My Computer Is Infected With A Backdoor


9 replies to this topic

#1 WLMer

WLMer

  • Members
  • 5 posts

Posted 08 January 2008 - 02:07 AM

Windows Defender is telling me that I am infected with Backdoor:Win32/Zonebac.B .

Can someone please help me in getting rid of it? Thank you.

WLMer


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts

Posted 08 January 2008 - 08:48 AM

Welcome to BC WLMer

This is a particularly complex infection to remove. The Trojan replaces many legitimate program files with a copy of itself in the original folder and moves the legitimate program's file into a 'bak' folder created by the malware. The files in the original folders are the bad ones and run at each startup. This means when the program affected is run, what is actually running is the malware.

Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.

Download FindAWF.exe by noahdfear and save to your desktop.
  • Double-click on FindAWF.exe to run.
  • Select option #1 - Scan for bak folders by typing 1 and press 'Enter'.
  • When complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop.
  • Copy and paste the contents of the awf.txt file in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#3 WLMer

WLMer
  • Topic Starter

  • Members
  • 5 posts

Posted 08 January 2008 - 01:45 PM

Thank you, quietman7.

Here are the contents of the text file:

------------------------------------------------------------------------------------


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLPH~1\BAK

08/31/2004 09:18 AM 294,912 dlbubmgr.exe
07/27/2004 09:08 AM 262,144 memcard.exe
2 File(s) 557,056 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

02/16/2007 09:54 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

05/17/2004 12:27 PM 32,859 dpmw32.exe
05/12/2004 03:22 PM 249,856 keyhook.exe
2 File(s) 282,715 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

01/27/2003 05:16 PM 376,912 CFD.exe
1 File(s) 376,912 bytes

Directory of C:\PROGRA~1\NETWOR~1\COMMON~1\BAK

08/06/2004 02:50 AM 139,320 UpdaterUI.exe
1 File(s) 139,320 bytes

Directory of C:\PROGRA~1\NETWOR~1\VIRUSS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\NETWOR~1\TALKBACK\BAK

10/07/2003 08:48 AM 147,514 tbmon.exe
1 File(s) 147,514 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/13/2005 06:08 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

11/10/2005 01:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\113009~1\EE\BAK

11/02/2005 10:01 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24592 Sep 30 2007 "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
294912 Aug 31 2004 "C:\Program Files\Dell Photo AIO Printer 942\bak\dlbubmgr.exe"
24592 Sep 30 2007 "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
262144 Jul 27 2004 "C:\Program Files\Dell Photo AIO Printer 942\bak\memcard.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
282624 Feb 16 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
24592 Sep 30 2007 "C:\WINDOWS\system32\dpmw32.exe"
32859 May 17 2004 "C:\WINDOWS\system32\bak\dpmw32.exe"
24592 Sep 30 2007 "C:\WINDOWS\system32\keyhook.exe"
249856 May 12 2004 "C:\WINDOWS\system32\bak\keyhook.exe"
24592 Sep 30 2007 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
376912 Jan 27 2003 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
24592 Sep 30 2007 "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
139320 Aug 6 2004 "C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe"
24592 Sep 30 2007 "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
147514 Oct 7 2003 "C:\Program Files\Common Files\Network Associates\TalkBack\bak\tbmon.exe"
24592 Sep 23 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe1190578902"
180269 Sep 13 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
24592 Sep 30 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jdk1.5.0_06\jre\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
36972 Oct 1 2004 "C:\Program Files\MATLAB704\sys\java\jre\win32\jre1.5.0\bin\jusched.exe"
36972 Oct 1 2004 "C:\Program Files\MATLAB704\uninstall\java\jre\win32\jre\bin\jusched.exe"
24592 Sep 30 2007 "C:\Program Files\Common Files\AOL\1130093379\ee\AOLSoftware.exe"
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1130093379\ee\bak\AOLSoftware.exe"


end of report
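As an added illustration (not part of the thread and not FindAWF's own code), a small Python parser for the "Duplicate files of bak directory contents" section of the report above, applying quietman7's description of the infection: each bak\X entry is paired with the X in its parent folder, a size mismatch marks the parent-folder file as the rogue copy, and a bak file with no listed counterpart (realsched.exe, which the log lists with a numeric suffix) is reported separately. The sample report is a constructed subset of the log above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the FindAWF duplicate-files section above.
SAMPLE_REPORT = r"""Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24592 Sep 30 2007 "C:\WINDOWS\system32\dpmw32.exe"
32859 May 17 2004 "C:\WINDOWS\system32\bak\dpmw32.exe"
24592 Sep 30 2007 "C:\WINDOWS\system32\keyhook.exe"
249856 May 12 2004 "C:\WINDOWS\system32\bak\keyhook.exe"
24592 Sep 23 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe1190578902"
180269 Sep 13 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"

end of report
"""
LINE_RE = re.compile(r'^(\d+)\s+(\w{3} +\d{1,2} +\d{4})\s+"(.+)"$')

def parse_duplicates(report):
    """Return {path: (size, date)} for every file listed in the section."""
    entries, in_section = {}, False
    for line in report.splitlines():
        if line.startswith("Duplicate files of bak"):
            in_section = True
        elif line.startswith("end of report"):
            break
        elif in_section:
            m = LINE_RE.match(line.strip())
            if m:
                entries[m.group(3)] = (int(m.group(1)), m.group(2))
    return entries

def find_replaced(entries):
    """Pair each bak\\X with the X in its parent folder.
    replaced: parent-folder files whose size differs from the bak original
    (the rogue copies); orphaned: bak files with no counterpart listed."""
    by_lower = {p.lower(): p for p in entries}  # the real log mixes QTTask/qttask
    replaced, orphaned = [], []
    for path, (bak_size, _) in entries.items():
        parent, _, name = path.rpartition("\\")
        if not parent.lower().endswith("\\bak"):
            continue
        orig = by_lower.get((parent[:-4] + "\\" + name).lower())
        if orig is None:
            orphaned.append(path)
        elif entries[orig][0] != bak_size:
            replaced.append((orig, entries[orig][0], bak_size))
    return replaced, orphaned

def rogue_size(replaced):
    """Modal size of the rogue files; a self-copying infector leaves them all one size (24592 here)."""
    counts = Counter(size for _, size, _ in replaced)
    return counts.most_common(1)[0][0] if counts else None
```

Run against the post-restore log further down the thread, every pair has matching sizes and `find_replaced` returns no rogue copies, which is the check worth making before removing the bak folders.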

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts

Posted 08 January 2008 - 02:01 PM

Double-click the FindAWF icon once again.
  • If a "Security Alert" shows, allow the program to run.
  • As instructed, press any key to continue.
  • Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of files in the quote box into the text file:

"C:\Program Files\Dell Photo AIO Printer 942\bak\dlbubmgr.exe"
"C:\Program Files\Dell Photo AIO Printer 942\bak\memcard.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\dpmw32.exe"
"C:\WINDOWS\system32\bak\keyhook.exe"
"C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
"C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe"
"C:\Program Files\Common Files\Network Associates\TalkBack\bak\tbmon.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
"C:\Program Files\Common Files\AOL\1130093379\ee\bak\AOLSoftware.exe"

  • Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following:
    • It attempts to terminate the process represented by each filename on the list (if running).
    • Deletes the rogue file from the parent folder (if present).
    • Copies the original file to the parent folder.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.


#5 WLMer

WLMer
  • Topic Starter

  • Members
  • 5 posts

Posted 08 January 2008 - 07:10 PM

Here is the awf file from Run #2

----------------------------------------------


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Tue 01/08/2008
The current time is: 17:18:48.71


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLPH~1\BAK

08/31/2004 09:18 AM 294,912 dlbubmgr.exe
07/27/2004 09:08 AM 262,144 memcard.exe
2 File(s) 557,056 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

02/16/2007 09:54 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

05/17/2004 12:27 PM 32,859 dpmw32.exe
05/12/2004 03:22 PM 249,856 keyhook.exe
2 File(s) 282,715 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

01/27/2003 05:16 PM 376,912 CFD.exe
1 File(s) 376,912 bytes

Directory of C:\PROGRA~1\NETWOR~1\COMMON~1\BAK

08/06/2004 02:50 AM 139,320 UpdaterUI.exe
1 File(s) 139,320 bytes

Directory of C:\PROGRA~1\NETWOR~1\VIRUSS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\NETWOR~1\TALKBACK\BAK

10/07/2003 08:48 AM 147,514 tbmon.exe
1 File(s) 147,514 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/13/2005 06:08 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

11/10/2005 01:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\113009~1\EE\BAK

11/02/2005 10:01 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

294912 Aug 31 2004 "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
294912 Aug 31 2004 "C:\Program Files\Dell Photo AIO Printer 942\bak\dlbubmgr.exe"
262144 Jul 27 2004 "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
262144 Jul 27 2004 "C:\Program Files\Dell Photo AIO Printer 942\bak\memcard.exe"
282624 Feb 16 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Feb 16 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
32859 May 17 2004 "C:\WINDOWS\system32\dpmw32.exe"
32859 May 17 2004 "C:\WINDOWS\system32\bak\dpmw32.exe"
249856 May 12 2004 "C:\WINDOWS\system32\keyhook.exe"
249856 May 12 2004 "C:\WINDOWS\system32\bak\keyhook.exe"
376912 Jan 27 2003 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
376912 Jan 27 2003 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
139320 Aug 6 2004 "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
139320 Aug 6 2004 "C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe"
147514 Oct 7 2003 "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
147514 Oct 7 2003 "C:\Program Files\Common Files\Network Associates\TalkBack\bak\tbmon.exe"
24592 Sep 23 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe1190578902"
180269 Sep 13 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jdk1.5.0_06\jre\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
36972 Oct 1 2004 "C:\Program Files\MATLAB704\sys\java\jre\win32\jre1.5.0\bin\jusched.exe"
36972 Oct 1 2004 "C:\Program Files\MATLAB704\uninstall\java\jre\win32\jre\bin\jusched.exe"
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1130093379\ee\AOLSoftware.exe"
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1130093379\ee\bak\AOLSoftware.exe"


end of report

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts

Posted 08 January 2008 - 10:05 PM

Double-click the FindAWF icon once again.
  • Select option #3 - Remove bak folders by typing 3 and press 'Enter'.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of folders in the quote box into the text file:

C:\Program Files\Dell Photo AIO Printer 942\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\BroadJump\Client Foundation\bak
C:\Program Files\Network Associates\Common Framework\bak
C:\Program Files\Common Files\Network Associates\TalkBack\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.5.0_06\bin\bak
C:\Program Files\Common Files\AOL\1130093379\ee\bak

  • Close the text file and click Yes to save the changes.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.


#7 WLMer

WLMer
  • Topic Starter

  • Members
  • 5 posts

Posted 09 January 2008 - 01:13 PM

Results from scan #3

--------------------------------


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Wed 01/09/2008
The current time is: 12:57:48.32


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NETWOR~1\VIRUSS~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts

Posted 09 January 2008 - 01:17 PM

Good job.

Double-click the FindAWF icon once again.
  • Select option #4 - Reset domain zones by typing 4 and press 'Enter'.
  • You will receive a warning to reset domain zones.
  • Press 1 then press 'Enter'.
  • After resetting the domain zones, the program will return to the main menu.
  • Use the following option: Press E then 'Enter' to EXIT.
  • Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted.
Looks like your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older version Java components and update:
  • Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


#9 WLMer

WLMer
  • Topic Starter

  • Members
  • 5 posts

Posted 09 January 2008 - 05:54 PM

Thank you for all your help, quietman7!

I installed Java Runtime Environment (JRE)6 Update 3, as well. :thumbsup:


WLMer

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts

Posted 09 January 2008 - 06:19 PM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.




