Zonebac! infection, please help

Status
Not open for further replies.

My Microsoft OneCare virus scan keeps finding Win32/Zonebac! infections and quarantining them, but then another one shows up the next time I start up. I have gone through the preliminary removal instructions. Nothing showed up on my Combofix scan but the log is attached anyway; no rootkits were found by Panda. I am attaching my HJK log file, two AVG files (one before and one after I deleted the found problems) and also a FindAWF scan which shows a number of bak files. What should I do to get rid of this guy?
 
Hello and welcome to Techspot.

Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.


Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.
"C:\WINDOWS\bak\UpdReg.EXE"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\LexmarkX83\bak\AcBtnMgr_X83.exe"
"C:\Program Files\LexmarkX83\bak\ACMonitor_X83.exe"
"C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
"C:\Program Files\Microsoft Windows OneCare Live\bak\winssnotify.exe"
"C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
"C:\WINDOWS\INF\bak\unregmp2.exe"
"C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
"C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
"C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe"
"C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
"C:\Program Files\Yahoo!\YOP\bak\yop.exe"
"C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
"C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe"
"C:\Program Files\Java\j2re1.4.2_04\bin\bak\jusched.exe"
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
"C:\Documents and Settings\Main\Application Data\Microsoft\Address Book\OE.Bak\Main.wab"
"F:\Backups\OFFICE Data Backup Set 1\C\Documents and Settings\Main\Application Data\Microsoft\Address Book\OE.Bak\Main.wab"
"C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\bak\printray.exe"
"C:\Documents and Settings\Main\Application Data\Microsoft\Address Book\OE.Bak\Main.wab"
"F:\Backups\OFFICE Data Backup Set 1\C\Documents and Settings\Main\Application Data\Microsoft\Address Book\OE.Bak\Main.wab"
"F:\Backups\OFFICE Data Backup Set 1\Revisions\C\Documents and Settings\Main\Application Data\Microsoft\Address Book\OE.Bak\Main.(1).wab"
"F:\Backups\OFFICE Data Backup Set 1\Revisions\C\Documents and Settings\Main\Application Data\Microsoft\Address Book\OE.Bak\Main.(2).wab"


Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard :wave: :wave:

This thread is for the use of johnp2007 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
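
The reply above describes files being swapped out and the originals moved into a bak folder. As an added example (not part of the thread and not how FindAWF itself works), this Python sketch lists every file in a folder named exactly "bak" and compares it by SHA-256 with the same-named file one level up; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large executables are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_bak_pairs(root):
    """Return one record per file in a 'bak' folder, paired with the same-named file one level up."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            backup = os.path.join(dirpath, name)
            live = os.path.join(parent, name)
            if not os.path.isfile(live):
                status = "no-live-copy"   # file was moved aside and nothing sits in its place
            elif sha256_of(live) == sha256_of(backup):
                status = "identical"      # ordinary backup copy, nothing was swapped
            else:
                status = "differs"        # live file is not the file that was moved aside
            findings.append({"backup": backup, "live": live, "status": status})
    return findings

def build_sample_tree(root):
    """Constructed sample data: three program folders with made-up file contents."""
    layout = {
        ("AppA", "helper.exe"): b"replacement", ("AppA", "bak", "helper.exe"): b"original",
        ("AppB", "tray.exe"): b"same", ("AppB", "bak", "tray.exe"): b"same",
        ("AppC", "BAK", "agent.exe"): b"original only",
    }
    for parts, content in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_tree(sample_root)
        for item in find_bak_pairs(sample_root):
            print(item["status"], item["backup"])
```

A "differs" result only says the live file is not the one that was moved aside; it still needs a scan or a vendor hash check before anything is restored or deleted.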
 