19 Replies Latest reply on Sep 9, 2010 3:41 PM by Peter M

    spy-agent.bw.gen!mem

      Hello folks.  I've got a problem I can't solve and would really appreciate some help.

       

      McAfee Total Protection has identified the above virus in system32\winlogon.exe.  However, it is not able to delete it.  The virus is pretty nasty:

       

      1. It deleted all system restore points

      2. It prevents the icons appearing on my desktop (have to run explorer.exe from the process tab after CTRL ALT DEL)

      3. It prevents installation of Adaware (thought this might help where McAfee failed)

       

      What to do?

       

      Ben

        • 1. Re: spy-agent.bw.gen!mem

          Ben,

           

          Sorry that I can't help you, but this is one of two trojans that I cannot remove. I posted about it a couple days ago...

           

          We should watch each other's threads to see if one of us is lucky enough to get a solution!

           

          Good Luck!

           

          Craig

          • 2. Re: spy-agent.bw.gen!mem

            Hi Craig,

             

             Fingers crossed!  I understand that McAfee Total Protection is not a guarantee against getting unwanted visitors in my machine's code; but McAfee have known about this virus since March 2009 (according to McAfee's knowledge base).  One has to wonder how long it takes to include a fix in the DAT files.

             

            I really hope that somebody on this forum can help.  I am at my wits end.

             

            Ben

            • 3. Re: spy-agent.bw.gen!mem

              Hello,

               

               Whilst the spy-agent.bw.gen!mem detection has been around since 2009, it does not mean that the file detected in 2009 is the same; this infection is continually morphing at an alarming rate. There is a good write-up about it in this blog.

              http://www.securelist.com/en/analysis/204792107/ZeuS_on_the_Hunt

               

               

              Also some info here.

              http://www.threatexpert.com/report.aspx?md5=5ee669654b59a84fd8b4b65012f6c381

               

               Commonly the file in question these days is sdra64.exe. This file loads under winlogon, which means it runs every time your system starts up. The sdra64.exe file is generally hidden in the system32 folder, along with a folder called lowsec (which might also be hidden), also found in system32.

               

               The problem is that it is not that easy to delete the file unless you know what you are doing. There are third-party tools that can remove the file and folder, but you'll need to confirm that this file/folder are indeed present, which means that you will have to show hidden files and folders.

               

              Click start

              My Computer

              Tools

               Folder Options

              View

              Show hidden files and folders

               Also recommend unticking the box "Hide protected operating system files"

              Click yes to the warning

              Click ok and apply

               Then go to the System32 folder by going to Start > Run and typing C:\Windows\System32, and see if they are present. Do not try to delete them, as they may reboot your system.

              If you wish to try Malwarebytes first, then by all means do so.

               

               

              Message was edited by: paullotion on 19/04/10 00:44:26 IST

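As an added example (not part of paullotion's post or any McAfee tool), the check described above can be done from PowerShell instead of clicking through Folder Options. `Get-Item -Force` returns items carrying the Hidden and System attributes, which is exactly what Explorer suppresses until "Hide protected operating system files" is unticked. The names sdra64.exe and lowsec are taken from the post; the System32 path is assumed from `$env:SystemRoot`. The script only reports, it deletes nothing, for the reason given in the post.

```powershell
# Added example: report whether the Zeus artefacts named in the thread exist
# in System32, and which attributes kept them out of sight in Explorer.
# Names (sdra64.exe, lowsec) are from the post; the path is assumed to be
# %SystemRoot%\System32.
$system32  = Join-Path $env:SystemRoot 'System32'
$artefacts = @('sdra64.exe', 'lowsec')

function Get-ZeusArtefacts {
    foreach ($name in $artefacts) {
        $path = Join-Path $system32 $name
        # -Force is required: without it Hidden/System items are skipped.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Host "not found: $path"
            continue
        }
        [pscustomobject]@{
            Path       = $item.FullName
            IsFolder   = $item.PSIsContainer
            Attributes = $item.Attributes
            # These two flags together are what "Hide protected operating
            # system files" hides.
            Hidden     = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            System     = (($item.Attributes -band [IO.FileAttributes]::System) -ne 0)
            Modified   = $item.LastWriteTime
        }
    }
}

Get-ZeusArtefacts | Format-List

# If lowsec exists, list what is inside it (also hidden). These are the files
# whose handles winlogon holds open, which is why a plain delete fails.
$lowsec = Join-Path $system32 'lowsec'
if (Test-Path -LiteralPath $lowsec) {
    Get-ChildItem -LiteralPath $lowsec -Force |
        Select-Object Name, Length, Attributes, LastWriteTime |
        Format-Table -AutoSize
}
```

Run it from an elevated prompt; on a system where Explorer has been prevented from starting, it can be launched the same way the original poster launched explorer.exe, from Task Manager's New Task dialog. A LastWriteTime far newer than the rest of System32 is a useful sanity check before trusting the name match alone.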
              • 4. Re: spy-agent.bw.gen!mem

                Hi, all.

                 

                 Here's the solution: download and run Process Explorer (link). Find sdra64.exe in the process list (use Ctrl+F) and choose Close Handle (Handle menu). You may also need to close the handles of all files placed in the ...\system32\Lowsec folder. Then go to ..\system32, find and delete the Lowsec folder and sdra64.exe (if the files are not visible, use "Folder Options" to unhide operating system files). That's it.

                 To finalise the curing, open regedit and browse to HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, userinit.
                 The key userinit must have "c:\windows\system32\userinit.exe," only!

                 

                Good luck.

                 

                Alexey

                 

                 

                Message was edited by: AlexSha on 4/19/10 8:40:29 AM CDT
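As an added example (not from AlexSha's post), here is the Userinit check from the reply above done in PowerShell, so that a stray entry is found mechanically rather than by eye. Userinit is a comma-separated list and Windows launches every entry, which is why this family appends its own path after the legitimate userinit.exe. The registry path and the expected value are the ones given in the post; the exact filename comparison and the optional repair step are assumptions of this example.

```powershell
# Added example: inspect the Winlogon Userinit value and flag anything other
# than the genuine userinit.exe. Registry path and expected value are from the
# thread; everything else here is this example's own assumption.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected    = Join-Path $env:SystemRoot 'System32\userinit.exe'

function Get-UserinitEntries {
    $raw = (Get-ItemProperty -Path $winlogonKey -Name Userinit).Userinit
    # The legitimate value ends in a trailing comma, so drop empty entries.
    $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
}

function Test-Userinit {
    $entries = Get-UserinitEntries
    # Compare the full path case-insensitively; a userinit.exe sitting in any
    # other directory must also be treated as suspect.
    $extra = $entries | Where-Object { $_ -ine $expected }
    if ($extra) {
        Write-Warning "Unexpected Userinit entries:"
        $extra | ForEach-Object { Write-Warning "  $_" }
        return $false
    }
    Write-Host "Userinit is clean: $($entries -join ',')"
    return $true
}

function Repair-Userinit {
    # Restores the default. Only do this after the locked files have been
    # dealt with as the thread describes; while the injected code is still
    # running inside winlogon it can simply write its path back.
    Set-ItemProperty -Path $winlogonKey -Name Userinit -Value "$expected,"
    Test-Userinit | Out-Null
}

if (-not (Test-Userinit)) {
    Write-Host "Run Repair-Userinit from an elevated prompt to restore the default value."
}
```

Reading the value needs no elevation; `Repair-Userinit` does. Note that Process Explorer's Close Handle releases a handle but does not unload the code already injected into winlogon, so the repair belongs after a reboot into Safe Mode or after the file has been removed, not before.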
                • 5. Re: spy-agent.bw.gen!mem

                   sdra64.exe is not a process; it loads in winlogon's thread.

                   

                   

                  on 19/04/10 20:19:05 IST
                  • 6. Re: spy-agent.bw.gen!mem

                     Hi Paullotion,

                     

                    Many thanks for your helpful advice.  I have found both Sdra64.exe and the lowsec folder in ...\System32 on my machine.

                     

                    However, I am not sure how to find the 3rd party tools to remove these.  Can you please recommend or post a link to one you trust?

                     

                     Alternatively, should I simply highlight them and press the DELETE button?  Surely that would be too easy :)

                     

                    Kind regards,

                     

                    Benjy

                    • 7. Re: spy-agent.bw.gen!mem

                      Sent you a private message.

                      • 8. Re: spy-agent.bw.gen!mem

                         You should remove the file by yourself. In fact, all of them are locked. To unlock them, use the utility Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

                        Follow my instruction and everything will be OK.

                         

                        Alexey

                        • 9. Re: spy-agent.bw.gen!mem

                          Hello Paullotion and AlexSha,

                           

                          Thank you both for your helpful advice.

                           

                           Having identified the offending files by following Paullotion's approach, I decided to try Malwarebytes before embarking on a more complex procedure to delete them.

                           

                           Malwarebytes downloaded without a problem in Windows Safe Mode, which was a pleasant surprise, because the virus caused AdAware to hang during installation.  My second pleasant surprise was that Malwarebytes found and deleted Sdra64.exe and the lowsec file, along with 47 other trojans and assorted nasties.

                           

                           For others who are interested, this is exactly what I did...

                           

                          1.  Start Windows in safe mode with networking

                          2.  At resulting black screen CTRL+ALT+DEL and then file/new task/explorer.exe to reveal the icons on my desktop

                           3.  Launch IE and download Malwarebytes

                           4.  Install Malwarebytes and update the DAT file

                          5.  Quick Scan

                          6.  Hey presto:  files identified and quarantined.

                           

                           Can it really be that simple?  I am about to run another Malwarebytes scan (a full one this time) and then McAfee for good measure.

                           

                          Have I missed something?  Am I still at risk?

                           

                          Again, many thanks for your help

                           

                          Benjy
