Sdra64.exe (Sdra64) Trojan Virus File Information

Danger: Sdra64.exe is a dangerous file that performs activity on a user's computer which may be highly undesirable. This file is a trojan virus and is unsafe.

Type: Computer Trojan
Location: C:\WINDOWS\system32\sdra64.exe
Risk Level: Moderate

It is recommended that you remove any malicious software such as Sdra64.exe from your computer immediately. Below is our recommended removal tool for Sdra64.exe. The removal tool has been rated 5 cows out of 5 by Tucows and was previously CNET's Editor's Choice. Feel free to download it below.


Manual Removal – Sdra64.exe may be removed by analyzing your HijackThis log. Feel free to post your HijackThis log below if you need assistance analyzing it. HijackThis is ideal for manually removing the virus.


Sdra64.exe File Details -
File Type – EXE – Sdra64.exe is an executable file
First Identified – Mar 03 2024

We recommend that you follow our safety tips so that you can keep your computer clean.

Please post comments below. Your comments are both useful to visitors and to us.

This entry was posted on Tuesday, March 3rd, 2024 at 11:15 pm and is filed under Suspicious File.

21 Responses to “Sdra64.exe (Sdra64) Trojan Virus File Information”

Zach March 4th, 2024 at 4:24 pm

I was lucky enough to witness this trojan in action as early as 25FEB09. Had to boot to a PE disc to remove it. It was disabling Windows Firewall as well as causing Symantec Tamper Protection errors in the Event Viewer. It was DLing malware to the system. To those not yet infected... be careful what you click on. Pretty sure this was installed via email.

margo March 20th, 2024 at 3:00 am

I came across this sometime in the last day and can't get rid of it. My AVG supposedly caught it and quarantined/deleted it, but then my WinPatrol warned me that SDRA64 was trying to automatically start up and numerous suspicious tasks appeared in the WinPatrol window. I did another scan; downloaded Spyware Doctor and scanned/cleaned with that; searched my computer for any sdra64 or lowsec files to see if it had saved itself somewhere else (per online suggestions); tried to kill the suspicious applications on restart using WinPatrol: nothing. But WinPatrol is pretty insistent that it's still there. Does anyone have other suggestions on how to remove this?

Mariusz March 20th, 2024 at 11:20 pm

Hello,

I had the same sdra64.exe virus a few days ago.

What I did first was going into safe mode.

Then I deleted (or rather modified) the registry key containing sdra64.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

from:

“Userinit”=”C:\\WINDOWS\\SYSTEM32\\Userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,”

to:

“Userinit”=”C:\\WINDOWS\\SYSTEM32\\Userinit.exe,”

Then I renamed C:\WINDOWS\SYSTEM32\sdra64.exe to sdra64.bla and deleted it after reboot.

Fred McCabe March 23rd, 2024 at 11:03 pm

I modified the Registry Key as advised but it still wouldn’t let me rename sdra64.exe (or delete it). I am going to use a boot disc and delete it from there.

unknown April 16th, 2024 at 4:25 pm

I tried to edit the Registry Key and set it to just userinit.exe;
however, when I clicked OK and went back to it, sdra64.exe had re-written itself in.

Any ideas on how to stop this?

Still couldn't delete or rename it either.

Jeff June 1st, 2023 at 12:17 am

We had the same problem and followed this article to manually remove it.

https://www.pctechrx.com/DisplayAllInfo.asp?bId=26

Vince, IT June 9th, 2023 at 3:19 pm

Thanks a lot for the above post.

Worked like a charm!

Michele June 22nd, 2023 at 10:26 pm

I discovered lowsec first via MalwareBytes but it didn’t pick up sdra64.exe so I didn’t know of it until I decided to find out more about what lowsec was and how it got onto my computer.

Prevx found sdra64.exe in the folder

C:\Documents and Settings\My User Name\Application Data

and I’ve had no problems deleting it.

I checked the userinit registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and it said C:\Windows\System32\Userinit.exe

so I’m assuming that sdra64.exe wasn’t launching.

I am concerned about it being in a different directory though (seems everyone says it usually appears in c/windows/system32)

Is there anything else I should check?

M July 1st, 2023 at 6:55 am

I tried to manually edit/delete sdra64 from the registry and the system32 folder. It didn't work; it kept reappearing in the registry and since it is in use, I couldn't delete sdra64.exe from system32.

I downloaded an Unlocker (freeware) from https://ccollomb.free.fr/unlocker

I changed sdra64.exe to sdra64.exe0, but received 2 error messages before another error message that stated something about changing the name the next time the computer boots. All I did was restart the computer in safe mode again and check for the file in the system32 folder. It worked! I went back to the registry key and deleted C:\WINDOWS\SYSTEM32\sdra64.exe from "Userinit". Then, I deleted the sdra64xxxxx.pf from the Windows\Prefetch folder.

