TechSpot

Zonebac.B and others

By .:MirrorminD:.
Oct 23, 2007
  1. It seems a computer at my work is infected by a few things. In Windows Defender it picked up Zonebac.B, and in Symantec Corporate Edition it picked up Trojan.Adclicker, Trojan.Dropper and Trojan.ZoneBac.

    Since then I have tried to remove them, but they keep coming back, and in the Internet history it shows b.whataboutadog

    I followed the steps in the stickies, but FindAWF didn't find any bak directories. I would like to try and remove them as opposed to reformatting; that really isn't an option for us here.

    Thanks for all your help and a great forum
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    viewpoint
    viewpoint toolbar
    viewpoint manager

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Viewpoint Manager Service

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    ViewpointService.exe
    ViewMgr.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)

    O15 - Trusted Zone: *.doginhispen.com

    O15 - Trusted Zone: *.whataboutadog.com

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GASPERLS.COM

    O17 - HKLM\Software\..\Telephony: DomainName = GASPERLS.COM

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GASPERLS.COM

    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = GASPERLS.COM

    Fix the above O17 entries, if you don't know exactly what they are.

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders(if there).

    C:\Program Files\Viewpoint

    Reboot into normal mode and rehide your protected OS files.

    Open IE and click tool/internet options.

    Click the Security tab and click on the Trusted sites icon. Click the sites button and remove all sites from the trusted zone by selecting them and clicking the remove button. Once done, click ok.

    Warning! Do not click the links below in the quote box.
    Click ok/ok and close IE. Reboot your system.

    Post back when done and I'll remove the above links to stop anyone from clicking on them.

    Run the Ccleaner programme as per step9 of these instructions.

    Post a fresh HJT log and let me know if you're still having problems.

    EDIT: Removed bad URLs.

    Regards Howard :wave: :wave:

    This thread is for the use of .:MirrorminD:. only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. .:MirrorminD:.

    .:MirrorminD:. TS Rookie Topic Starter

    Followed the directions, ran everything. All seemed fine; just ran HJT one last time and noticed

    O15 - Trusted Zone: *.whataboutadog.com

    came back

    All the O17 are fine; they are our domain.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, let's try this.

    Double-click the FindAWF icon once again.
    Use the following option: Press 4 then Enter to reset domain zones

    When the program returns to the main menu, use the following option:
    Press E then Enter to EXIT

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    Run HJT and fix these entries, if present.

    O15 - Trusted Zone: http://*.companyweb
    O15 - Trusted Zone: *.whataboutadog.com

    Click the fix checked button.

    Go to your control panel and double click the Java icon, click the update tab, then click the update button. Once the updates have downloaded and installed, close the Java Window.

    Go to add remove programmes and uninstall all versions of Java, except for version 6 update 3. Close control panel.

    Reboot your system and post a fresh HJT log.

    Regards Howard :)

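An added read-only audit script (not from the thread, HijackThis or FindAWF) that lists the same registry data the O15 and O17 lines above come from; run it before the fix and again after the reboot to see whether the trusted-zone entry returns under HKCU or HKLM. It assumes the corporate domain from the O17 lines as the expected value.

```powershell
# Added audit script, not from the thread. Read-only: it lists the zone-map
# entries HijackThis reports as O15 lines and the domain values it reports as
# O17 lines, so a recurring entry can be spotted without rerunning HJT.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    foreach ($list in 'Domains', 'EscDomains') {
        $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$list"
        if (-not (Test-Path $base)) { continue }
        # One key per domain, an optional subkey per host label, and a value
        # named after the scheme ('*', 'http', 'https', ...) holding the zone id.
        foreach ($key in Get-ChildItem -Path $base -Recurse) {
            $props  = Get-ItemProperty -Path $key.PSPath
            $parts  = $key.Name -split '\\'
            $labels = @($parts[([array]::IndexOf($parts, $list) + 1)..($parts.Length - 1)])
            [array]::Reverse($labels)
            # A bare domain key is a wildcard, which HJT shows as '*.domain'
            $site = if ($labels.Count -eq 1) { "*.$($labels[0])" } else { $labels -join '.' }
            foreach ($scheme in '*', 'http', 'https', 'ftp', 'file') {
                if ($null -eq $props.$scheme) { continue }
                [pscustomobject]@{ Hive = $Hive; List = $list; Site = $site;
                                   Scheme = $scheme; Zone = $zoneNames[[int]$props.$scheme] }
            }
        }
    }
}

function Get-DomainSuffixEntries {
    # Every control set, not only CurrentControlSet, since HJT lists CS1/CS3 too
    foreach ($cs in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object PSChildName -like 'ControlSet*') {
        $p = Join-Path $cs.PSPath 'Services\Tcpip\Parameters'
        if (Test-Path $p) {
            [pscustomobject]@{ Key    = "$($cs.PSChildName)\Tcpip\Parameters"
                               Domain = (Get-ItemProperty $p).Domain }
        }
    }
    $tel = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony'
    if (Test-Path $tel) {
        [pscustomobject]@{ Key = 'Telephony'; Domain = (Get-ItemProperty $tel).DomainName }
    }
}

# Assumption: the corporate domain from the thread's O17 lines; replace with your own
$expected = @('GASPERLS.COM')
$zoneMap = @(Get-ZoneMapEntries 'HKCU') + @(Get-ZoneMapEntries 'HKLM')
$zoneMap | Where-Object { $_.Zone -eq 'Trusted sites' } | Format-Table -AutoSize
Get-DomainSuffixEntries | Where-Object { $_.Domain -and $expected -notcontains $_.Domain } |
    Format-Table -AutoSize
```

The second table only shows domain suffixes that differ from the expected corporate domain, so an empty table there means the O17 lines are your own domain, as in this thread.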
     
  5. .:MirrorminD:.

    .:MirrorminD:. TS Rookie Topic Starter

    It seems it still is showing up in my trusted sites. This spyware is becoming a pain in the ****. I do appreciate all your help though
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I think it may be Windows Defender that's interfering with the fix.

    Windows Defender

    1. Click on "Tools"
    2. Click on "General Settings"
    3. Scroll down to "Real-time protection options"
    4. Uncheck "Turn on Real-time protection (recommended)"
    5. Click "Save"

    Follow the instructions in my post above and see if that entry has now gone.

    If it has, re-enable Windows defender.

    Regards Howard :)

     
  7. .:MirrorminD:.

    .:MirrorminD:. TS Rookie Topic Starter

    I actually had the real-time protection turned off the whole time we were doing it, and as soon as I turned it back on, the Zonebac was found again.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please let me know exactly where the infected files are found. I need the full file path.

    Regards Howard :)

     
  9. .:MirrorminD:.

    .:MirrorminD:. TS Rookie Topic Starter

    No problem, I actually left work for the day, so I will post it tomorrow. Once again, thank you for all your help; you really are an asset to this community.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No worries.

    I don't know about being an asset lol.

    However, I'm getting pissed off that I can't seem to fix your problem.

    We'll see what happens tomorrow.

    Regards Howard :)

     
  11. .:MirrorminD:.

    .:MirrorminD:. TS Rookie Topic Starter

    Backdoor:Win32/ZoneBac.B

    Category:
    Backdoor

    Description:
    This program installs other potentially unwanted software.

    Advice:
    Remove this software immediately.

    Resources:
    process:
    pid:3468

    Summary:
    Application Execution change occurred.

    This agent scans software just before it runs. You are alerted if the software has a high potential for harming your computer.

    Checkpoint:
    Running Processes


    That is the info from Windows Defender when I turned the real-time protection back on.

    I'm not exactly sure how to find the exact path, and here is another HJT log.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Something is definitely not right here. :(

    I don't know why those O15 entries keep showing up, but they do.

    Also, without knowing the file path to the infection, it's almost impossible to say if it can be removed.

    It may be time to consider backing up your important data and doing a format and reinstall.

    This is not something I normally like to recommend, but in your case, it's probably for the best.

    A backdoor trojan is very, very dangerous and will no doubt have tried to steal your personal data etc.

    Doesn't Windows Defender make any kind of log file, detailing what is found and where?

    Regards Howard :)

     
  13. .:MirrorminD:.

    .:MirrorminD:. TS Rookie Topic Starter

    I double-checked the logs from Windows Defender, and where it should have the file path it is blank.

    No worries, I will reformat and Ghost the machine. Thank you for your patience and help.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem, I'm just sorry I was unable to solve your problem. ;(

    Regards Howard :)

     
Topic Status:
Not open for further replies.
