TechSpot

Zonebac / Whataboutadog infection

By kb3535
Oct 28, 2007
  1. Hi,
    My virus checker started warning me about a Trojan called Zonebac. After running HiJackThis I saw trusted zones for whataboutdog. This led me to running FindAWF.exe from this site and following all the steps. But I am still getting bak directories in the report and fear I'm still infected. I have attached my latest HiJackThis log and awf.txt file.

    Many thanks.

    Kb
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    Double-click FindAWF.exe to start the tool. Then, do the following:
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.


    Regards Howard :wave: :wave:

    This thread is for the use of kb3535 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. kb3535

    kb3535 TS Rookie Topic Starter

    Latest AWF attached

    I installed the inf and followed your instructions for awf - the resulting log is attached.

    Thanks,
    KB
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please double-click the FindAWF icon once again.
    This time we are going to remove some folders.


    Use the following option: Press 3 then Enter to remove bak folders


    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:


    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
    Please provide the new FindAWF log.

    Regards Howard :)

     
  5. kb3535

    kb3535 TS Rookie Topic Starter

    a clean report!

    You're one in a million
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's great news.

    To finish, run Option 4.

    Double-click the FindAWF icon once again.
    Use the following option: Press 4 then Enter to reset domain zones.


    When the program returns to the main menu, use the following option:
    Press E then Enter to EXIT.

    Now, just to make sure your system is clean and you've no other malware hanging around, please do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

     
  7. kb3535

    kb3535 TS Rookie Topic Starter

    So near and then *lock*

    So I did almost all of the steps, ran Combofix, generated the log. But when I went to the next step and started my machine in safe mode (IBM ThinkPad T40), it locked up. Now it won't start in normal mode, nor will it let me into the damn BIOS. I think the security chip must have kicked in for some reason.

    Any advice appreciated - am searching Google as we speak (luckily I have another machine (the one I don't let my damn BF use, hence no malware on it)).

    KB
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I take it you simply can't boot into any mode now?

    Are you receiving any messages?

    I'm really not familiar with your system.

    Regards Howard :)

     
  9. kb3535

    kb3535 TS Rookie Topic Starter

    no boot possible

    That's correct, no boot seems to be possible.

    The usual route to safe mode (pressing the IBM key) leads to one or two strange colour changing squares appearing in low res - it looks like when a game on a ZX Spectrum 48K used to fail to load when I was a little kid in the 80s.

    Leaving it to just boot in Windows results in a blinking cursor ad infinitum.

    Bummer....
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Oh dear, that's not good. :(

    I don't really know what to suggest.

    Maybe try contacting IBM, if that doesn't help, then maybe you need to take it to a professional for repair or whatever.

    Regards Howard :)

     
  11. kb3535

    kb3535 TS Rookie Topic Starter

    will do that...

    ...will also post with an update once I have one in case anyone else manages to get their machine into this state....

    kb
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, I wish you good luck in your endeavours.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
