Jump to content

Backdoor.bot and Hijack.Usernit


Recommended Posts

Hi

I've been having trouble for some time with getting rid of several Backdoor.bot bugs in my computer. I use Malwarebytes and Microsoft Security Essentials and I have them both updated. I keep getting backdoor.bots , trojans, spyware and a hijacking virus which I can't get rid of! Straight after I have scanned and (supposedly) deleted them, they appear again (usually after I get a pop-up tab and my internet crashes).

I would really, really apprieciate help on this!

Thank you!

My last MBAM scan log:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3993

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

16/04/2010 00:07:37

mbam-log-2010-04-16 (00-07-37).txt

Scan type: Quick scan

Objects scanned: 113927

Time elapsed: 15 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:

C:\Documents and Settings\caspian\Local Settings\Temp\pdfupd.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\271.tmp (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\Documents and Settings\caspian\Local Settings\Temporary Internet Files\Content.IE5\XXXNMUOV\update[1].exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

Link to post
Share on other sites

Hello Colour and welcome to the forums.

Identity Theft

As you can see from MBAM, it looks like you have been infected by a few Backdoor Trojans.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we cannot guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here.

I suggest you do the following immediately:

  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities. I must remind you that i cannot guarantee that your computer will be completely clean afterwards since we have no way of knowing what has been done to it.

To help you make your decision, here are a few related articles that i suggest you read:

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.