
Zonebac.b Will Not Go Away!


  • This topic is locked
41 replies to this topic

#1 Dunsky

Dunsky

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:03 AM

Posted 03 November 2007 - 04:27 PM

Hey, I'm a newbie so you'll have to bear with me here. Windows Defender detects Zonebac.b on my computer.

Symptoms: Norton anti-virus will not start up at startup- the icon in the icon mysteriously disappeared and my computer seems to be making a lot more noise than it ever was before. Startup is taking a bit longer than usual as well. Windows Defender would also not start at all but I fixed that by reinstalling it.

I downloaded HijackThis and here is my log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:51 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onlineregister.com/sonic/cgi/in...B&VRST=0227 (EN)&FNAM=B.&LNAM=P.&EMAL=mosby1476@yahoo.com&NTFY=&PRDN=&YSNL=&PRNM=SCMain&SVTG=&SRNM=SC-612B87B (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 68.56.155.199:7212
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\bak\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.eurohockey.net/leagues/dkpic.jpg

--
End of file - 8768 bytes



I have no clue what to do next so any help would be greatly appreciated. Please help!

Edited by Dunsky, 03 November 2007 - 05:29 PM.



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:03 PM

Posted 05 November 2007 - 05:54 PM

Hello Dunsky,

I think you may have an AWF infection.

Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced that we need to look at.
Please post it in your reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Dunsky

Dunsky
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:03 AM

Posted 07 November 2007 - 04:27 PM

Hey Mike!,

Thanks for helping out. I will get right on that now but I also want to add that whenever I start my computer I receive a message that says:

"This application has failed to start because NISRES.DLL was not found"

I am not sure if that is related or not but it has been happening ever since Zonebac.b has been showing up.

#4 Dunsky

Dunsky
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:03 AM

Posted 07 November 2007 - 05:20 PM

Here's the text file:


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Wed 11/07/2007
The current time is: 17:16:55.92


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

08/30/2004 02:29 PM 33,936 UrlLstCk.exe
1 File(s) 33,936 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/14/2005 12:43 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\WINDOW~4\BAK

11/03/2006 06:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 11:00 PM 15,360 ctfmon.exe
11/02/2004 03:59 AM 126,976 hkcmd.exe
06/07/2004 06:42 AM 659,456 hphmon06.exe
3 File(s) 801,792 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

10/14/2004 08:54 AM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

08/27/2004 11:22 AM 58,488 ccApp.exe
1 File(s) 58,488 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

02/25/2005 05:34 PM 245,760 HPBootOp.exe
1 File(s) 245,760 bytes

Directory of C:\PROGRA~1\PURENE~1\PORTMA~1\BAK

08/24/2004 03:09 PM 99,480 PortAOL.exe
1 File(s) 99,480 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

04/22/2007 06:11 PM 185,784 realsched.exe
1 File(s) 185,784 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

11/09/2006 03:07 PM 49,263 jusched.exe
1 File(s) 49,263 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

27660 Oct 5 2007 "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
33936 Aug 30 2004 "C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe"
27660 Oct 5 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 Jun 14 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
27660 Oct 5 2007 "C:\WINDOWS\system32\hkcmd.exe"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
27660 Oct 5 2007 "C:\WINDOWS\system32\hphmon06.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
27660 Oct 5 2007 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
27660 Oct 5 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58488 Aug 27 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
27660 Oct 5 2007 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
245760 Feb 25 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
27660 Oct 5 2007 "C:\Program Files\Pure Networks\Port Magic\PortAOL.exe"
99480 Aug 24 2004 "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe"
27660 Oct 5 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185784 Apr 22 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36972 Jun 14 2005 "C:\Program Files\Java\jre1.5.0\bin\jusched.exe"
27660 Oct 5 2007 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"


end of report

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:03 PM

Posted 07 November 2007 - 05:47 PM

Hi Dunsky,


I will get right on that now but I also want to add that whenever I start my computer I receive a message that says:

"This application has failed to start because NISRES.DLL was not found"

I am not sure if that is related or not but it has been happening ever since Zonebac.b has been showing up.



NISRES.DLL is part of Symantec. The AWF (aka Zonebac.b) infection has damaged many of your files, but we will restore them shortly.



Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\hphmon06.exe"
"C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Edited by SifuMike, 07 November 2007 - 05:47 PM.
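The restore list in the post above was built by hand from the "Duplicate files of bak directory contents" section of the FindAWF report: every live file whose `bak\` copy has a different size is a replaced one (in this thread all of them are the same 27660-byte file), while a pair with equal sizes is untouched. The script below is an added example, not part of the thread and not FindAWF's own code; it automates that reading of a report. The report format is assumed from the logs posted in this thread, and the sample lines are copied from the report above.

```python
import re
from collections import Counter, namedtuple

# Sample input in the format of FindAWF's "Duplicate files of bak directory
# contents" section, copied from the report posted earlier in this thread.
SAMPLE_REPORT = r"""
27660 Oct 5 2007 "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
33936 Aug 30 2004 "C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe"
27660 Oct 5 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 Jun 14 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
27660 Oct 5 2007 "C:\WINDOWS\system32\hkcmd.exe"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
"""

Entry = namedtuple("Entry", "size date path")
# parent_size is None when the live copy is missing from the report
Finding = namedtuple("Finding", "parent bak parent_size bak_size")

# <size> <Mon> <day> <year> "<path>"  (format assumed from the posted reports)
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')


def parse_duplicates(text):
    """Turn report lines into Entry records; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def _bak_parent(path):
    """'...\\bak\\name.exe' -> '...\\name.exe'; None if the file is not inside a bak folder."""
    parts = path.split("\\")
    if len(parts) >= 2 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def find_replaced(entries):
    """For each file in a bak folder, compare it with the live copy one level up.

    A size mismatch (or a missing live copy) means the live file is not the
    original and has to be restored from bak. Paths are compared case-insensitively
    because Windows file names are.
    """
    by_path = {e.path.lower(): e for e in entries}
    findings = []
    for e in entries:
        parent = _bak_parent(e.path)
        if parent is None:
            continue
        live = by_path.get(parent.lower())
        if live is None or live.size != e.size:
            findings.append(Finding(parent, e.path, live.size if live else None, e.size))
    return findings


def common_rogue_size(findings):
    """Size shared by the most replaced live files, with its count.

    One dropped binary copied over many unrelated autorun programs shows up as
    the same byte size everywhere (27660 bytes in the thread's report).
    """
    sizes = Counter(f.parent_size for f in findings if f.parent_size is not None)
    if not sizes:
        return None
    return sizes.most_common(1)[0]


def restore_list(findings):
    """Quoted bak paths in the form pasted into FindAWF's files.txt (option 2)."""
    return ['"%s"' % f.bak for f in findings]


if __name__ == "__main__":
    found = find_replaced(parse_duplicates(SAMPLE_REPORT))
    for f in found:
        print("replaced: %s (%s bytes, original %d bytes)" % (f.parent, f.parent_size, f.bak_size))
    print("most common rogue size:", common_rogue_size(found))
    print("\n".join(restore_list(found)))
```

Run it against the full section of a report and the printed restore list is the same set of lines an analyst would otherwise assemble by eye; an equal-size pair such as MSASCui.exe above is left out, since there the live file is already the original.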

#6 Dunsky

Dunsky
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:03 AM

Posted 07 November 2007 - 05:51 PM

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Wed 11/07/2007
The current time is: 17:49:56.96


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

08/30/2004 02:29 PM 33,936 UrlLstCk.exe
1 File(s) 33,936 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/14/2005 12:43 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\WINDOW~4\BAK

11/03/2006 06:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 11:00 PM 15,360 ctfmon.exe
11/02/2004 03:59 AM 126,976 hkcmd.exe
06/07/2004 06:42 AM 659,456 hphmon06.exe
3 File(s) 801,792 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

10/14/2004 08:54 AM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

08/27/2004 11:22 AM 58,488 ccApp.exe
1 File(s) 58,488 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

02/25/2005 05:34 PM 245,760 HPBootOp.exe
1 File(s) 245,760 bytes

Directory of C:\PROGRA~1\PURENE~1\PORTMA~1\BAK

08/24/2004 03:09 PM 99,480 PortAOL.exe
1 File(s) 99,480 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

04/22/2007 06:11 PM 185,784 realsched.exe
1 File(s) 185,784 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

11/09/2006 03:07 PM 49,263 jusched.exe
1 File(s) 49,263 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

33936 Aug 30 2004 "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
33936 Aug 30 2004 "C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe"
98304 Jun 14 2005 "C:\Program Files\QuickTime\qttask.exe"
98304 Jun 14 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\hkcmd.exe"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\hphmon06.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
58488 Aug 27 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58488 Aug 27 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
245760 Feb 25 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
245760 Feb 25 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
99480 Aug 24 2004 "C:\Program Files\Pure Networks\Port Magic\PortAOL.exe"
99480 Aug 24 2004 "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe"
185784 Apr 22 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185784 Apr 22 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36972 Jun 14 2005 "C:\Program Files\Java\jre1.5.0\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"


end of report

#7 Dunsky

Dunsky
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:03 AM

Posted 07 November 2007 - 06:04 PM

Ok what now? Is that it?

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:03 PM

Posted 07 November 2007 - 06:09 PM

No. We are not done yet.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer <==== Important

Let me know when you have done the ATF cleaner.

Edited by SifuMike, 07 November 2007 - 06:11 PM.


#9 Dunsky

Dunsky
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:03 AM

Posted 07 November 2007 - 06:11 PM

Ok I'll get on it.

Edited by Dunsky, 07 November 2007 - 06:12 PM.


#10 Dunsky

Dunsky
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:03 AM

Posted 07 November 2007 - 06:21 PM

Ok just finished with the atf cleaner.

Ready for the next step.

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:03 PM

Posted 07 November 2007 - 06:25 PM

Hi Dunsky,

Please double-click the FindAWF icon once again :thumbsup:
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Norton Internet Security\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\system32\bak
C:\hp\drivers\hplsbwatcher\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\Pure Networks\Port Magic\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.5.0_10\bin\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

#12 Dunsky

Dunsky
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:03 AM

Posted 07 November 2007 - 06:31 PM

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Wed 11/07/2007
The current time is: 18:28:18.73


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/14/2005 12:43 PM 98,304 qttask.exe
1 File(s) 98,304 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

98304 Jun 14 2005 "C:\Program Files\QuickTime\qttask.exe"
98304 Jun 14 2005 "C:\Program Files\QuickTime\bak\qttask.exe"


end of report

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:03 PM

Posted 07 November 2007 - 06:42 PM

Hi Dunsky,

Find and delete the following BAK folders.

C:\Program Files\MESSEN~1\BAK <== folder
C:\Program Files\QuickTime\bak <== folder


Then run FindAWF with Option 1 and post the FindAWF log.

#14 Dunsky

Dunsky
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:03 AM

Posted 07 November 2007 - 06:47 PM

I found the QuickTime bak folder but I can't find the first one.

Is it the Windows Messenger bak file folder?

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:03 PM

Posted 07 November 2007 - 06:56 PM

No. The program found all the BAK files and there were only those two.

It should begin with MESSEN and have some letters after the MESSEN then a BAK folder.

It should be an empty folder
C:\Program Files\MESSEN~1\BAK

If you still can't find it then go on to the FindAWF option 1 step.
