Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
This virus Win32/Zonebac.gen!B is like a rash that never heals. It was detected in multiple files now it's detected as vptray.exe (Norton) and nothing I can do will get rid of it. Any help would be much appreciated.
Please download and install the latest version of HijackThis v2.0.2:
Download the HijackThis Installer from this link: HijackThis
1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.Please download FindAWL from this link FindAWF
Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.
0 
Ok, here's the log from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:16 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: NormalRunning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile DeviceSupport\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NewTech Infosystems\Dragon Disc\tray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NewTech Infosystems\NTI Shadow 3\Shadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\bak\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe
C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\Cdmkr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\ProgramFiles\WinBudget\bin\matrix.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} -C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\CommonFiles\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NTI Dragon Disc] C:\Program Files\NewTech Infosystems\DragonDisc\tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\ProgramFiles\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NTI Scheduler] "C:\Program Files\Common Files\NewTechInfosystems\Scheduler\Schdlr32.exe" -s
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD 5Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Shadow] C:\Program Files\NewTech Infosystems\NTI Shadow 3\Shadow.exe--minimize
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\CommonFiles\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NTI Ninja.lnk = C:\Program Files\NewTech Infosystems\NTINinja\setup\Open.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\ProgramFiles\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}- C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage ValidationTool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) -http://lads.myspace.com/upload/MySp...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -http://www.update.microsoft.com/win...
b?1192044511781
O17 - HKLM\System\CCS\Services\Tcpip\..\{E770C294-5C45-431E-979D-B5643FECF1FA}:NameServer = 68.6.16.30,68.4.16.30
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\CommonFiles\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\ProgramFiles\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) -Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\NeroBackItUp\NBService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - SymantecCorporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
--
End of file - 6443 bytesAnd here is the AWF.txt:
Find AWF report by noahdfear ©2006
Version 1.40The current date is: Tue 11/13/2007
The current time is: 16:23:06.57
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK09/26/2007 01:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytesDirectory of C:\PROGRA~1\QUICKT~1\BAK
06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytesDirectory of C:\WINDOWS\SYSTEM32\BAK
08/04/2004 04:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytesDirectory of C:\PROGRA~1\SYMANT~1\SYMANT~1\BAK
07/30/2002 10:35 AM 77,824 vptray.exe
1 File(s) 77,824 bytesDirectory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytesDirectory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK
01/12/2006 02:40 PM 155,648 NeroCheck.exe
11/16/2006 06:04 PM 139,264 NMBgMonitor.exe
2 File(s) 294,912 bytesDirectory of C:\PROGRA~1\COMMON~1\NEWTEC~1\SCHEDU~1\BAK
11/06/2006 09:26 PM 77,824 Schdlr32.exe
1 File(s) 77,824 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~267048 Nov 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 12 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"
116008 Nov 12 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
116008 Nov 12 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UCAYOEAM\iTunesSetupAdmin[1].exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
8704 Nov 2 2006 "D:\Windows\System32\ctfmon.exe"
8704 Nov 2 2006 "D:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.0.6000.16386_none_9af9cad793a67953\ctfmon.exe"
77824 Jul 30 2002 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"
134808 Nov 28 2006 "D:\Program Files\Symantec AntiVirus\VPTray.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
155648 Jan 12 2006 "D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
139264 Nov 16 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"
139264 Oct 9 2006 "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
77824 Nov 6 2006 "C:\Program Files\Common Files\NewTech Infosystems\Scheduler\bak\Schdlr32.exe"
end of report
0
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak foldersA text file opens called: files.txt
Click below the line and paste the following list of files to be restored:
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
"C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"
"C:\Program Files\Common Files\NewTech Infosystems\Scheduler\bak\Schdlr32.exe"Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folderWhen done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
0
Ok, here's the new FindAWF log:
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfullyThe current date is: Tue 11/13/2007
The current time is: 19:19:41.14
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK09/26/2007 01:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytesDirectory of C:\PROGRA~1\QUICKT~1\BAK
06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytesDirectory of C:\WINDOWS\SYSTEM32\BAK
08/04/2004 04:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytesDirectory of C:\PROGRA~1\SYMANT~1\SYMANT~1\BAK
07/30/2002 10:35 AM 77,824 vptray.exe
1 File(s) 77,824 bytesDirectory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytesDirectory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK
01/12/2006 02:40 PM 155,648 NeroCheck.exe
11/16/2006 06:04 PM 139,264 NMBgMonitor.exe
2 File(s) 294,912 bytesDirectory of C:\PROGRA~1\COMMON~1\NEWTEC~1\SCHEDU~1\BAK
11/06/2006 09:26 PM 77,824 Schdlr32.exe
1 File(s) 77,824 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
0
This Sony laptop is having the same issue, or one very similar. I am hesitant to follow the routine listed becuase it sounded unique to StarMarie10's machine. What should I do to get rid of the problem? I have d'loaded the two pieces of software...
Robert
0
I think you have to start a new thread because each PC is unique. So start a new subject with your problem and they can work with you one on one.
0
Option 3:
Double-click the FindAWF icon once againIf a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak foldersA text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Ahead\Lib\bak
C:\Program Files\Common Files\NewTech Infosystems\Scheduler\bak
Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak foldersWhen done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Next Option 4.
Option 4:
Double-click the FindAWF icon once againIf a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zonesThis removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXITNext,
Launch Notepad, and copy/paste everything between the X's making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)Please post the log it produces.
