Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Zbot Trojan and possible other infections?

  • Please log in to reply
2 replies to this topic

#1 ElevenDoor


  • Members
  • 2 posts
  • Local time:05:01 AM

Posted 04 March 2010 - 01:47 PM

Here is my tale. To start off, this is my computer at work. Running Windows XP SP2. I have an administrator account for the computer, but not for the network.

So a few weeks ago Firefox tells me to update. So I update to version 3.6. After the update I notice a few weird things happening. Sometimes a new tab will open without me having clicked on something and go to a random website, usually what looks like an obscure search site related to what I am already looking at or have searched in the past. Sometimes (and especially in Internet Explorer) a click on a search result in Google will bring me to something that is not what I clicked on. I also received a couple of emails of the Nigerian bank variety, and I don't usually get emails like that.

So I decide to run a virus scan. My work has Symantec endpoint protection. Symantec comes up with three instances of a Zbot trojan and a tacking cookie. The Zbots are quarantined, and the cookie deleted. I am not satisfied with quarantine, so I have the computer guy delete the quarantined files manually.

After this the problem persists. There is also an instance where the windows clock is wrong, which makes me late for a meeting because I didn't get the reminder from outlook. I am also getting notices in pop ups that my computer is infected. This time, I decide to consult Dr. Google to fix the problem. I find a file named sdra64.exe which Google search tells me is a bad file associated with the Zbot Trojan. So the way to delete this file is to go into the registry and delete part of the Winlogon userinit entry after stopping some processes and saving the change right before a reboot (caused by stopping processes, windows will reboot after 60 seconds, etc). After doing this, the registry doesn't change itself back, and I am able to delete the sdra64 file. I did forget to rename the file before I deleted it, which my instructions told me to do. But it seems to be gone now, and the registry hasn't changed back. However, the same problems persist.

So I start to get more desperate. Google searches suggest to me that a few programs may be able to solve my problem. Below are the results of each program I tried.

Avast - found a few things and deleted them. I have Unistalled the program.

Malware Bytes - found a lot of things and deleted them, including a lowsec folder supposed to be associated with the Zbot. Also deleted a file in one of the programs I need. I had to copy the file from a co-worker and replace it to get the program to work. I Unistalled the program. I re-installed it and am now running a new scan, which so far, shows no infections.

SuperAntiSpyware - found a lot of things and deleted them. I have Unistalled the program.

HijackThis - gave me a report I did not understand. I have Unistalled the program.

RootKit Revealer - gave me a report I did not understand. . I have Unistalled the program.

Spyware Doctor - reports 11 infections of Zbot, 24 tracking cookies, 4 spywere.known_bad_sites, and 13 adware infections. Have to buy Spyware Doctor for it to do anything about it, which I haven't done.

I also uninstalled and re-installed firefox. I also downloaded the add-in Web of Trust (WOT) for firefox.

After all this the problem persists. Now that I have WOT it tells me that the sites that pop up in new tabs are bad sites. Firefox takes a long time to load up and crashes pretty frequently. I also get a lot of unresponsive script warnings. Also the computer is running very sluggishly now. I am afraid that my installing of all these programs may have done some harm and has probably left my registry a mess.

So… Is there anything I can do other than telling my boss I fried my computer?


BC AdBot (Login to Remove)


#2 Sashacat


  • Members
  • 372 posts
  • Local time:09:01 AM

Posted 04 March 2010 - 02:35 PM

Hello :thumbsup:

The best thing you can do is not to make any further changes to your computer until one of the OFFICIAL STAFF MEMBERS can get to you.

Instructions from the following members is to be considered trusted:
Admin | Site Admin | Global Moderator | Moderator | Malware Response Instructor | Malware Response Team | BC Advisor

Do be patient, because they have lots of people to help.

I've read several articles on the zbot infection, and it is severe.
Some users, attempting to fix this on their own (without supervision) end up with a computer that will not boot into Windows.

This is from Microsoft on zbot:

Zbot evades most anti-virus programs:
If we don't change the direction we are going,
We are likely to end up where we are headed.

#3 ElevenDoor

  • Topic Starter

  • Members
  • 2 posts
  • Local time:05:01 AM

Posted 08 March 2010 - 11:49 AM

So I couldn't resist doing something while I wait for help. As some of my symptoms resembled the TDSS Trojan, I ran the TDSS killer. I found three things, and said it either cured them, or would do so on reboot. I am happy to report that things seem to be running pretty normally now. I'm not getting new tabs opened to untrusted sites, and google search links take me directly where they say they will (in both FF and IE). So I am hoping I am okay now. Firefox is still loading slowly, but I think that the WOT thing is slowing it down. Small price to pay in my estimation as the little green and red circles are pretty re-assuring.

Still would be nice to have someone who knows what to look for run over a scan for me, just to make sure I got everything. But Bleeping Computer forums have been a big help already. Thanks!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users