Sunday 19 April 2009

How to remove sdra64.exe yourself - for free

This is an off-topic post about how to remove the virus sdra64.exe, which somehow ends up in c:\windows\system32\sdra64.exe and which you can't delete or rename.

I searched online for 'remove sdra64.exe' and got bombarded by stupid-ass companies who all want to rip you off by making you think you need their software. Some even say it's free. You use their software, it tells you you have problems (surprise, surprise!) and then tells you you need to buy a license to do anything about it. Either that or you just end up on a page that makes out it is about tech support but is actually just trying to get you there so it can show you no content and a million ads.

Well this lil post is the official screw-you to all those douchebags.

First off, this virus is said to be a keystroke logger, so whatever you do, don't do anything which involves typing passwords or sensitive data until we have removed it.


Step 1 - Print off these instructions.

Step 2 - Bring your PC up in safe mode: That means go to Start > Run > and type:

msconfig

This will bring up the msconfig utility.

On the General tab, select 'Selective Startup' and UNCHECK all four boxes that have checks in them so they are empty. Then go to the BOOT.INI tab and check /SAFEBOOT and MINIMAL (next to it).

Click apply and OK.

It will ask you if you want to reboot. Say yes.

Step 3 - When your PC has rebooted, go to Start > Run > and type regedit.

This brings up registry editor.

Now navigate down this path:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

There will be a registry key in there called userinit. Its data will look like this:

C:\Windows\System32\Userinit.exe,C:\Windows\System32\sdra64.exe,

Now what you need to do is remove the second part, the bit in brackets here: (C:\Windows\System32\sdra64.exe,)

BUT - as soon as you do **poof** it will add itself back in !!

(If you have just tried to remove that part, click away to another folder in regedit and back into Winlogon and you will see it is back there again.)

So what to do ??

This is where we get sneaky.

Keep regedit open on the userinit key we want to edit - we are coming back to it in a sec.

Press Ctrl Alt & Del and open the task manager. Go to the processes tab. End process on a few of the svchost.exe processes.

When you have done one or two of them you will get a message saying the PC is about to reboot in 60 seconds.

Go back to regedit - double click the userinit key to edit it.

The idea here is to remove the unwanted part (C:\Windows\System32\sdra64.exe,) so you are just left with

C:\Windows\System32\Userinit.exe,

but DON'T click ok UNTIL the timer has almost completely run out.

We want to remove it with so little time left that the virus doesn't have time to add it back in again!!

I clicked OK somewhere between 1 and 0 seconds left.

Your PC will reboot now and come back up in safe mode again.

Step 4 - Check regedit to see if the change you made to the registry key in Step 3 has worked. If not, do it again.

If it has worked, you should see that all you have is

C:\Windows\System32\Userinit.exe,

Step 5 - Now go to Start > Run, type C:\Windows\System32\ and hit enter.

Find the file sdra64.exe (which now shouldn't be in use because we removed the command for it to load in Step 3).

Rename it to sdra64.bla and hit enter. It should let you because it isn't in use.

Step 6 - Now delete it.

Step 7 - Now go to your recycle bin and delete it from there too.

Step 8 - Delete all temporary internet files in Internet Explorer. (In Internet Explorer > Tools > Internet Options, under Browsing history click Delete.)

Step 9 - Reboot your PC again. It will still be in safe mode.

When it comes back up, check to make sure that sdra64.exe is gone from C:\Windows\System32\

If it has, then you can remove the safeboot option.

Start > Run > type msconfig

Select Normal Startup
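The check in Steps 3 and 4 boils down to one question: does the Userinit value contain anything other than the real userinit.exe? Here is that check as a small script. It is an added example, not part of the original post; the registry strings it tests are constructed (one of them is the twex.exe variant a commenter reports), and the live read only works on Windows.

```python
"""Inspect a Winlogon Userinit value for extra entries such as sdra64.exe.

Added example for this post; the sample values below are constructed, not
read from a live machine.
"""
import re

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# The only program Windows itself needs here. Case of the path does not
# matter on NTFS, and the trailing comma Windows leaves behind is normal.
LEGITIMATE = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$",
                        re.IGNORECASE)

# Constructed samples: a clean machine, the value shown in the post, and the
# variant one commenter saw where userinit.exe itself had been replaced.
SAMPLES = {
    "clean":  r"C:\Windows\System32\Userinit.exe,",
    "sdra64": r"C:\Windows\System32\Userinit.exe,C:\Windows\System32\sdra64.exe,",
    "twex":   r"C:\WINDOWS\system32\twex.exe,C:\WINDOWS\system32\sdra64.exe",
}


def split_userinit(value):
    """Split the comma-separated Userinit data into its individual entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def find_suspicious(value):
    """Return every entry that is not the genuine userinit.exe."""
    return [e for e in split_userinit(value) if not LEGITIMATE.match(e)]


def clean_userinit(value):
    """Return what Step 4 says you should be left with: userinit.exe only.

    If the legitimate entry was removed entirely (the twex.exe case), it is
    restored on the same drive letter the malware entries used.
    """
    entries = split_userinit(value)
    keep = [e for e in entries if LEGITIMATE.match(e)]
    if not keep:
        drive = entries[0][0] if entries and entries[0][1:2] == ":" else "C"
        keep = [drive + r":\Windows\System32\Userinit.exe"]
    return keep[0] + ","


def read_live_userinit():
    """Read the real value on Windows (read-only); return None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    live = read_live_userinit()
    for name, value in ([("live", live)] if live else []) + list(SAMPLES.items()):
        bad = find_suspicious(value)
        print(f"{name:7s} {'SUSPICIOUS' if bad else 'ok':10s} {value}")
        if bad:
            print(f"        extra entries: {bad}")
            print(f"        should be:     {clean_userinit(value)}")
```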

Hopefully you should now be rid of that god damn virus.

This is how I did it. Hopefully it will work for you too.

If you have any more info or tips that helped you, post them in the comments.

PEACE!



UPDATE: 03/08/09

I have been noticing a lot of comments about people still having problems getting rid of the sdra64.exe file itself.

I have had quite a few reports of getting around this using a simple freeware tool called Remove On Reboot, which allows you to right click the file, choose 'remove on reboot', and then the file gets deleted in the boot up process. Poof!

49 comments:

Unknown said...

Thank you so much for spending your time to so carefully spell out the solution. I followed your instructions step by step and successfully removed the virus on my first attempt.

Let me add that this virus (I believe) is known as the sub seven virus and causes a run time error 216 message to appear. Also, I was unable to use remote desktop, my outlook 2007 kept crashing and I constantly got winlogon errors.

Thanks again my friend

Mr P said...

Thanks for the feedback.

I'm glad it helped you.

The Moisture Man said...

First off, thanks for the info. I have the corp version of Norton and it couldn't remove it as could none of the other AV software. I pay them good money to do what? Jack All! Good thing I'm a bit of a geek and search for people like you that have done it. Thanks again.
Pat.

eni said...

It doesn't work for me even though I tried it so many times.. However, I thought of another solution. And here it simply goes...

1. Boot from my Windows XP installer.
2. Log on to recovery console.
3. Go to system32 directory folder.
4. Delete the file (del sdra64.exe).
5. Log on to Windows (on safe mode, don't know if will work on normal mode).
6. Go to regedit.
7. Modify the Userinit values as stated on this post
8. And, say "Whew!"

Cuban Man said...

I had the sdra64.exe infection and could not remove with ad-aware or SpyBot (it appears that it somehow would not allow SpyBot to correctly install, but I’m not sure about this).
PrevX found the names of the files, but when I went to pay (yes, I was so frustrated that I was willing to pay), I got a PayPal website that said it was under maintenance and I needed to provide more information. I got scared and decided to get rid of the files myself. It would not let me delete sdra64.exe so I went into safe mode and still no way.
I couldn’t get the "edit the registry key at the last second" solution to work – guess I just wasn’t fast enough or too fast at editing the registry key.
I don’t have an XP installer disk, but I do have a Knoppix bootable CD. Go to knoppix.com to get one. I was then stymied because I couldn’t delete the sdra64.exe file. I thought it was some evil code, but it was just that Knoppix default is read only from hard drives. I tried right-clicking on the hard drive to make it read-write, but I kept getting an error due to using an NTFS format. I found this solution:
http://sean-feeney.com/2007/10/knoppix-ntfs-mount-problem.html
I deleted the files listed by PrevX, including the dreaded sdra64.exe, then I rebooted with Windows and edited the userinit registry key and it stayed edited! Voila!
The feeling of success matches the frustration – I beat the idiot who wrote that virus (with your help). I only wish I could beat him (I’m guessing it’s a he) physically for the countless hours of lost time people spend on this. I also agree that paying to get it removed just feeds the beast – it’s extortion, plain and simple. Thanks for a super helpful blog post – I hope my little twist might help someone else.
Humberto

birkhauer said...

thank you. it worked. and its free!

Unknown said...

Hi I had the same problem but could not remove the virus with your method. I tried something else that worked.

1 - Download MS Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)

2 - Download MS Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)

3 - Open Process Explorer, press ctrl+F

4 - Type sdra64.exe

5 - Double click in the item that will be shown in the list "winlogon..."

6 - On the upper toolbar again, select 'Handle' then 'Close Handle' (Your Windows UI should be slightly different now, don't worry)

7 - Go to c:\windows\system32 and delete sdra64.exe

8 - Execute Autoruns.exe, go to the Logon tab, under the 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit', uncheck the sdra64.exe entry.

9 - Restart your computer, as we killed some critical OS processes, you will probably have to force the OS to reboot. Yes, press the button ;)

Hope that helps!

Bruno Spinelli

Unknown said...

Correcting my previous comment:

4 - Type 'sdra64.exe' and press 'search'

Unknown said...

I fixed in this way:

- install slax (www.slax.org) on a usb pen (256mb is enough)
- boot from usb pen. when linux has started, access the system folder, look for your drive and delete the sdra64.exe file in system32 (or similar file, mine was twext.exe)
- reboot to windows xp and fix registry deleting the entry

Anonymous said...

You my friend are a lifesaver. This nasty virus was making my on-line banking page ask for all my full pin log on and card number details. AVG had found and moved the virus to the vault, but had not deleted the registry settings. I followed your instructions and got it first time. The only thing that was different was that the sdra64.exe was not in the system32 folder (presumably because AVG had already zapped it?) Anyhow, it's now gone from the registry and my banking's back to normal.

Many thx

Squish said...

thank you, i was battling this f****** virus for over 4 hours and your blog finally helped me get rid of it. i live in denver, co and my customer was in phoenix, az. i was controlling their computer via webex. it was a computer register with no cd rom drives or usb.

Poul Wann said...

An easier way is to do this: open up cmd.exe.

type: cd \windows\system32
type: cacls sdra64.exe /d system
Reboot.
Delete sdra64.exe and clean up the registry entry in WinLogon. What we did was remove the access control list for the sdra64.exe file, which means it cannot execute on reboot, and thus it won't prevent you from editing the registry or deleting it after reboot.

Nick Chapman said...

this virus was kicking my butt for a while. mostly i was using automated tools instead of looking at which files were causing it. thanks for posting this!

in case it helps anyone, i took a slightly different route and booted into a linux live cd (puppy linux -- just over 100mb iso) and deleted the file. afterwards, i could boot up, but not log in as it was mad that it couldn't find the referenced file (that the registry was looking for). i then booted from a UBCD4Win (Ultimate Boot CD For Windows -- great resource) and used the 'remote registry' tool to modify the registry of my OS and changed the userinit reference so that it referenced the userinit.exe file and NOT the sdra64.exe file. looking back, i probably could have done this all from UBCD4Win.

obviously, this solution relies on having the ability to download a live cd and burn it if you don't already have one.

again, thanks for original solution for guidance!

Unknown said...

hi

I'm not very good with computers but I'm having a problem with sdra64. I followed the steps but my userinit reads like this
C:\WINDOWS\system32\twex.exe,C:\WINDOWS\system32\sdra64.exe
instead of C:\Windows\System32\Userinit.exe,C:\Windows\System32sdra64.exe,

so I looked into that twex.exe and it appears to be a virus as well, or it comes with the sdra64.
Anyway, should I delete it as well in regedit and re-type C:\Windows\System32\Userinit.exe,
before the reboot??

Jürgen said...

thanks, thanks and thanks again. This bloody Virus is gone to hell.

Dave said...

Thanks, this is awesome. This piece of trash plagued me for days. Just FYI, even in safe mode with command prompt, the process was still loaded and could not be deleted. I had to use the Sysinternals ERD to get in there and delete it through the GUI. You could also boot to a Windows recovery console using the Windows install disk (http://pcsupport.about.com/od/fixtheproblem/ss/rconsole.htm). Point is your current Windows OS cannot be loaded in any way. After the offending file is deleted from WINDOWS\System32, then you may safely change the registry without fear of a reappearance. Thanks again.

Dave said...

...Poul Wann's method would probably work as well. However, I could not find the file with my regular Windows OS loaded. Perhaps it "hides" itself. In any case, nice work everyone. Score one for the good guys.

Stephanie's Small Moments said...

I have successfully deleted the sdra64.exe from c:\windows\system32. However, after reboot, I found it still existed in the winlogon registry entry. I removed it, and to my surprise, it came back again automatically. I used process explorer and I could still find sdra64.exe was loaded. I double checked c:\windows\system32, and the file really didn't exist (I used the dir /a option). I used the process explorer to close the handle, but still can't successfully remove it from the registry. I don't know how this file can be hidden. I was wondering if there must be another process monitoring my registry update.. I was a little frustrated.

SATM JOSHI said...

hello, i am satyam
one file y6yol.exe is bothering me. i deleted it hundreds of times but it comes back again. it even hides itself and i pulled it back by the ATTRIB command and deleted it but unsuccessfully. anyone pls help me on this!!!

Unknown said...

I have cleaned this nasty virus using Solo Antivirus from http://www.srnmicro.com. When I choose clean button, Solo placed the infected file in pending clean and requested me to restart the system. After restart it removed the infection without problem.

Anonymous said...

this little b*tch virus is driving me NUTS.
no matter HOW many times i delete it from the registry it will NOT go away.
i've followed the steps too many times and everytime i go back to check to see if it's still there it's blatantly mocking and jeering at me just SITTING there
it will not BUDGE.

i even tried Poul Wann's method with the cmd and deleting it like that
it will not
go
away.

i have NO idea what the hell i'm supposed to do now

i've been on this freaking virus for a week now and spent too many sleepless nights and lost way too much hair for this

is there ANYTHING else i can do or try?

Anonymous said...

p.s. i tried the Solo Antivirus too
it didn't even PICK UP the damn virus.

Anonymous said...

I tried the steps. It didn't work. However I tried Poul Wann's method and it allowed me to edit the registry key without it coming back "poof", but I can't delete the file. It won't let me. Prompt - access denied. Arggh!

Keith said...

Has anyone found the fix for this? Has anyone tried combo fix? I've spent far too many days on this.

Unknown said...

I had the same problem with a blank screen and music in the background. I managed to boot off an old cd. When the boot came up from the CD i just hit enter, i did not do an R. after that it came to the license question, I hit F8, and then i hit the R for repair. everything came up fine and i ran the malwarebytes software. this found lots of problems and now I am back up and going. Try it, it will work

Unknown said...

Thank you indeed, Mr. P. I followed your instructions and finally got rid of the damned sdra64

Rick Bman said...

Thanks for posting this, was extremely helpful. I wasn't able to do it through safe mode because I was accessing the computer remotely. However, I was able to get into the registry before the computer was logged on and removing it from the registry entry at that point seemed to do the trick.

Unknown said...

It took me a couple of tries to get the timing right, but when I hit "OK" at 1 second on the countdown, it worked and it's gone. The info provided here is one of the BEST reasons for the internet to exist I've seen in a long time. Keep up the great work...AND sharing your knowledge with us all.

Anonymous said...

another simpler method

http://www.pctechrx.com/DisplayAllInfo.asp?bId=26

Unknown said...

perfect ! Mr. P you are a genius, thank you.

Unknown said...

Hmm, tried most of the above. Managed to get rid of the reg entry but the sdra64.exe file in system 32 is still in use, therefore I cannot delete it.

Any thoughts?

Aussie Pete said...

I've been chasing that sdra64 virus for 3 bloody days now. It's like a mother-in-law. It kept coming back. And as for those so called Registry Cleaner programs, they are about as sincere as a Xmas Card from a Bank Manager.

I followed your instructions to the letter and I might add (very clear instructions) and finally was able to delete it out of the PC between 0 and 1 second.

Now to my next problem. I seem to have a problem with c:/windows/system32/motherinlaw.exe (only joking)

Thanks again
Cheers from down under
Pete

Aussie Pete said...

Found this on my search. It's free and it scans and CLEANS your Registry problems for free as well

It's called CCleaner and you can get it here and have a try.

http://www.filehippo.com/download_ccleaner/

Cheers
Aussie Pete

Unknown said...

CCleaner is great but registry issues are just one symptom of the infection. I pulled the hard drive and scanned it as an external drive. Malwarebytes Anti-Malware detected and deleted the sdra64 entries along with some others including rootkits on a client's XP SP2 machine.

Aussie Pete said...

I agree Mark. There are other issues with this virus.

But I thought it might be worth publishing this free software that does repair errors in the registry for free. Although I had already got rid of sdra64 before I located this CCleaner.. it would have been interesting to see if it picked it up and what it did with it.

FYI I wont be re-infecting my PC with it just to find out. LOL

Cheers
Aussie Pete

Unknown said...

The problem with sdra64.exe is that it now hides itself via rootkit technology. Check out the video at http://www.joeverminator.com for manual removal techniques. This file is related to ZBot (Zeus) and can steal your credentials, so do not leave it on your system long!

halftome said...

i used a program called unlocker, it does wonders. I unlock the process as it is being locked by winlogon.exe and then i delete it and remove the registry key. this is a sneaky virus, it hides in the winlogon so you can't find it in most startup editor programs.

Stu13 said...

These instructions worked like a charm for me on a XP - VM at work, direct & to the point. Now if I could just find the same type of direct & to the point instructions for TAPI.NFO

Anil said...

It did not work Mr.P. I was able to remove the registry entry, but could not delete the file as it says it is write protected or some non-sense. Help me pls...

Satish Shetty said...

i deleted this nasty trojan using GarbageClean.com and it cleaned it pretty well.

Sree said...

I am stuck in step 2. When I changed msconfig for SAFEBOOT MINIMAL, I get BSOD in any mode -

Problem has been detected and windows has been shut down to prevent damage to your computer.
. . . .
Technical information:
*** STOP: 0x0000007E (0x0000005,0x82B14C21,0xF8994C44,0xF8994940).

I tried all Safe Modes, Normal mode, Last used, but nothing works... it comes back to same BSOD.
Can some one help me?

Thanks

Neil said...

Thank you! Worked exactly according to your instructions. So glad to be rid of that virus.

Anonymous said...

HELP
i have win 7 ..just upgraded..as soon as it logs on it says.. sdra64.exe has stopped working..when i look for it with regedit or processes explorer i cannot find it....SO how do i delete it?

Unknown said...

Thank you! Also for me it worked exactly as you described.
One remark - I have tried 3 times to press "ok" between 1 and 0 seconds left, but the virus was always coming back. I had 2 svchost processes and closing each of them was resulting in the system reboot. I tried with one - no success. Then I tried with another - no success again!
I almost started losing a hope!
But then I decided to close both svchost processes (one after another), waited till the moment when it was really almost 0s left and pressed ok (confirming the registry change). The system rebooted without sdra64 in the registry! The rest was easy.
To be honest, I don't know if I succeeded because I was finally so close to 0s that the virus didn't have time to add back the unwanted part in the registry or because I closed both svchost processes.
I guess it was the latter case, because when I compared memory usage of both processes, it was lower for both processes after sdra64 had been removed.

Unknown said...

Malwarebytes Anti-Malware got rid of sdra64 and a few others that I did not realise was on my computer. I just did a quick scan.

Anonymous said...

Despite following the directions above and waiting until the last possible second, the sdra64 file kept coming back. I must have tried it about 20 times. I finally gave up and had decided to go another route (probably one of the other options listed above) but in order to do so, you would probably need to take your computer out of safe mode. So as I went to reverse the directions in step 2, I noticed that all the options that I had UNCHECKED earlier were CHECKED as if I had done nothing in step 2. Then I remembered that while I was in step 2, the OK option disappeared after I had clicked apply and went directly to restart (I did not have an option to click ok). In the directions, it states to "Click apply and OK". Well I decided to give it one more try but instead of clicking apply, I just clicked OK and followed the rest of the process through and it worked that time. Maybe the virus is able to eliminate that OK button once you click apply, which causes the user to believe that the settings change was accepted..???

Xygote said...

Just a word of warning to all those people who were infected by sdra64.exe. The first thing I did when I realised I was infected was to disconnect from the internet. And from another computer I went on the internet hunting for a solution, most of which are mentioned above. And they worked! I was able to delete sdra64.exe and delete the entry from the winlogon registry key. Then did several scans with various antivirus and anti spyware programs until nothing was found and the system was (or seemed) completely clean. I checked the registry key - all was as it should be. Used the computer for a few days (still not connected to the internet) - everything was still clean. So I reconnected to the internet - and within a few minutes the registry key entry was back!! So was sdra64.exe. So even if you manage to delete this file something else must remain running in the background, dormant, waiting for a chance to connect to the internet and redownload whatever it wants to. In the end I bit the bullet, reformatted the hard drive and reinstalled windows: it was the only way to be sure. Because if the virus can make entries in the registry and download files to your computer you can never be sure what other changes it has made to your system.

nikonor said...

Thank you!!
