Zonebac / Whataboutadog infection

Status
Not open for further replies.

kb3535

Hi,
My virus checker started warning me about a Trojan called Zonebac. After running HijackThis I saw trusted zones for whataboutdog. This led me to running FindAWF.exe from this site and following all the steps. But I am still getting bak directories in the report and fear I'm still infected. I have attached my latest HijackThis log and awf.txt file.

Many thanks.

Kb
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\Program Files\IBM ThinkVantage\Client Security Solution\bak\cssauth.exe"
"C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.


Regards Howard :wave: :wave:

This thread is for the use of kb3535 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
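An added read-only audit script (not FindAWF, DelO15Domains.inf, or anything posted in this thread) that shows the two things the steps above act on: Trusted Sites entries in the Internet Settings ZoneMap registry key, and bak folders under Program Files whose executables have a same-named sibling in the parent folder, with a hash comparison to show whether the two copies differ. It assumes PowerShell 4 or later (for Get-FileHash); the registry path and Program Files root are the standard Windows locations, and nothing is deleted.

```powershell
# Added audit script, not part of the original thread. Read-only: lists
# Trusted Sites zone entries and bak\*.exe files with a sibling in the parent
# folder. Assumes PowerShell 4+ (Get-FileHash) and standard Windows paths.

$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-TrustedZoneDomains {
    # Each domain is a subkey (optionally with a host subkey); per-protocol
    # values (http, https, *) hold the zone number. Zone 2 = Trusted Sites.
    Get-ChildItem -Path $zoneMap -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($prop in $key.GetValueNames()) {
            if ($key.GetValue($prop) -eq 2) {
                [pscustomobject]@{
                    Domain   = ($key.Name -replace '^.*\\Domains\\', '')
                    Protocol = $prop
                }
            }
        }
    }
}

function Get-BakFolderPairs {
    param([string[]]$Roots = @($env:ProgramFiles))
    foreach ($root in $Roots) {
        # Folders literally named "bak" anywhere under the root.
        Get-ChildItem -Path $root -Directory -Recurse -Filter 'bak' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $bak = $_
            Get-ChildItem -Path $bak.FullName -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The file the bak copy corresponds to lives one level up.
                $sibling = Join-Path $bak.Parent.FullName $_.Name
                $status = if (Test-Path -LiteralPath $sibling) {
                    $a = (Get-FileHash -LiteralPath $sibling -Algorithm SHA256).Hash
                    $b = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    if ($a -eq $b) { 'identical' } else { 'DIFFERS' }
                } else { 'no sibling' }
                [pscustomobject]@{ BakFile = $_.FullName; Sibling = $sibling; Status = $status }
            }
        }
    }
}

Write-Host '--- Trusted Sites zone entries ---'
Get-TrustedZoneDomains | Format-Table -AutoSize
Write-Host '--- bak\*.exe files and their siblings ---'
Get-BakFolderPairs | Format-Table -AutoSize
```

A 'DIFFERS' row is the condition the restore step in the post above addresses: the copy in the parent folder no longer matches the original kept in bak.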
 
Latest AWF attached

I installed the inf and followed your instructions for awf - the resulting log is attached.

Thanks,
KB
 
Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\QuickTime\bak
C:\Program Files\IBM ThinkVantage\Client Security Solution\bak
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Regards Howard :)

 
That's great news.

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Now, just to make sure your system is clean and you've no other malware hanging around, please do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

 
So near and then *lock*

So I did almost all of the steps, ran ComboFix, generated the log. But when I went to the next step and started my machine in safe mode (IBM ThinkPad T40), it locked up. Now it won't start in normal mode, nor will it let me into the damn BIOS. I think the security chip must have kicked in for some reason.

Any advice appreciated - am searching Google as we speak (luckily I have another machine, the one I don't let my damn BF use, hence no malware on it).

KB
 
I take it you simply can't boot into any mode now?

Are you receiving any messages?

I'm really not familiar with your system.

Regards Howard :)

 
no boot possible

That's correct, no boot seems to be possible.

The usual route to safe mode (pressing the IBM key) leads to one or two strange colour-changing squares appearing in low res - it looks like when a game on a ZX Spectrum 48K used to fail to load when I was a little kid in the 80s.

Leaving it to just boot in Windows results in a blinking cursor ad infinitum.

Bummer....
 
Oh dear, that's not good. :(

I don't really know what to suggest.

Maybe try contacting IBM; if that doesn't help, then maybe you need to take it to a professional for repair or whatever.

Regards Howard :)

 
Will do that...

...will also post with an update once I have one in case anyone else manages to get their machine into this state....

kb
 