Ok, help

Discussion in 'Malware Help (A Specialist Will Reply)' started by girlygeek, Oct 16, 2007.

  1. girlygeek

    girlygeek Private E-2

    I'm attaching all that the geek gods require of me. I'm attaching HijackThis, PandaScan and the runkey/shownew txt files. I'm attaching before-deletion and after-deletion HijackThis files. One thing I deleted, O15 - Trusted Zone: *.whataboutadog.com, came back after I rebooted.

    I ran Bitdefender and it found nothing.
    I ran CounterSpy and it found a bunch of stuff and "fixed" it. Now it finds only the following:

    Cookie: Hotbar Cookie (General) more information...
    Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
    Status: Ignored

    Cookies detected
    c:\documents and settings\emily\cookies\emily@ad.yieldmanager[2].txt
    c:\documents and settings\emily\cookies\emily@realmedia[1].txt
     

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You never came back and answered your previous thread that I responded to.
    http://forums.majorgeeks.com/showthread.php?t=140664

    For this thread, we need just a few more logs...
    • CounterSpy Log - only for Windows XP, 2K, & NT users
    • AVG Antispyware Log - ONLY IF NEEDED, i.e. if you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
    • Bitdefender Log - from step 6
    • HijackThis Log
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. girlygeek

    girlygeek Private E-2

    This is TERRIBLY tedious when it takes an IE window 20 minutes to open. To reiterate the problem, when we came home from vacation and booted up the computer, both AVG Antivirus and Windows Defender were missing files and inactivated. And IE explorer runs SO SLOWLY at startup. Though once it's up, it stays up and runs normally. Outlook Express seems to run fine as well.

    Attaching HijackThis files before and after deleting what I knew was bad. Before is called "10.16" and after is "10.16.08 After".

    I'm really hoping you can help me go in the right direction.

    Emily
     

  4. girlygeek

    girlygeek Private E-2

    I've attached the HijackThis logs. The whataboutadog O15 file didn't seem to delete.

    BitDefender didn't find anything, so no log.

    I didn't save the initial scan of the CounterSpy, but it did find quite a bit of garbage that it removed. I copied and pasted the only thing it currently finds when I run it in my initial post. It's that Hotbar cookie.

    It takes flipping forever to open the window to attach the attachments, so that's why the delay.
     
    Last edited: Oct 16, 2007
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Part 6 of the READ ME!

     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please attach a current HJT log from normal mode, and name it hijackthis.log.
     
  7. girlygeek

    girlygeek Private E-2

    Appropriate HijackThis log appropriately named now attached.

    Re-running BitDefender so you can have a log that says nothing has been found. That will take about an hour and may not be accurate if I've already run PandaScan.

    Thanks for your help. I'm frustrated with the computer, not really with you.

    Emily
     
  8. girlygeek

    girlygeek Private E-2

    Finally...

    Attached is my BitDefender log. Please help, going nuts.

    Emily
     

  9. girlygeek

    girlygeek Private E-2

    Making sure this is attached too.

    I'm not usually this annoying. I think my brain's fried.

    Emily
     
  10. girlygeek

    girlygeek Private E-2

    Great, now I can't attach HijackThis.txt. I copied and pasted it here.

    Edit by bjgarrick: Inline log attached!
     

    Last edited by a moderator: Oct 17, 2007
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we continue, click Start > Run > type msconfig and press ENTER.

    Once the System Configuration is displayed, under the General Tab, select the option for Normal Startup click Apply and OK.

    DO NOT REBOOT!

    Attach a fresh HijackThis & GetRunKey log once you have completed the above.
     
  12. girlygeek

    girlygeek Private E-2

    Thanks for trying to help me.

    If it helps, Windows Defender is finding "Backdoor.Win32/zonebac.B". Earlier in the week it was finding a different "Backdoor". It corrects it, but then if I restart, it's back again. So something must be running in task manager or startup somewhere.

    I didn't have time to work on this yesterday, but I have a little this morning.

    Emily
     

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since it has been a few days, get a fresh ShowNew log and then we will begin a fix.
     
  14. girlygeek

    girlygeek Private E-2

    In the interest of full disclosure, my nephew was over playing a game and turned off the computer. Since you said not to restart after msconfig, I wanted to make sure that was ok.

    And here's this morning's ShowNew log.

    THANKS!

    Emily
     

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Look in Add/Remove Programs and uninstall Java 2 Runtime Environment, SE v1.4.2_05.

    Next, download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.
     
  16. girlygeek

    girlygeek Private E-2

    Nope, we haven't quite killed it yet. Please let me know what else you need. Ran ATF cleaner and removed Java. If anything, it's slower now than it was.

    I appreciate any help you can give me.

    Emily
     
  17. girlygeek

    girlygeek Private E-2

    Attaching a new HijackThis log in case those help. And I ran shownew again, but it won't let me attach the notepad for some reason.

    Emily
     

  18. girlygeek

    girlygeek Private E-2

    Ok, it's not just when I restart. If I log off of XP to let my husband use the computer, then it comes back when I log back in. Thing is, the Java doesn't come back to be re-deleted, so there has to be something else that needs to be taken out. Windows Defender finds it every time, but Spyware Doctor does not.

    Emily
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What does it find? Your logs show nothing suspicious.
     
  20. girlygeek

    girlygeek Private E-2

    Windows Defender finds "Backdoor.Win32/zonebac.B"

    And I can remove it and the computer runs fine, but if I restart or log out of my session on XP, then it's back. Which, in the scheme of things isn't the worst thing, as I can just run Defender again, but I'd prefer to get rid of it completely.

    That and I THINK it's why I can't keep my network printer online. It also works and then will stop working if I restart. I reinstall and it'll work again.

    Flakey PITA

    Emily
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, attach a fresh ShowNew log. Can you see exactly what's being flagged as "zonebac.B", a file, folder, registry entry?

    Also, run the below so we can get a look if anything else is hiding.

    Using Sophos Anti-Rootkit
     
  22. girlygeek

    girlygeek Private E-2

    Alrighty, Windows Defender only "quarantines" Backdoor:Win32/zonebac.B even when I try to make it remove manually. I guess that's why it keeps coming back when I logoff.

    And no, it doesn't say where the zonebac.B is found in. Just finds it, labels it severe, quarantines it. A search does not find it on the hard drives.

    Sophos didn't find anything either. Log is attached.

    I was hoping this was something people had heard of so it could be killed quickly.

    I wanted to be sure to tell you that my scans were run while Defender had this quarantined. So if I have to be infected, I can let the monster loose, just takes it SO much longer to attach files.

    Sorry to be difficult.

    Emily
     

    Last edited: Oct 25, 2007
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Once you complete the above, let me know if Windows Defender still flags that infection.
     
  24. girlygeek

    girlygeek Private E-2

    Sorry, out of town this past weekend.

    Anyway, yes, after Avenger, Defender still finds the backdoor trojan. The weird thing is this... after running Avenger, IE explorer still didn't work right (long time to load), but instead of finding "Backdoor:Win32.zonebac.B", Defender found two "unknown" files that it allowed; but still the IE explorer worked fine even though it "allowed" those two files and didn't find backdoor. Then last night, without logging off or restarting or any of that, it found the Backdoor trojan on Defender with its normal 2 am scan.

    I attached what I know about the files Defender is finding and also the Avenger log.

    Thanks for your help.

    Emily
     

  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Let's run Avenger once more, like you did before.

    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Once you complete the above, attach the new Avenger log then reboot a few times and see if Windows Defender gives you any prompts.
     
  26. girlygeek

    girlygeek Private E-2

    I ran Avenger and Defender does NOT find the backdoor trojan at the moment. I SEEM to be running fine. We'll cross fingers that it stays this way.

    I referred a friend here. She has the same trojan to kill.

    THANK YOU

    Emily
     
  27. girlygeek

    girlygeek Private E-2

    Logged off and logged back in and again it finds "unknown" but allowed files. Two again, but the first one has a much longer explanation.

    Spoke too soon, I guess.

    Attached are the Avenger and Defender logs AGAIN.

    Emily
     

  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try this first; be sure you have the updated definitions. Reboot into Safe Mode, run a full scan and remove everything found.

    Once complete, reboot and attach any logs from Defender.
     
  29. girlygeek

    girlygeek Private E-2

    Nothing found in safe mode. We'll see if it finds Backdoor again tonight at 2 am. It has every day this week.

    Emily
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Let's run Avenger once more, like you did before.

    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Once you complete the above, attach the new Avenger log then reboot a few times and see if Windows Defender gives you any prompts.
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's get a log from the scan below.

    • Please download FindAWF by noahdfear.
    • Save to your desktop.
    • Double-click the FindAWF icon.
      • If a Security Alert shows, allow the program to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 1 then Enter to scan for bak folders
    • The scan may take a while, please be patient.
    • When done, a text file, Find AWF report is produced.
    • Please attach the Find AWF report in your next post.
     
  32. girlygeek

    girlygeek Private E-2

    Here are the logs. After running Avenger, I didn't have to wait or anything to get online, nor did I have to run Defender. Haven't restarted or anything yet, figured I'd let you look.

    Emily
     

  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Next, we need to run FindAWF again.
    • Double-click the FindAWF icon.
      • If you receive any security alerts and/or warnings please allow the utility to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 2 then Enter to restore files from bak folders
    • A text file opens called: files.txt
    • Click below the line and paste the following list of files to be restored:
    • Next, close and click Yes to save the changes.
    • Once files.txt is saved, FindAWF does the following:
      • It attempts to terminate the process represented by each filename on the list, if running
      • Deletes the rogue file from the parent folder, if present
      • Copies the original file to the parent folder
    • When done with the above, it automatically runs a new scan and opens a new log.
    • Please provide the new FindAWF log in your reply.
     
  34. girlygeek

    girlygeek Private E-2

    Sorry, been busy with company. That time of year, ya know?

    Log attached.

    Emily
     

    Attached Files: awf.txt (2.8 KB)
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We need to run FindAWF once more.
    • Double-click the FindAWF icon.
      • If you receive any security alerts and/or warnings please allow the utility to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 3 then Enter to remove bak folders
    • A text file opens called: folders.txt
    • Click below the line and paste the following list of folders to be removed:
    • Next, close and click Yes to save the changes.
    • Once folders.txt is saved, FindAWF does the following:
      • It deletes the contents of the bak folders
      • Removes the bak folders
    • When done with the above, it automatically runs a new scan and opens a new log.
    • Please provide the new FindAWF log in your reply.
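    The three FindAWF steps that posts 33 and 35 walk through (scan for bak folders, restore the originals, then remove the bak folders), as an added Python example run over a constructed directory tree; this is not FindAWF's own code, the paths and file contents are made up, and the process-termination step is left out.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample tree (not from the thread): ExampleApp's real executable was
# moved into a "bak" subfolder and a rogue file of the same name put in its place.
SAMPLE_TREE = {
    "Program Files/ExampleApp/app.exe": b"ROGUE-REPLACEMENT",
    "Program Files/ExampleApp/bak/app.exe": b"ORIGINAL-PROGRAM-BYTES",
    "Program Files/CleanApp/clean.exe": b"UNRELATED-PROGRAM-BYTES",
}

def scan_bak_folders(root):
    """Option 1: return (rogue, original) pairs, where 'original' sits in a 'bak'
    folder and 'rogue' is the same-named file with different bytes one level up."""
    pairs = []
    for dirpath, _dirs, filenames in os.walk(root):
        folder = Path(dirpath)
        if folder.name.lower() != "bak":
            continue
        for name in filenames:
            original, rogue = folder / name, folder.parent / name
            if rogue.is_file() and rogue.read_bytes() != original.read_bytes():
                pairs.append((rogue, original))
    return pairs

def restore_files(pairs):
    """Option 2: delete each rogue file and copy the original back. FindAWF also
    kills a running process of that name first; skipped here, nothing executes."""
    for rogue, original in pairs:
        rogue.unlink()
        shutil.copy2(original, rogue)
    return len(pairs)

def remove_bak_folders(pairs):
    """Option 3: with the originals back in place, delete the bak folders."""
    folders = {original.parent for _rogue, original in pairs}
    for folder in folders:
        shutil.rmtree(folder)
    return len(folders)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_TREE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        pairs = scan_bak_folders(root)
        restored, removed = restore_files(pairs), remove_bak_folders(pairs)
        app = root / "Program Files/ExampleApp/app.exe"
        return {"found": len(pairs), "restored": restored, "removed": removed,
                "app_bytes": app.read_bytes(),
                "bak_gone": not (root / "Program Files/ExampleApp/bak").exists()}
```

Running demo() on the constructed tree reports one rogue/original pair found, restored and cleaned up, with app.exe holding the original bytes afterwards.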
     
  36. girlygeek

    girlygeek Private E-2

    One more time...

    ;)

    Emily
     

    Attached Files: awf.txt (2.8 KB)
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We need to run Avenger again, just like you did before.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Once you complete the above, attach fresh logs from the below.

    • GetRunKey
    • ShowNew
    • HijackThis
    • Avenger
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also, let's get a fresh log from Post 31.
     
