Win32/Zonebac.gen!F won't go away

Original Message
Name: Kalynn
Date: March 20, 2008 at 14:36:10 Pacific
Subject: Win32/Zonebac.gen!F won't go away
OS: MS WinXP Prof SP2
CPU/Ram: Pentium D 2.80Ghz, 512MB
Model/Manufacturer: Dell Precision Workstatio
Comment:
Computer running slow. Have downloaded PC Tools, Webroot Spysweeper w/ AntiVirus. Today I went to Microsoft. Downloaded Windows Live OneCare. It notified me of Win32/Zonebac.gen!F and says it cleans it, but later, it pops back up for cleaning. HELP! (I've seen other postings, but am afraid to follow the instructions because of the warning about HijackThis being all-inclusive.)

Karen




Response Number 1
Name: jabuck
Date: March 20, 2008 at 16:40:09 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download FindAWF from the following link:
http://noahdfear.geekstogo.com/FindAWF.exe


Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.



Response Number 2
Name: Kalynn
Date: March 20, 2008 at 16:56:52 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:05 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PIXELA\ImageMixer3\HDDCameraMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JMMarcum\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wholehogsports.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ImageMixer HDD Camera Monitor.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6608 bytes

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 03/20/2008
The current time is: 18:50:44.50


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

12/11/2007 01:10 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/11/2007 11:56 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WINAMP\BAK

10/10/2007 12:28 AM 36,352 winampa.exe
1 File(s) 36,352 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

02/23/2005 04:19 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\LAVASOFT\AD-AWA~1\BAK

01/28/2008 08:13 AM 2,476,408 Ad-Watch2007.exe
1 File(s) 2,476,408 bytes

Directory of C:\PROGRA~1\RISING\RAV\BAK

12/16/2007 09:37 AM 118,784 RavTask.exe
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\WINAMP~1\BIN\BAK

10/22/2007 07:47 PM 360,448 OrbTray.exe
1 File(s) 360,448 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

267048 Feb 19 2008 "C:\Program Files\iTunes\iTunesHelper.exe1731194078"
257088 Apr 27 2007 "C:\Backup 1012-2007\Program Files\iTunes\iTunesHelper.exe"
267048 Dec 11 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 22 2008 "C:\WINDOWS\Installer\{80FD852F-5AAC-4129-B931-06AAFFA43138}\iTunesIco.exe"
75048 Feb 22 2008 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.1.9\iTunesSetupAdmin.exe"
116288 May 16 2007 "C:\Backup 1012-2007\old docs and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
282624 Apr 27 2007 "C:\Backup 1012-2007\Program Files\QuickTime\qttask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
36352 Oct 10 2007 "C:\Program Files\Winamp\bak\winampa.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
53248 Feb 23 2005 "C:\Backup 1012-2007\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
2476408 Jan 28 2008 "C:\Program Files\Lavasoft\Ad-Aware 2007\bak\Ad-Watch2007.exe"
118784 Dec 16 2007 "C:\Program Files\Rising\Rav\bak\RavTask.exe"
360448 Oct 22 2007 "C:\Program Files\Winamp Remote\bin\bak\OrbTray.exe"
40048 Oct 23 2006 "C:\Backup 1012-2007\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"


end of report

Karen



Response Number 3
Name: jabuck
Date: March 20, 2008 at 18:05:54 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
Go to this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have, as it will interfere with the fix by reinstalling the corrupt files.

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option:

Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Copy/paste the following list of bolded files to be restored:


"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Winamp\bak\winampa.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Lavasoft\Ad-Aware 2007\bak\Ad-Watch2007.exe"
"C:\Program Files\Rising\Rav\bak\RavTask.exe"
"C:\Program Files\Winamp Remote\bin\bak\OrbTray.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"


Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.



Response Number 4
Name: Kalynn
Date: March 20, 2008 at 18:35:15 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
jabuck, before I do this:
I uninstalled Lavasoft & Rising Antivirus about a week or so ago when I started this process. They didn't seem to be detecting anything. How do I get that off for good before I follow your instructions for the RealTime programs???

Karen



Response Number 5
Name: Kalynn
Date: March 20, 2008 at 19:06:33 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Thu 03/20/2008
The current time is: 21:00:37.07


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

12/11/2007 01:10 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/11/2007 11:56 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WINAMP\BAK

10/10/2007 12:28 AM 36,352 winampa.exe
1 File(s) 36,352 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

02/23/2005 04:19 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\LAVASOFT\AD-AWA~1\BAK

01/28/2008 08:13 AM 2,476,408 Ad-Watch2007.exe
1 File(s) 2,476,408 bytes

Directory of C:\PROGRA~1\RISING\RAV\BAK

12/16/2007 09:37 AM 118,784 RavTask.exe
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\WINAMP~1\BIN\BAK

10/22/2007 07:47 PM 360,448 OrbTray.exe
1 File(s) 360,448 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

267048 Feb 19 2008 "C:\Program Files\iTunes\iTunesHelper.exe1731194078"
257088 Apr 27 2007 "C:\Backup 1012-2007\Program Files\iTunes\iTunesHelper.exe"
267048 Dec 11 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 22 2008 "C:\WINDOWS\Installer\{80FD852F-5AAC-4129-B931-06AAFFA43138}\iTunesIco.exe"
75048 Feb 22 2008 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.1.9\iTunesSetupAdmin.exe"
116288 May 16 2007 "C:\Backup 1012-2007\old docs and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Apr 27 2007 "C:\Backup 1012-2007\Program Files\QuickTime\qttask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
36352 Oct 10 2007 "C:\Program Files\Winamp\winampa.exe"
36352 Oct 10 2007 "C:\Program Files\Winamp\bak\winampa.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Feb 23 2005 "C:\Backup 1012-2007\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
2476408 Jan 28 2008 "C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe"
2476408 Jan 28 2008 "C:\Program Files\Lavasoft\Ad-Aware 2007\bak\Ad-Watch2007.exe"
118784 Dec 16 2007 "C:\Program Files\Rising\Rav\RavTask.exe"
118784 Dec 16 2007 "C:\Program Files\Rising\Rav\bak\RavTask.exe"
360448 Oct 22 2007 "C:\Program Files\Winamp Remote\bin\OrbTray.exe"
360448 Oct 22 2007 "C:\Program Files\Winamp Remote\bin\bak\OrbTray.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 Oct 23 2006 "C:\Backup 1012-2007\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"


end of report

Karen




Response Number 6
Name: jabuck
Date: March 20, 2008 at 19:31:04 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Copy/paste the following list of bolded folders to be removed:


C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Winamp\bak
C:\WINDOWS\system32\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Lavasoft\Ad-Aware 2007\bak
C:\Program Files\Rising\Rav\bak
C:\Program Files\Winamp Remote\bin\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak

Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

If you uninstalled them in Add/Remove Programs, go to C:\Program Files and delete their folders.

You must have an antivirus.

I use the free version of AVG, you can download it at this link:
AVG Free Antivirus

Update it once you get it installed.


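What the three FindAWF options used in responses 1, 3 and 6 do (scan for `bak` folders, put the clean copies back over the dropped files, then remove the `bak` folders), as an added example in Python. This is not FindAWF's own code and is not part of the thread: it builds a constructed sample tree in a temporary directory that echoes the posted report (a swapped iTunesHelper.exe, a winampa.exe whose parent copy is missing, a ctfmon.exe already identical to its backup), the file contents are placeholder bytes, and no process is terminated. The infection pattern it handles is the one the report shows: a legitimate autostart .exe moved into a sibling `bak` folder with a same-named file dropped where the original was.

```python
"""Mirror of FindAWF's options 1 to 3 for the Zonebac/AWF file swap: the
infection moves a legitimate autostart .exe into a sibling 'bak' folder and
drops a same-named trojan where the original was. Added example, not
FindAWF's code; the tree it builds is constructed sample data."""
import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


@dataclass
class BakEntry:
    original: Path  # clean copy inside the bak folder
    parent: Path    # same file name one level up (where the trojan sits)
    status: str     # "rogue", "missing" or "restored"


def classify(original: Path) -> BakEntry:
    """Compare the bak copy with the file in the parent folder by size, then hash."""
    parent = original.parent.parent / original.name
    if not parent.exists():
        status = "missing"
    elif (parent.stat().st_size == original.stat().st_size
          and sha256(parent) == sha256(original)):
        status = "restored"
    else:
        status = "rogue"
    return BakEntry(original, parent, status)


def scan_bak_folders(root: Path) -> list[BakEntry]:
    """Option 1: every file under a folder named 'bak' (any case), paired with
    the same-named file in the parent folder."""
    bak_dirs = sorted(p for p in root.rglob("*")
                      if p.is_dir() and p.name.lower() == "bak")
    return [classify(f) for d in bak_dirs for f in sorted(d.iterdir()) if f.is_file()]


def restore_from_bak(entries: list[BakEntry]) -> list[Path]:
    """Option 2: delete the rogue file from the parent folder (if present) and
    copy the clean original back. FindAWF also kills the running process first;
    nothing runs from the sample tree, so that step is omitted here."""
    restored = []
    for e in entries:
        if e.status == "restored":
            continue
        if e.parent.exists():
            e.parent.unlink()
        shutil.copy2(e.original, e.parent)
        restored.append(e.parent)
    return restored


def remove_bak_folders(entries: list[BakEntry]) -> list[Path]:
    """Option 3: delete a bak folder only once every file in it has a
    byte-identical copy in the parent folder; otherwise leave it alone."""
    removed = []
    for bak_dir in sorted({e.original.parent for e in entries}):
        if all(classify(f).status == "restored"
               for f in bak_dir.iterdir() if f.is_file()):
            shutil.rmtree(bak_dir)
            removed.append(bak_dir)
    return removed


def build_sample_tree() -> Path:
    """Constructed layout echoing the posted report: a swapped iTunesHelper.exe,
    a winampa.exe missing from its parent folder, a ctfmon.exe already restored."""
    root = Path(tempfile.mkdtemp(prefix="awf_"))
    files = {
        "Program Files/iTunes/bak/iTunesHelper.exe": b"ORIGINAL iTunesHelper " * 8,
        "Program Files/iTunes/iTunesHelper.exe": b"TROJAN dropped in place " * 6,
        "Program Files/Winamp/bak/winampa.exe": b"ORIGINAL winampa " * 4,
        "WINDOWS/system32/bak/ctfmon.exe": b"ORIGINAL ctfmon " * 4,
        "WINDOWS/system32/ctfmon.exe": b"ORIGINAL ctfmon " * 4,
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root


def run_workflow(root: Path) -> dict:
    """Scan, restore, rescan, then remove; report statuses keyed by parent path."""
    def statuses():
        return {e.parent.relative_to(root).as_posix(): e.status
                for e in scan_bak_folders(root)}
    before = statuses()
    restore_from_bak(scan_bak_folders(root))
    after = statuses()
    removed = remove_bak_folders(scan_bak_folders(root))
    return {"before": before, "after": after, "removed": len(removed),
            "remaining_bak": len(scan_bak_folders(root))}


if __name__ == "__main__":
    for key, value in run_workflow(build_sample_tree()).items():
        print(key, value)
```

The "Duplicate files of bak directory contents" section of the posted reports is the same check done by size: before option 2 the iTunes folder had no iTunesHelper.exe matching the bak copy, and after it every bak file has a same-size twin one level up. The example refuses to delete a `bak` folder until that match holds, which is the condition under which option 3 is safe to run.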

Response Number 7
Name: Kalynn
Date: March 20, 2008 at 20:25:01 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 03/20/2008
The current time is: 22:17:21.28


bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

Jabuck- Thanks for all your help. Does this look good now??? I have antivirus with Webroot Spy Sweeper w/ Antivirus. Is it usually good to have more than one?

Karen



Response Number 8
Name: jabuck
Date: March 20, 2008 at 20:39:13 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
You only need one antivirus, and there are probably a few baddies left.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download CCleaner from the following link:

http://filehippo.com/download_ccleaner/

After you download it to your desktop and begin installing it, only allow the "install icon on desktop" option to install. Then run it; use it only as suggested. It's powerful, so use only the prechecked items.

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones
This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT
Next,
Launch Notepad, and copy/paste everything between the X's, making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.

Let us know how the computer is operating.


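The fixme.reg in response 8 wipes the ZoneMap keys without looking at them first. Before doing that it is worth seeing which hosts were mapped into an elevated zone, since that is what a Zonebac-type infection changes. The following is an added example in Python, not code from the post: it parses a regedit export of the ZoneMap\Domains tree (the export text embedded in it is constructed sample data, not from Karen's machine), lists hosts placed in the Trusted Sites (zone 2) or Local Machine (zone 0) zone, and reproduces the reset .reg the post gives. The zone numbers 0 to 4 and the layout of ZoneMap\Domains (domain key, optional subdomain subkey, value name = URL scheme, dword = zone) follow Internet Explorer's convention.

```python
r"""Inspect an exported IE ZoneMap\Domains tree for hosts promoted to the
Trusted (2) or Local Machine (0) zone, then emit the reset .reg from the post.
Added example, not code from the thread; SAMPLE_EXPORT is constructed data."""
import re
from dataclasses import dataclass

ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# Constructed .reg export (sample data, not from the poster's machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.corp.example]
"*"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-updates.net]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-updates.net\dl]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-ads.example]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost-proxy.example]
"*"=dword:00000000
"""


@dataclass
class ZoneEntry:
    hive: str
    host: str    # subdomain.domain, or the bare domain
    scheme: str  # "*", "http", "https", ...
    zone: int


# Key header under ...\ZoneMap\Domains, capturing hive and the domain[\subdomain] tail.
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\" + re.escape(ZONEMAP) + r"\\Domains\\([^\]]+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text: str) -> list[ZoneEntry]:
    """Turn a regedit export into ZoneEntry records, one per scheme/zone value."""
    entries, hive, host = [], None, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            hive = m.group(1)
            parts = m.group(2).split("\\")          # Domains\example.com\www -> www.example.com
            host = ".".join(reversed(parts)) if len(parts) > 1 else parts[0]
            continue
        if line.startswith("["):                     # some unrelated key: stop collecting
            hive = host = None
            continue
        v = VAL_RE.match(line)
        if v and host:
            entries.append(ZoneEntry(hive, host, v.group(1), int(v.group(2), 16)))
    return entries


def elevated(entries: list[ZoneEntry]) -> list[ZoneEntry]:
    """Hosts in Trusted Sites or Local Machine get relaxed ActiveX/script settings,
    which is why an infection adds its own domains there."""
    return [e for e in entries if e.zone in (0, 2)]


def reset_reg_text() -> str:
    """The post's fixme.reg: a leading '-' deletes the key, the plain header that
    follows recreates it empty. This also discards Restricted-zone entries added
    by SpywareBlaster / IE-SpyAd, so those have to be re-applied afterwards."""
    lines = ["REGEDIT4"]
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        for sub in ("Domains", "Ranges"):
            key = f"{hive}\\{ZONEMAP}\\{sub}"
            lines.append(f"[-{key}]")
            lines.append(f"[{key}]")
    return "\n".join(lines) + "\n"


def report(reg_text: str) -> dict:
    entries = parse_zonemap(reg_text)
    return {"total": len(entries),
            "elevated": sorted({(e.host, ZONES[e.zone]) for e in elevated(entries)}),
            "restricted": sorted({e.host for e in entries if e.zone == 4})}


if __name__ == "__main__":
    for host, zone in report(SAMPLE_EXPORT)["elevated"]:
        print(f"{host:30} -> {zone}")
    print(reset_reg_text())
```

On a real machine the export comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg` (and the same under HKLM); later Windows versions write that file as UTF-16, so decode it before handing the text to `parse_zonemap`. Any host you do not recognise sitting in Trusted Sites is what the blanket reset in the post is removing; note it down first, because the reset leaves no record of what was there.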

Response Number 9
Name: Kalynn
Date: March 21, 2008 at 05:24:47 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
Have to go to work this morning, but will perform when I get home. Will let you know how that goes.

Karen



Response Number 10
Name: Kalynn
Date: March 21, 2008 at 17:53:01 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
Do I need to turn off my antivirus/antispyware properties to do the above actions? I downloaded Combofix from link 1 and attempted to perform, but my PC Tools said there was a malicious trojan trying to work and stopped it. Please advise. Thanks so much.

Karen



Response Number 11
Name: jabuck
Date: March 21, 2008 at 18:38:42 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
Disable any realtime protection that you have (spysweeper, etc) the link in response #3 covers most of them but any other ones need to be turned off or an allowance made for the tools to run.


Response Number 12
Name: Kalynn
Date: March 23, 2008 at 17:49:03 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
ComboFix 08-03-21.1 - JMMarcum 2008-03-23 19:41:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222 [GMT -5:00]
Running from: C:\Documents and Settings\JMMarcum\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-23 11:31 . 2008-03-23 11:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-23 11:31 . 2008-03-23 11:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-21 19:58 . 2008-03-21 19:58 3,631 --a------ C:\150.tmp
2008-03-21 19:57 . 2008-03-21 19:57 3,631 --a------ C:\14E.tmp
2008-03-21 19:49 . 2008-03-21 19:49 3,631 --a------ C:\14C.tmp
2008-03-20 13:02 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 13:02 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-20 13:02 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 09:49 . 2008-03-20 09:49 <DIR> d-------- C:\WINDOWS\system32\bits
2008-03-20 09:48 . 2007-03-29 07:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-03-20 09:48 . 2007-03-29 07:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-03-20 08:08 . 2008-03-20 09:38 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-17 08:52 . 2008-03-17 08:52 <DIR> d-------- C:\Program Files\Citrix
2008-03-16 03:01 . 2008-03-16 03:01 2,501 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-12 05:44 . 2008-03-12 05:44 <DIR> d-------- C:\Program Files\eSoftware
2008-03-12 05:22 . 2008-03-12 05:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-09 12:48 . 2008-03-09 12:48 <DIR> d-------- C:\Program Files\Webroot
2008-03-09 12:48 . 2008-03-09 12:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-09 12:48 . 2008-03-09 12:48 <DIR> d-------- C:\Documents and Settings\JMMarcum\Application Data\Webroot
2008-03-09 12:48 . 2008-03-09 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-09 12:48 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-03-09 12:48 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-03-09 12:48 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-03-09 12:48 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-03-09 12:48 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-03-09 12:46 . 2008-03-18 09:07 164 --a------ C:\install.dat
2008-02-29 20:36 . 2008-03-23 19:30 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-29 20:36 . 2008-02-29 20:37 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-02-29 20:36 . 2008-02-29 20:36 <DIR> d-------- C:\Documents and Settings\JMMarcum\Application Data\PC Tools
2008-02-29 20:36 . 2008-03-23 19:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 20:36 . 2008-02-29 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-29 20:36 . 2008-03-18 23:25 159,112 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-02-29 20:36 . 2007-12-10 15:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-29 20:36 . 2007-12-10 15:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-29 20:36 . 2008-02-01 13:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-29 20:36 . 2007-12-10 15:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-29 20:11 . 2008-02-29 20:11 693 --a------ C:\WINDOWS\system32\application.config
2008-02-25 16:15 . 2008-02-25 16:15 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-02-24 22:27 . 2008-02-24 22:30 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-02-24 22:20 . 2007-12-06 21:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-24 22:20 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-24 22:20 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-24 22:20 . 2007-12-06 21:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-24 22:20 . 2007-12-06 21:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-24 22:20 . 2007-12-06 21:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-24 22:20 . 2007-12-06 21:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-24 22:20 . 2007-12-06 21:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-24 22:20 . 2007-12-06 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 03:17 --------- d-----w C:\Program Files\Winamp
2008-03-21 03:17 --------- d-----w C:\Program Files\QuickTime
2008-03-21 03:17 --------- d-----w C:\Program Files\iTunes
2008-03-19 05:23 --------- d-----w C:\Program Files\Microsoft.PC
2008-03-13 04:59 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-13 03:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-04 21:48 --------- d-----w C:\Documents and Settings\JMMarcum\Application Data\Apple Computer
2008-02-25 21:16 --------- d-----w C:\Program Files\Google
2008-02-22 22:58 --------- d-----w C:\Program Files\iPod
2008-01-28 15:44 --------- d-----w C:\Program Files\Common Files\Peach
2008-01-28 13:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-09 15:19 1,280,568 ----a-w C:\Program Files\The Buzz Abacast.exe
2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
2007-05-26 01:24 22 ----a-w C:\Program Files\c.zip
2007-05-26 01:24 22 ----a-w C:\Program Files\b.zip
2007-05-26 01:23 22 ----a-w C:\Program Files\a.zip
2007-03-25 03:36 25,214 ----a-w C:\Program Files\B.ico
2007-03-25 03:36 25,214 ----a-w C:\Program Files\A.ico
2006-05-31 15:14 108,056 ----a-w C:\Program Files\Common Files\secman.dll
2006-03-12 01:09 626,176 ----a-w C:\Program Files\Common Files\osmax.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
2007-12-18 14:27 111968 --a------ C:\Program Files\AOL Search\AOLSearch.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 339968 C:\WINDOWS\stsystra.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-02-24 07:32 1495040 C:\WINDOWS\system32\nwiz.exe]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-01-28 08:13 2476408]
"WINLOAD32"="" []
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 13:55 1103240]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
ImageMixer HDD Camera Monitor.lnk - C:\Program Files\PIXELA\ImageMixer3\HDDCameraMonitor.exe [2007-11-03 16:00:03 2117632]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-09-11 09:38:44 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\JMMarcum\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-03-18 23:25]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 02:13:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-24 00:33:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-17 07:00:01 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-03-23 05:00:08 C:\WINDOWS\Tasks\wrSpySweeper_L5FA64154689E4818A7120B4835E117E4.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L5FA64154689E4818A7120B4835E117E4
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 19:45:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-23 19:46:50
ComboFix-quarantined-files.txt 2008-03-24 00:46:46
.
2008-03-21 08:03:08 --- E O F ---

Karen



Response Number 13
Name: Kalynn
Date: March 23, 2008 at 18:08:23 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
Jabuck, just completed all your instructions. Immediately noticed when logging back onto the internet that the forever-there zedo intercept tag thing didn't flash across the bottom. It seems to run quite smoothly. Here's my next question for you. I have a teenager who, despite my repeated instructions, will log onto Facebook & MySpace. I think that is the source of my problems. How do you feel about those sites? She downloads iTunes as well. Don't want to go through this again. Any guidance from you concerning surfing habits and what I've just experienced with my computer problems? Thanks so much for your help. It was invaluable to me.

Karen



Response Number 14
Name: Kalynn
Date: March 23, 2008 at 18:10:12 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
Also, do I just uninstall all these programs I have used? Don't want anyone around here clicking on something they shouldn't. Thanks.

Karen



Response Number 15
Name: jabuck
Date: March 23, 2008 at 18:59:41 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
You still have an infection; it looks new.

Turn off SpySweeper, Windows Defender, Spyware Doctor and Ad-Aware's "Ad-Watch".

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\150.tmp
C:\14E.tmp
C:\14C.tmp
C:\Program Files\page.html
C:\Program Files\c.zip
C:\Program Files\b.zip
C:\Program Files\a.zip
C:\Program Files\B.ico
C:\Program Files\A.ico

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Download CCleaner from the following link:

http://filehippo.com/download_ccleaner/

After you download it to your desktop and begin installing it, only allow the "install icon on desktop" to install. Then run it; use it only as suggested. It's powerful, so use only the prechecked items.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, any infection is displayed in the "Scan is completed" window.
There is no option to clean/disinfect; however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "Run".

Post a new Combofix log.



Response Number 16
Name: Kalynn
Date: March 23, 2008 at 21:22:04 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
---------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 23, 2008 11:20:31 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/03/2008
Kaspersky Anti-Virus database records: 656785
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 81743
Number of viruses found: 11
Number of infected objects: 50
Number of suspicious objects: 0
Duration of the scan process: 01:04:59

Infected Object Name / Virus Name / Last Action
C:\Backup 1012-2007\old docs and settings\joe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-25ae8293.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Backup 1012-2007\old docs and settings\joe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-25ae8293.zip ZIP: infected - 1 skipped
C:\Backup 1012-2007\Program Files\page.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\1EC.tmp Infected: not-a-virus:Monitor.Win32.PCTattletale.a skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\1ED.tmp Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\1EE.tmp Infected: not-a-virus:Monitor.Win32.PCTattletale.a skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\1EF.tmp Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\1F0.tmp Infected: not-a-virus:Monitor.Win32.PCTattletale.a skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\1F1.tmp Infected: not-a-virus:Monitor.Win32.PCTattletale.a skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\20.tmp Infected: Trojan.Win32.Agent.bqn skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\21.tmp Infected: not-a-virus:FraudTool.Win32.BestSeller.c skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\22.tmp Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\23.tmp Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\24.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\25.tmp Infected: not-a-virus:Monitor.Win32.PCTattletale.a skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\26.tmp Infected: Trojan-Downloader.Win32.Adload.lv skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\27.tmp Infected: Trojan.Win32.BHO.hj skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\28.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\29.tmp Infected: Trojan.Win32.Agent.bqn skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\2A.tmp Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\2B.tmp Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\cwmtafeb.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\diocujdl.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\ipodhytc.dll Infected: Trojan.Win32.BHO.hj skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\tsqsofsi.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Backup 1012-2007\Program Files\Trend Micro\Internet Security\Quarantine\winable.exe Infected: Trojan-Downloader.Win32.Adload.lv skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03122008-052256.log Object is locked skipped
C:\Documents and Settings\JMMarcum\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\JMMarcum\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\JMMarcum\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\JMMarcum\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DCFC89DF-7C3A-4015-8ED4-A6E7F142AB44} Object is locked skipped
C:\Documents and Settings\JMMarcum\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JMMarcum\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JMMarcum\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\JMMarcum\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\page.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\Spyware Doctor\NetworkLayer\InterfaceDLL.txt Object is locked skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EC.tmp Infected: not-a-virus:Monitor.Win32.PCTattletale.a skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1ED.tmp Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EE.tmp Infected: not-a-virus:Monitor.Win32.PCTattletale.a skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EF.tmp Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F0.tmp Infected: not-a-virus:Monitor.Win32.PCTattletale.a skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F1.tmp Infected: not-a-virus:Monitor.Win32.PCTattletale.a skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\20.tmp Infected: Trojan.Win32.Agent.bqn skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\21.tmp Infected: not-a-virus:FraudTool.Win32.BestSeller.c skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\22.tmp Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\23.tmp Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\24.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\25.tmp Infected: not-a-virus:Monitor.Win32.PCTattletale.a skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\26.tmp Infected: Trojan-Downloader.Win32.Adload.lv skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\27.tmp Infected: Trojan.Win32.BHO.hj skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\28.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\29.tmp Infected: Trojan.Win32.Agent.bqn skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\2A.tmp Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\2B.tmp Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\cwmtafeb.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\diocujdl.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\ipodhytc.dll Infected: Trojan.Win32.BHO.hj skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\tsqsofsi.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\winable.exe Infected: Trojan-Downloader.Win32.Adload.lv skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{13E47E20-9E7A-420A-BD5F-05A82D1952DD}\RP241\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Karen


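The analysis step jabuck asks for ("we need to analyze the information on the report") can be done mechanically on a report of the shape Karen posted above. The script below is an added example written for this thread, not a Kaspersky or forum tool; its sample report is constructed from a few of the posted lines, and the path markers it uses to tell quarantined or restore-point copies from live files are an assumption.

```python
"""Triage a Kaspersky Online Scanner text report (added example, see lead-in).

Splits the "Infected Object Name / Virus Name / Last Action" section into
detections at live paths, detections already sitting inside another product's
quarantine or a System Restore point, flagged archive containers, and
"Object is locked" lines, which are files the scanner could not open, not hits.
"""
import re
from collections import Counter

# Constructed sample, shortened from the shape of the report posted in the thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Backup 1012-2007\old docs\joe\cache\jvmsecman.jar-69ee0e0e-25ae8293.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Backup 1012-2007\old docs\joe\cache\jvmsecman.jar-69ee0e0e-25ae8293.zip ZIP: infected - 1 skipped
C:\Backup 1012-2007\Program Files\page.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\page.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EC.tmp Infected: not-a-virus:Monitor.Win32.PCTattletale.a skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\winable.exe Infected: Trojan-Downloader.Win32.Adload.lv skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\JMMarcum\NTUSER.DAT Object is locked skipped

Scan process completed.
"""

# One result line is "<path> Infected: <detection> skipped",
# "<path> <ARCHIVE>: infected - <n> skipped" or "<path> Object is locked skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"Infected: (?P<name>\S+)"
    r"|(?P<archive>[A-Z0-9]+): infected - (?P<count>\d+)"
    r"|(?P<locked>Object is locked)"
    r") skipped$"
)

# Assumed markers for copies held by another scanner or by System Restore;
# files under these are not on any normal execution path.
CONTAINED_MARKERS = ("\\quarantine\\", "\\_restore{", "\\qoobox\\")


def parse_report(text):
    """Return one dict per result line: {"path", "kind", "name"}."""
    records = []
    in_results = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_results = True
            continue
        if not in_results or not line:
            continue
        if line.startswith("Scan process completed"):
            break
        m = LINE_RE.match(line)
        if m is None:
            records.append({"path": line, "kind": "unparsed", "name": None})
        elif m.group("locked"):
            records.append({"path": m.group("path"), "kind": "locked", "name": None})
        elif m.group("archive"):
            desc = f"{m.group('archive')} container, {m.group('count')} infected member(s)"
            records.append({"path": m.group("path"), "kind": "archive", "name": desc})
        else:
            records.append({"path": m.group("path"), "kind": "infected", "name": m.group("name")})
    return records


def is_contained(path):
    """True when the path lies inside a quarantine store or a restore point."""
    low = path.lower()
    return any(marker in low for marker in CONTAINED_MARKERS)


def triage(records):
    """Bucket parsed records so the detections that still matter stand out."""
    summary = {
        "live": [],                 # (path, detection) at a reachable location
        "contained": [],            # (path, detection) inside quarantine / restore
        "archives": [],             # (path, description) of flagged containers
        "locked": 0,                # could-not-open lines, not detections
        "unparsed": [],             # lines the regex did not recognise
        "by_detection": Counter(),  # detection name -> number of objects
    }
    for rec in records:
        kind = rec["kind"]
        if kind == "locked":
            summary["locked"] += 1
        elif kind == "unparsed":
            summary["unparsed"].append(rec["path"])
        elif kind == "archive":
            summary["archives"].append((rec["path"], rec["name"]))
        else:
            summary["by_detection"][rec["name"]] += 1
            bucket = "contained" if is_contained(rec["path"]) else "live"
            summary[bucket].append((rec["path"], rec["name"]))
    return summary


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"{len(result['live'])} live, {len(result['contained'])} contained, "
          f"{len(result['archives'])} archive(s), {result['locked']} locked")
    for path, name in result["live"]:
        print("LIVE", name, path)
```

On the posted report this separates the single live hit (C:\Program Files\page.html, the file jabuck then lists in the CFScript) from the copies already held in the Trend Micro quarantine and the old backup folder, and keeps the many "Object is locked" lines out of the infection count.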

Response Number 17
Name: Kalynn
Date: March 23, 2008 at 21:28:07 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
ComboFix 08-03-21.1 - JMMarcum 2008-03-23 23:23:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.189 [GMT -5:00]
Running from: C:\Documents and Settings\JMMarcum\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JMMarcum\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\14C.tmp
C:\14E.tmp
C:\150.tmp
C:\Program Files\A.ico
C:\Program Files\a.zip
C:\Program Files\B.ico
C:\Program Files\b.zip
C:\Program Files\c.zip
C:\Program Files\page.html
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\14C.tmp
C:\14E.tmp
C:\150.tmp
C:\Program Files\A.ico
C:\Program Files\a.zip
C:\Program Files\B.ico
C:\Program Files\b.zip
C:\Program Files\c.zip
C:\Program Files\page.html

.
((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-23 23:22 . 2008-03-23 23:22 3,631 --a------ C:\3D44.tmp
2008-03-23 21:49 . 2008-03-23 21:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-23 21:49 . 2008-03-23 21:49 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-23 21:49 . 2008-03-23 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-23 19:54 . 2008-03-23 19:54 <DIR> d-------- C:\Program Files\CCleaner
2008-03-23 11:31 . 2008-03-23 11:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-23 11:31 . 2008-03-23 11:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-20 13:02 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 13:02 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-20 13:02 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 09:49 . 2008-03-20 09:49 <DIR> d-------- C:\WINDOWS\system32\bits
2008-03-20 09:48 . 2007-03-29 07:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-03-20 09:48 . 2007-03-29 07:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-03-20 08:08 . 2008-03-20 09:38 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-17 08:52 . 2008-03-17 08:52 <DIR> d-------- C:\Program Files\Citrix
2008-03-16 03:01 . 2008-03-16 03:01 2,501 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-12 05:44 . 2008-03-12 05:44 <DIR> d-------- C:\Program Files\eSoftware
2008-03-12 05:22 . 2008-03-12 05:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-09 12:48 . 2008-03-09 12:48 <DIR> d-------- C:\Program Files\Webroot
2008-03-09 12:48 . 2008-03-09 12:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-09 12:48 . 2008-03-09 12:48 <DIR> d-------- C:\Documents and Settings\JMMarcum\Application Data\Webroot
2008-03-09 12:48 . 2008-03-09 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-09 12:48 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-03-09 12:48 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-03-09 12:48 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-03-09 12:48 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-03-09 12:48 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-03-09 12:46 . 2008-03-18 09:07 164 --a------ C:\install.dat
2008-02-29 20:36 . 2008-03-23 19:30 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-29 20:36 . 2008-02-29 20:37 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-02-29 20:36 . 2008-02-29 20:36 <DIR> d-------- C:\Documents and Settings\JMMarcum\Application Data\PC Tools
2008-02-29 20:36 . 2008-03-23 19:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 20:36 . 2008-02-29 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-29 20:36 . 2008-03-18 23:25 159,112 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-02-29 20:36 . 2007-12-10 15:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-29 20:36 . 2007-12-10 15:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-29 20:36 . 2008-02-01 13:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-29 20:36 . 2007-12-10 15:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-29 20:11 . 2008-02-29 20:11 693 --a------ C:\WINDOWS\system32\application.config
2008-02-25 16:15 . 2008-02-25 16:15 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-02-24 22:27 . 2008-02-24 22:30 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-02-24 22:20 . 2007-12-06 21:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-24 22:20 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-24 22:20 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-24 22:20 . 2007-12-06 21:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-24 22:20 . 2007-12-06 21:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-24 22:20 . 2007-12-06 21:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-24 22:20 . 2007-12-06 21:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-24 22:20 . 2007-12-06 21:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-24 22:20 . 2007-12-06 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 03:17 --------- d-----w C:\Program Files\Winamp
2008-03-21 03:17 --------- d-----w C:\Program Files\QuickTime
2008-03-21 03:17 --------- d-----w C:\Program Files\iTunes
2008-03-19 05:23 --------- d-----w C:\Program Files\Microsoft.PC
2008-03-13 04:59 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-13 03:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-04 21:48 --------- d-----w C:\Documents and Settings\JMMarcum\Application Data\Apple Computer
2008-02-25 21:16 --------- d-----w C:\Program Files\Google
2008-02-22 22:58 --------- d-----w C:\Program Files\iPod
2008-01-28 15:44 --------- d-----w C:\Program Files\Common Files\Peach
2008-01-28 13:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-09 15:19 1,280,568 ----a-w C:\Program Files\The Buzz Abacast.exe
2006-05-31 15:14 108,056 ----a-w C:\Program Files\Common Files\secman.dll
2006-03-12 01:09 626,176 ----a-w C:\Program Files\Common Files\osmax.ocx
.

((((((((((((((((((((((((((((( snapshot@2008-03-23_19.46.15.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
2007-12-18 14:27 111968 --a------ C:\Program Files\AOL Search\AOLSearch.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 339968 C:\WINDOWS\stsystra.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-02-24 07:32 1495040 C:\WINDOWS\system32\nwiz.exe]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-01-28 08:13 2476408]
"WINLOAD32"="" []
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 13:55 1103240]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
ImageMixer HDD Camera Monitor.lnk - C:\Program Files\PIXELA\ImageMixer3\HDDCameraMonitor.exe [2007-11-03 16:00:03 2117632]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-09-11 09:38:44 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\JMMarcum\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-03-18 23:25]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 02:13:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-24 00:33:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-17 07:00:01 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-03-23 05:00:08 C:\WINDOWS\Tasks\wrSpySweeper_L5FA64154689E4818A7120B4835E117E4.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L5FA64154689E4818A7120B4835E117E4
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 23:26:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-23 23:27:03
ComboFix-quarantined-files.txt 2008-03-24 04:27:00
ComboFix2.txt 2008-03-24 00:46:51
.
2008-03-21 08:03:08 --- E O F ---

Karen



Response Number 18
Name: Kalynn
Date: March 24, 2008 at 06:32:11 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
Jabuck, had a bad virus back in Oct. of last year. So bad the computer kept locking up and I had to take it to the local computer guys. They never told me what exactly the virus was. Said they "wiped the computer clean" and reloaded the old desktop with files back on. Could some of my problems be with that? Just thought I'd give you a heads up. Thanks for all your help.

Karen



Response Number 19
Name: Kalynn
Date: March 25, 2008 at 08:30:31 Pacific
Subject: Win32/Zonebac.gen!F won't go away
Reply:
Hello, Jabuck. I posted the requested Scan Report from KASPERSKY ONLINE SCANNER REPORT in Reply #16. I also posted the ComboFix log in Reply #17 as requested. Do I need to do anything further? How does it look? I know just enough to be dangerous with my computer and really appreciate all your help. Hope to hear from you soon as I am holding my computer hostage at home until I complete whatever you suggest I do for it. Thanks so much.

Karen



All content ©1996-2007 Computing.Net, LLC