Bloody Virus! Here's the fix .....
Ahhhhhhhh! Pull my hair out and call me bald! Actually don't do that, I like having hair. Just spent hours trying to rid my PC of a stupid virus! I stumbled across a strange key in my registry while cleaning up a few keys that were left behind when I deleted a program: sdra64.exe. Following the link will take you to some information on the virus.
The key you are looking for is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
and if it shows the string
C:\Windows\System32\Userinit.exe,C:\Windows\System32\sdra64.exe
Then ayup, you got it! I've read that it can bypass most of the best antivirus and spyware cleaners and remain undetected. It can also stop you from being able to install an antivirus, as well as having the ability to both turn off your antivirus and shut down your computer. Deleting the above string alone won't get rid of it, as it will re-install every time you reboot unless you get rid of it completely. It falls into the category of info stealer, but I am aware that, if present, it can cause a number of issues.
So, being curious, off I trek to find out what it is, because I have never noticed this last bit in my registry before ... I know my registry fairly well as I have fixed a number of issues with it over the years. Even if you unhide system and hidden folders you will most likely not find the file in the system32 folder to be able to delete it.
I couldn't find the file until I booted into safe mode, where I could see the file but was still unable to delete it. So here are the steps to rid yourself of this nasty little *cough* f (insert any relevant word you like here) ker.
To remove this, I found these steps to be the only one of the 3 fixes I tried that worked
Firstly
Go to START > RUN > MSCONFIG
Choose SELECTIVE START UP
untick all 4 boxes
Go to the BOOT.INI tab
Check SAFEBOOT and choose MINIMAL (found next to the safeboot option)
Reboot your computer into safe mode and log into ADMINISTRATOR.
Go START > RUN > REGEDIT
The easiest way to search is to go to the EDIT menu and choose FIND.
Type in sdra64.exe and click OK to search.
To find it manually, refer to the Winlogon key quoted at the beginning of the post to locate it in your registry.
Double click the USERINIT key in the right pane
You will notice it will look like this
C:\Windows\System32\Userinit.exe,C:\Windows\System32\sdra64.exe,
Delete everything after the first comma (the ,C:\Windows\System32\sdra64.exe, part) so that the key looks like this :
C:\Windows\System32\Userinit.exe
Now go to C: (or your main OS drive) > WINDOWS folder > SYSTEM32 folder. You should now be able to find the file, but more than likely it still won't let you delete it. If you cannot find the file, make sure you have your folders unhidden.
(To unhide folders go to the TOOLS menu and select FOLDER OPTIONS from the drop down list.)
If you can see it but cannot delete it
You may also need to reset the permissions on the file. To do this simply RIGHT CLICK on the file and choose PROPERTIES.
Select the SECURITY tab.
Choose DENY for all permissions
Make sure PERMISSION INHERITANCE is unchecked
hit (not punch :-P) APPLY and/or OK
Now you should be able to delete the file easy as. Make sure you also delete the file from your recycle bin.
Restart in SAFE MODE
Go back to your registry and have a look to make sure the sdra64.exe file is no longer attached to your user init key (following the steps above if you are not too savvy at finding your way around the registry).
Before you restart your computer again go back to
START > RUN > MSCONFIG
and choose normal start up.
Reboot your computer. If you're as lucky as me it should be all gone.
If not I'll be scratching my head as much as you.
Let me know how you go if you had a similar issue or found this helpful in any way.
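As an added check that is not part of the original post, the following PowerShell script reads the Userinit value described above, reports any entry other than the real userinit.exe (including whether the file is visible from the current session), and with -Fix writes the stock value back. It assumes an elevated PowerShell prompt on a Windows version that ships PowerShell; it does not replace the Safe Mode, permissions and file-deletion steps above.

```powershell
# Added example (not from the original post): inspect the Winlogon Userinit
# value for entries like the one described above and, if asked, restore
# the default. Run from an elevated PowerShell prompt; only -Fix writes.
param([switch]$Fix)

$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'System32\userinit.exe'   # the only legitimate entry

$current = (Get-ItemProperty -Path $key -Name Userinit).Userinit
Write-Host "Current Userinit value: $current"

# The value is a comma-separated list; Winlogon launches every entry at logon,
# which is why the post's malware appended itself after userinit.exe.
$entries = $current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$extra   = $entries | Where-Object { $_ -ne $expected }   # -ne is case-insensitive

if (-not $extra) {
    Write-Host 'Userinit is clean: only userinit.exe is listed.'
    return
}

foreach ($e in $extra) {
    Write-Warning "Unexpected Userinit entry: $e"
    # -Force also shows files flagged hidden/system, the way the post says it hides
    $f = Get-Item -LiteralPath $e -Force -ErrorAction SilentlyContinue
    if ($f) {
        Write-Warning ("  file exists, attributes: {0}, size: {1} bytes" -f $f.Attributes, $f.Length)
    } else {
        Write-Warning '  file not found from this session (may only be visible in Safe Mode)'
    }
}

if ($Fix) {
    # The stock Windows value ends with a trailing comma, so keep it.
    Set-ItemProperty -Path $key -Name Userinit -Value ($expected + ',')
    Write-Host "Userinit reset to: $expected,"
    Write-Host 'Now delete the listed file(s) as described above and reboot.'
} else {
    Write-Host 'Re-run with -Fix to reset Userinit to the default value.'
}
```

Run it again after the reboot: if the extra entry has come back, the file was not actually removed and the reinstall-on-boot behaviour the post describes is still in play.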
Ok .. virus found and conquered, post made, oh and look, just in time to get 4 or 5 hours sleep if my computer gives me permission to go to bed now.
Ciao for now, beautiful people.