TechSpot

Backdoor Zonebac.b infection

By watchmeshine
Oct 22, 2007
  1. Unfortunately, my laptop has joined the growing list of victims of this virus. I noticed this infection sometime last week when it turned up in a Windows Defender scan, but I suspect it might have been lurking around my computer for at least two weeks before then. I used to use Trend Micro PC-Cillin, but the trojan must have messed with it because the antivirus had not updated/scanned my computer in more than 2 weeks. I constantly got "This feature is still initializing" errors even when the computer had been on for hours. A friend of mine removed Trend Micro and installed Avast, AdAware and Spybot in its place, but full scans with these three programs do not show the virus. Only Windows Defender was able to detect it. Windows Defender itself also stopped working for a while, and I actually had to uninstall it and reinstall it from the Microsoft website. Internet Explorer has also been acting weird, my volume and Dell Wireless signal icons have disappeared from the taskbar, all sorts of problems have just been popping up, and I am really just sick and tired and need help!!!

    I am a neophyte computer user, so I don't exactly know how to go about removing this infection. I would really appreciate some help because at this point, I am so ready to throw out my computer! Thanks in advance!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected with a very dangerous backdoor trojan.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and follow the instructions in this thread, then post the requested log files once done.

    Regards Howard :wave: :wave:

    This thread is for the use of watchmeshine only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. watchmeshine

    watchmeshine TS Rookie Topic Starter

    Hi and thanks for your quick reply. I have attached the HJT and awf logfiles. Please let me know what to do next. Thanks.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb

    O2 - BHO: IE7pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll (file missing)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll (file missing)

    O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll (file missing)

    Click on the fix checked button.

    Close HJT and reboot your computer.

    Download and install the latest version of Java from HERE.

    Once it's fully installed, go to Add/Remove Programmes in your Control Panel and uninstall all versions of Java, except for version 6 update 3.

    Now, in the interests of making sure your system is clean, please do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

    This thread is for the use of watchmeshine only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
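    As an added example (not from the thread, and not HijackThis code), a small Python triage that walks the HJT entries Howard listed above and flags the ones a cleaner would look at first: R1 search/start-page values pointing at a host outside a trusted list, and O2/O9 entries that are nameless or whose DLL is missing. The trusted-host set and the trailing O4 line are constructed assumptions, not from the thread.

```python
import re
from urllib.parse import urlsplit

# HijackThis entries quoted from Howard's post above; the final O4 line is a
# constructed benign entry so the triage has something it should leave alone.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
O2 - BHO: IE7pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll (file missing)
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll (file missing)
O4 - HKLM\..\Run: [ExampleTool] C:\Program Files\Example\tool.exe
"""

# Hosts the user recognises as legitimate search/start pages (assumption for this example).
TRUSTED_SEARCH_HOSTS = {"www.google.com", "search.msn.com", "go.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage(log_text):
    """Return (kind, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind.startswith("R"):
            # R0/R1 entries are IE start/search-page registry values; hijackers
            # repoint them, so anything outside the trusted set gets flagged.
            key, _, url = body.partition(" = ")
            host = urlsplit(url).hostname or ""
            if host not in TRUSTED_SEARCH_HOSTS:
                findings.append((kind, "search/start page set to untrusted host", f"{key} -> {host}"))
        elif kind in ("O2", "O9"):
            # BHOs and extra IE buttons: a nameless BHO or one whose DLL is gone is
            # either an orphan left by a removed program or something hiding its name.
            found = CLSID_RE.search(body)
            clsid = found.group(0) if found else "<no CLSID>"
            if "(no name)" in body:
                findings.append((kind, "nameless BHO", clsid))
            elif "(file missing)" in body or "(no file)" in body:
                findings.append((kind, "entry points at missing file", clsid))
    return findings
```

    Running `triage(SAMPLE_HJT_LOG)` returns exactly the seven entries Howard asked HJT to fix and leaves the O4 line alone.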
     
  5. watchmeshine

    watchmeshine TS Rookie Topic Starter

    I followed all the steps exactly and have attached the new log files. I had to stop AVG's first scan last night because I had to switch off my computer to go to bed, but I quarantined the results before saving the report as avg_scan1. I ran AVG again this morning and saved the second report as avg_scan2.

    Please let me know what else to do. Thanks.

    Oh, and the Panda Anti-Rootkit said no rootkits were found.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Everything looks ok there.

    However, I'd like you to let me know the results of the Panda Antirootkit scan as per step 11 of this thread.

    I'd also like you to have a file checked out over at Jotti's.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file C:\WINDOWS\system32\AD33402EE9.sys
    * Click Open
    * Please let me know the results.

    EDIT: Disregard the Panda instructions.

    Regards Howard :)

    This thread is for the use of watchmeshine only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. watchmeshine

    watchmeshine TS Rookie Topic Starter

    I just scanned the file on the website, and according to the scanner results, nothing was found and the status is ok. I think it's an OS file because I forgot to rehide the protected OS files before doing the 2nd HJT scan.

    So my computer's good to go now?
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, it certainly looks that way.

    Turn off System Restore (XP/ME only). See how HERE.

    Now, turn System Restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of watchmeshine only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. watchmeshine

    watchmeshine TS Rookie Topic Starter

    Thank you so much for all your help! I'll certainly be more careful when using the internet from now on.

    This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

    Only the original thread starter can do this. Anyone else will be ignored.
     
Topic Status:
Not open for further replies.
