Tech Support Team

Pewter7 · #1 (**permalink**) **Top** 18th March 2008, 03:45 AM

Hi there! About two weeks ago or so I used IE7 to go online and noticed a tab next to my home page tab for a.doginhispen, and after researching realized I have been infected this this horrible pest which broke my IE7. Then a couple of weeks later I logged on and a pop up warning from Microsoft Malicious Removal said it had scanned my system and had found malware:a trojan in the win32/zonebac.gen!f and that it could not remove this! I have ran Spybot S&D, and Avast to no avail. I've tried everything I can think of but I can't seem to get rid of this trojan. It disabled my firewall program as well as Netscape browser too. Thanks in advance for any help!!

I downloaded Hijack this tonight and this is the result of the scan:

Howard · #2 (**permalink**) **Top** 18th March 2008, 03:58 AM

Hello and welcome to

I have moved your thread to the correct forum.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Also, please let me know the exact location of the infection that the WMRT is finding.

Regards Howard

Pewter7 · #3 (**permalink**) **Top** 18th March 2008, 02:00 PM

Oh, wonderful! Thank you so much for your assistance. I will do as you recommend as soon as I get home this evening.

Howard · #4 (**permalink**) **Top** 18th March 2008, 04:49 PM

That`s not a problem mate. I`m pretty sure we can get your system all cleaned up.

Regards Howard

Pewter7 · #5 (**permalink**) **Top** 19th March 2008, 02:03 PM

Hi Howard,

I just wanted to let you know that I have begun the recommended steps you supplied me. Unfortunately, I cannot do them all at once. The last step I did was to download the latest version of Adaware SE and left it this morning running it's scan.

I do have a question. My wife needed to do some homework early this morning and logged in under her user name. After she did her homework, I went to log her off and it took a really long time to log her off, and then when it did the screen went black and even though my username was still logged in I could not access my screen and the keyboard was unresponsive. I couldn't reboot the computer by depressing the start button either. I had to unplug the machine and then restart it. This is the second time this has happened. The first time was before I had begun to follow the steps you so kindly have provided. I thought you should be aware of it. I don't know if this will be fixed as I follow your steps or if something in addition needs to be done. Also, every time the sign-in screen comes up (due to inactivity in the desktop), I have to turn on number lock on the keyboard. I never had to do that before -it has always remained on.

I downloaded and installed zone alarm, since the firewall I was using before was Comodo, and that was broken by the trojan. I really like Zone Alarm and I'm so thankful for it. It blocked over a hundred attempts to get into my computer through various ports last night as I was working through your steps.

I will let you know when I have finished the steps. I hope to be able to finish them tonight.

Howard · #6 (**permalink**) **Top** 19th March 2008, 03:16 PM

I don`t know at this stage what`s causing you shutdown/startup problems. Once I have the requested log files, I`ll be able to see what needs doing and advise you further.

Regards Howard

Pewter7 · #7 (**permalink**) **Top** 22nd March 2008, 01:12 AM

Hi Howard,

Hope you are well today. I just wanted to let you know that I have gotten up to Step 8 and have downloaded SmitFraud. However, when I double-click the exe file like the directions say to do, I get a pop-up warning which states: "SmitfraudFix.exe is not a valid Win32 extension" Can you advise what I should do?

Thanks!

Jason · #8 (**permalink**) **Top** 22nd March 2008, 01:38 AM

Hello Pewter7 and welcome to TST!

Please skip any steps that you aren't able to complete. Afterwards, post the requested logs and Howard will be with you shortly.

Regards Jason

Pewter7 · #9 (**permalink**) **Top** 22nd March 2008, 02:57 AM

Thanks Jason, will do!

Howard · #10 (**permalink**) **Top** 22nd March 2008, 03:10 AM

If you can, you should allow SmitfraudFix.exe to run. Otherwise, just skip it and move onto the next instruction.

Regards Howard

Pewter7 · #11 (**permalink**) **Top** 22nd March 2008, 08:16 PM

Hi Guys!

Ok, well I finally was able to complete the 14 recommended steps. Well, all except for step 8: the smitfraudfix executable. I downloaded it and when I clicked on the executable I got an error message. So I thought that perhaps I needed to re-download it. But when I used the first link from your action steps page, Zone Alarm gave me a warning saying that this particular web page/site was known for downloading malware and did I want to stay or go back. So I hit go back. So this step 8 has not been done.

Also, when I ran the AVG anti-spyware scan, I forgot to save the log file!

Duh! But I did make a print-screen of the results and I will send that so you can see what it found; which was a Trojan and a bunch of cookies.

