6:58 PM February 3, 2010

How I Removed sdra64.exe

I did a stupid thing recently. I accidentally clicked on a link that allowed a virus called sdra64.exe to try to infect my system.

I have WinPatrol from http://www.winpatrol.com/. It's much like the UAC in Windows Vista, but it doesn't have a stroke every time you move your mouse. It just warns you when a startup item is being added to your system.

WinPatrol kept warning me that sdra64.exe was trying to add itself to the startup. I chose to disallow it, but WinPatrol kept popping up the same message over and over. So online I went to find more info about this virus. Turns out it's a very serious keylogger-type infection: it tries to steal credit card numbers, bank account info, and so on.

I found some info and procedures to remove it, some a bit complicated, so here is mine. You will need:

  1. a copy of FileMenu Tools 5.7 from:
    www.lopesoft.com/en/index.html
  2. a copy of Autoruns from:
    technet.microsoft.com/en-us/sysinternals/bb963902.aspx
  3. a copy of Malwarebytes from:
    malwarebytes.org
  4. a copy of SuperAntiSpyware from:
    www.superantispyware.com/index.html

(The following is from my WinXP system.)

Click on Start, then Run, type regedit in the box, and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Find HKEY_LOCAL_MACHINE and click on the little plus sign in the square on the left hand side to open it up, then do the same for SOFTWARE, Microsoft, Windows NT, CurrentVersion and Winlogon.

When you get to the Winlogon - click on it once to highlight it and then look in the right hand panel for the term userinit - this is what should be there:
C:\Windows\System32\Userinit.exe

this is what the virus puts there:
C:\Windows\System32\Userinit.exe,C:\Windows\System32\sdra64.exe,

Of course it seems like just a matter of erasing the extra entry, C:\Windows\System32\sdra64.exe, but that will not work because the virus puts it back again just as quick.

You can also try a search for the file sdra64.exe, but you probably will not find it even if your system is set up to show hidden and system files.
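The check described above (is the Userinit value exactly Userinit.exe, or has something been appended after the comma?) can be scripted so that it does not depend on eyeballing regedit. The following is an added example and not part of the original post. The two sample values are constructed from the post's "clean" and "infected" descriptions; the live read through winreg is an assumption that only applies when the script is run on Windows, and the list of acceptable folders for Userinit.exe is my own allowlist, not something the post states.

```python
"""Flag unexpected entries in the Winlogon Userinit value (added example)."""
import sys

# Constructed sample values, taken from the post's description of the
# clean and infected registry data.
CLEAN_VALUE = r"C:\Windows\System32\Userinit.exe,"
INFECTED_VALUE = r"C:\Windows\System32\Userinit.exe,C:\Windows\System32\sdra64.exe,"

# Assumption: the only program that belongs in Userinit is userinit.exe from
# the System32 folder (written as a full path, a relative path, or a bare name).
EXPECTED_BASENAME = "userinit.exe"
EXPECTED_DIRS = ("c:\\windows\\system32", "system32", "")


def split_userinit(value):
    """Split the comma-separated Userinit value into non-empty, stripped entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def is_expected(entry):
    """True if the entry is userinit.exe living in the System32 folder."""
    normalised = entry.strip().strip('"').lower()
    directory, _, basename = normalised.rpartition("\\")
    return basename == EXPECTED_BASENAME and directory in EXPECTED_DIRS


def check_userinit(value):
    """Return every entry in the value that is not the expected userinit.exe.

    An empty list means the value looks clean; anything returned is a
    program that will be started at logon and deserves investigation.
    """
    return [entry for entry in split_userinit(value) if not is_expected(entry)]


def read_live_userinit():
    """Read the live Userinit value on Windows; return None on other platforms.

    Assumption: the winreg module is available, which is only true on Windows.
    """
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows only
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    samples = [("clean sample", CLEAN_VALUE), ("infected sample", INFECTED_VALUE)]
    live_value = read_live_userinit()
    if live_value is not None:
        samples.append(("live registry value", live_value))
    for label, value in samples:
        extras = check_userinit(value)
        if extras:
            print(f"{label}: UNEXPECTED entries -> {extras}")
        else:
            print(f"{label}: only userinit.exe present")
```

Run it on the machine you are checking; on a clean system the live value reports only userinit.exe, and on the infected system from this post it would list C:\Windows\System32\sdra64.exe. Because the value is re-written by the malware, a clean result only means something at the moment you ran it, which is why the rest of the post removes the file and the Autoruns entry from Safe Mode before trusting the registry again.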

So here's what I did:

I restarted in Safe Mode With Networking: restart your computer and keep pressing the F8 key until you get taken to a menu.

Safe Mode pictures and more info here: bertk.mvps.org/html/safemode.html

We want the option Safe Mode With Networking; this lets you download, install and update Malwarebytes, or just update it if you already have it installed.

I have a program installed that allows me to customize the context menu of Windows Explorer, basically the menu items that pop up when you right-click on a file. The main one I want to point out now is called Delete Locked File.

By the way, this program is called FileMenu Tools 5.7 from:
www.lopesoft.com/en/index.html

In Safe Mode I was able to see sdra64.exe but still couldn't delete it, so I right-clicked on it and chose the option Delete Locked File. A message popped up saying it would be done on the next reboot.

Then I opened Autoruns.exe and went to the Logon tab. Under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit there were two entries listed; I right-clicked on the one with the sdra64.exe entry and chose Delete from the menu.

Then I ran Malwarebytes. I updated it and then ran a full scan. The following is the log file Malwarebytes created after the scan, to show you what files were deleted.


Malwarebytes' Anti-Malware 1.44
Database version: 3681
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2096

02/02/2010 9:17:49 PM
mbam-log-2010-02-02 (21-17-49).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 133054
Time elapsed: 29 minute(s), 37 second(s)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.


I'm convinced now that Malwarebytes could have done the job all by itself...but, No Apologies!!

When finished I rebooted the system into normal Windows. Then I ran a second anti-malware program called SuperAntiSpyware from: www.superantispyware.com/index.html

I updated it first and then ran a complete scan from this program as well. It came out clean. And checking the registry key mentioned earlier again, it still reads:
C:\Windows\System32\Userinit.exe,