If you don't, the malware will redirect you to a different link.
————————-
Avira Free Edition: http://www.avira.com/en/pages/index.php
Mirror: http://filehippo.com/download_antivir/

ComboFix: http://www.combofix.org/
Mirror: http://subs.geekstogo.com/ComboFix.exe
Mirror: http://www.forospyware.com/sUBs/ComboFix.exe
Mirror: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

SpywareTerminator: http://spywareterminator.com

CCleaner: http://filehippo.com/download_ccleaner/
————————–

Part One: remove Trojan.Agent.RL and RKIT/TDss.eyj.xxx
————————–
2.] Install SpywareTerminator and Avira.
3.] Update their database.

Notes: if you encounter an error with the SpywareTerminator Shield, ignore it and use the scanner.

4.] Do a "Quick Scan" (Fast Spyware Scan) with SpywareTerminator.
5.] Remove all infected files and this file: CmdLineExt03.dll
6.] Exit SpywareTerminator and click on Avira Anti-Virus. The application is located in your Windows taskbar (red umbrella icon).
7.] Double-click on the application and select: Local Protection >> Scanner >> Rootkit Search
8.] Select all available drives and run the scan.

Notes: if the application asks you for permission, just select "Quarantine" and continue.

Similar infected files:
————————–

c:\windows\system32\uacrvkuvdgg.dll
c:\windows\system32\drivers\uaccseutoro.sys
————————–

9.] When Avira has finished removing the "backdoor-rootkit" infection, click No and cancel the reboot operation.

10.] Right click on Avira and disable “AntiVir Guard”.

Advice: press Ctrl + Alt + Del to bring up Task Manager. Select the second tab (Processes) and look for this process: avguard.exe. Don't worry about the errors; this is only needed for the ComboFix procedure.

Notes: leave your internet connection enabled for ComboFix.exe.
————————–

Part Two: remove UACcseutoro.sys and acovcnt.exe
————————–
11.] Make a folder on your C:\ drive.
12.] Drag ComboFix into that folder and rename it to FixCombo.exe.

Notes: if that doesn't work, use this method to run it!
————————–
Right-click the download link and click "Save Link As". Then rename the file to one of these names. If that still doesn't work, just make a name up.

Renamed files: tool.exe | Fixfile.exe | toolb.exe | FixCombi.exe | FixCombo.exe

13.] Execute the application.
14.] ComboFix will warn you if you haven't disabled Avira. Click OK if you have already disabled Avira's shield.
15.] The scanner will open another box containing a list of infected files. The list will look like this:
Notes: I've put two different lists here. This is because the malware can change its name to random characters. But they can be detected by ComboFix without any problems.

c:\windows\system32\acovcnt.exe
c:\windows\system32\drivers\UACcseutoro.sys
c:\windows\system32\UACalwoglkx.dll
c:\windows\system32\UACbdkqyjia.log
c:\windows\system32\UACktlsummn.log
c:\windows\system32\UACndsuqqrv.log
c:\windows\system32\UACplaqlmxs.dat
c:\windows\system32\UACrvkuvdgg.dll
c:\windows\system32\UACtfiwcpqk.dll
c:\windows\system32\UACwkmlpjat.dll
——————————————————————-
c:\windows\system32\drivers\UACtnfmndkx.sys
c:\windows\system32\tmp67.tmp
c:\windows\system32\UACblevabwi.log
c:\windows\system32\UACefnatakr.dll
c:\windows\system32\UACfsaprdmv.dll
c:\windows\system32\UACkjfmxcxi.dll
c:\windows\system32\UAClwnqcbve.dat
c:\windows\system32\UACnfwquyvx.log
c:\windows\system32\UACrjghjnnw.log
c:\windows\system32\UACsdntxukq.dll
c:\windows\temp\uac52f0.tmp
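The two listings above show why a fixed list of file names is not enough: the rootkit keeps the `UAC` prefix but randomises the eight letters that follow, so every infected machine carries a different set of names. The following Python is an added example written for this page, not code from the post or from ComboFix or Avira; the regular expressions are this example's own guess at the naming scheme, built only from the names printed above, and the sample listing is constructed. It takes a directory listing (for instance the output of `dir /s /b` saved to a file) and flags entries that fit the scheme, which catches names the printed lists would miss.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Patterns inferred from the listings in the post: "UAC" plus eight random
# letters under system32 (or system32\drivers), and uacXXXX.tmp leftovers in a
# temp folder. These are this example's assumptions, not a published signature.
UAC_COMPONENT = re.compile(r"^uac[a-z]{8}\.(?:dll|sys|log|dat)$", re.IGNORECASE)
UAC_TEMP = re.compile(r"^uac[0-9a-f]{4}\.tmp$", re.IGNORECASE)


def classify(path: str) -> Optional[str]:
    """Label a path that fits the rootkit's naming scheme, or return None."""
    p = PureWindowsPath(path)
    parent = p.parent.as_posix().lower()      # normalise to forward slashes
    name = p.name
    in_system32 = parent.endswith(("/windows/system32", "/windows/system32/drivers"))
    if in_system32 and UAC_COMPONENT.match(name):
        return "driver" if name.lower().endswith(".sys") else "component"
    if parent.endswith("/temp") and UAC_TEMP.match(name):
        return "temp-dropper"
    return None


def scan(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, label) for every entry of a listing that matches a pattern."""
    hits = []
    for path in paths:
        label = classify(path)
        if label:
            hits.append((path, label))
    return hits


# Constructed sample listing: names from the post mixed with benign files.
SAMPLE_LISTING = [
    r"c:\windows\system32\acovcnt.exe",            # named dropper, not random
    r"c:\windows\system32\drivers\UACcseutoro.sys",
    r"c:\windows\system32\UACalwoglkx.dll",
    r"c:\windows\system32\UACbdkqyjia.log",
    r"c:\windows\temp\uac52f0.tmp",
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\drivers\ntfs.sys",
    r"c:\program files\uacsomething.dll",          # wrong folder and length
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE_LISTING):
        print(f"{label:13} {path}")
```

Note that `acovcnt.exe` is deliberately not matched: it has a fixed name and belongs on a plain blocklist, while the random-name pattern handles the rest. Treat a hit as something to quarantine and inspect, not as proof on its own; the driver-name pattern is loose enough that an unrelated third-party file could in principle collide with it.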

17.] After the scan, it will ask you to reboot your computer.
All you need to do is click the "OK" button or hit the Enter key.

18.] At the next reboot, don't touch anything and let it remove these pests!
The files that will be removed are shown in ComboFix:
————————–
c:\documents and settings\Userfolder\Application Data\inst.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\AutoUpdateWin31.dll
c:\windows\IE4 Error Log.txt
c:\windows\system32\acovcnt.exe
c:\windows\system32\drivers\UACcseutoro.sys
c:\windows\system32\UACalwoglkx.dll
c:\windows\system32\UACbdkqyjia.log
c:\windows\system32\UACktlsummn.log
c:\windows\system32\UACndsuqqrv.log
c:\windows\system32\UACplaqlmxs.dat
c:\windows\system32\UACrvkuvdgg.dll
c:\windows\system32\drivers\UACtnfmndkx.sys
c:\windows\system32\tmp67.tmp
c:\windows\temp\uac52f0.tmp
c:\windows\system32\UACblevabwi.log
c:\windows\system32\UACefnatakr.dll
c:\windows\system32\UACfsaprdmv.dll
c:\windows\system32\UACkjfmxcxi.dll
c:\windows\system32\UAClwnqcbve.dat
c:\windows\system32\UACnfwquyvx.log
c:\windows\system32\UACrjghjnnw.log
c:\windows\system32\UACsdntxukq.dll
c:\windows\system32\UACtfiwcpqk.dll
c:\windows\system32\UACwkmlpjat.dll
K:\Autorun.inf
————————–

19.] When everything is cleared and dusted, you'll need to wait a while.
This is because the application is generating a 'Log.txt' file about the ComboFix removal process.

20.] Install CCleaner and clear your Internet Explorer and Firefox temporary files and internet cache.

Part Three: remove ComboFix.exe from your computer
————————–
21.] Click Start >> Run >> type: Combofix /u
22.] Click Ok or press “Enter” on your keyboard
23.] Disable your System Restore and re-enable it, so that old restore points holding copies of the infected files are discarded.

Click Start >> Control Panel >> System >> System Restore

24.] Exit "System Properties" and go to Microsoft.com for new updates to block these threats from damaging your computer.

Alternative method to remove “windowsclick” if your PC is seriously infected…
————————–
1.] Insert your Windows XP disc into your CD-ROM drive.
2.] Wait for it to load and press R to boot into the Recovery Console.
3.] When the console is ready, press 1 if you only have one Windows XP installation on the hard drive, then hit Enter.
4.] Type in the Administrator password and hit Enter.
5.] Now type this command: listsvc and press Enter.
6.] Look for a service called: UACD.sys / UACd.sys
7.] Press ESC to stop the listing and go back to the command prompt.
8.] Now all you need to do is type this: disable UACd.sys
9.] Exit the Recovery Console, take your XP CD out, and reboot the computer.
10.] Go back to Part One and remove this idiot virus!

Copyrighted By Lair360




How to remove sdra64.exe from your computer





Version: 14.2b
Revision: 15 Build 35


Introduction:
When I was at my friend's house, his computer was really unhealthy! So I told him to get off his computer and let me handle his machine. Nevertheless, it took me hours to remove these infected files and directories.

1.] Download ComboFix from one of these websites and rename it to Combo-Fix.exe.
However, you don't need to run it yet. If you do, there is a chance that Combo-Fix will be shut down!

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/ComboFix.exe

Warning: it's highly recommended that you disable all anti-virus software before you use ComboFix.

Notes: to use ComboFix.exe, you must install the Microsoft Recovery Console from your Windows XP CD. You must also be connected to the internet to download the latest Recovery Console updates.

2.] Click on this link and download: Process Explorer – http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Notes: if the link is broken, remove "bb896653.aspx" from the address and search for "Process Explorer".

3.] Run the program and look for this hidden process: sdra64.exe

Notes: this process hides itself under "winlogon".

4.] Press CTRL+F on your keyboard and type: sdra64.exe.

5.] Double-click on the search result; it should be listed under winlogon. However, don't end the winlogon process itself! Highlight "sdra64.exe" in the lower pane and end the infected process.

6.] On the toolbar select Handle >> Close Handle. After that, you can delete the file.

7.] Click Start >> Run >> Type: Regedit

8.] Expand the folders and navigate to this registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

9.] Look for this registry value and modify it with caution.

Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,

- Delete the second part (the sdra64.exe entry) and accept the changes.

Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,

10.] Close the registry editor and rename sdra64.exe to sdra64.vir. After that, use Notepad to make a text file for Combo-Fix.exe (the renamed copy, to avoid it being shut down).

———— Copy Text —————

FileLook::
c:\Program Files\mb.exe

Collect::
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\uyuxexiv.dll
c:\windows\Kqigisucejalafo.dll
c:\windows\system32\sdra64.exe

Folder::
c:\windows\system32\lowsec

———— End —————

11.] Save this as: “CFScript.txt”.

12.] Drag the text file onto Combo-Fix.exe and let it remove the infected files.

Notes: your desktop may go blank. This is normal and it will return when ComboFix is done. Make sure that you are connected to the internet and click OK.
After that, just follow the prompts for any updates.

Warning: do not mouse-click ComboFix's window while it's running.
That may cause it to stall.

13.] Let the application remove the threats.
All you need to do is make a cup of tea or coffee and keep an eye on your computer.

14.] Check your ComboFix log file and look at the removal section.
Make sure that the following files are deleted.

c:\windows\Kqigisucejalafo.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\uyuxexiv.dll

15.] Go back into the registry and check "Userinit" for any unwanted modification.

Normal: Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,
Infected: Userinit = C:\WINDOWS\SYSTEM32\\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
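Steps 9 and 15 both come down to the same check: Winlogon runs every comma-separated entry in the `Userinit` value at logon, so anything after the genuine `userinit.exe` is a persistence entry that deserves a look. The Python below is an added example for this page, not code from the post; it parses a `Userinit` string, separates the genuine entry from any extras, and builds the cleaned value in the trailing-comma form shown above. The XP default path it falls back to is an assumption, and the two sample values are copied from the post (including the doubled backslash as printed there). It deliberately never writes to the registry: read the value, review what it reports, then edit by hand as the steps describe.

```python
from pathlib import PureWindowsPath
from typing import List, Tuple

# Windows XP default; assumed here, used only when no genuine entry survives.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe"


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into its entries.

    Winlogon starts each entry in turn at logon, which is why the malware
    appends its own path after the genuine userinit.exe. Empty entries (the
    trailing comma) are dropped, and the doubled backslash that appears in
    the post's listing is collapsed so paths compare cleanly.
    """
    entries = []
    for raw in value.split(","):
        raw = raw.strip().replace("\\\\", "\\")
        if raw:
            entries.append(raw)
    return entries


def is_genuine_userinit(entry: str) -> bool:
    """True for userinit.exe given bare or located under ...\\windows\\system32."""
    p = PureWindowsPath(entry)
    if p.name.lower() != "userinit.exe":
        return False
    parent = p.parent.as_posix().lower()
    return parent == "." or parent.endswith("/windows/system32")


def check_userinit(value: str) -> Tuple[str, List[str]]:
    """Return (cleaned_value, extra_entries).

    cleaned_value keeps only the genuine entries, in the trailing-comma form
    shown in the post; extra_entries lists everything else for review.
    """
    entries = parse_userinit(value)
    genuine = [e for e in entries if is_genuine_userinit(e)]
    extra = [e for e in entries if not is_genuine_userinit(e)]
    cleaned = ",".join(genuine or [DEFAULT_USERINIT]) + ","
    return cleaned, extra


# Sample values copied from the post (the doubled backslash is as printed there).
NORMAL = r"C:\WINDOWS\SYSTEM32\\Userinit.exe,"
INFECTED = r"C:\WINDOWS\SYSTEM32\\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,"

if __name__ == "__main__":
    for label, value in (("normal", NORMAL), ("infected", INFECTED)):
        cleaned, extra = check_userinit(value)
        print(f"{label:8} extra={extra} cleaned={cleaned}")
```

An extra entry is not automatically malware (some management software legitimately chains itself here), so the function reports rather than deletes; what makes the sdra64.exe case clear-cut is that the extra entry lives in system32 under a name that no installed product accounts for.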

16.] Download CCleaner and delete all your Computer’s temporary files and internet files.

17.] Reboot your computer and re-enable all of your security settings.

Recommended procedure: I would suggest you download "MalwareBytes" and do a full system scan. It's important to keep a backup of another anti-virus. You cannot trust just one; you need two just to keep things low!

http://www.malwarebytes.org/

Notes: to remove ComboFix from your computer, use this command from the Run box.

Type: combofix /u

18.] Finish!

Copyrighted by Lair360 – 2009




Kick BlockWatcher out the house!





Version: 11.1
Revision: 32 Build: 12

Updates: this post was revised to meet the safety standards for all users.


Introduction:
Last night, I was analyzing a rogue anti-virus. The name of the anti-virus is "BlockWatcher".

According to my research, the fake anti-virus looks identical to "BlockScanner".
But for now, here is some background information about this infection.

BlockWatcher is a poorly designed security tool, but its real purpose is forcing the user into purchasing the fake program. The only way "Block Scanner" differs from its ancestors is the name on the logo. If you take a look at SoftBarrier, ShieldSafeness and BlockScanner, you will see that they are all identical.

1.] Download these applications and put them on your desktop.

a.] Right-click one of these links and save it as "Combo-Fix.exe"
————-
Link#1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link#2: http://www.forospyware.com/sUBs/ComboFix.exe

b.] Download this anti-virus and install it on your computer with the latest updates.
————-
Link#1: http://www.softpedia.com/progDownload/Malwarebytes-Anti-Malware-Download-81598.html
Link#2: http://www.malwarebytes.org/mbam-download.php

2.] Copy this script and save it as "CFScript.txt", then drop the file onto the application.
However, you must install the Windows Recovery Console for the application to work.
It can be downloaded by ComboFix or installed from your Windows disc.

Warning: before you begin, disable all anti-virus / anti-spyware applications.
This is for safety while ComboFix is running.

File::
c:\Documents and Settings\All Users\Desktop\BlockWatcher.lnk
c:\Program Files\BlockWatcher Software\BlockWatcher\BlockWatcher.exe
c:\WINDOWS\10068tro9zd85.exe
c:\WINDOWS\10258z9amb5t73a.bin
c:\WINDOWS\10518virzs5f9.ocx
c:\WINDOWS\temp\yxh5.tmp.exe
c:\WINDOWS\system32\yxh5.tmp.exe
c:\WINDOWS\system32\19z89s5y663.dll
c:\WINDOWS\system32\1a605tzal32359.dll
c:\WINDOWS\system32\1aa8tzi952064.cpl

Folder::
c:\Program Files\BlockWatcher Software
c:\Program Files\BlockWatcher Software\BlockWatcher
c:\Documents and Settings\All Users\Start Menu\Programs\BlockWatcher

Registry::
[HKEY_CURRENT_USER\Software\BlockWatcher]
[HKEY_LOCAL_MACHINE\SOFTWARE\BlockWatcher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BlockWatcher"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BlockWatcher"=-
"yxh5.tmp.exe"=-
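The CFScript above (and the one in the sdra64.exe post) is a plain text file made of `Name::` sections, and the `Registry::` section uses .reg-file syntax. Because the script is handed to ComboFix with no chance to review what it will do, it is worth parsing it first. The Python below is an added example for this page, not code from the post or from ComboFix: it groups the entries by section, decodes the registry lines into (action, key, value) operations, and reports keys that are selected with `[key]` but given no value directive, since under .reg syntax such a line on its own does nothing and the writer may have intended `[-key]`. That ComboFix follows .reg semantics exactly is an assumption of this example; the embedded script is a shortened copy of the one above.

```python
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.+)\]$")
REG_VALUE_DEL_RE = re.compile(r'^"([^"]*)"=-$')

RegOp = Tuple[str, str, str]   # (action, key, value-name or "")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a CFScript under their 'Name::' headers."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def parse_registry_section(lines: List[str]) -> List[RegOp]:
    """Decode .reg-style lines: '[key]' selects, '[-key]' deletes a key,
    '"name"=-' deletes a value under the currently selected key."""
    ops: List[RegOp] = []
    key = None
    for line in lines:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(2)
            ops.append(("delete-key" if m.group(1) else "select-key", key, ""))
            continue
        m = REG_VALUE_DEL_RE.match(line)
        if m:
            if key is None:
                raise ValueError(f"value directive before any key: {line!r}")
            ops.append(("delete-value", key, m.group(1)))
            continue
        raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return ops


def selected_keys_without_values(ops: List[RegOp]) -> List[str]:
    """Keys selected with '[key]' that receive no value directive afterwards."""
    idle, pending = [], None
    for action, key, _ in ops:
        if action == "select-key":
            if pending is not None:
                idle.append(pending)
            pending = key
        elif action == "delete-key":
            if pending is not None:
                idle.append(pending)
            pending = None
        else:                       # delete-value consumed the selection
            pending = None
    if pending is not None:
        idle.append(pending)
    return idle


# Shortened copy of the BlockWatcher script from the post (constructed sample).
SAMPLE_CFSCRIPT = r"""
File::
c:\Documents and Settings\All Users\Desktop\BlockWatcher.lnk
c:\WINDOWS\system32\yxh5.tmp.exe

Folder::
c:\Program Files\BlockWatcher Software

Registry::
[HKEY_CURRENT_USER\Software\BlockWatcher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BlockWatcher"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BlockWatcher"=-
"yxh5.tmp.exe"=-
"""

if __name__ == "__main__":
    sections = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, entries in sections.items():
        print(f"{name}:: {len(entries)} entries")
    ops = parse_registry_section(sections["Registry"])
    for op in ops:
        print("  ", op)
    print("keys selected but untouched:", selected_keys_without_values(ops))
```

Run against the full script from the post, the check singles out `HKEY_CURRENT_USER\Software\BlockWatcher` and `HKEY_LOCAL_MACHINE\SOFTWARE\BlockWatcher`: both are listed with no `"name"=-` line beneath them, so they read as selections rather than deletions. Whether that was the intent is a question to settle before running the script, not after.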

3.] Let the application repair / disinfect your computer. While it's running, avoid touching your keyboard or the power button.

4.] At this stage, use MalwareBytes and perform a full system scan.
After that, download CCleaner and remove all of the junk files.

Link: http://ccleaner.com

5.] You’re Done!

Copyrighted By Lair360