Backdoor Zonebac.b infection

Hello! Thank you so much for this forum and all your help. I have carefully read through the related threads, and I have tried to implement all your suggestions.

Windows Defender detected the Zonebac. Further scans by Symantec Antivirus, Kaspersky (online), BitDefender (online) and Spyware Terminator turned up blanks.

I enclose the relevant log files. Just to note, Panda Antirootkit detected no anomalies, and I forgot to save a report for the AVG Antispyware (so I took screenshots, one of which I attach -- only 39 minor traces were found in all). Also, noting from FindAWF that Comodo, Symantec and Spyware Terminator were infected, I uninstalled all 3 and installed Outpost, Avast! and AVG in their place.

Please could you let me know if I am now safe or what steps I need to take to solve the problems. Many, many thanks in advance.
 
Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.
"C:\Program Files\Athan\bak\Athan.exe"
"C:\Program Files\Clipomatic\bak\Clipomatic.exe"
"C:\Program Files\Dell Support\bak\DSAgnt.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\Program Files\Spyware Terminator\bak\SpywareTerminatorShield.exe"
"C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\taskswitch.exe"
"C:\WINDOWS\system32\bak\WLTRAY.exe"
"C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Dell\QuickSet\bak\quickset.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
"C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.



This thread is for the use of gyanprarthi only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks so much for the help, Rik. Here's the updated awf.txt

Please let me know what to do next, and whether or not I am ok! Thanks.

Oh, and I forgot to say, I had run "option #2" before posting even the first awf file, and I think basically nothing seems to have changed between the two awf files.

Thanks again!
 
Don't worry about the lack of change in the logs, there will be some soon. :)

Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Athan\bak
C:\Program Files\Clipomatic\bak
C:\Program Files\Dell Support\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Symantec AntiVirus\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\system32\bak
C:\Program Files\BroadJump\Client Foundation\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Dell\QuickSet\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\WINDOWS\system32\DLA\bak
C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log.



 
Thank you Rik, I really appreciate all your help. The folder deletions seem to have worked.

3 questions, please:
1) Could you please recommend a scan engine that can check for this horrid backdoor trojan to ascertain that I am now safe?

2) Since changing my firewall/antivirus/antispyware combo yesterday, I have had the system crash with a blue screen twice, with a screen dump. Can I now revert to my previous trio (please see message 1 above in this thread)?

3) Can I now enter my online bank account, assuming the backdoor exploitation hole has been closed?

Many, many thanks again.
 
Question 1. There is no automated scanner that will detect it available at the moment.

Question 2. You may use any combination of software you like as long as you have just 1 antivirus program and just 1 firewall. Spyware scanners don't interfere with one another so you can have as many as you like.

Question 3. No, not yet. We need to ascertain that the threat is really gone and that there are no others present. As a precaution, you should change all your banking passwords but not use them until your PC is 100% clean.



I would like you to re-run step 1. This will show if your pc is clean of this one threat (more work is needed yet to ensure there are no others).

Here is a recap on those instructions.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.




 
Thanks so much Rik! I am really, really grateful for all the help.
Here is my new awf.txt, as well as a hjt log.

Please could you tell me how I can be sure of a 100% clean pc?
 
Yay, infection gone.

Your system was infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

Running FindAWF allows us to identify the files that are infected, as well as the backups and then restore the files.


To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT.

Next, follow the instructions below. I know it takes a while but it's better to be safe than sorry.

You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, Combofix, and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.


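As an added example (not FindAWF itself, and not code posted in this thread), the following Python script models the pattern Rik describes above: a legitimate executable is overwritten in place and the original is moved into a `bak` subfolder beside it. It walks a tree, flags every `bak` copy whose live sibling differs by hash, produces the two lists the earlier posts pasted into FindAWF (quoted file paths for option 2, bare folder paths for option 3), restores the backups with a hash check, and only deletes the `bak` folders after a rescan shows nothing left to restore. All paths, file names and file contents are constructed sample data; the function names are this example's own. A hash mismatch only shows that a file was replaced, not what replaced it, so this is a consistency check to read alongside an antivirus log, not a replacement for one.

```python
"""Scanner for the file-replacement pattern described in the thread: a
legitimate executable is overwritten in place and the original is moved into a
'bak' subfolder next to it. Added example, not FindAWF's own code; every path
and file below is constructed for the demo."""
import hashlib
import shutil
import tempfile
from pathlib import Path

BAK_DIR = "bak"  # subfolder name the thread reports the trojan using


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bak_folders(root: Path) -> list[dict]:
    """For every <dir>/bak/<file>, compare it with <dir>/<file> by hash.
    A backup whose live sibling differs (or is missing) is the suspicious case."""
    findings = []
    for bak in sorted(p for p in root.rglob(BAK_DIR) if p.is_dir()):
        for backup in sorted(p for p in bak.iterdir() if p.is_file()):
            live = bak.parent / backup.name
            differs = sha256(live) != sha256(backup) if live.exists() else None
            findings.append({"bak_file": backup, "live_file": live,
                             "live_exists": live.exists(), "differs": differs})
    return findings


def flagged(findings: list[dict]) -> list[dict]:
    return [r for r in findings if r["differs"] or not r["live_exists"]]


def restore_list(findings: list[dict]) -> list[str]:
    """Option-2 style list: quoted paths of backups to restore."""
    return [f'"{r["bak_file"]}"' for r in flagged(findings)]


def folders_to_remove(findings: list[dict]) -> list[Path]:
    """Option-3 style list: distinct bak folders holding a flagged backup."""
    folders: list[Path] = []
    for r in flagged(findings):
        if r["bak_file"].parent not in folders:
            folders.append(r["bak_file"].parent)
    return folders


def restore_from_bak(findings: list[dict]) -> int:
    """Copy each flagged backup over its live sibling and verify the hashes match."""
    restored = 0
    for r in flagged(findings):
        shutil.copy2(r["bak_file"], r["live_file"])
        if sha256(r["bak_file"]) != sha256(r["live_file"]):
            raise RuntimeError(f"restore of {r['live_file']} did not verify")
        restored += 1
    return restored


def remove_bak_folders(folders: list[Path], root: Path) -> int:
    """Delete the bak folders only once a rescan shows nothing left to restore."""
    if flagged(scan_bak_folders(root)):
        raise RuntimeError("rescan still shows replaced files; not deleting backups")
    removed = 0
    for folder in folders:
        if folder.is_dir():
            shutil.rmtree(folder)
            removed += 1
    return removed


def build_demo_tree() -> Path:
    """Constructed sample tree: two replaced programs plus one bak folder whose
    backup matches the live file (a benign backup that must not be flagged)."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    layout = {  # relative live path: (live bytes, bak bytes); all constructed
        "Program Files/Athan/Athan.exe": (b"REPLACED-STUB", b"MZ original Athan"),
        "WINDOWS/system32/ctfmon.exe": (b"REPLACED-STUB", b"MZ original ctfmon"),
        "Program Files/Clipomatic/Clipomatic.exe": (b"MZ same", b"MZ same"),
    }
    for rel, (live_bytes, bak_bytes) in layout.items():
        live = root / rel
        live.parent.mkdir(parents=True, exist_ok=True)
        live.write_bytes(live_bytes)
        (live.parent / BAK_DIR).mkdir(exist_ok=True)
        (live.parent / BAK_DIR / live.name).write_bytes(bak_bytes)
    return root


def run_demo() -> dict:
    """Scan, restore (option 2), rescan, then remove folders (option 3)."""
    root = build_demo_tree()
    findings = scan_bak_folders(root)
    to_restore = restore_list(findings)
    folders = folders_to_remove(findings)
    restored = restore_from_bak(findings)
    removed = remove_bak_folders(folders, root)
    remaining = len(scan_bak_folders(root))  # the benign backup is left alone
    shutil.rmtree(root)
    return {"flagged_names": sorted(Path(s.strip('"')).name for s in to_restore),
            "restored": restored, "removed": removed, "remaining_bak": remaining}


if __name__ == "__main__":
    print(run_demo())
```

The order matters: the folder list is computed from the first scan, the restore is verified by hash, and deletion refuses to run if a rescan still shows a replaced file, which mirrors the thread's sequence of restoring first and removing the `bak` folders only after the next log looked right.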
 
Thank you so much once again, Rik! After reading the 'have a read to decide whether or not to go for a clean or reformat', I decided that I should have done a reformat instead of a clean. I therefore formatted my hard drive and reinstalled Windows. I will be extra careful with my firewall and antivirus from now on. Any further suggestions will be very welcome.

Many thanks again! I am very grateful.
 