Zonebac.b


  • This topic is locked
15 replies to this topic

#1 LionsMike

LionsMike

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Massachusetts
  • Local time:06:46 PM

Posted 01 November 2007 - 12:26 AM

THIS IS A REDUNDANT POSTING. I initially posted it in the WinXP area. I later found this (probably more appropriate) topic area and I am now posting here also.

Every time I boot up (warm or cold) I get a message that I am infected with Backdoor:Win32/Zonebac.B

I run Grisoft AV7.5, Spybot S&D, Windows Defender, and Adaware. All have latest version and all updates. Spybot finds the zonebac.B and removes it but apparently my boot sector is infected and it gets reinstalled with each bootup.

I have tried several on-line scans and run all of my defensive programs at their highest levels and it just keeps on coming back.

I saw a few postings on other boards where people had sent their Hijack This Logs to get help with removing it. Free help would be nice but I would not mind paying $15.00 or $20.00 to purchase a program which would remove this little bugger.

Who has experience and/or good ideas to help solve this one?

Mike

Old Fart with history in Vacuum Tube computers


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,751 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:46 PM

Posted 01 November 2007 - 07:38 AM

Trojan.Zonebac is related to the Downloader.Agent.awf. It is a particularly difficult infection to remove without expert help because it moves legitimate executable files from their correct location into a 'bak' folder created by the malware.

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 LionsMike


Posted 01 November 2007 - 08:47 AM

I am going through the preparation steps for HJT. The instructions ask us to run AdAware SE. I will run my AdAware 2007 and Spybot S&D.

Do you want me to uninstall my AdAware 2007 and go back to AdAware SE and run it?



#4 quietman7


Posted 01 November 2007 - 09:29 AM

There is no need to uninstall your current version of Ad-aware.

#5 LionsMike


Posted 01 November 2007 - 04:23 PM

I think that the Trend Micro program is scanning my computer now.

I think that because I can see the hard drive light fluttering.

There is nothing else that indicates that anything is happening.

I am not happy with the fact that I have no idea of how many hours or how many days I should expect it to scan for.

I just ran my AVG 7.5 and it found nothing.

Do you really think that it will be worth running Panda and Bit Defender if and when the Trend Micro scan finishes?



#6 LionsMike


Posted 01 November 2007 - 05:42 PM

The Trend Micro was actually running and it found about 9 adware and/or spyware programs that were not picked up by SpyBot or AdAware. I did not time it carefully but I think it took about 2 hours.

I will now try to run Panda.



#7 LionsMike


Posted 01 November 2007 - 07:27 PM

Panda is now running.

IT LOOKS LIKE PANDA USES THE SYMANTEC PROGRAM

The progress bar is at about 35% and the scanned file count is over 400,000.
I uninstalled Norton about a year ago when they could not figure out why I was getting such repeated scanning. I could scan a subdirectory with 42 files and the scan reported 12,000 files in that subdirectory. Panda appears to be doing the same thing now. It now reports 430,000 files scanned. It should finish scanning 1,000,000 of my 110,000 files in another two hours or so.

BTW it has found 72 spyware and 3 hacking tools and rootkit infections. SO FAR

If it completes this scan at a reasonable hour I will try to move on to Bit Defender tomorrow.
Panda is at about 42% on the bar and the scanned count is now over 550,000.



#8 LionsMike


Posted 01 November 2007 - 07:51 PM

I started Panda just about 2 hours ago. It still shows 72 spyware and 3 hacking tool and rootkit infections.

The progress bar has moved very little, perhaps 44% or 45% complete, and the scanned file count is a bit shy of a million files.



#9 quietman7


Posted 01 November 2007 - 08:27 PM

If you're having trouble with the scans and cannot complete them, it's ok to skip. We understand that this sometimes happens so don't worry about it.

#10 LionsMike


Posted 01 November 2007 - 08:36 PM

IT LOOKS LIKE SOMETHING HAS CHANGED

Panda did finally finish scanning.

It will tell us about infections (which are probably not infections at all) but it cannot remove any of them. It does suggest that I purchase their service.

Perhaps you should suggest that those terrorists purchase a service from you which will allow their first born children to live to age 8.


When I see free I think about the function in math in which multiplication by zero always yields zero. Free to me means that 700,000,000 cost exactly the same as one: nothing.

YOU SHOULD PROBABLY REMOVE THAT LINK FROM YOUR PROCEDURE

I will now try to run Bit Defender. I hope it is not the scam that Panda was.

Edited by quietman7, 01 November 2007 - 09:33 PM.



#11 LionsMike


Posted 01 November 2007 - 09:11 PM

Bit Defender is reporting that there are 7½ hours left to scan my computer. It found nothing in the boot sector or in memory so I stopped it.

I can go back and run an eight hour scan if you believe that it is worth running, or I can install an additional AV program and run it.

HOW DOES THIS FORMATTING WORK

How does this formatting work

HOW DOES THIS FORMATTING WORK

Something went wrong on my last post



#12 LionsMike


Posted 01 November 2007 - 09:15 PM

Sorry about the text screw up

It looks like simple HTML coding.

I am now moving on to McAfee Stinger



#13 LionsMike


Posted 01 November 2007 - 09:28 PM

OOPS NO CAN DO

Stinger is not a single program; you have to tell me which one of the eight (or all eight) to download and run.
I would think that the rootkit detective might be the one.

Current Stinger Downloads

1. Stinger v3.8.0 - Updated September 10, 2007 to include PWS-JA and related threats
2. Stinger for W32/Polip
3. Stinger for W32/Bacalid ePO Compatible
4. Stinger for W32/Bacalid
5. Stinger for W32/QQPass.worm and W32/Rjump.worm
6. Stinger for W32/HLLP.Philis.bq ePO Compatible
7. Stinger for W32/HLLP.Philis.bq
8. If you are looking for the McAfee Rootkit Detective Beta you can find information about it here.



#14 quietman7


Posted 01 November 2007 - 09:38 PM

Stinger v3.8.0.

#15 LionsMike


Posted 01 November 2007 - 11:13 PM

Stinger ran and apparently found nothing. I have pasted the report below.
I did not see anything other than the clean files count. The entire report is pasted below.





McAfee® Stinger Version 3.8.0 built on Sep 10 2007

Copyright © 2007 McAfee, Inc. All Rights Reserved.

Virus data file v1000 created on Sep 10 2007.

Ready to scan for 191 viruses, trojans and variants.



Scan initiated on Thu Nov 01 22:34:28 2007

Number of clean files: 249346