I'm not sure if the Combo fix did everything it was supposed to. It said it would take 10 minutes to run. At the end of about that time it had stopped putting text on the blue field and just sat there and never did anything else. I had forgotten to disable Threatfire so when Combo fix was running I did have to use the mouse to ok it's procedure, twice. I had to reboot because it did leave the desktop disabled, as you said.

I went ahead and included the Eset scan log too, just in case it's helpful.

Thanks so much for all your expertise, time and help!

Howard · #12 (**permalink**) **Top** 22nd March 2008, 10:54 PM

You should have allowed SmitFraudfix.exe to have access, I assure you it`s perfectly safe.

Unfortunately, that`s not a full Combofix log.

Please follow these instructions carefully.

Download combofix.exe to your desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

Then do the following.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

F3 - REG:win.ini: load=

F3 - REG:win.ini: run=

O4 - Global Startup: Compaq Connections.lnk.disabled

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab

Click on the fix checked button.

Reboot your system.

Post a fresh HJT log as well as the Combofix log.

Regards Howard

Close HJT.

Pewter7 · #13 (**permalink**) **Top** 23rd March 2008, 02:39 AM

Ok, I will try it again. When I click the blue text in your note above, for Combofix, it takes me to my Opera download screen and then Combofix puts its blue box on my desktop screen and begins to run. Please see the attached screenshot.

What I shall do it try using IE7 to access a download of Combofix and see if I get the option to save it to the desktop.

Well, I used IE7 to find ComboFix and was able to save the executable to my desktop. However, I get an error message when I try to run it by double-clicking it. Please see attached screen-shot.

Should I go ahead with the other instructions for HJT or should I try downloading Deckard's System Scanner instead?

Thanks!

Here is the screen-shot.

**evilfantasy** · #14 (**permalink**) **Top** 23rd March 2008, 03:15 AM

You need to turn off ThreatFire and also any other security monitors you have before running Combofix.

Close any open Web browsers. (Firefox, Opera, Internet Explorer, etc) before starting Combofix.

Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.

Click this link to see a list of security programs that should be disabled and how to disable them.
If yours is not listed and you don't know how to disable it, please ask.

If you still have problems getting it started try running Combofix in a different way.

Make sure combofix is located on your desktop.
Now STOP all your monitoring programs
Click this link to see a list of security programs that should be disabled and how to disable them.
Click on your START button and choose Run. Then copy/paste the entire content of the following Codebox (Including the "" marks and the Symbols) into the run box.

Code:

"%userprofile%\desktop\ComboFix.exe" /KillAll

Click OK and this will start combofix in a special way.
When finished, it will produce a log.
Please save that log to a Notepad File and include it in your next reply.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* ComboFix will automatically Restart your machine when the KillAll switch is used.

Combofix (CF) disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Pewter7 · #15 (**permalink**) **Top** 23rd March 2008, 09:52 PM

Hey there and Happy Easter to all.

I have finished the above recommended steps (with the exception of smitfraud).

I was able to get ComboFix to work. After it ran its scan, I went to fix the two F items, the two O items recommended above. However, when I ran the Hijack This the two F items were not listed, so perhaps they were corrected by Combo Fix?

Please see the attached files. I have attached them in the order that I ran them.

I have also attached a jpeg image showing an HP prompt which comes up everytime I log on and my desktop is loading. It also comes up on my wife's desktop when hers is loading. Thus far I have been hitting cancel rapidly two or three times to get it to go away. Can you advise what I should do?

I do so appreciate your assistance with all the problems I have had!

Howard · #16 (**permalink**) **Top** 23rd March 2008, 11:03 PM

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - Global Startup: Compaq Connections.lnk.disabled

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab

Click on the fix checked button.

Reboot your system.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment, as well as a fresh HJT log.

Regards Howard

Pewter7 · #17 (**permalink**) **Top** 25th March 2008, 12:08 AM

Hey there.

I did as you recommended and then ran AWF.

The two logs are attached

Howard · #18 (**permalink**) **Top** 25th March 2008, 12:22 AM

Your HJT log is now clean.

Unfortunately, Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

Please do the following.

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

Quote:

"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Common Files\LightScribe\bak\LightScribeControlPanel.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolb arNotifier.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.csv"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.csv"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.csv"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard

Pewter7 · #19 (**permalink**) **Top** 25th March 2008, 01:02 AM

Hey Howard,

I did as you said, three times, but no report was generated. When I copied the text into the report and hit yes to save it, then findawf ran some script very fast and winked out.

Howard · #20 (**permalink**) **Top** 25th March 2008, 01:09 AM

Mmm, not good mate.

Try the following.

Delete your current version of the FindAWF tool and redownload it. If you then still have the same problem in running option2, try running the tool from safe mode and let me know what happens.

Regards Howard