
Backdoor Agent in Registry Key - Unable to Remove


Over the last 12 days, Microsoft Security Essentials identified and removed/quarantined the following malware on my laptop:

Exploit:JS/Blacole.O (10/19)

VirTool:JS/Obfuscator.BR (10/17)

Exploit:JS/Mult.DX (10/17)

Trojan:Win64/Sirefef.B (10/9)

Over this time period, I've had frequent instances (once or twice a day in some cases) in which IE opens spontaneously and usually, but not always, opens to the Google homepage (from looking at the browsing history, though, this appears to be a redirect from numerous other websites). I do all of my browsing in Firefox.

At this point, scans with Spybot, SUPERantispyware, and Microsoft Security Essentials show no infections (other than tracking cookies), but Malwarebytes finds the following:

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent)

The first few times, it offered to remove it after a reboot, but subsequent Malwarebytes scans found the same infection. More recently, Malwarebytes doesn't request a reboot but, instead, reports that it successfully removed the infection. Nonetheless, when I run a new scan the same result pops up. The Backdoor Agent, if that's what it is, would appear to be evading removal somehow. I'm not sure what to do at this point, and I'd greatly appreciate some advice...


I just completed a full scan with Ad-Aware, which found the following:

Description: c:\users\ernie\appdata\local\32e41f0f\x Family Name: Trojan.Win32.Smadow.b (v) Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 686b479b0ee164cf1744a8be359ebb7d

It removed it during the boot process, and subsequent quick scans in Ad-Aware and Malwarebytes came back clean. I'd still appreciate expert input, though.



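The value Malwarebytes keeps reporting, `Winlogon\Shell`, names the program Windows starts as the desktop shell at logon, which is why malware likes to append itself there. The PowerShell check below is an added example written for this thread, not code from the poster or from Malwarebytes; the function name is mine, and the expected defaults (the machine-wide value is `explorer.exe` and no per-user override exists) are assumptions for a stock Windows 7 installation.

```powershell
# Added example: audit the Winlogon "Shell" value in both hives against the
# stock Windows defaults (assumed, not taken from the thread).
function Test-WinlogonShell {
    [CmdletBinding()]
    param()

    $subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $targets = @(
        # Machine-wide value: Windows sets this to "explorer.exe".
        @{ Hive = 'HKLM'; Expected = @('explorer.exe'); MustExist = $true },
        # Per-user override: absent on a clean install, so any value at all is worth a look.
        @{ Hive = 'HKCU'; Expected = @();               MustExist = $false }
    )

    foreach ($t in $targets) {
        $path = "$($t.Hive):\$subKey"
        $raw  = $null
        if (Test-Path -Path $path) {
            # Returns $null when the key exists but has no "Shell" value.
            $raw = (Get-ItemProperty -Path $path -Name 'Shell' -ErrorAction SilentlyContinue).Shell
        }

        # Shell may be a comma-separated list; "explorer.exe,C:\evil\x" is a classic
        # persistence pattern, so every entry must be on the expected list.
        $entries = @()
        if ($raw) {
            $entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        # Comparison is by the literal entry, so a full path to explorer.exe is also
        # reported; for triage that is preferable to missing a copy in another folder.
        $unexpected = @($entries | Where-Object { $t.Expected -notcontains $_.ToLowerInvariant() })

        $status = 'OK'
        if ($unexpected.Count -gt 0)                       { $status = 'SUSPICIOUS' }
        elseif ($t.MustExist -and $entries.Count -eq 0)    { $status = 'MISSING' }

        [pscustomobject]@{
            Hive       = $t.Hive
            Value      = if ($null -eq $raw) { '<not set>' } else { $raw }
            Status     = $status
            Unexpected = ($unexpected -join ', ')
        }
    }
}

# Usage: run from an elevated prompt so HKLM is readable in full.
Test-WinlogonShell | Format-Table -AutoSize
```

A value that is correct but reappears after removal, as the poster describes, points to something re-writing it at boot or logon; in that case the check is most useful run twice, once before and once after a reboot, and compared.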


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Thanks for your reply. My computer is behaving well at this point. Since Ad-Aware removed the trojan from the registry, I've had no additional problems with spontaneous IE windows. I've also run an ESET scan (using the online scanner), and it came back clean. As instructed, I updated Malwarebytes and completed a new scan (full). Here's the log:

Malwarebytes' Anti-Malware


Database version: 7999

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

10/22/2011 11:45:45 AM

mbam-log-2011-10-22 (11-45-45).txt

Scan type: Full scan (C:\|)

Objects scanned: 364947

Time elapsed: 56 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Keep in mind you had / have a Backdoor infection.

We can look deeper but you need to be aware of this:

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


Thanks for your advice, Larry. I've already begun taking steps to safeguard the accounts that might have been compromised. I have no problem with reformatting the drive and starting from scratch, but I do have concerns about data files that I currently have on the PC, including PDFs, Office documents, and a QuickBooks file (no .exe's). Would it be safe to transfer them to the reformatted drive, or could they potentially harbor an infection?


That's a relief. I don't have a lot of data on the PC, but, what I do have, I need. Would the same apply to image files and html files? Primarily, should my concern be with executables?


Be sure to install your anti-virus and MBAM before connecting back on the internet.

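Before copying a data folder onto the rebuilt machine, it helps to inventory exactly what is in it, so that anything Windows would run on a double-click is left behind and document types that can carry macros or scripts are scanned with the freshly installed anti-virus first. The PowerShell report below is an added example for this thread, not code from the forum helpers; the function name and the extension lists are my own choices, not a complete or authoritative classification.

```powershell
# Added example: classify files in a backup folder before moving them to a
# reinstalled system. Extension lists are illustrative, not exhaustive.
function Get-BackupRiskReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # Types Windows executes or runs as script when opened; these have no place in a data backup.
    $executable = @('.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.vbe',
                    '.js', '.jse', '.wsf', '.wsh', '.ps1', '.msi', '.lnk', '.hta', '.jar', '.cpl')
    # Document and web types that can carry active content; keep them, but scan before opening.
    $activeContent = @('.doc', '.docm', '.xls', '.xlsm', '.ppt', '.pptm', '.pdf', '.htm', '.html', '.chm')

    # -Force includes hidden and system files, which a casual copy would otherwise miss.
    Get-ChildItem -Path $Path -Recurse -File -Force | ForEach-Object {
        $ext = $_.Extension.ToLowerInvariant()

        $risk = if     ($executable    -contains $ext) { 'Executable - leave behind' }
                elseif ($activeContent -contains $ext) { 'Active content - scan before use' }
                else                                   { 'Data' }

        [pscustomobject]@{
            File   = $_.FullName
            Ext    = $ext
            Risk   = $risk
            Hidden = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
        }
    }
}

# Usage: a per-category count first, then the full list of anything that is not plain data.
$report = Get-BackupRiskReport -Path 'D:\backup'   # path is an example
$report | Group-Object Risk | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Risk -ne 'Data' -or $_.Hidden } | Format-Table -AutoSize
```

Hidden files are reported separately because a hidden executable dropped into a documents folder is easy to carry across a rebuild without noticing.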

Very good. One last question about reformatting. My laptop came preloaded with Windows 7, but I don't have a disc. Would you happen to know if there's a way for me to get a disc without actually having to buy it? I know that's a bit off topic, but I thought you might have some idea...



Reinstalling Windows 7

You can reinstall Windows 7 using Recovery in Control Panel, under Advanced recovery methods. This method reinstalls Windows 7, either from a recovery image provided by your computer manufacturer, or from your original Windows 7 installation files. You need to reinstall all of the programs that you added, and restore all of your files from a backup. For more information, see Choosing an advanced recovery method.


If Windows came preinstalled, you might check with your vendor for a CD - it's unlikely that they'll give you one, but perhaps they'll have a discount or other solution for you.

One lesson here is to always get a copy of Windows on CD when you purchase a machine with Windows preinstalled.

You're more than welcome.

Glad we were able to help

Peace be with you


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.