Tom's Guide | Tom's Hardware | Tom's Games
Noticed this infection today, I would like to remove it.
The less a man makes declarative statements, the less apt he is to look foolish in retrospect.

Okay, for some reason, the forums didn't see my subject "Win32/Zonebac.gen!F" and decided to use something else.
I can't repost, because it sees it as spam...yea!
So, for my 3rd attempt:
Infected with:
Win32/Zonebac.gen!F
Seeking help.
The less a man makes declarative statements, the less apt he is to look foolish in retrospect.

I will be gone for two hours.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Please download FindAWF from the following link:
http://noahdfear.geekstogo.com/FindAWF.exe
Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:26 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Documents and Settings\F S B\Desktop\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CDNSCacheObj Object - {376892AE-1825-4E5F-9F85-23F9640051CC} - C:\WINDOWS\xmljacodec.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccomm...
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPi...
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/...
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/h...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.co...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/...
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_ins...
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanag...
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (file missing)
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (file missing)
--
End of file - 8292 bytes
Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Wed 03/12/2008
The current time is: 17:25:28.95
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\MESSEN~1\BAK
10/13/2004 12:24 PM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes
Directory of C:\PROGRA~1\MICROS~3\BAK
08/31/2007 01:01 PM 1,037,736 ipoint.exe
1 File(s) 1,037,736 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
07/16/2007 01:13 AM 286,720 qttask.exe
1 File(s) 286,720 bytes
Directory of C:\PROGRA~1\WINDOW~4\BAK
11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
02/28/2006 08:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes
Directory of C:\PROGRA~1\NVIDIA~1\NTUNE\BAK
09/04/2007 08:25 PM 81,920 nTuneCmd.exe
1 File(s) 81,920 bytes
Directory of C:\PROGRA~1\RAZER\TARANT~1\BAK
05/07/2007 11:52 AM 159,744 razerhid.exe
1 File(s) 159,744 bytes
Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes
Directory of C:\PROGRA~1\COMMON~1\NERO\LIB\BAK
03/01/2007 03:57 PM 153,136 NeroCheck.exe
1 File(s) 153,136 bytes
Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
01/03/2008 09:56 PM 185,896 realsched.exe
1 File(s) 185,896 bytes
Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes
Directory of C:\PROGRA~1\NERO\NERO8\NEROBA~1\BAK
09/20/2007 09:51 AM 1,836,328 NBKeyScan.exe
1 File(s) 1,836,328 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
14348 Feb 26 2008 "C:\Program Files\Messenger\msmsgs.exe"
1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
1037736 Aug 31 2007 "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
1037736 Aug 31 2007 "C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Jul 16 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Feb 28 2006 "C:\WINDOWS\system32\ctfmon.exe"
15360 Feb 28 2006 "C:\WINDOWS\system32\bak\ctfmon.exe"
14348 Feb 26 2008 "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe"
81920 Sep 4 2007 "C:\Program Files\NVIDIA Corporation\nTune\bak\nTuneCmd.exe"
14348 Feb 26 2008 "C:\Program Files\Razer\Tarantula\razerhid.exe"
159744 May 7 2007 "C:\Program Files\Razer\Tarantula\bak\razerhid.exe"
14348 Feb 26 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
153136 Mar 1 2007 "C:\Program Files\Common Files\Nero\Lib\bak\NeroCheck.exe"
14348 Feb 26 2008 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185896 Jan 3 2008 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
77824 Jul 22 2007 "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
14348 Feb 26 2008 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
144784 Dec 14 2007 "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
139264 Dec 14 2007 "C:\Program Files\Java\jdk1.6.0_04\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
14348 Feb 26 2008 "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
1836328 Sep 20 2007 "C:\Program Files\Nero\Nero8\Nero BackItUp\bak\NBKeyScan.exe"
end of report
The less a man makes declarative statements, the less apt he is to look foolish in retrospect.

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Copy/paste the following list of bolded files to be restored:
"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\NVIDIA Corporation\nTune\bak\nTuneCmd.exe"
"C:\Program Files\Razer\Tarantula\bak\razerhid.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Nero\Lib\bak\NeroCheck.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Nero\Nero8\Nero BackItUp\bak\NBKeyScan.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
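The restore list above is built by pairing each file in a `bak` folder with the same-named file now sitting in its parent folder; in this report the swapped-in copies all share one size and date (14348 bytes, Feb 26 2008) across unrelated programs, which is what gives them away. As an added example, not part of this thread and not FindAWF's own code, the Python below parses a constructed sample in the layout of the "Duplicate files of bak directory contents" section, classifies each pair, and emits the quoted paths in the form files.txt takes; a size that recurs among the parent-folder files of 'replaced' pairs is the dropped file.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
# Constructed sample in the layout of FindAWF's "Duplicate files of bak directory
# contents" section (<size> <date> "<path>"); a subset of the report in this thread.
SAMPLE_REPORT = r'''
14348 Feb 26 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Jul 16 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
14348 Feb 26 2008 "C:\Program Files\Razer\Tarantula\razerhid.exe"
159744 May 7 2007 "C:\Program Files\Razer\Tarantula\bak\razerhid.exe"
153136 Mar 1 2007 "C:\Program Files\Common Files\Nero\Lib\bak\NeroCheck.exe"
'''
LINE_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')

def parse_report(text):
    """Map each listed path (lowercased for case-insensitive lookup) to (size, path)."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(3).lower()] = (int(m.group(1)), m.group(3))
    return entries

def classify_bak_copies(text):
    """Pair each 'bak' file with the same-named file in its parent folder. verdicts: bak
    path -> 'replaced' (parent has a different size: the original was swapped out),
    'same_size' or 'parent_missing'; rogue_sizes counts 'replaced' parent sizes."""
    entries = parse_report(text)
    verdicts, rogue_sizes = {}, Counter()
    for size, path in entries.values():
        p = PureWindowsPath(path)
        if p.parent.name.lower() != "bak":
            continue  # only backup copies start a pair
        parent_copy = entries.get(str(p.parent.parent / p.name).lower())
        if parent_copy is None:
            verdicts[path] = "parent_missing"
        elif parent_copy[0] == size:
            verdicts[path] = "same_size"
        else:
            verdicts[path] = "replaced"
            rogue_sizes[parent_copy[0]] += 1
    return verdicts, rogue_sizes

def restore_list(text):
    """Quoted bak paths as FindAWF's files.txt takes them, swapped-out originals first."""
    verdicts, _ = classify_bak_copies(text)
    rank = {"replaced": 0, "parent_missing": 1, "same_size": 2}
    return [f'"{p}"' for p in sorted(verdicts, key=lambda p: (rank[verdicts[p]], p))]
```

On the sample, `rogue_sizes` comes back as `{14348: 2}`: the same-sized file in two unrelated program folders, the pattern the helper's restore list is built from.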
