Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Softpanorama Malware Protection Bulletin, 2009

Malware 2019 2018 2017 2016 2015 2014 2013 2012 2011 2010
2009 2008 2007 2006 2005 2004 2003 2002 2001 2000 1999

Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

Old News ;-)

[Nov 14, 2009] Remove sdra64.exe virus and delete file

This is the best way I found on Internet to remove this spyware which adds itslef to winlogin registry entry. For more technical description see Trojan.Spy.Zeus.W , Spy-Agent.du, Adware.Win32.Zeus
This sdra64.exe removal is a little harder to remove than your normal virus removal. The file sdra64.exe is locked by the Winlogon process and therefore you are not able to delete it by using tools such as Hijackthis or Icesword.

To remove this virus please download the following tool Process Explorer from Microsoft/Sysinternals. Process Explorer

Once you have downloaded the tool, open it.

1. Press CTRL+F on your keyboard to begin search.

2. Type sdra64.exe

3. Double click on the search results, it should be listed as winlogon and some additional details

4. On the toolbar select Handle then Close Handle

Then you would be able to delete the file. Follow the location listed in the registry. Typically it's going to be C:\windows\system32

5. Delete the sdra64.exe file or rename it.

6. While in the system32 folder delete the folder called lowsec which contains the spyware data.

7. Restart your computer then open Regedit by going to Start --> Then Run and typing Regedit, then click ok.

[Nov 14, 2009] sdra64.exe

For better method see Remove sdra64.exe virus and delete file
May 22, 2009 | IT Computer Help

I was recently given a laptop that refused to cooperate with the end user. Safemode only worked half the time, and regular boots would just hang after attempting to login.

The computer ended up having a windows init known as sdra64.exe. I don’t even care what these programs do anymore – I just get rid of them.

Quick google search provided me with this guy’s blog:
http://mrmusicmaker.blogspot.com/2009/04/how-to-remove-sdra64exe-yourself-for.html
Although I’m going to provide a different way to fix this issue, a lot of the knowledge was gained from the above blog about this problem and how to fix it.

First, grab your handy IT-Fix-It Disc (Hirens). Boot off the hirens disc – I’m using version 9.8, current at the time of this writing Boot into Tiny/Mini XP
After XP loads, open My Computer and navigate to C:\windows\system32\
Find the file sdra64.exe and either delete or rename this file. I renamed just in case I really wanted to go back to the way it was.
Then reboot back into safe mode (F8 before Windows starts loading).

When in safe mode, open the registry Start
Run
Regedit
Navigate to
HKLM\software\microsoft\windows nt\currentversion\winlogon
Find the “userinit” key
Double click on this key
You should only have the following:
C:\Windows\System32\Userinit.exe,
So delete anything after that comma.

Reboot once again, but this time don’t go into safe mode. You probably will have other infections that you should remove using Malwarebytes or Eset’s Nod32. Combination attacks work the best.

[Nov 14, 2009] How to remove sdra64.exe yourself - for free

Some good technical information but the method is an overkill,. For simpler method see Remove sdra64.exe virus and delete file
April 19, 2009 | mrmusicmaker.blogspot.com

How to remove sdra64.exe yourself - for free
This is an off-topic post about how to remove the virus sdra64.exe which somehow ends up in c:\windows\system32\sdra64.exe and you can't delete or rename it.

I searched online for 'remove sdra64.exe' and get bombarded by stupid-ass companies who all want to rip you off, by making you think you need their software. Some even say its free.. You use their software, it tells you you have problems (surprise surprise!) and then tells you you need to buy a license to do anything about it. Either that or you just end up on a page that makes out it is about tech support, but is actually just trying to get you there so it can show you no content and a million ads.

Well this little post is the official screw-you to all those douchebags.

First off, this virus is so-say a keystroke logger, so whatever you do - don't do anything which involves typing passwords or sensitive data until we have removed it.

Step 1 - Print off these instructions.

Step 2 - Bring your PC up in safe mode:

That means go to Start > Run > and type:

msconfig

This will bring up the msconfig utility.

On the General tab, select 'Selective Startup' and UNCHECK all the 4 boxes with checks in them so they are empty. Then go to the BOOT.INI tab and check /SAFEBOOT and MINIMAL (next to it).

Click apply and OK.

It will ask you if you want to reboot. Say yes.

Step 3 - When your PC has rebooted, go to Start > Run > and type regedit.

This brings up registry editor.

Now navigate down this path:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

There will be a registry key in there called userinit. Its data will look like this:

C:\Windows\System32\Userinit.exe,C:\Windows\System32sdra64.exe,

Now what you need to do is remove the second bit I have highlighted in red(C:\Windows\System32sdra64.exe,)

BUT - as soon as you do **poof** it will add itself back in !!

(If you have just tried to remove that part - now click away to another folder in regedit and back into winlogon so you can see it back there again).

