Help with Backdoor Trojan Removal

[elise1074]

Help! I have attached the logfile from hijackthis. I am not sure what all the processes are and I don't really want to delete things without knowing. I had a notification that I had a backdoor trojan called:

Backdoor:Win32/zonebac_gen!B

Any help on how to find and destroy this trojan is appreciated!

Thanks

 

[howard_hopkinso]

Hello and welcome to Techspot.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Regards Howard :wave: :wave:

This thread is for the use of elise1074 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[elise1074]

awf file

here is the awf file. what do you think?

 

[howard_hopkinso]

As I suspected, your system was infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read this thread HERE and follow the instructions exactly. Post the requested log files once done.

Regards Howard

This thread is for the use of elise1074 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[elise1074]

bak files

Just so I understand, the fies in that attachment I sent without "bak" in the path name are viruses?

 

[howard_hopkinso]

In a nutshell, yes.

It is possible to completely recover from this virus, but you need to understand the risks involved, if you use your computer for online banking etc.

Regards Howard

This thread is for the use of elise1074 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[elise1074]

not coming up clean

I ran the procedure the first time and it cleared all but one. I have attached the hijackthis file and the awf file. Does this mean there is still a virus on the computer somewhere that can't be found or cleaned? Or are there other methods (programs) to hunt down and destroy this virus? I don't even USE Aol (where the virus is contained). I ran ad-aware, spybot, mcafee8, stinger..can't remember what else.

Thanks for your time and thoughts on the subject....almost there!

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

AOLDial.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [ShowLOMControl]


Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders(if there).

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\ACS\bak

Reboot into normal mode and rehide your protected OS files.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

Run the FindAWF tool option1 and attach the awf.txt as well as the Combofix log and a fresh HJT log.

Regards Howard

This thread is for the use of elise1074 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[elise1074]

another quick question for you

Since you seem to be very knowledgeable about security and viruses I have a few more questions for you. Since I got this backdoor trojan, I would start up the computer and the microsoft virus notification would pop up saying that it had detected this trojan file. Earlier today, I went onto my firewall settings and discovered for whatever reason, I had set exceptions to the firewall (aol, itunes, explorer, realplayer..etc). I then unchecked all those so that there were no exceptions. I then restarted the computer with the no exceptions and the pop up from the task bar didn't come up to say it found the backdoor trojan. I repeated this three time. Still no trojan notification. I then did the cleaning process first time. ran again, second time, one bak dup file remaining (aol), then did it again with same result. Pasted the results in previous post. My main question in this rant is do you think by changing the settings on the firewall, it blocked either microsoft from scanning and communicating the trojan to me, or in fact is blocking the trojan itself? I also checked the "display a notification when firewall blocks a program". Any thoughts on this? Thanks

 

[howard_hopkinso]

It may well be, that since you disallowed the trojan access, that`s why you no longer received any notification.

Once you have completed the instructions in my post above and posted the requested log files, I should be able to tell you whether your system is clean or not.

Regards Howard

This thread is for the use of elise1074 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[elise1074]

one more before proceeding

First, I am going to buy an external hard drive now and backup all my data folders. Next, I currently have system restore turned OFF (found that in another post on another site), before proceeding with your instructions, should I turn system restore back ON or keep it OFF during the instructions you posted?

 

[howard_hopkinso]

Since you already have system restore turned off, I suggest you leave it like that for now.

I suggest you wait to get an external drive, until we have finished cleaning your system.

Regards Howard

This thread is for the use of elise1074 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[elise1074]

I have attached the files. Review when you have time. Thanks so much!

I just rebooted and when it came back up, the spybot registry change notification popped up. It said the changed value was to delete the LOC control. Yes, that is one of the things we deleted in the executable. Should I allow the change (accept registry deletion) that the spybot is indicating?

I think I may have allowed it in with the Spybot tea timer (program gives you choices to allow or deny registry changes). I rebooted and the backdoor virus was back. So I have attached the hijack and awf files. ARRRGHHHHH!!!!

 

[howard_hopkinso]

All your log files are clean.

Yes, tell SS&D to allow the registry change.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Edit: Your most recent log files are both clean.

Regards Howard

This thread is for the use of elise1074 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[elise1074]

question

I wonder why the microsoft virus tool pops up saying that I still have this backdoor trojan?

 

[howard_hopkinso]

Can you please tell me which file and it`s exact location, the Microsoft virus tool is saying is infected?

Regards Howard

This thread is for the use of elise1074 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[elise1074]

very interesting issue

Ok, so I told you originally that this window (Microsoft Windows Malicious Scan) would pop up from the system tray that said malicious something (don't remember) was found. So when I would bring this up, It would say that it detected the Backdoor:win32/zonebac_gen!B as Malware, but said it was not removed. It did not give ANY location of ANY files. So then I used the same software (Microsoft Windows Malicious Software Removal Tool Nov. 2007) and did a full system scan. When I performed this, it said there were no detections and this backdoor:win32 is one of the things it looks for. So that is VERY ODD that the system tray notification system pops up with this trojan, but the full system scan using the same software doesn't find it!!!

Also to note, the night before this supposed malicious trojan was found, Microsoft did an automatic update and downloaded some files. The computer remained on over night and that is when microsoft downloaded the update. The next day the computer was rebooted and that is when this supposed malicious trojan popped up as detected, but not removed.

Quite coincidental don't you think? So now I am thinking that whatever update was released had a bug in it or something. Should I email microsoft?

What do you think?? Especially since you said the files were cleaned. Doesn't make any sense. The timing is just too coincidental to the update and the "trojan" popping up from the system tray, but not in the full system scan.

 

[howard_hopkinso]

I agree it does seem a little strange and I don`t have a satisfactory explanation as to what happened.

As far as I can tell, your system is now clean.

See how it goes and post back if you have any further problems.

Regards Howard

This thread is for the use of elise1074 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[elise1074]

thanks!

Thanks for all your help. I now know a little more about viruses, how some create backup folders. Quite interesting. You certainly do great work. I see you helping lots of people on this forum. You are a great person to do this work and thanks again.

I did email Microsoft. Maybe they will reply to my email.

thanks again. If I have anymore trouble, I will know where to look in the future!!