The computer seems fine now and it’s not restarting.

Use whatever method you like to eliminate the virus, but try Unlocker to change the name or delete the file if Windows does not allow you to make changes to it.

Sonicdh6 July 6th, 2023 at 3:31 am

I need help. Every time I open up Task Manager it keeps closing automatically, same with the download programs to get rid of System Security.

newdude July 7th, 2023 at 3:00 am

Trying to start up in safe mode, but once I choose the option my PC restarts, not sure how to progress... I'm thinking of just fdisking.

palival July 13th, 2023 at 5:56 pm

I have cleaned this nasty virus using Solo Antivirus from https://www.srnmicro.com. When I choose clean button, Solo placed the file in pending clean and requested me to restart the system. After restart it removed the infection without problem.

bibZ July 29th, 2023 at 10:53 am

MANUAL REMOVAL !
[tools needed : Sysinternals Autoruns & Unlocker]

1) Go to system32 and find sdra64.exe
2) Unlock it with Unlocker and delete it.
3) Go to the folder called "lowsec" in system32 which contains the spyware data.
4) Unlock each file inside it and delete them all.
5) Run the Autoruns tool and delete the registry entry containing "sdra64.exe" (not userinit.exe).
6) Reboot and you're free now!

-
bibZ

wyseur September 16th, 2023 at 2:47 am

Thanks bibZ, your way seems to have been successful... at last! Freedom!

Elton September 19th, 2023 at 1:47 pm

Amazing tutorial sir bibZ July
Works Great..
thanks

Average Joe October 17th, 2023 at 8:05 am

Just got hit by this. However, because the account it hit was a user, it couldn't get into the system32 folder – yes, I am running XP.

What tipped me off was the firewall was constantly reporting it was blocking explorer from hitting an IP address, 193.169.12.22.

Nothing told me this IP was linked to sdra64.exe

Anyway to get rid of it.

Firstly it hid and then anything you edited to stop it was rewritten almost instantly.

So in regedit I changed permissions on the Run key so the current user couldn't edit the entry it creates under Run (only one spot because no admin to change the global Run key) – I had to use Deny on any permission that said write/change.

close regedit

I then did a runas of another user (an admin in this case)

Splatted the contents of the key which point to the application data directory. However, sdra64 couldn't update because the user it was running as was denied – what a shame!

rebooted the machine

Amazing, everything now loads and the file is visible. Move it to a temp directory and scan it – AV software says it is clean!! Rename it and remove the read-only attribute. Then delete it from the command line so it doesn't get a second life.

reboot again and check

all clear.

Tom October 20th, 2023 at 12:51 pm

Program is in memory so need to kill on reboot.
1 Download & Install Winpatrol (freeware version)
2 Click on ACTIVE TASKS tab
3 Program is ‘userinit sdra64.exe HKCU_RUN’
4 Highlight and right click program
5 From context menu select ‘DELETE FILE ON REBOOT’
6 REBOOT
IT’S GONE and can never be recovered

Infection December 1st, 2023 at 11:52 pm

Well, this trojan became really scary lately.
If it gets into your system I'd recommend you save the files you need and reinstall Windows. If that trojan ever gets a chance to take over your system (and believe me, it will), it will delete all files that include Kaspersky, Nod32, Norton, Avast and similar filenames (almost all antiviruses and antispywares)

If you somehow get a chance to delete it (I'm really lucky to know so much about computers, which saved me here) you will still have a pretty damaged system later. So, listen to what I say, save all valuable files and format all your hard disks. This is the only way to keep your privacy safe.

Hope I helped you ppl :)

Miffed Joe December 2nd, 2023 at 10:25 pm

Average Joe :

I found out I had it today, and independently did exactly what you did too. Just reaffirms you should never interactively use your PC as an administrator, and I have disabled the Run HKCU registry key for everyone on the PC to avoid this kind of thing in the future.

chokri January 12th, 2024 at 5:16 pm

Use Avast antivirus; when you are prompted about the virus, have it moved or renamed but not deleted. Then run a memory scan, and voila, the virus is deleted forever.

shakenbake January 28th, 2024 at 8:31 pm

Hey,
Has anyone run into the "process explorer" app finding the "lowsec" folder, but when they go to find it via Windows Explorer, the file/directory is not found?? I've gone to "folder options" under Control Panel to change settings so that all items can be viewed in a folder, but I still can't see the "lowsec" folder and items??