So what to do ??

This is where we get sneaky.

Keep regedit open on the userinit key we want to edit - we are coming back to it in a sec.

Press Ctrl Alt & Del and open the task manager. Go to the processes tab. End process on a few of the svchost.exe processes.

When you have done one or two of them you will get a message saying the PC is about to reboot in 60 seconds.

Go back to regedit - double click the userinit key to edit it.

The idea here is to remove the unwanted part (C:\Windows\System32sdra64.exe,) so you are just left with

C:\Windows\System32\Userinit.exe,

but DON'T click ok UNTIL the timer has almost completely run out.

We want to remove it with so little time left that the virus doesn't have time to add it back in again!!

I clicked OK somewhere between 1 and 0 seconds left.

Your PC will reboot now and come back up in safe mode again.

Step 4 - Check regedit to see if the change you made to the registry key in step 3 has worked. If not.. do it again.

If it has worked, you should see that all you have is

C:\Windows\System32\Userinit.exe,

Step 5 - Now go to Start > Run > and type C:\Windows\System32\ hit enter.

Find the file sdra64.exe (which now shouldn't be in use because we removed the command for it to load in Step 3).

Rename it to sdra64.bla and hit enter. It should let you because it isn't in use.

Step 6 - Now delete it.

Step 7 - Now go to your recycle bin and delete it from there too.

Step 8 - Delete all temporary internet files in Internet Explorer. (In Internet Explorer > Tools > Internet Options > and under browsing history click Delete.

Step 9 - Reboot your PC again. It will still be in safe mode.

When it comes back up, check to make sure that sdra64.exe is gone from C:\Windows\System32\

If it has, then you can remove the safeboot option.

Start > Run > type msconfig

Select Normal Startup

Hopefully you should now be rid of that god damn virus.

This is how I did it. Hopefully it will work for you too.

If you have any more info or tips that helped you, post them in the comments.

PEACE!


UPDATE: 03/08/09

I have been noticing a lot of comments about people still having problems getting rid of the sdra64.exe file itself.

I have had quite a few reports of getting around this using a simple freeware tool called Remove On Reboot, which allows you to right click the file, choose 'remove on reboot', and then the file gets deleted in the boot up process. Poof!

Comments:

Moisture:

First off, thanks for the info. I have the corp version of Norton and it couldn't remove it as could none of the other AV software. I pay them good money to do what? Jack All! Good thing I'm a bit of a geek and search for people like you that have done it. Thanks again.

jao:

It doesn't work for me even I tried it so many times.. However, I think of another solution. And here it simply goes...

1. Boot from my Windows XP installer.
2. Log on to recovery console.
3. Go to system32 directory folder.
4. Delete the file (del sdra64.exe).
5. Log on to Windows (on safe mode, don't know if will work on normal mode).
6. Go to regedit.
7. Modify the Userinit values as stated on this post
8. And, say "Whew!"

Cuban Man:

I had the sdra64.exe infection and could not remove with ad-aware or SpyBot (it appears that it somehow would not allow SpyBot to correctly install, but I’m not sure about this).

PrevX found the names of the files, but when I went to pay (yes, I was so frustrated that I was willing to pay), I got a PayPal website that said it was under maintenance and I needed to provide more information. I got scared and decided to get rid of the files myself. It would not let me delete sdra64.exe so I went into safe mode and still no way.

I couldn’t get the "edit the registry key at the last second" solution to work – guess I just wasn’t fast enough or too fast at editing the registry key.

I don’t have an XP installer disk, but I do have a Knoppix bootable CD. Go to knoppix.com to get one. I was then stymied because I couldn’t delete the sdra64.exe file. I thought it was some evil code, but it was just that Knoppix default is read only from hard drives. I tried right-clicking on the hard drive to make it read-write, but I kept getting an error due to using an NTFS format. I found this solution:
http://sean-feeney.com/2007/10/knoppix-ntfs-mount-problem.html

I deleted the files listed by PrevX, including the dreaded sdra64.exe, then I rebooted with Windows and edited the userinit registry key and it stayed edited! Voila!

The feeling of success matches the frustration – I beat the idiot who wrote that virus (with your help). I only wish I could beat him (I’m guessing it’s a he) physically for the countless hours of lost time people spend on this. I also agree that paying to get it removed just feeds the beast – it’s extortion, plain and simple. Thanks for a super helpful blog post – I hope my little twist might help someone else.
Humberto

Spinelli :

Hi I had the same problem but could not remove the virus with your method. I tried something else that worked.

1 - Download MS Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)

2 - Download MS Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)

3 - Open Process Explorer, press ctrl+F

4 - Type sdra64.exe

5 - Double click in the item that will be shown in the list "winlogon..."