0
Thank you so much for your help. I really appreciate you taking the time to guide me through this. Here is the AWF log:
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfullyThe current date is: Wed 11/14/2007
The current time is: 14:39:22.26
bak folders found
~~~~~~~~~~~Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~end of report
And here is the combofix log:
ComboFix 07-11-08.1 - Owner 2007-11-14 14:49:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1194645460.old
C:\Program Files\WinBudget\bin\matrix.dat.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.2007-11-14 14:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 13:25 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-13 12:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 12:51 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-13 12:51 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-13 12:51 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-13 12:51 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-13 12:51 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-13 12:51 2,084 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-13 10:46 308,224 --a------ C:\WINDOWS\system32\ECHMRCI4.DLL
2007-11-13 10:45 <DIR> d-------- C:\Program Files\HelpandManual4
2007-11-12 11:26 <DIR> d-------- C:\Program Files\iPod
2007-11-06 18:16 60,066,476 --a------ C:\SYM_REGISTRY_BACKUP.reg
2007-11-06 17:48 <DIR> d-------- C:\VirDefs
2007-11-06 17:48 <DIR> d-------- C:\Support
2007-11-06 17:48 <DIR> d-------- C:\SevInst
2007-11-06 17:48 <DIR> d-------- C:\LiveUpdt
2007-11-05 16:12 206,720 --a------ C:\WINDOWS\system32\drivers\DragonUDF.sys
2007-11-05 16:12 17,280 --a------ C:\WINDOWS\system32\drivers\MRWMap.sys
2007-11-05 16:12 15,488 --a------ C:\WINDOWS\system32\drivers\DragonHLP.sys
2007-10-19 15:35 <DIR> d-------- C:\Shadow Backup
2007-10-17 08:31 <DIR> d-------- C:\WINDOWS\system32\DRM.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 22:42 188 ----a-w C:\Documents and Settings\Owner\BackupResult.DAT
2007-11-14 22:39 --------- d-----w C:\Program Files\QuickTime
2007-11-14 22:39 --------- d-----w C:\Program Files\iTunes
2007-11-13 00:48 95,584 ----a-w C:\WINDOWS\system32\drivers\NtiEnc.sys
2007-11-12 19:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-07 02:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-06 00:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 00:12 --------- d-----w C:\Program Files\NewTech Infosystems
2007-10-24 18:34 6,144 ----a-w C:\WINDOWS\system32\drivers\NTIDrvr.sys
2007-10-16 16:01 0 ----a-w C:\Documents and Settings\Owner\SCHDLR.DAT
2007-10-01 15:46 --------- d-----w C:\Program Files\Apple Software Update
2007-09-24 21:03 --------- d-----w C:\Program Files\MSECACHE
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-14 02:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-14 02:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-14 02:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-14 02:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-14 02:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-14 02:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-14 02:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-14 02:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-14 02:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"Ninja"="" []
"NTI Dragon Disc"="C:\Program Files\NewTech Infosystems\Dragon Disc\tray.exe" [2006-08-15 08:22]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 18:04]
"NTI Scheduler"="C:\Program Files\Common Files\NewTech Infosystems\Scheduler\Schdlr32.exe" [2006-11-06 21:26]
"BlazeServoTool"="C:\Program Files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Shadow"="C:\Program Files\NewTech Infosystems\NTI Shadow 3\Shadow.exe" [2006-09-07 17:11]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-17 13:15:38]
NTI Ninja.lnk - C:\Program Files\NewTech Infosystems\NTI Ninja\setup\Open.exe [2007-07-16 08:20:31]R0 DragonHLP;DragonHLP;C:\WINDOWS\system32\drivers\DragonHLP.sys
R0 MRWMap;MRWMap;C:\WINDOWS\system32\drivers\MRWMap.sys
R1 DragonUDF;AchievaUDF;C:\WINDOWS\system32\drivers\DragonUDF.sys
R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
S0 NtiFilter;NtiFilter;C:\WINDOWS\system32\Drivers\NtiFilter.sys
S3 NtiEnc;NtiEnc;C:\WINDOWS\system32\Drivers\NtiEnc.sys[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-12 19:12:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-14 18:19:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 14:50:29
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2007-11-14 14:51:19
.
--- E O F ---
0
The Combofix log looks clean.Go to start> run> type notepad> ok> format> uncheck "word wrap".
Post a new Hijack This log.
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe modeEmpty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
0
Done! Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:05 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: NormalRunning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\NewTech Infosystems\Dragon Disc\tray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NewTech Infosystems\NTI Shadow 3\Shadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NTI Dragon Disc] C:\Program Files\NewTech Infosystems\Dragon Disc\tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NTI Scheduler] "C:\Program Files\Common Files\NewTech Infosystems\Scheduler\Schdlr32.exe" -s
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Shadow] C:\Program Files\NewTech Infosystems\NTI Shadow 3\Shadow.exe --minimize
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NTI Ninja.lnk = C:\Program Files\NewTech Infosystems\NTI Ninja\setup\Open.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://amysday.spaces.live.com/Phot...
O17 - HKLM\System\CCS\Services\Tcpip\..\{E770C294-5C45-431E-979D-B5643FECF1FA}: NameServer = 68.6.16.30,68.4.16.30
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe--
End of file - 6547 bytes
0
Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Exit Hijack This.
How is the computer operating
0
Ok, I've done that. The system seems to be operating much better now. No more win32/zonebac popups. Does this mean it's all cleaned out? Thanks again for your help, I really do appreciate it.
0
Your logs are clean.
You should add "Spywareblaster" to your arsenol of antispyware tools, just do a google search for spywareblaster, download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
Glad we could help.
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
