Trojan.Zonebac virus detected by Symantec

Status
Not open for further replies.

courtneyt
Hi, Please help!

I run a full scheduled virus scan weekly through Symantec, and an abbreviated scan daily. For the past two days, it has been saying that I am infected with a Trojan.Zonebac virus. A couple of times there were only 1-3 infected files, but today it said there were 7. I don't know where these viruses keep coming from, or what more to do. It appears to get rid of the files, and then they come back, but in different files (like in ScanSoft). I've tried ridding myself of malware: running ATF Cleaner, System Restore, SuperAntiSpyware (I already have Spybot running on the computer), Panda ActiveScan, and checked for Windows Updates. Nothing has seemed to help. I'm a law student, so my computer is my life.

Please help, thank you!
Courtney

As requested, my HijackThis file and whatnot are attached.


THANK YOU THANK YOU THANK YOU. I've exceeded the limit of my tech knowledge and I am at your mercy to save my computer!
 
Please remove Full Scan Results.doc as a .doc can carry infections.


You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, ComboFix, and AVG Anti-Spyware logs as ATTACHMENTS into this thread, only after doing the above.
We also need to know the result of Panda Antirootkit.


This thread is for the use of courtneyt only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Ric,
Thanks for your reply. I'm only a student, so I'm new to all of this. I'm confused on some of the 15 different steps--should I really be downloading all of these programs? I thought too many weren't good?

I've installed HijackThis, SuperAntiSpyware, Spybot, and I'm using Symantec for virus protection. I also downloaded the FindAWF function.

I attempted to follow Howard's guide to remove the trojan dropper agent, but I am not techy enough to figure it out. Can you help me with my next step?

I would really appreciate it!

Also, I would like to clean, thanks :)
 
You have what's commonly referred to as the whataboutadog infection. We will deal with that first, then tackle any other problems after that.


Double-click FindAWF.exe to start the tool. Then do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
"C:\Program Files\Verizon\bak\McciTrayApp.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\Brother\Brmfcmon\bak\BrMfcWnd.exe"
"C:\Program Files\Brother\ControlCenter3\bak\brctrcen.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Hp\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
"C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
"C:\Program Files\OLYMPUS\OLYMPUS Master\bak\FirstStart.exe"
"C:\Program Files\OLYMPUS\OLYMPUS Master\bak\Monitor.exe"
"C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe"
"C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
"C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
"C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Common Files\AOL\1141771157\ee\bak\AOLSoftware.exe"


Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.



 
Thanks Rik for the quick reply.

Here you go, here's crossing my fingers...

(Please forgive me for spelling your name wrong prior! I'm sorry.)
 
Lol, don't worry about the spelling, it happens all the time. :) Even more so with my surname, which is an unusual one.


Please double-click the FindAWF icon once again.
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders.

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Symantec AntiVirus\bak
C:\Program Files\Verizon\bak
C:\WINDOWS\system32\bak
C:\hp\drivers\hplsbwatcher\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Brother\Brmfcmon\bak
C:\Program Files\Brother\ControlCenter3\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Hp\HP Software Update\bak
C:\Program Files\HPQ\Default Settings\bak
C:\Program Files\HPQ\Quick Launch Buttons\bak
C:\Program Files\OLYMPUS\OLYMPUS Master\bak
C:\Program Files\ScanSoft\PaperPort\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
C:\Program Files\Common Files\AOL\ACS\bak
C:\Program Files\Common Files\AOL\IPHSend\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Common Files\AOL\1141771157\ee\bak


Next, close the file and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log.



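The two FindAWF steps above (restore the originals from the bak folders, then delete the bak folders), together with the listing step that produced the paths, as an added Python model. This is not FindAWF and not code from the thread: it reproduces the logic on a constructed temporary directory tree, and the program folders, file names and file contents below are made up for the demonstration. It also covers the case the thread runs into, where the antivirus has already removed the copy under the real name and only the saved original in bak is left.

```python
"""Added example: a Python model of the FindAWF steps (list bak folders,
restore originals from them, delete them). Not FindAWF, not the thread's code.
The infection moves each legitimate startup executable into a 'bak' subfolder
beside it and places its own copy under the original name, which is why every
path in the lists above sits in a bak folder. Everything on disk here is a
constructed sample; the hashes only tell whether the file under the real name
still differs from the saved original.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_bak_replacements(startup_exes):
    """Option 1 analogue: for each startup executable, report a 'bak' sibling
    of the same name if one exists, with both hashes."""
    findings = []
    for exe in map(Path, startup_exes):
        bak = exe.parent / "bak" / exe.name
        if not bak.is_file():
            continue
        findings.append({
            "exe": exe,
            "bak": bak,
            # None when the antivirus already deleted the copy under the real
            # name; the program then fails to start because only bak is left
            "exe_sha256": sha256_of(exe) if exe.is_file() else None,
            "bak_sha256": sha256_of(bak),
        })
    return findings


def restore_from_bak(findings):
    """Option 2 analogue: copy the saved original back under the real name."""
    restored = []
    for f in findings:
        if f["exe_sha256"] == f["bak_sha256"]:
            continue  # already identical, nothing to restore
        shutil.copy2(f["bak"], f["exe"])
        restored.append(f["exe"])
    return restored


def remove_bak_folders(findings):
    """Option 3 analogue: delete each bak folder once its original is back."""
    removed = []
    for f in findings:
        bak_dir = f["bak"].parent
        if bak_dir.is_dir():
            shutil.rmtree(bak_dir)
            removed.append(bak_dir)
    return removed


def build_sample_tree(root: Path):
    """Constructed sample (not the poster's disk): two infected program
    folders, one where the AV already removed the dropper, one clean one."""
    layout = {
        "iTunes/iTunesHelper.exe": (b"DROPPER copy", b"ORIGINAL iTunesHelper"),
        "QuickTime/QTTask.exe": (b"DROPPER copy", b"ORIGINAL QTTask"),
        "ScanSoft/IndexSearch.exe": (None, b"ORIGINAL IndexSearch"),
        "Clean/clean.exe": (b"ORIGINAL clean", None),
    }
    startup = []
    for rel, (exe_bytes, bak_bytes) in layout.items():
        exe = root / rel
        exe.parent.mkdir(parents=True, exist_ok=True)
        if exe_bytes is not None:
            exe.write_bytes(exe_bytes)
        if bak_bytes is not None:
            bak = exe.parent / "bak" / exe.name
            bak.parent.mkdir()
            bak.write_bytes(bak_bytes)
        startup.append(str(exe))
    return startup


def demo():
    """Run all three steps on the sample tree and summarise the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        startup = build_sample_tree(root)
        findings = find_bak_replacements(startup)
        restored = restore_from_bak(findings)
        removed = remove_bak_folders(findings)
        originals_back = all(Path(p).read_bytes().startswith(b"ORIGINAL")
                             for p in startup)
        bak_left = sum(1 for p in root.rglob("bak") if p.is_dir())
        return {"found": len(findings), "restored": len(restored),
                "removed": len(removed), "originals_back": originals_back,
                "bak_dirs_left": bak_left}


if __name__ == "__main__":
    print(demo())
```

The restore step runs before the delete step for the same reason the thread orders them that way: deleting a bak folder whose original has not been copied back loses the only good copy of that program's executable.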
 
I need you to boot into Safe Mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Open Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end the process for the following (if there):

AdobeUpdateManager.exe
SSBkgdupdate.exe

Close task manager.

Locate and delete the following files and/or folders (if there).


C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

Reboot into normal mode and re-hide your protected OS files.

You will probably need to reinstall Adobe Reader and ScanSoft.


I then need you to post a fresh AWF log after running the FindAWF tool, option 1.



 
That's that infection gone. One more thing to do with FindAWF though.

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: press 4 then Enter to reset domain zones.


Once done, I need to see fresh HJT and ComboFix logs.



 
Almost clean, but not quite.

Have hjt fix the following by placing a tick in the box next to them.

O2 - BHO: (no name) - {9713408a-e520-4a18-8995-2c69a00cec61} - C:\WINDOWS\system32\dspz32.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O20 - Winlogon Notify: dspz32 - dspz32.dll (file missing)


For these next entries, do the same if you don't recognize and trust them.

O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} (VUploader Control) - http://photofiddle.com/ocx/VUploaderProj1.cab

Click on the Fix checked button.

Close HJT.


Let me know if your PC is running properly or if you have any more problems.



 
YAY! Everything looks great! :) Thanks for all of your help, Rik! I really appreciate it.

Two last questions:
1) I have Spybot Search and Destroy, SuperAntiSpyware, HijackThis, and AVG Anti-Spyware on my computer. Any of these I can get rid of? What do you recommend? I should mention that I'll, of course, be keeping Symantec AntiVirus! I just added ZoneAlarm.

2) Should I worry about my information being stolen from this trojan?

Thanks again!
 
No problem.:)

Antispyware-wise, Spybot and AVG Anti-Spyware are the better ones; it's entirely your choice whether you keep the rest or not.

Antivirus-wise, Symantec AntiVirus isn't very good and I suggest you uninstall it and replace it with either the AVG or Avast antivirus programmes from within this link - https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/.

Make sure you are disconnected from the net while doing this, then reconnect and force the antivirus program of your choice to do an update.

If you do any form of online banking including credit card use then you should have all passwords and codes changed as a precaution.



