

backdoor: win32/zonebac.gen!F probs


Original Message
Name: jencohen
Date: March 12, 2008 at 15:06:38 Pacific
Subject: backdoor: win32/zonebac.gen!F probs
OS: Microsoft Windows XP Prof
CPU/Ram: 2gb
Model/Manufacturer: Dell Latitude D620
Comment:

I began having problems with my IE 6 opening new windows slowly so I started to troubleshoot. My antivirus software is Avast and it shows no virus after a thorough scan.

Microsoft Malicious software program shows a backdoor:Win32/Zonebac.gen!F virus that it cannot remove.

Can someone help me out?




Response Number 1
Name: jabuck
Date: March 13, 2008 at 03:28:47 Pacific
Reply:

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download FindAWF from the following link:
http://noahdfear.geekstogo.com/FindAWF.exe


Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.



Response Number 2
Name: jencohen
Date: March 13, 2008 at 05:20:42 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:40 AM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jennifer\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070304
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070304
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com...
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7900 bytes

FindAWF:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 03/13/2008
The current time is: 8:15:30.03


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

10/07/2005 02:13 PM 176,128 Apoint.exe
1 File(s) 176,128 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

08/28/2006 11:57 PM 395,776 DSAgnt.exe
1 File(s) 395,776 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

06/01/2007 04:51 PM 257,088 iTunesHelper.exe
1 File(s) 257,088 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NETWAI~1\BAK

09/10/2003 04:24 AM 20,480 netWaiting.exe
1 File(s) 20,480 bytes

Directory of C:\PROGRA~1\PICASA2\BAK

06/15/2007 07:15 PM 366,400 PicasaMediaDetector.exe
1 File(s) 366,400 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/27/2007 09:41 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

11/22/2006 07:35 PM 1,392,640 WLTRAY.exe
1 File(s) 1,392,640 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

09/06/2007 06:06 AM 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

12/09/2005 10:29 PM 49,152 DVDLauncher.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\DELL\QUICKSET\BAK

06/29/2006 02:13 PM 1,032,192 quickset.exe
1 File(s) 1,032,192 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

03/05/2007 12:38 AM 169,984 GoogleDesktop.exe
1 File(s) 169,984 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

08/11/2007 05:23 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

01/01/2007 05:22 PM 3,739,648 googletalk.exe
1 File(s) 3,739,648 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/12/2005 12:12 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

04/03/2007 12:26 AM 185,896 realsched.exe
1 File(s) 185,896 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\WAVESY~1\SERVIC~1\DOCMGR\BIN\BAK

09/08/2006 10:32 AM 102,400 docmgr.exe
1 File(s) 102,400 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

176128 Oct 7 2005 "C:\drivers\mouse\onboard\Apoint.exe"
176128 Oct 7 2005 "C:\Program Files\Apoint\bak\Apoint.exe"
395776 Aug 28 2006 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe1269992640"
257088 Jun 1 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 17 2008 "C:\WINDOWS\Installer\{02DFB3FD-CF52-4183-8BCA-2A127D4888F4}\iTunesIco.exe"
79144 Feb 4 2008 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.0.29\iTunesSetupAdmin.exe"
20480 Sep 10 2003 "C:\Program Files\NetWaiting\bak\netWaiting.exe"
591416 Sep 27 2007 "C:\Program Files\Picasa2\PicasaUpdate.exe"
5903928 Oct 21 2007 "C:\Documents and Settings\Jennifer\Desktop\picasaweb-current-setup.exe"
366400 Jun 15 2007 "C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
665160 Sep 27 2007 "C:\Program Files\Picasa2\cdautorun\PicasaRestore.exe"
5388088 Jul 16 2007 "C:\Documents and Settings\Jennifer\Desktop\Install\picasaweb-current-setup.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\QTTask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
1392640 Nov 22 2006 "C:\WINDOWS\system32\bak\WLTRAY.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
49152 Dec 9 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
1032192 Jun 29 2006 "C:\Program Files\Dell\QuickSet\bak\quickset.exe"
40960 Mar 5 2007 "C:\Program Files\Google\googletoolbar1user.exe"
136120 Jan 3 2007 "C:\Program Files\Picasa2\GoogleUpdaterService.exe"
1529400 Dec 5 2006 "C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe"
14348 Feb 26 2008 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
1606064 Jun 28 2007 "C:\Documents and Settings\Jennifer\Desktop\Install\googletalk-setup.exe"
1145896 Apr 3 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Mar 15 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
169984 Mar 5 2007 "C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
68856 Aug 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\bak\googletalk.exe"
40960 Mar 5 2007 "C:\Program Files\Google\googletoolbar1user.exe"
136120 Jan 3 2007 "C:\Program Files\Picasa2\GoogleUpdaterService.exe"
1529400 Dec 5 2006 "C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe"
14348 Feb 26 2008 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
1606064 Jun 28 2007 "C:\Documents and Settings\Jennifer\Desktop\Install\googletalk-setup.exe"
1145896 Apr 3 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Mar 15 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
169984 Mar 5 2007 "C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
68856 Aug 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\bak\googletalk.exe"
40960 Mar 5 2007 "C:\Program Files\Google\googletoolbar1user.exe"
136120 Jan 3 2007 "C:\Program Files\Picasa2\GoogleUpdaterService.exe"
1529400 Dec 5 2006 "C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe"
14348 Feb 26 2008 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
1606064 Jun 28 2007 "C:\Documents and Settings\Jennifer\Desktop\Install\googletalk-setup.exe"
1145896 Apr 3 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Mar 15 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
169984 Mar 5 2007 "C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
68856 Aug 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\bak\googletalk.exe"
14348 Feb 26 2008 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
185896 Apr 3 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
102400 Sep 8 2006 "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\bak\docmgr.exe"
102400 Sep 8 2006 "C:\Program Files\Dell\EMBASSY Trust Suite by Wave Systems\Embassy Trust Suite\Document Manager Lite\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe"


end of report



Response Number 3
Name: jabuck
Date: March 13, 2008 at 17:37:08 Pacific
Reply:

Double-click the FindAWF icon once again.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option:

Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Copy/paste the following list of bolded files to be restored:


"C:\Program Files\Apoint\bak\Apoint.exe"
"C:\Program Files\Dell Support\bak\DSAgnt.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\NetWaiting\bak\netWaiting.exe"
"C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\WLTRAY.exe"
"C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Dell\QuickSet\bak\quickset.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\Google Talk\bak\googletalk.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\Google Talk\bak\googletalk.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\Google Talk\bak\googletalk.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\bak\docmgr.exe"

Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
- It attempts to terminate the process represented by each filename on the list, if running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.


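As an added example (not from the thread, and not part of FindAWF), the following script reads the "Duplicate files of bak directory contents" section of a FindAWF report and does by machine what the helper does by eye: for every original parked in a bak folder it finds the live file of the same name one level up and reports whether that live copy differs in size from the original. The report excerpt embedded in it is constructed from sizes and paths in the first log posted above, and the recurring-size check (one size showing up as the live copy in several unrelated products) is my own heuristic, not a FindAWF feature.

```python
"""Triage the duplicate-files section of a FindAWF report.

Added example, not code from FindAWF or from the thread. A live executable
whose size differs from the backed-up original in its bak folder is the one
that needs restoring; one size recurring across unrelated products is a
strong signal on its own.
"""
import re
from collections import Counter

# Constructed excerpt in the report format posted in the thread (sizes and
# paths taken from the first FindAWF log above; not a complete report).
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Feb 26 2008 "C:\Program Files\QuickTime\QTTask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
395776 Aug 28 2006 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
"""

# One report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2} \d{1,2} \d{4})\s+"([^"]+)"\s*$')


def parse_duplicates(report):
    """Return [(size, date, path), ...] from the duplicate-files section only."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        m = LINE_RE.match(line) if in_section else None
        if m:
            size, date, path = m.groups()
            entries.append((int(size), date, path))
    return entries


def live_path_of(bak_path):
    """Map a file inside a bak folder to the live copy one level up, else None."""
    parts = bak_path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def assess(report):
    """Classify each backed-up original against the live file it was moved from.

    Returns (findings, suspect_sizes): findings is keyed by the live path;
    suspect_sizes counts how often each size appears among live copies that
    differ from their original (a stub dropped into several products shows
    up as one size with a count greater than one).
    """
    entries = parse_duplicates(report)
    # Windows paths are case-insensitive, so key on the lowercased path.
    by_path = {path.lower(): (size, date) for size, date, path in entries}
    findings = {}
    for size, date, path in entries:
        live = live_path_of(path)
        if live is None:
            continue
        live_entry = by_path.get(live.lower())
        if live_entry is None:
            status = "no live copy listed"
        elif live_entry[0] == size:
            status = "live copy matches original size"
        else:
            status = "live copy differs from original: restore from bak"
        findings[live] = {
            "original_size": size,
            "original_date": date,
            "live_size": live_entry[0] if live_entry else None,
            "live_date": live_entry[1] if live_entry else None,
            "status": status,
        }
    suspect_sizes = Counter(
        f["live_size"] for f in findings.values()
        if f["status"].startswith("live copy differs")
    )
    return findings, suspect_sizes


if __name__ == "__main__":
    found, sizes = assess(SAMPLE_REPORT)
    for live, f in found.items():
        print(f"{f['status']:<52} {live}")
    for size, n in sizes.items():
        print(f"size {size} is the live copy in {n} unrelated folders")
```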

Response Number 4
Name: jencohen
Date: March 13, 2008 at 20:11:40 Pacific
Reply:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Thu 03/13/2008
The current time is: 23:09:55.71


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

10/07/2005 02:13 PM 176,128 Apoint.exe
1 File(s) 176,128 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

08/28/2006 11:57 PM 395,776 DSAgnt.exe
1 File(s) 395,776 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

06/01/2007 04:51 PM 257,088 iTunesHelper.exe
1 File(s) 257,088 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NETWAI~1\BAK

09/10/2003 04:24 AM 20,480 netWaiting.exe
1 File(s) 20,480 bytes

Directory of C:\PROGRA~1\PICASA2\BAK

06/15/2007 07:15 PM 366,400 PicasaMediaDetector.exe
1 File(s) 366,400 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/27/2007 09:41 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

11/22/2006 07:35 PM 1,392,640 WLTRAY.exe
1 File(s) 1,392,640 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

09/06/2007 06:06 AM 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

12/09/2005 10:29 PM 49,152 DVDLauncher.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\DELL\QUICKSET\BAK

06/29/2006 02:13 PM 1,032,192 quickset.exe
1 File(s) 1,032,192 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

03/05/2007 12:38 AM 169,984 GoogleDesktop.exe
1 File(s) 169,984 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

08/11/2007 05:23 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

01/01/2007 05:22 PM 3,739,648 googletalk.exe
1 File(s) 3,739,648 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/12/2005 12:12 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

04/03/2007 12:26 AM 185,896 realsched.exe
1 File(s) 185,896 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\WAVESY~1\SERVIC~1\DOCMGR\BIN\BAK

09/08/2006 10:32 AM 102,400 docmgr.exe
1 File(s) 102,400 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

176128 Oct 7 2005 "C:\Program Files\Apoint\Apoint.exe"
176128 Oct 7 2005 "C:\drivers\mouse\onboard\Apoint.exe"
176128 Oct 7 2005 "C:\Program Files\Apoint\bak\Apoint.exe"
395776 Aug 28 2006 "C:\Program Files\Dell Support\DSAgnt.exe"
395776 Aug 28 2006 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe1269992640"
257088 Jun 1 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 17 2008 "C:\WINDOWS\Installer\{02DFB3FD-CF52-4183-8BCA-2A127D4888F4}\iTunesIco.exe"
79144 Feb 4 2008 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.0.29\iTunesSetupAdmin.exe"
20480 Sep 10 2003 "C:\Program Files\NetWaiting\netWaiting.exe"
20480 Sep 10 2003 "C:\Program Files\NetWaiting\bak\netWaiting.exe"
591416 Sep 27 2007 "C:\Program Files\Picasa2\PicasaUpdate.exe"
5903928 Oct 21 2007 "C:\Documents and Settings\Jennifer\Desktop\picasaweb-current-setup.exe"
366400 Jun 15 2007 "C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
665160 Sep 27 2007 "C:\Program Files\Picasa2\cdautorun\PicasaRestore.exe"
5388088 Jul 16 2007 "C:\Documents and Settings\Jennifer\Desktop\Install\picasaweb-current-setup.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
1392640 Nov 22 2006 "C:\WINDOWS\system32\WLTRAY.exe"
1392640 Nov 22 2006 "C:\WINDOWS\system32\bak\WLTRAY.exe"
79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
49152 Dec 9 2005 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
49152 Dec 9 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
1032192 Jun 29 2006 "C:\Program Files\Dell\QuickSet\quickset.exe"
1032192 Jun 29 2006 "C:\Program Files\Dell\QuickSet\bak\quickset.exe"
40960 Mar 5 2007 "C:\Program Files\Google\googletoolbar1user.exe"
136120 Jan 3 2007 "C:\Program Files\Picasa2\GoogleUpdaterService.exe"
1529400 Dec 5 2006 "C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe"
68856 Aug 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\googletalk.exe"
1606064 Jun 28 2007 "C:\Documents and Settings\Jennifer\Desktop\Install\googletalk-setup.exe"
1145896 Apr 3 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Mar 15 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
169984 Mar 5 2007 "C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
68856 Aug 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\bak\googletalk.exe"
40960 Mar 5 2007 "C:\Program Files\Google\googletoolbar1user.exe"
136120 Jan 3 2007 "C:\Program Files\Picasa2\GoogleUpdaterService.exe"
1529400 Dec 5 2006 "C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe"
68856 Aug 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\googletalk.exe"
1606064 Jun 28 2007 "C:\Documents and Settings\Jennifer\Desktop\Install\googletalk-setup.exe"
1145896 Apr 3 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Mar 15 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
169984 Mar 5 2007 "C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
68856 Aug 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\bak\googletalk.exe"
40960 Mar 5 2007 "C:\Program Files\Google\googletoolbar1user.exe"
136120 Jan 3 2007 "C:\Program Files\Picasa2\GoogleUpdaterService.exe"
1529400 Dec 5 2006 "C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe"
68856 Aug 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\googletalk.exe"
1606064 Jun 28 2007 "C:\Documents and Settings\Jennifer\Desktop\Install\googletalk-setup.exe"
1145896 Apr 3 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Mar 15 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
169984 Mar 5 2007 "C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
68856 Aug 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\bak\googletalk.exe"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
185896 Apr 3 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185896 Apr 3 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
102400 Sep 8 2006 "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe"
102400 Sep 8 2006 "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\bak\docmgr.exe"
102400 Sep 8 2006 "C:\Program Files\Dell\EMBASSY Trust Suite by Wave Systems\Embassy Trust Suite\Document Manager Lite\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe"


end of report



Response Number 5
Name: jabuck
Date: March 14, 2008 at 03:21:01 Pacific
Reply:

Double-click the FindAWF icon once again.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Copy/paste the following list of bolded folders to be removed:


C:\Program Files\Apoint\bak
C:\Program Files\Dell Support\bak
C:\Program Files\iTunes\bak
C:\Program Files\NetWaiting\bak
C:\Program Files\Picasa2\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Dell\QuickSet\bak
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Google\Google Talk\bak
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Google\Google Talk\bak
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Google\Google Talk\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\bak


Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
- It deletes the contents of the bak folders
- Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Your Java is out of date and can be exploited.
Download the latest version of java from this link Java
Click on the JDK 6 Update 5 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jdk-6u5-windows-i586-p.exe to install the newest version.

Please download ComboFix to the desktop from one of the following links:

Link 1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

