Like others posting here, I have the zonebac.gen trojan. The HijackThis and AWF files are ready to send. Please help. Thank you.

Thanks for your response. The logs follow. It's curious that the AWF log shows nothing, though I did run CCleaner several days ago and found and removed 2 BAKs to get Windows Defender and Traceless running again. It might be worth noting that I once got a message that a hidden browser was running. I had no idea what that meant. Also, when I ran AWF.exe, I got an alert that autoexec.nt was unsuitable to run DOS and Windows apps. I pressed the Ignore button.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:10 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Traceless\traceless.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\program files\mcafee\msc\mcuimgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F3 - REG:win.ini: run=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {D2F719F3-106A-402B-9996-3A5B12ACA564} - (no file)
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Traceless] "C:\Program Files\Traceless\traceless.exe" launch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Documents and Settings\AlanThraikill\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} -
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20World/Images/stg_drm.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/s...
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Drive...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/s...
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McSysmon - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8144 bytes

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 03/15/2008
The current time is: 12:19:35.60

bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

Run Hijack This , close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F3 - REG:win.ini: run=
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present (If you didn't set this)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -

Exit Hijack This.
Please download ComboFix to the desktop from one of the following links:
Link 3
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces
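As an added example (not HijackThis's code nor the helper's), here is a small Python triage pass over the log format quoted above: it parses the entry lines and flags the kinds of items the helper asked to fix (empty R0/R1 values, an O2 BHO reported as "(no file)", O16 DPF entries with no source URL) plus O4 autostarts whose command carries no directory, which have to be located on disk before they can be judged. The sample lines are a constructed excerpt modelled on the log above, not the full log.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on entries quoted
# in the thread above (a handful of lines, not the full log).
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D2F719F3-106A-402B-9996-3A5B12ACA564} - (no file)
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
"""

# Every HJT entry starts with a section code (R0, O2, O16, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 autostart bodies look like:  HKLM\..\Run: [name] command
O4_RE = re.compile(r"^\S+: \[(?P<name>[^\]]*)\] (?P<command>.*)$")


def parse_hjt(text):
    """Split an HJT log into section/body/raw entries, ignoring any other lines."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append({"section": m.group("section"),
                            "body": m.group("body"), "raw": raw})
    return entries


def o4_is_unqualified(command):
    """True when an autostart command names a bare file with no directory, so the
    binary actually loaded depends on the search order and must be located first."""
    exe = command.lstrip('"').split('"')[0].split()[0] if command else ""
    return bool(exe) and "\\" not in exe and ":" not in exe


def triage(entries):
    """Return (raw_line, reason) pairs for the entry types worth a second look."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec in ("R0", "R1") and body.endswith("="):
            findings.append((e["raw"], "empty IE start/search value"))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append((e["raw"], "BHO registered but its DLL is missing"))
        elif sec == "O4":
            m = O4_RE.match(body)
            if m and o4_is_unqualified(m.group("command")):
                findings.append((e["raw"], "autostart with unqualified path"))
        elif sec == "O16" and body.endswith("-"):
            findings.append((e["raw"], "DPF entry with no source URL"))
    return findings


def triage_log(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_HJT_LOG):
        print(f"{reason:40} {line}")
```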

ComboFix 08-03-14.4 - AlanThraikill 2008-03-16 9:34:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.139 [GMT -7:00]
Running from: C:\Documents and Settings\AlanThraikill\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_IPRIP
-------\Iprip
.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.
2008-03-15 12:12 . 2008-03-15 12:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-12 19:13 . 2008-03-12 19:13 1,444 --a------ C:\WINDOWS\system32\MRT.INI
2008-02-22 22:28 . 2008-02-22 22:28 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-02-22 22:28 . 2008-02-22 22:28 <DIR> d-------- C:\Program Files\AnswersThatWork
2008-02-22 22:28 . 2007-06-08 14:53 1,753,088 --a------ C:\WINDOWS\system32\ExGrid.dll
2008-02-22 22:28 . 2007-04-03 17:51 614,400 --a------ C:\WINDOWS\system32\ExButton.dll
2008-02-22 22:28 . 2007-06-05 11:20 602,112 --a------ C:\WINDOWS\system32\ExMenu.dll
2008-02-22 22:28 . 2007-06-05 11:19 516,096 --a------ C:\WINDOWS\system32\ExTab.dll
2008-02-22 22:28 . 2005-10-11 15:40 356,352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2008-02-22 22:28 . 2007-04-03 17:51 307,200 --a------ C:\WINDOWS\system32\ExPMenu.dll
2008-02-22 22:28 . 2004-03-09 02:00 124,688 --a------ C:\WINDOWS\system32\MSWinSck.ocx
2008-02-22 22:28 . 2005-10-04 09:11 118,784 --a------ C:\WINDOWS\system32\eWebControl.dll
2008-02-20 12:41 . 2008-02-20 12:41 <DIR> d-------- C:\WINDOWS\system32\logs
2008-02-19 23:13 . 2008-02-19 22:51 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-19 23:13 . 2008-02-19 23:13 3,457 --a------ C:\WINDOWS\unins000.dat
2008-02-18 22:49 . 2008-02-18 22:49 <DIR> d-------- C:\WINDOWS\system32\McAfee
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 06:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-16 05:37 --------- d-----w C:\Documents and Settings\AlanThraikill\Application Data\RssBandit
2008-03-16 00:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 04:26 --------- d-----w C:\Program Files\Windows Defender
2008-02-27 03:21 --------- d-----w C:\Program Files\Traceless
2008-02-26 04:24 --------- d-----w C:\Program Files\McAfee
2008-02-24 22:49 --------- d-----w C:\Documents and Settings\Justin Thrailkill\Application Data\Skype
2008-02-20 06:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 17:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-05 04:04 --------- d-----w C:\Program Files\QuickTime
2007-07-13 18:13 83,072 ----a-w C:\Documents and Settings\Rita Zwerin\Application Data\GDIPFONTCACHEV1.DAT
2006-12-30 17:18 83,072 ----a-w C:\Documents and Settings\SashaThrailkill\Application Data\GDIPFONTCACHEV1.DAT
2006-11-12 02:11 81,992 ----a-w C:\Documents and Settings\AlanThraikill\Application Data\GDIPFONTCACHEV1.DAT
2005-05-03 04:59 81,992 ----a-w C:\Documents and Settings\Justin Thrailkill\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 313,472 2006-03-30 23:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-w 14,348 2008-02-27 03:19:38 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

----a-w 155,648 2003-04-01 03:28:28 C:\Program Files\Hewlett-Packard\Toolbox2.0\bak\hpbpsttp.exe
----a-w 14,348 2008-02-27 03:19:38 C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

----a-w 20,480 2007-01-08 18:22:46 C:\Program Files\McAfee\MBK\bak\LogOnHook.exe
----a-w 14,348 2008-02-27 03:19:38 C:\Program Files\McAfee\MBK\LogOnHook.exe

----a-w 167,936 2001-08-24 01:37:40 C:\Program Files\Microsoft Hardware\Mouse\bak\point32.exe
----a-w 14,348 2008-02-27 03:19:38 C:\Program Files\Microsoft Hardware\Mouse\point32.exe

----a-w 155,648 2006-04-11 23:40:10 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 14,860 2008-02-05 04:02:41 C:\Program Files\QuickTime\qttask.exe

----a-w 1,415,824 2005-05-31 08:04:00 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe
--sha-r 2,097,488 2008-01-28 19:43:40 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

----a-w 0 2008-02-06 02:43:27 C:\Program Files\Traceless\bak\exclude.dat
----a-w 34 2008-01-21 02:08:33 C:\Program Files\Traceless\exclude.dat

----a-w 2,138,112 2007-05-21 00:57:46 C:\Program Files\Traceless\bak\traceless.exe
----a-w 2,138,112 2007-05-21 00:57:46 C:\Program Files\Traceless\traceless.exe

----a-w 866,584 2006-11-04 02:20:12 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 866,584 2006-11-04 02:20:12 C:\Program Files\Windows Defender\MSASCui.exe

----a-w 155,648 2001-07-09 09:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 14,348 2008-02-27 03:19:38 C:\WINDOWS\system32\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"anvshell"="anvshell.exe" [2002-04-09 19:14 331776 C:\WINDOWS\anvshell.exe]
"POINTER"="C:\Program Files\Microsoft Hardware\Mouse\point32.exe" [2008-02-26 20:19 14348]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2008-02-26 20:19 14348]
"Traceless"="C:\Program Files\Traceless\traceless.exe" [2007-05-20 17:57 2138112]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2008-02-26 20:19 14348]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2008-02-26 20:19 14348]
"combofix"="C:\WINDOWS\system32\CF21475.exe" [2004-08-04 00:56 388608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"C-Media Mixer"=Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\RssBandit\\RSSBandit.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys [2002-05-03 06:41]
R1 ANVOSDNT;ASUS Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\anvosdnt.sys [2002-07-29 17:29]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
"2008-03-16 16:42:07 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 09:40:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2008-03-16 9:44:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 16:43:55
.
2008-03-14 00:22:28 --- E O F ---

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Copy/paste the following list of bolded files to be restored:
"C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
"C:\Program Files\Hewlett-Packard\Toolbox2.0\bak\hpbpsttp.exe"
"C:\Program Files\McAfee\MBK\bak\LogOnHook.exe"
"C:\Program Files\Microsoft Hardware\Mouse\bak\point32.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
"C:\Program Files\Traceless\bak\exclude.dat"
"C:\Program Files\Traceless\bak\traceless.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
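The bak-folder layout FindAWF reports (the original moved into a "bak" subfolder, a same-named replacement left in the parent folder, and one identical 14,348-byte file sitting over many unrelated programs) can be checked without the tool. The Python below is an added example, not FindAWF's own code: it walks a tree, pairs every file in a bak folder with its parent-folder twin, groups swapped files by the hash of the replacement, and mirrors option 2's delete-and-copy-back step (process termination is left out). The directory tree it scans is constructed in a temporary folder.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_awf_pairs(root):
    """Walk root and, for every directory literally named 'bak', pair each file
    in it with the same-named file in the parent directory (the AWF layout)."""
    pairs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in sorted(filenames):
            original, current = d / name, d.parent / name
            if not current.is_file():
                continue  # bak copy with nothing in the parent: nothing to compare
            orig_hash, cur_hash = sha256_of(original), sha256_of(current)
            pairs.append({
                "original": original, "current": current,
                "original_size": original.stat().st_size,
                "current_size": current.stat().st_size,
                "current_sha256": cur_hash,
                "swapped": orig_hash != cur_hash,
            })
    return pairs


def group_stubs(pairs):
    """Group swapped entries by the hash of what now sits in the parent folder.
    One hash covering many unrelated programs is the tell-tale: the same stub
    was written over every hijacked executable."""
    groups = {}
    for p in pairs:
        if p["swapped"]:
            groups.setdefault(p["current_sha256"], []).append(p["current"])
    return groups


def restore_originals(pairs, dry_run=True):
    """Mirror of FindAWF option 2 (minus process termination): delete the
    rogue file in the parent folder and copy the bak original back."""
    restored = []
    for p in pairs:
        if not p["swapped"]:
            continue
        if not dry_run:
            p["current"].unlink()
            shutil.copy2(p["original"], p["current"])
        restored.append(p["current"])
    return restored


def build_sample_tree():
    """Constructed sample tree imitating the AWF report quoted above: two
    hijacked programs and one untouched one (bak copy identical to the live file)."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    stub = b"STUB" * 100  # constructed stand-in for the 14,348-byte replacement
    layout = {
        "Microsoft Hardware/Mouse/point32.exe": b"real point32 " * 50,
        "QuickTime/qttask.exe": b"real qttask " * 60,
        "Traceless/traceless.exe": b"real traceless " * 40,
    }
    for rel, content in layout.items():
        live = root / rel
        bak = live.parent / "bak"
        bak.mkdir(parents=True, exist_ok=True)
        (bak / live.name).write_bytes(content)
        live.write_bytes(content if "Traceless" in rel else stub)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    found = find_awf_pairs(tree)
    for p in found:
        flag = "SWAPPED" if p["swapped"] else "ok"
        print(f"{flag:8} {p['current']} ({p['current_size']} B, bak {p['original_size']} B)")
    for digest, files in group_stubs(found).items():
        print(f"stub {digest[:16]}... found in {len(files)} locations")
    print("would restore:", restore_originals(found, dry_run=True))
    shutil.rmtree(tree)
```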

Here's the new log. Thanks for your ongoing support.
Find AWF report by noahdfear ©2006
Version 1.40

Option 2 run successfully

The current date is: Mon 03/17/2008
The current time is: 17:34:24.40

bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

Navigate to and delete these folders if found:
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
C:\Program Files\Hewlett-Packard\Toolbox2.0\bak
C:\Program Files\McAfee\MBK\bak
C:\Program Files\Microsoft Hardware\Mouse\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Spybot - Search & Destroy\bak
C:\Program Files\Traceless\bak
C:\Program Files\Traceless\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\system32\bak

Post a new Combofix log please.

I found all of the bak folders and deleted them. Here's the Combofix log. Thanks.
ComboFix 08-03-14.4 - AlanThraikill 2008-03-17 19:32:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.160 [GMT -7:00]
Running from: C:\Documents and Settings\AlanThraikill\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.
2008-03-17 17:34 . 2001-07-09 02:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-15 12:12 . 2008-03-15 12:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-12 19:13 . 2008-03-12 19:13 1,444 --a------ C:\WINDOWS\system32\MRT.INI
2008-02-22 22:28 . 2008-02-22 22:28 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-02-22 22:28 . 2008-02-22 22:28 <DIR> d-------- C:\Program Files\AnswersThatWork
2008-02-22 22:28 . 2007-06-08 14:53 1,753,088 --a------ C:\WINDOWS\system32\ExGrid.dll
2008-02-22 22:28 . 2007-04-03 17:51 614,400 --a------ C:\WINDOWS\system32\ExButton.dll
2008-02-22 22:28 . 2007-06-05 11:20 602,112 --a------ C:\WINDOWS\system32\ExMenu.dll
2008-02-22 22:28 . 2007-06-05 11:19 516,096 --a------ C:\WINDOWS\system32\ExTab.dll
2008-02-22 22:28 . 2005-10-11 15:40 356,352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2008-02-22 22:28 . 2007-04-03 17:51 307,200 --a------ C:\WINDOWS\system32\ExPMenu.dll
2008-02-22 22:28 . 2004-03-09 02:00 124,688 --a------ C:\WINDOWS\system32\MSWinSck.ocx
2008-02-22 22:28 . 2005-10-04 09:11 118,784 --a------ C:\WINDOWS\system32\eWebControl.dll
2008-02-20 12:41 . 2008-02-20 12:41 <DIR> d-------- C:\WINDOWS\system32\logs
2008-02-19 23:13 . 2008-02-19 22:51 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-19 23:13 . 2008-02-19 23:13 3,457 --a------ C:\WINDOWS\unins000.dat
2008-02-18 22:49 . 2008-02-18 22:49 <DIR> d-------- C:\WINDOWS\system32\McAfee
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 02:29 --------- d-----w C:\Program Files\Windows Defender
2008-03-18 02:29 --------- d-----w C:\Program Files\Traceless
2008-03-18 02:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-18 02:28 --------- d-----w C:\Program Files\QuickTime
2008-03-17 04:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-17 00:14 --------- d-----w C:\Documents and Settings\AlanThraikill\Application Data\RssBandit
2008-03-16 00:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 04:24 --------- d-----w C:\Program Files\McAfee
2008-02-24 22:49 --------- d-----w C:\Documents and Settings\Justin Thrailkill\Application Data\Skype
2008-02-06 17:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2007-07-13 18:13 83,072 ----a-w C:\Documents and Settings\Rita Zwerin\Application Data\GDIPFONTCACHEV1.DAT
2006-12-30 17:18 83,072 ----a-w C:\Documents and Settings\SashaThrailkill\Application Data\GDIPFONTCACHEV1.DAT
2006-11-12 02:11 81,992 ----a-w C:\Documents and Settings\AlanThraikill\Application Data\GDIPFONTCACHEV1.DAT
2005-05-03 04:59 81,992 ----a-w C:\Documents and Settings\Justin Thrailkill\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot@2008-03-16_ 9.43.15.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-17 21:12:26 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_83c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"anvshell"="anvshell.exe" [2002-04-09 19:14 331776 C:\WINDOWS\anvshell.exe]
"POINTER"="C:\Program Files\Microsoft Hardware\Mouse\point32.exe" [2001-08-23 18:37 167936]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 20:28 155648]
"Traceless"="C:\Program Files\Traceless\traceless.exe" [2007-05-20 17:57 2138112]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 02:50 155648]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"C-Media Mixer"=Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\RssBandit\\RSSBandit.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys [2002-05-03 06:41]
R1 ANVOSDNT;ASUS Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\anvosdnt.sys [2002-07-29 17:29]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 21:14:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 19:35:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-17 19:36:36
ComboFix-quarantined-files.txt 2008-03-18 02:36:26
ComboFix2.txt 2008-03-16 16:44:01
.
2008-03-14 00:22:28 --- E O F ---

Much better, some follow-up and cleanup yet to do.
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones
This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT
Next,
Launch Notepad, and copy/paste everything between the X's making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download CCleaner from the following link:
http://filehippo.com/download_ccleaner/
After you download it to your desktop and begin installing it, only allow the "install icon on desktop" to install. Then run it, use only as suggested; it's powerful, so use only the prechecked items.
Your java is out of date and can be exploited.
Download the latest version of java from this link Java
Click on the JDK 6 Update 5 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jdk-6u5-windows-i586-p.exe to install the newest version.

jabuck,
Thank you for all your help. I completed the tasks, and now the system is running faster. A couple of questions please:
1. Do I need Java at all, especially the entire JDK?
2. From what you saw of my system, do you think I actually had the zonebac trojan?
3. Did you notice any other malware or weirdness in my system that was also cleaned up?

I only install the 114mb jre 1.6.0_05 java version and uncheck any other addons.
You had zonebac, you were infected with an autorun virus.
You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link Spywareblaster
Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
