Sorry that I can't help you, but this is one of two trojans that I cannot remove. I posted about it a couple days ago...
We should watch each other's threads to see if one of us is lucky enough to get a solution!
Fingers crossed! I understand that McAfee Total Protection is not a guarantee against getting unwanted visitors in my machine's code; but McAfee have known about this virus since March 2009 (according to McAfee's knowledge base). One has to wonder how long it takes to include a fix in the DAT files.
I really hope that somebody on this forum can help. I am at my wits end.
Whilst the spy-agent.bw.gen!mem detection has been around since 2009, it does not mean that the file detected in 2009 is the same; this infection is continually morphing at an alarming rate. There is a good write-up about it in this blog.
Also some info here.
Commonly the file in question these days is sdra64.exe; this file loads under winlogon, which means it runs every time your system starts up. The sdra64.exe file is generally hidden in the System32 folder, along with a folder called lowsec (which might also be hidden), also found in System32.
The problem is that it is not that easy to delete the file unless you know what you are doing. There are third-party tools that can remove the file and folder, but you'll need to confirm that the file/folder are indeed present, which means that you will have to show hidden files and folders.
Show hidden files and folders
Also recommend unticking the box "Hide protected operating system files"
Click yes to the warning
Click OK and Apply
Then go to the System32 folder by going to Start > Run and typing C:\Windows\System32, and see if they are present; do not try to delete them, as that may reboot your system.
If you wish to try Malwarebytes first, then by all means do so.
Message was edited by: paullotion on 19/04/10 00:44:26 IST
Here's the solution: download and run Process Explorer (link). Find sdra64.exe in the process list (use Ctrl+F) and choose Close Handle (Handle menu). You may also need to close the handles of all files placed in the ...\system32\Lowsec folder. Then you may go to ..\system32, find and delete the Lowsec folder and sdra64.exe (if the files are not visible, use "Folder Options" to unhide operating system files). That's it.
To finalise the curing, open regedit and browse to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value Userinit.
The Userinit value must contain "c:\windows\system32\userinit.exe," only!
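The two checks described in the thread (the hidden sdra64.exe / lowsec artefacts in System32 from the earlier post, and the Winlogon Userinit value from the post above) can be scripted so that neither depends on changing Folder Options or reading a registry value by eye. The following is an added example, not code from the thread or from any of the tools it mentions. It assumes only the two names and the registry value quoted in the posts; the sample Userinit strings and the throwaway directory it scans are constructed for the demo, and the live registry read is a convenience that only runs on Windows.

```python
"""Added example: check for the Zbot/sdra64 artefacts described in the thread.

Two checks, both safe to run offline:
  1. artifacts_in_listing / find_sdra64_artifacts: is sdra64.exe or the
     lowsec folder present in System32? os.listdir reports entries regardless
     of the hidden/system attributes, so Folder Options need not be changed.
  2. userinit_extra_entries: does the Winlogon Userinit value carry anything
     besides the real userinit.exe? The thread states the value must be
     "c:\\windows\\system32\\userinit.exe," and nothing else; any further
     comma-separated entry is a loader that Winlogon would start at logon.
"""
import os
import tempfile

# Names quoted in the thread.
SUSPECT_NAMES = ("sdra64.exe", "lowsec")

# The only entry that belongs in Winlogon\Userinit (compared case-insensitively).
LEGITIMATE_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample values for the demo. The second is an assumed infected
# shape: the legitimate entry followed by an appended loader path.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"


def artifacts_in_listing(names):
    """Return the suspect names found in a directory listing (case-insensitive), sorted."""
    wanted = {n.lower() for n in SUSPECT_NAMES}
    return sorted(n for n in names if n.lower() in wanted)


def find_sdra64_artifacts(system32_dir):
    """Return full paths of sdra64.exe / lowsec present in system32_dir, hidden or not."""
    try:
        names = os.listdir(system32_dir)
    except OSError:
        return []
    return [os.path.join(system32_dir, n) for n in artifacts_in_listing(names)]


def userinit_extra_entries(value):
    """Split a Userinit value on commas; return every entry that is not userinit.exe.

    An empty list means the value is clean. Anything returned should be
    examined (and its handles closed, as the post describes) before the value
    is reverted to the legitimate entry alone.
    """
    extras = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        if entry.lower() == LEGITIMATE_USERINIT:
            continue
        extras.append(entry)
    return extras


def read_live_userinit():
    """Read HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.

    Returns the string on Windows and None on any other platform (winreg absent).
    """
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def demo_on_constructed_system32():
    """Build a throwaway directory mimicking an infected System32 and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "sdra64.exe"), "wb").close()   # constructed dropper
        os.mkdir(os.path.join(tmp, "lowsec"))                   # constructed data folder
        open(os.path.join(tmp, "userinit.exe"), "wb").close()  # legitimate neighbour
        return [os.path.basename(p) for p in find_sdra64_artifacts(tmp)]


if __name__ == "__main__":
    print("constructed System32 scan:", demo_on_constructed_system32())
    print("clean Userinit extras:", userinit_extra_entries(CLEAN_USERINIT))
    print("infected Userinit extras:", userinit_extra_entries(INFECTED_USERINIT))
    live = read_live_userinit()
    if live is not None:
        system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        print("live Userinit extras:", userinit_extra_entries(live))
        print("live System32 artefacts:", find_sdra64_artifacts(system32))
```

Run it as an ordinary user on the suspect machine; reading the Winlogon key and listing System32 need no elevation. If the live checks report anything, that is the point at which the Process Explorer handle-closing and the registry edit from the post apply; the script deliberately only reports and never deletes or rewrites anything.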
sdra64.exe is not a process; it loads in winlogon's thread.
Many thanks for your helpful advice. I have found both Sdra64.exe and the lowsec folder in ...\System32 on my machine.
However, I am not sure how to find the 3rd party tools to remove these. Can you please recommend or post a link to one you trust?
Alternatively, should I simply highlight them and press the DELETE button? Surely that would be too easy :)
Sent you a private message.
You should remove the file by yourself. In fact all of them are locked. To unlock them, use the Process Explorer utility: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Follow my instruction and everything will be OK.
Hello Paullotion and AlexSha,
Thank you both for your helpful advice.
Having identified the offending files by following Paullotion's approach, I decided to try Malware Bytes before embarking on a more complex procedure to delete them.
Malware Bytes downloaded without problem in Windows Safe Mode, which was a pleasant surprise, because the virus caused AdAware to hang during installation. My second pleasant surprise was that Malware Bytes found and deleted Sdra64.exe and the lowsec file, along with 47 other trojans and assorted nasties.
For others who are interested, this is exactly what I did...
1. Start Windows in safe mode with networking
2. At the resulting black screen, press CTRL+ALT+DEL and then File > New Task > explorer.exe to reveal the icons on my desktop
3. Launch IE and download Malware Bytes
4. Install Malware Bytes and update DAT file
5. Quick Scan
6. Hey presto: files identified and quarantined.
Can it really be that simple? I am about to run another Malware Bytes scan (full one this time) and then McAfee for good measure.
Have I missed something? Am I still at risk?
Again, many thanks for your help