
Backdoor:win32/Zonebac.gen!f Trojan


Original Message
Name: porterr
Date: March 17, 2008 at 19:19:02 Pacific
Subject: Backdoor:win32/Zonebac.gen!f Trojan
OS: XP
CPU/Ram: 2.6 p4 1 gig ram
Comment:

I am having no luck with anything being able to take care of this problem, and I see that a lot of others have posted with the same issue. I am hoping that someone here can help me out; I have had no response on another tech forum where I tried to get help. Thanks guys. Running Windows XP.


I have both HijackThis and AWF Logs ready to post, any help would be appreciated.




Response Number 1
Name: Adii
Date: March 17, 2008 at 21:44:05 Pacific

We are here to help you :)
Please post your HijackThis and AWF logs for review!



Response Number 2
Name: porterr
Date: March 17, 2008 at 22:12:25 Pacific

I appreciate any help, thanks again. Here are the logs.
----

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:25 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Labtec\Keyboard\V5.1\kbdap32a.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online...
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7134 bytes


-------

AWF Log:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 03/17/2008
The current time is: 20:01:13.63


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ERASER\BAK

07/28/2007 03:05 PM 277,328 Eraser.exe
1 File(s) 277,328 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:56 AM 15,360 ctfmon.exe
07/07/2005 10:55 PM 491,520 hphmon05.exe
07/09/2001 11:50 AM 155,648 NeroCheck.exe
07/26/2006 04:21 PM 53,248 umonit.exe
4 File(s) 715,776 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

01/12/2005 04:01 AM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\FILEPL~1\DOWNLO~1\BAK

03/05/2007 03:57 PM 1,103,480 DLM.exe
1 File(s) 1,103,480 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

12/05/2003 04:41 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HEWLET~1\{5372B~1\BAK

07/07/2005 10:55 PM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

05/12/2004 04:18 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\NVIDIA~1\NTUNE\BAK

01/22/2007 06:22 PM 81,920 nTuneCmd.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\SLYSOFT\ANYDVD\BAK

08/12/2007 05:28 AM 1,465,280 AnyDVD.exe
1 File(s) 1,465,280 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\LABTEC\KEYBOARD\V5.1\BAK

01/27/2007 06:58 PM 387,584 kbdap32a.exe
1 File(s) 387,584 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

07/07/2005 10:55 PM 176,128 hpztsb09.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Feb 26 2008 "C:\Program Files\Eraser\eraser.exe"
277328 Jul 28 2007 "C:\Program Files\Eraser\bak\Eraser.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14348 Feb 26 2008 "C:\WINDOWS\system32\hphmon05.exe"
491520 Jul 7 2005 "C:\WINDOWS\system32\bak\hphmon05.exe"
14348 Feb 26 2008 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
14348 Feb 26 2008 "C:\WINDOWS\system32\umonit.exe"
53248 Jul 26 2006 "C:\WINDOWS\system32\bak\umonit.exe"
14348 Feb 26 2008 "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
32768 Jan 12 2005 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
1103480 Mar 5 2007 "C:\Program Files\fileplanet\Download Manager\bak\DLM.exe"
14348 Feb 26 2008 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
14348 Feb 26 2008 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
49152 Jul 7 2005 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe"
14348 Feb 26 2008 "C:\Program Files\Hp\hpcoretech\hpcmpmgr.exe"
241664 May 12 2004 "C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe"
14348 Feb 26 2008 "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe"
81920 Jan 22 2007 "C:\Program Files\NVIDIA Corporation\nTune\bak\nTuneCmd.exe"
14348 Feb 26 2008 "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
1465280 Aug 12 2007 "C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe"
14348 Feb 26 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
14348 Feb 26 2008 "C:\Program Files\Labtec\Keyboard\V5.1\kbdap32a.exe"
387584 Jan 27 2007 "C:\Program Files\Labtec\Keyboard\V5.1\bak\kbdap32a.exe"
14348 Feb 26 2008 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
176128 Jul 7 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe"


end of report



Response Number 3
Name: XpUser4Real
Date: March 17, 2008 at 22:14:39 Pacific

porterr,
You may want to wait for jabuck to request your logs... he wears the crown here on computing.net and does a great job. There is a BIG difference between requesting a log and following up on it.... I know jabuck follows up.

Some HELP in posting on Cnet plus free progs and instructions Glad to Help!



Response Number 4
Name: Adii
Date: March 17, 2008 at 22:54:33 Pacific

Double-click the FindAWF icon once again.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option:
Press 2, then Enter, to restore files from bak folders.
A text file opens called files.txt.
Copy/paste the following list of files to be restored:


"C:\Program Files\Eraser\bak\Eraser.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hphmon05.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\WINDOWS\system32\bak\umonit.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
"C:\Program Files\fileplanet\Download Manager\bak\DLM.exe"
"C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe"
"C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\NVIDIA Corporation\nTune\bak\nTuneCmd.exe"
"C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Labtec\Keyboard\V5.1\bak\kbdap32a.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe"


Next, close the file and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
- It attempts to terminate the process represented by each filename on the list, if running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.



Response Number 5
Name: porterr
Date: March 18, 2008 at 06:40:21 Pacific

Here is the new AWF log file after following your instructions:

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Tue 03/18/2008
The current time is: 7:39:50.74


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ERASER\BAK

07/28/2007 03:05 PM 277,328 Eraser.exe
1 File(s) 277,328 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:56 AM 15,360 ctfmon.exe
07/07/2005 10:55 PM 491,520 hphmon05.exe
07/09/2001 11:50 AM 155,648 NeroCheck.exe
07/26/2006 04:21 PM 53,248 umonit.exe
4 File(s) 715,776 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

01/12/2005 04:01 AM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\FILEPL~1\DOWNLO~1\BAK

03/05/2007 03:57 PM 1,103,480 DLM.exe
1 File(s) 1,103,480 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

12/05/2003 04:41 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HEWLET~1\{5372B~1\BAK

07/07/2005 10:55 PM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

05/12/2004 04:18 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\NVIDIA~1\NTUNE\BAK

01/22/2007 06:22 PM 81,920 nTuneCmd.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\SLYSOFT\ANYDVD\BAK

08/12/2007 05:28 AM 1,465,280 AnyDVD.exe
1 File(s) 1,465,280 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\LABTEC\KEYBOARD\V5.1\BAK

01/27/2007 06:58 PM 387,584 kbdap32a.exe
1 File(s) 387,584 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

07/07/2005 10:55 PM 176,128 hpztsb09.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

277328 Jul 28 2007 "C:\Program Files\Eraser\Eraser.exe"
277328 Jul 28 2007 "C:\Program Files\Eraser\bak\Eraser.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
491520 Jul 7 2005 "C:\WINDOWS\system32\hphmon05.exe"
491520 Jul 7 2005 "C:\WINDOWS\system32\bak\hphmon05.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
53248 Jul 26 2006 "C:\WINDOWS\system32\umonit.exe"
53248 Jul 26 2006 "C:\WINDOWS\system32\bak\umonit.exe"
32768 Jan 12 2005 "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
32768 Jan 12 2005 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
1103480 Mar 5 2007 "C:\Program Files\fileplanet\Download Manager\DLM.exe"
1103480 Mar 5 2007 "C:\Program Files\fileplanet\Download Manager\bak\DLM.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
49152 Jul 7 2005 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
49152 Jul 7 2005 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe"
241664 May 12 2004 "C:\Program Files\Hp\hpcoretech\hpcmpmgr.exe"
241664 May 12 2004 "C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe"
81920 Jan 22 2007 "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe"
81920 Jan 22 2007 "C:\Program Files\NVIDIA Corporation\nTune\bak\nTuneCmd.exe"
1465280 Aug 12 2007 "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
1465280 Aug 12 2007 "C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
387584 Jan 27 2007 "C:\Program Files\Labtec\Keyboard\V5.1\kbdap32a.exe"
387584 Jan 27 2007 "C:\Program Files\Labtec\Keyboard\V5.1\bak\kbdap32a.exe"
176128 Jul 7 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
176128 Jul 7 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe"


end of report





Response Number 6
Name: porterr
Date: March 18, 2008 at 08:36:26 Pacific

Just an added note: when I run the Windows Malicious Software Removal Tool now, it comes up clean; before I posted this thread in this forum it was showing 16 infected files.



Response Number 7
Name: Adii
Date: March 18, 2008 at 22:07:29 Pacific

Your logs are still showing infection on your system, so follow these steps to clean it!

Double-click the FindAWF icon once again.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3, then Enter, to remove bak folders.
A text file opens called folders.txt.
Copy/paste the following list of folders to be removed:


C:\Program Files\Eraser\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\fileplanet\Download Manager\bak
C:\Program Files\Hewlett-Packard\HP Software Update\bak
C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak
C:\Program Files\Hp\hpcoretech\bak
C:\Program Files\NVIDIA Corporation\nTune\bak
C:\Program Files\SlySoft\AnyDVD\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Labtec\Keyboard\V5.1\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak


Next, close the file and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
- It deletes the contents of the bak folders
- Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Also:
Your Java is out of date and can be exploited.
Download the latest version of Java from this link: http://java.sun.com/javase/downloads/index.jsp
Click on the JDK 6 Update 5 download button.
Check the box that says "Accept License Agreement". The page will refresh.
Click on the link to download the Windows Offline Installation, with or without Multi-language, and save it to your desktop.
Close any programs you may have running, especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then double-click on jdk-6u5-windows-i586-p.exe from your desktop to install the newest version.


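One way to read the FindAWF "Duplicate files of bak directory contents" listings posted in this thread and derive the two lists the helper typed out by hand (the bak copies for option 2 and the bak folders for option 3), as an added Python example that is not part of the thread and not FindAWF's own code. It assumes the report line layout shown in the logs above; the "before" sample lines are taken from the first log, and the "after" excerpt is constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the layout of FindAWF's "Duplicate files of bak directory
# contents" section. Sizes, dates and paths are taken from the first log posted
# in this thread; the 14348-byte files dated Feb 26 2008 are the ones the helper
# asked to have restored from their bak\ copies.
SAMPLE_LOG = """\
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Feb 26 2008 "C:\\Program Files\\Eraser\\eraser.exe"
277328 Jul 28 2007 "C:\\Program Files\\Eraser\\bak\\Eraser.exe"
15360 Aug 4 2004 "C:\\WINDOWS\\system32\\ctfmon.exe"
15360 Aug 4 2004 "C:\\WINDOWS\\system32\\bak\\ctfmon.exe"
14348 Feb 26 2008 "C:\\WINDOWS\\system32\\umonit.exe"
53248 Jul 26 2006 "C:\\WINDOWS\\system32\\bak\\umonit.exe"
1103480 Mar 5 2007 "C:\\Program Files\\fileplanet\\Download Manager\\bak\\DLM.exe"

end of report
"""

# Constructed "after option 2" excerpt: every parent now matches its bak\ copy.
AFTER_RESTORE = """\
277328 Jul 28 2007 "C:\\Program Files\\Eraser\\Eraser.exe"
277328 Jul 28 2007 "C:\\Program Files\\Eraser\\bak\\Eraser.exe"
15360 Aug 4 2004 "C:\\WINDOWS\\system32\\ctfmon.exe"
15360 Aug 4 2004 "C:\\WINDOWS\\system32\\bak\\ctfmon.exe"
"""

# One report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_entries(text):
    """Map each listed file (case-folded path) to (size, date, path as written)."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size, date, path = int(m.group(1)), m.group(2), m.group(3)
            entries[path.lower()] = (size, date, path)
    return entries


def triage(text):
    """Compare every bak\\ copy with the file of the same name one level up.

    Returns (restore, remove_folders, impostor_size):
      restore        - bak copies to feed to FindAWF option 2: the parent file is
                       missing or has a different size, so it is not the original
      remove_folders - bak folders for option 3: every copy in them already
                       matches its parent, so the backup is no longer needed
      impostor_size  - the one size shared by several replaced parents, if any;
                       identical size across unrelated folders is the fingerprint
                       of a single file copied over each autorun entry
    """
    entries = parse_entries(text)
    restore, pending, clean = [], set(), set()
    replaced_sizes = Counter()
    for bak_size, _, bak_path in entries.values():
        p = PureWindowsPath(bak_path)
        if p.parent.name.lower() != "bak":
            continue  # not a bak\ copy; it is looked up as a parent instead
        folder = str(p.parent)
        parent = entries.get(str(p.parent.parent / p.name).lower())
        if parent is not None and parent[0] == bak_size:
            clean.add(folder)
            continue
        restore.append(bak_path)
        pending.add(folder)
        if parent is not None:
            replaced_sizes[parent[0]] += 1
    impostor_size = None
    if replaced_sizes:
        size, count = replaced_sizes.most_common(1)[0]
        if count >= 2:
            impostor_size = size
    # A folder is only safe to delete once nothing in it still needs restoring.
    return restore, sorted(clean - pending), impostor_size


if __name__ == "__main__":
    for label, log in (("before", SAMPLE_LOG), ("after", AFTER_RESTORE)):
        restore, folders, size = triage(log)
        print(f"[{label}] restore: {restore}")
        print(f"[{label}] remove folders: {folders}; impostor size: {size}")
```

Note that system32\bak is not offered for removal in the "before" sample even though ctfmon.exe already matches, because umonit.exe in the same folder still needs restoring first.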

Response Number 8
Name: porterr
Date: March 19, 2008 at 07:50:23 Pacific

Here is the current AWF Log, let me know if there is anything else I need to do. This has really helped me out a lot!


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 03/19/2008
The current time is: 8:45:27.95


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\SYSTEM32\BAK

07/26/2006 04:21 PM 53,248 umonit.exe
1 File(s) 53,248 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

53248 Jul 26 2006 "C:\WINDOWS\system32\umonit.exe"
53248 Jul 26 2006 "C:\WINDOWS\system32\bak\umonit.exe"


end of report



Response Number 9
Name: Adii
Date: March 19, 2008 at 22:13:50 Pacific

Dear porterr,
Your system is almost clean now, but you need to do one more step.

Please repeat both previous steps once again.

Step 1:
Double-click the FindAWF icon once again.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option:
Press 2, then Enter, to restore files from bak folders.
A text file opens called files.txt.
Copy/paste the following file to be restored:


"C:\WINDOWS\system32\bak\umonit.exe"


Next, close the file and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
- It attempts to terminate the process represented by each filename on the list, if running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.

Step 2:
Double-click the FindAWF icon once again.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3, then Enter, to remove bak folders.
A text file opens called folders.txt.
Copy/paste the following folder to be removed:


C:\WINDOWS\system32\bak


Next, close the file and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
- It deletes the contents of the bak folders
- Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Also post your HijackThis log!



Response Number 10
Name: porterr
Date: March 20, 2008 at 09:27:54 Pacific

Here is the AWF log after following the above steps:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 03/20/2008
The current time is: 10:24:15.82


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\SYSTEM32\BAK

07/26/2006 04:21 PM 53,248 umonit.exe
1 File(s) 53,248 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

53248 Jul 26 2006 "C:\WINDOWS\system32\umonit.exe"
53248 Jul 26 2006 "C:\WINDOWS\system32\bak\umonit.exe"


end of report


Here is the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:43 AM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online...
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6998 bytes



Response Number 11
Name: Adii
Date: March 20, 2008 at 23:58:11 Pacific

Your logs are almost clean.
You have successfully cleaned the Zonebac.gen!f virus from your computer. :)

But at the end, please do this last step to delete the "BAK" folder from your system32 folder.

1. Restart your computer into safe mode.
2. Go to the C:\WINDOWS\SYSTEM32 path and delete the "BAK" folder manually.

Then restart and come back to normal mode. Now your computer is completely clean.

Now you can continue your work.

TC.
Thanks!

*Do Safe Computing*



Response Number 12
Name: porterr
Date: March 21, 2008 at 06:46:19 Pacific

Ok, will do and I really appreciate your help. Thanks again.

P.







