sdra64.exe - Remove the Trojan menace

Is your system restarting when you stop high memory using svchost process'? in otherword, can you be sure it's the sdra64 trojan? If so, how last minute are you making the registry change? If it's still not working then might I suggest you open Start > Run and type in msconfig - now under the startup tag deselect everything to come back in an extremely restricted start mode, this way less will get in the way of the restart action and enable you to hit the registry key extremely last second before the system restarts.

I have the sdra64.exe but its different.C:\Users\Dave\AppData\Roaming\sdra64.exe

I'm running vista and I dont see the svchost.exe process in task manager

Regarding svchost and Vista

"I have the sdra64.exe but its different.C:\Users\Dave\AppData\Roaming\sdra64.exe I'm running vista and I dont see the svchost.exe process in task manager"

In the task manager you need to click "Show process' by all users", they will then appear.

As of Monday, June 1st, Malwarebytes has been able to detect and remove the sdra64.exe & lowsec directories for us. This was not the case on Friday, May 29th. So, it looks like their defintions were updated over the weekend.

Regardless, it is now a painless way to get rid of the problem.

You want to make sure you've updated malwarebytes to its latest version after installing. Their definitions are updated regularly. We've had good luck w/ Malwarebytes as well.

Followed your process in safe mode. Done it numerous times and now having trouble even pulling up in safe mode. When I go back in it is back in the folder even when done at the last second. Know of anything else to do?

Thanks

Unfortunately, that registry key is it's only weakness, by stopping that key from launching the sdra64.exe file you in turn stop the process. Manually ending the hidden svchost.exe process affiliated with sdra64.exe causes the shutdown proceedure (and it relaunches itself), so you need to hit that registry key right before you restart as a result.

My concern is that you're actually not ending the correct svchost process, try ending as many as you can, see if that's why it keeps returning.

Another issue that might be causing this problem could be that you have too much running (even in safe mode), just check that nothing is running but windows, stop any applications that are unessential as this will delay the restart and as a result give sdra64.exe time to make the change before the restart ends its process.

Another method would be to remove the drive and place it in another machine as a slave. Then browse to the sdra64.exe file and delete it, as you would be running that machine's OS, you wouldn't be launching the menace to begin with. that's a more extreme solution anyway. An easy one would be to download Damn Small Linux (it's only a few hundred K to a few Mb), then boot to that and delete the file. Without sdra64.exe on your machine, it can't stop you from deleting all that jibberish.

I'm still working on the problem but was able to get rid of SDRA64.EXE but was unable to delete it because it was in use by the system, however I set it to be deleted in the AUTOEXEC.BAT file which seems to have done the trick to get rid of that portion.  Reading the other posts I've set autoexc to delete the lowsec folder as well.  Hijackthis found the registry entry, but have been unable to correct it without Sdra64 being reinserted so hopefully deleting lowsec will help I've also got Malwarebytes on the case as well.  Spyhunter caught the virus yesterday but unfortunately it didn't fix it.  So hopefully Malware and correcting the registry at the last sec will work.  Thanks for the help.

So i followed the steps you had provided which seemed like they would work. When my computer restarted however, it wasn't working normally. i shut it down and tried to go into safe mode which the screen came up to ask me to go into safe mode and i clicked enter. It went into safe mode and quickly direted me to the welsome screen where it gave me 2 buttons to choose: Admin or hpadmin. i tried both but the would say loading and then saving bringing me back to the same welcome screen. I have no idea what happened with the steps that caused this. I have XP by the way. Any clue of what went wrong?

I discovered lowsec first via MalwareBytes but it didn't pick up sdra64.exe and I didn't know of it until I decided to find out more about what lowsec was and how it got onto my computer.

Prevx found sdra64.exe in the folder

C:\Documents and Settings\My User Name\Application Data

I've had no problems deleting it.

I checked the userinit registry key

KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon  and it said C:\Windows\System32\Userinit.exe

so I'm assuming that sdra64.exe wasn't launching.

I am concerned about it being in a different directory though.

Is there anything else I should check?

Am in the process of removing this trojan for a client. It creates several other folders and exe's with random filenames. Boot up off a live CD, whether Ultimate Bood CD 4 WIN or a Linux Live CD. Search for all files and folders created in the last day. You will see several other remants of the trojan and can delete them there.

Start Window$ in Safe Mode, log in as Administrator, go to the file and change all security permissions to "Deny". Uncheck the box that allows permission inheritance. Now restart into safe mode again. Now the file can be deleted along with the system32/lowsec folder. You can also delete the registry key now.

While your there go ahead and run the virus scanner and Malware scanner.

Then restart normally.

Viola. No more virus...that one anyway.

I managed to delete

C:\Windows\System32\sdra64.exe from C:\Windows\System32\Userinit.exe,

by following this person instructions

"An easier way is to do this: open up cmd.exe.

type: cd \windows\system32
type: cacls sdra64.exe /d system
Reboot.
Delete sdra64.exe and cleanup the registry entry in WinLogon. What we did was remove the access control list for the sdra64.exe file, which means it cannot execute on reboot, and thus it wont prevent you from editing the registry or delete it after reboot."

But when ever i go to system32 folder i cant rename sdra64 or delete it. Didnt i delete whats in use ??

I've spent the better part of a few days going after this insidious beast, which may or may not have been propagating all sorts of other bots and trojan back door infections.  It all started with the Antivirus System Pro bug and quickly went downhill from there.  I had an older version of Malwarebytes that I thought had eradicated everything, then came to discover that I could no longer run anything that required an executable file (.exe).  I couldn't get into regedit, my computer, control panel, Malwarebytes, AVG, etc. until I found a registry patch online that restored access to explorer.exe.  One by one, I was able to eliminate most of the trojans in Windows\System32 and felt that I was finally out of the woods, then the dreaded sdra64.exe was identified by Windows Defender this morning and I went searching for the answer and found this outstanding page.  THANK YOU.  I didn't realize that my Malwarebytes wasn't the lastest version, so I downloaded it and it successfully removed sdra64.exe as part of the 18 problems it found.  After the reboot, sdra64.exe was indeed gone, but then another trojan popped up on the subsequent scan (but only one this time).  Malwarebytes got rid of it and a subsequent scan is showing 0 infections.  AT LAST.

First thanks to Scott E for explaining the problem and giving us the information to help delete this.

I tried the method mentioned and could not get it to work.   So.... I re-booted my computer with System Recue CD - a Linux boot disk.  Went to WINDOWS\system32 found sdra64.exe and deleted it.  Re-booted in Windows and edited the Registry key as in above.  For System Rescue CD go here:

http://www.sysresccd.org/Main_Page

If people need more detailed instructions, please say so and I will be happy to provide.