TechSpot

Trojan.Zonebac virus detected by Symantec

By courtneyt
Oct 30, 2007
  1. Hi, Please help!

    I run a full scheduled virus scan weekly through Symantec, and an abbreviated scan daily. For the past two days, it has been saying that I am infected with a Trojan.Zonebac virus. A couple of times there were only 1-3 infected files, but today it said there were 7. I don't know where these viruses keep coming from, or what more to do. It appears to get rid of the files, and then they come back, but in different files (like in scansoft). I've tried ridding myself of malware: running ATF cleaner, system restore, SuperAntiSpyware (I already have Spybot running on the computer), Panda Active Scan, and checked for Windows Updates. Nothing has seemed to help. I'm a law student, so my computer is my life.

    Please help, thank you!
    Courtney

    As requested my hijack file and what not is attached.

    THANK YOU THANK YOU THANK YOU. I've exceeded the limit of my tech knowledge and I am at your mercy to save my computer!
     
  2. LuckyM

    LuckyM Banned Posts: 66

  3. Rik

    Rik Banned Posts: 3,814

    Please remove Full Scan Results.doc as a .doc can carry infections.


    You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

    Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, Combofix, and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.
    We also need to know the result of Panda Antirootkit.


    This thread is for the use of courtneyt only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. courtneyt

    courtneyt TS Rookie Topic Starter

    Ric,
    Thanks for your reply. I'm only a student, so I'm new to all of this. I'm confused on some of the 15 different steps--should I really be downloading all of these programs? I thought too many weren't good?

    I've installed Hjack It, Super AntiSpyware, Spybot, and I'm using Symantec for virus protection. I also downloaded the Find AWF function.

    I attempted to follow Howard's guide to remove the trojan dropper agent, but I am not techy enough to fix it out. Can you help me with my next step?

    I would really appreciate it!

    Also, I would like to clean, thanks :)
     
  5. Rik

    Rik Banned Posts: 3,814

    You have what's commonly referred to as the whataboutadog infection. We will deal with that first, then tackle any other problems after that.


    Double-click FindAWF.exe to start the tool. Then do the following:
    Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.



     
  6. courtneyt

    courtneyt TS Rookie Topic Starter

    Thanks Rik for the quick reply.

    Here you go, here's crossing my fingers...

    (Please forgive me for spelling your name wrong prior! I'm sorry.)
     
  7. Rik

    Rik Banned Posts: 3,814

    Lol don't worry about the spelling, happens all the time.:) Even more so with my surname which is an unusual one.


    Please double-click the FindAWF icon once again.
    This time we are going to remove some folders.


    Use the following option: Press 3 then Enter to remove bak folders.

    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:

    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
    Please provide the new FindAWF log.



     
  8. courtneyt

    courtneyt TS Rookie Topic Starter

    I think we are getting closer! :)

    Thank you so much for working with me!
     
  9. Rik

    Rik Banned Posts: 3,814

    I need you to boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    AdobeUpdateManager.exe
    SSBkgdupdate.exe

    Close task manager.

    Locate and delete the following bold files and/or folders(if there).


    C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
    C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

    Reboot into normal mode and rehide your protected OS files.

    You will probably need to reinstall Adobe reader and Scansoft.


    I then need you to post a fresh awf log after running the Find AWF tool option1.



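Added example, not code from the thread or from the FindAWF tool: a Python scan that looks for the layout the manual steps above clean up, a `bak` subfolder holding a copy of a file that also exists beside it in the parent folder. It assumes, as the earlier "Restore files from bak folders" step implies, that the copy in `bak` is the original and the same-named file in the parent is the replacement; the directory tree and file contents are constructed here for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_awf_candidates(root):
    """Walk `root` and report every file in a 'bak' directory that shadows a
    same-named file in the parent directory. Returns one dict per pair."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak = Path(dirpath)
        if bak.name.lower() != "bak":
            continue
        for name in filenames:
            backup, live = bak / name, bak.parent / name
            if not live.is_file():
                continue  # a bak file with no live counterpart is not this pattern
            findings.append({
                "live": str(live),
                "backup": str(backup),
                "identical": sha256_of(live) == sha256_of(backup),
            })
    return findings


def build_sample_tree():
    """Constructed sample mirroring the Adobe Reader layout from the thread."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    reader = root / "Adobe" / "Acrobat 7.0" / "Reader"
    (reader / "bak").mkdir(parents=True)
    (reader / "bak" / "AdobeUpdateManager.exe").write_bytes(b"MZ original updater")
    (reader / "AdobeUpdateManager.exe").write_bytes(b"MZ replacement binary")
    clean = root / "SomeApp" / "bak"  # bak folder without a shadowed file
    clean.mkdir(parents=True)
    (clean / "notes.txt").write_text("no live counterpart")
    return root


if __name__ == "__main__":
    for finding in find_awf_candidates(build_sample_tree()):
        print(finding)
```

A pair whose hashes differ is the case worth restoring from `bak`; a pair that is identical is most likely a harmless leftover.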
     
  10. courtneyt

    courtneyt TS Rookie Topic Starter

    Okay! I think we've got it!!
     
  11. Rik

    Rik Banned Posts: 3,814

    That's that infection gone. One more thing to do with FindAWF though.

    To finish, run Option 4.

    Double-click the FindAWF icon once again.
    Use the following option: Press 4 then Enter to reset domain zones.


    Once done, I need to see fresh HJT and ComboFix logs.



     
  12. courtneyt

    courtneyt TS Rookie Topic Starter

    WOOHOO rik! I'm getting excited:) YAY
     
  13. Rik

    Rik Banned Posts: 3,814

    Almost clean, but not quite.

    Have hjt fix the following by placing a tick in the box next to them.

    O2 - BHO: (no name) - {9713408a-e520-4a18-8995-2c69a00cec61} - C:\WINDOWS\system32\dspz32.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
    O20 - Winlogon Notify: dspz32 - dspz32.dll (file missing)


    These next entries, do the same if you don't recognize and trust them.

    O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
    O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} (VUploader Control) - http://photofiddle.com/ocx/VUploaderProj1.cab

    Click on the fix checked button.

    Close HJT.


    Let me know if your PC is running properly or if you have any more problems.



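Added example, not part of the thread or of HijackThis itself: a small Python triage of the HJT entry types quoted in the post above. It flags the markers Rik keyed on, `(file missing)` and `(no file)` for orphaned entries, `(no name)` for unnamed components, and extracts the download host from O16 DPF lines; the sample log is constructed from the entries listed in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample log: the entries quoted in the post above.
SAMPLE_HJT = """\
O2 - BHO: (no name) - {9713408a-e520-4a18-8995-2c69a00cec61} - C:\\WINDOWS\\system32\\dspz32.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O20 - Winlogon Notify: dspz32 - dspz32.dll (file missing)
"""

HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage_hjt(log_text):
    """Return one dict per HJT entry with the reasons a reviewer would flag it."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("orphaned entry: referenced file no longer exists")
        if "(no name)" in body:
            reasons.append("component has no friendly name")
        host = None
        if section == "O16":  # Downloaded Program Files: ActiveX .cab fetched from a URL
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname
            reasons.append(f"ActiveX control downloaded from {host}")
        if section == "O20":  # Winlogon Notify DLLs are loaded by winlogon at logon
            reasons.append("Winlogon Notify DLL: verify the module is known")
        clsid = CLSID.search(body)
        findings.append({"section": section, "clsid": clsid.group(0) if clsid else None,
                         "host": host, "reasons": reasons, "line": raw})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f["section"], f["clsid"], "; ".join(f["reasons"]))
```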
     
  14. courtneyt

    courtneyt TS Rookie Topic Starter

    YAY! Everything looks great! :) Thanks for all of your help, Rik! I really appreciate it.

    Two last questions:
    1) I have Spybot Search and Destroy, Super AntiSpyware, Hjack This, and AVG Anti Spyware on my computer. Any of these I can get rid of? What do you recommend? I should mention that I'll, of course, be keeping Symantec Anti-Virus! I just added Zone Alarm.

    2) Should I worry about my information being stolen from this trojan?

    Thanks again!
     
  15. Rik

    Rik Banned Posts: 3,814

    No problem.:)

    Antispyware wise, Spybot and AVG Antispyware are the better ones; it's entirely your choice whether you keep the rest or not.

    Antivirus wise, Symantec antivirus isn't very good and I suggest you uninstall it and replace it with either AVG or Avast antivirus programmes from within this link - http://www.techspot.com/vb/topic58138.html.

    Make sure you are disconnected from the net while doing this then reconnect and force the antivirus program of your choice to do an update.

    If you do any form of online banking including credit card use then you should have all passwords and codes changed as a precaution.




     