6 - On the upper toolbar again, select 'Handle' then 'Close Handle' (You Windows UI should be slightly different now, dont worry)

7 - Go to c:\windows\system32 and delete sdra64.exe

8 - Execute Autoruns.exe, go to the Logon tab, under the 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit', uncheck the sdra64.exe entry.

9 - Restart your computer, as we killed some critical OS processes, you will probably have to force the OS to reboot. Yes, press the button ;)

Correcting my previous comment:

4 - Type 'sdra64.exe' and press 'search'

Arwain:

I fixed in this way:

- install slax (www.slax.org) on a usb pen (256mb is enough)
- boot from usb pen. when linux started, access system folder, look up for your drive and delete sdra64.exe file in system32 (or similar file, mine was twext.exe)
- reboot to windows xp and fix registry deleting the entry

ziggystardust95:

You my friend are a lifesaver. This nasty virus was making my on-line banking page ask for all my full pin log on and card number details. AVG had found a moved the virus to the vault, but had not deleted the registry settings. I followed your instructions and got it first time. The only thing that was different was that the sdra64.exe was not in the system32 folder (presumably because AVG had already zapped it ? ) Anyhow, it's now gone from the registry and my bankings back to normal.

Tim:

thank you, i was battleing this f****** virus for over 4 hours and your blog finally helped me get rid of it. i live in denver, co and my customer was in phoenix,az. i was contoling their computer via webex. it was a computer register with not cd rom drives or usb.

Poul Wann:

An easier way is to do this: open up cmd.exe.

type: cd \windows\system32
type: cacls sdra64.exe /d system
Reboot.
Delete sdra64.exe and cleanup the registry entry in WinLogon.

What we did was remove the access control list for the sdra64.exe file, which means it cannot execute on reboot, and thus it wont prevent you from editing the registry or delete it after reboot.

nick:

this virus was kicking my butt for a while. mostly i was using automated tools instead of looking at which files were causing it. thanks for posting this!

in case it helps anyone, i took a slightly different route and booted into a linux live cd (puppy linux -- just over 100mb iso) and deleted the file. afterwards, i could boot up, but not log in as it was mad that it couldn't find the referenced file (that registry was looking for). i then booted from a UBCD4Win (Ultimate Boot CD For Windows -- great resource) and used the 'remote registry' tool to modify the registry of my OS and changed the userinit reference so that it referrenced the userinit.exe file and NOT the sdra64.exe file. looking back, i probably could have done this all from UBCD4Win.

obviously, this solution relies on haveing the ability to download a live cd and burn it if you don't already have one.

again, thanks for original solution for guidance!

Dave:

Thanks, this is awesome. This piece of trash plagued me for days. Just FYI, even in safe mode with command prompt, the process was still loaded and could not be deleted. I had to use the Sysinternals ERD to get in there and delete it through the GUI. You could also boot to a Windows recovery console using the Windows install disk (http://pcsupport.about.com/od/fixtheproblem/ss/rconsole.htm). Point is your current Windows OS cannot be loaded in any way. After the offending file is deleted from WINDOWS\System32, then you may safely change ther registry without fear of a reappearance. Thanks again.

loginitin:

another simpler method

http://www.pctechrx.com/DisplayAllInfo.asp?bId=26

Aussie Pete:

Found this on my search. Its free and it scans and CLEANS your Registry problems for free as well

It's called CCleaner and you can get it here and have a try.

http://www.filehippo.com/download_ccleaner/

Mark:

CCleaner is great but registry issues are just one symptom of the infection. I pulled the hard drive and scanned it as an external drive. Malwarebytes Anti-Malware detected and deleted the sdra64 entries along with some others including rootkits on a clients XP SP2 machine.

Aussie Pete:

I agree Mark. There are other issues with this virus.

But I thought it might be worth publishing this free software that does repair errors in the registry for free. Although I had already had got rid of sdra64 before I located this CClenaer..it would have been interesting to see if it picked it up and what it did with it.

FYI I wont be re-infecting my PC with it just to find out. LOL

krakbabie:

The problem with sdra64.exe is that it now hides itself via rootkit technology. Check out the video at http://www.joeverminator.com for manual removal techniques. This file is related to ZBot (Zeus) and can steal your credentials, so do not leave it on your system long!

Benjamin:

i used a program called unlocker it does wonders. I unlock the process as it is being locked by winlogon.exe and then i delete it and remove the registry key. this is a sneaky virus it hides in the winlogon so you cant find it in most startup editor programs.

[Nov 14, 2009] autodis.dll Parasitic BHO that displays ads in IE8

Can be removed by ComboFix.exe.

