Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Adware / Virus redirect infection

  • Please log in to reply
1 reply to this topic

#1 chew762


  • Members
  • 20 posts
  • Local time:04:42 PM

Posted 30 June 2010 - 04:39 PM

Hello There.... I am experiencing the link redirecting, random window popups, and sluggish response from my browser. AVG and Malwarebytes both report problems, but removing them with those programs is not successful. Below is the log file from my last Malwarebytes scan...

Malwarebytes' Anti-Malware 1.46

Database version: 4258

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/30/2010 3:54:36 PM
mbam-log-2010-06-30 (15-54-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 191570
Time elapsed: 54 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d6ca5e41-fcd7-48ec-8031-b85c98116b05_42 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\Temp\68.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Application Data\d6ca5e41-fcd7-48ec-8031-b85c98116b05_42.avi (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Here's the detailed object info for the files that AVG identified as infected.

"Object name";"C:\WINDOWS\system32\svchost.exe (2272):\memory_00400000"
"Detection name";"Trojan horse BackDoor.Ircbot.LWM"
"Object type";"file"
"SDK Type";"Core"
"Result";"Object is inaccessible."

"Object name";"C:\WINDOWS\system32\svchost.exe (2272)"
"Detection name";"Trojan horse BackDoor.Ircbot.LWM"
"Object type";"process"
"SDK Type";"Core"

I have no idea how to dig deep enough to get rid of these things. Any guidance would be greatly appreciated.


BC AdBot (Login to Remove)


#2 Budapest


    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:07:42 AM

Posted 04 July 2010 - 05:25 PM

Please run the Malwarebytes scan again (quick scan) and post the new log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users