Name: Not Available
Publisher: Control name is not available
Type: Browser Helper Object
Version: Not available
File date:
Date last accessed: Today, November 14, 2009, 7:52 PM
Class ID: {B16D00EA-A4E6-48B6-B524-2F366CA4210D}
Use count: 2
Block count: 3
File: autodis.dll
Folder: C:\WINDOWS\system32

In post Solved Trojan.Win32.BHO.abo - Tech Support Guy Forums one guy claims that it is possible to use ComboFix.exe for cleaning of this BHO. I reinfected one of text PCs and was able to clean it using Comboclean but this is just one test and ComboClean might have side effects (on my computer it disabled Netdrive and changed code page for cmd) so restoring from a clean backup is always cleaner solution.

Solved: Trojan.Win32.BHO.abo
Hi.. I recently installed Kaspersky Antivirus 7 and its picking up a Trojan that it can't get rid of. it says it's a Trojan.Win32.BHO.abo and has infected the C:\Windows\system32\autodis.dll file. Can anyone help me get rid of it?

[Oct 4, 2009] Virus, Spyware & Malware Protection Microsoft Security Essentials

Save money: free Microsoft antivirus software for PCs.
Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.

Microsoft Security Essentials is a free download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.

Microsoft Security Essentials runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.

Erik's Work Notes Install SteadyState and Enable Disk Protection in one shot!

Install SteadyState and Enable Disk Protection in one shot! Here's the code that I used to install Windows SteadyState v2.5 and enable windows disk protection all in one shot. This took forever to figure out with myself and a colleague doing a significant amount of head scratching.

After Windows installer finishes the SteadyState install (I used a custom transform to skip the WGA validation since an unattended install would always freeze during this process), you need to run the SCTUI.EXE application located in the folder C:\Program Files\Windows SteadyState\. The catch is that if you try and run it from the same script that you ran the installer from, SCTUI will launch and immediately exit without enabling disk protection. The workaround we finally came up with was to have the installer script create a temporary user account that is a member of the local administrators group and execute SCTUI as that user. Ah, but you can't pass a password to RUNAS.EXE you say? That's where cpau from joeware comes in.

With cpau, you can specify both the user id and the password on the command line. The beauty of this is that once SCTUI has been launched you can delete the "temporary" administrator account we created earlier (the one that cpau is using to launch SCTUI) and the process will still run because of the way security contexts work in Windows (note: I have not yet tested this on Vista).

We guessed (correctly) that the SCTUI was somehow sensing that it was being launched from the same parent process as the Windows Installer instance that installed SteadyState. That's where the other benefit of cpau comes in. The process that cpau creates will be in an entire new user context and won't inherit any of the parent process' environment.

Once the installer scripts finish, the system will reboot. Once the system comes back up, you'll have to run the Windows SteadyState management tools to more fully configure Windows Disk Protection if you don't want all disk changes discarded with each boot.

Getting this all going took me 2 scripts, since I wanted to do some tidying up with the second script. Remember to watch out for line-wrap. As always, your mileage may vary, run these scripts at your own risk and always test on non-production systems and have good backups! That said, I cannot spend a significant amount of time supporting these scripts, here they are:

Script 1; GO.CMD:

@ECHO OFF
ECHO Installing SteadyState Components...
MSIEXEC /I SteadyState.msi /qb TRANSFORMS=SteadyState-attempt4.mst /log %TEMP%\SteadyState.Log

:WDP
ECHO About to enable disk protection...
ECHO.
ECHO Please close all running applications and save all settings.
ECHO When the computer reboots after this, all changes made to the
ECHO hard drive will be discarded when the computer is shutdown or
ECHO restarted.
ECHO.
ECHO THIS IS YOUR FINAL WARNING! Press CTRL-C and choose Y to cancel or
PAUSE
NET USER WDPINSTALLER WDP@ss0123 /ADD
NET LOCALGROUP ADMINISTRATORS WDPINSTALLER /ADD
@START cmd /c wdpenable.bat

Script 2; WDPEnable.BAT:

@ECHO OFF
REM Cleanup the SteadyState installer and any files that
REM contain sensitive account information (like passwords).
DEL /Q *.CMD
DEL /Q *.MSI
DEL /Q *.MST
@cpau -u WDPINSTALLER -p WDP@ss0123 -ex "C:\Program Files\Windows SteadyState\SCTUI.exe /EnableWDPAndReboot"
REM Once the process has been launched we can safely
REM delete the installer user account
@NET USER WDPINSTALLER /DEL
DEL /Q CPAU.EXE

If you want to know more about the transform file I used, send me an email message. I don't want to post it since I'm unsure of any potential licensing implications.

Update (3/18/2009):

Some people have asked me what I used to create the transform (MST) file. The tool I used is called ORCA, which is included in the Windows SDK Components for Windows Installer Developers, part of the Microsoft® Windows® Software Development Kit. If you’re just looking for the Windows Installer tools (which includes ORCA) and not the full SDK (which can be huge), Microsoft has also released the Windows Installer 4.5 Software Development Kit which is only 7MB.