#1
What gives?
VirusTotal had 8 other systems that ID'ed this virus. Even the free ones.
#2
Last edited by ronjor : September 18th, 2007 at 02:54 PM. Reason: Wording
#3
Already submitted.
Thanks.
#4
RE:
http://www.microsoft.com/security/po...32/Zonebac.gen

The 'Microsoft Malicious Software Removal Tool' that specifically finds this trojan provides a text LOG detailing the time of the performed scans and displaying the 'process' where a trojan or virus is actually located. It opens with Notepad under the name 'mrt.log'; you'll easily find this log with a basic Windows SEARCH for files and folders under C:\Documents and Settings.

This trojan had the capability to 'spread' into various PID files. Via the MRT log's scan report you can identify these 'PID Numbered Files' and immediately decipher them by way of the Windows Task Manager: http://img524.imageshack.us/img524/2...mgrpidsdx9.jpg (note the red arrows). Go to RUN, enter: taskmgr. THEN in the Task Manager go to PROCESSES, then right above to VIEW, and then to SELECT COLUMNS, where you click on the box for the PID numbers to 'APPEAR'.

Only by running repeated scans of the tool, and ONLY on normal Windows start-ups, did we FIND the infected PID files in the log. We THEN, and at each time thereafter, had to reboot into SAFE MODE to manually 'delete' these infected process files, and we were surprised to learn that it was not just ONE file infected; painstakingly booting/rebooting about 6-7 times.

(AN EXAMPLE, from the MRT log):

1 ---------------------------------------
Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Sun Sep 02 23:15:17 2007

Quick Scan Results:
----------------
Found possible virus: Backdoor:Win32/Zonebac.gen!B in process://pid:2588

Results Summary:
----------------
Found Backdoor:Win32/Zonebac.gen!B (detected generically)
Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Sun Sep 02 23:15:54 2007

2 ---------------------------------------
Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Mon Sep 03 00:43:13 2007

Quick Scan Results:
----------------
Found possible virus: Backdoor:Win32/Zonebac.gen!B in process://pid:2748

Results Summary:
----------------
Found Backdoor:Win32/Zonebac.gen!B (detected generically)
Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 03 00:44:13 2007

3 ---------------------------------------
Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Mon Sep 03 01:01:17 2007

Quick Scan Results:
----------------
Found possible virus: Backdoor:Win32/Zonebac.gen!B in process://pid:2688

Results Summary:
----------------
Found Backdoor:Win32/Zonebac.gen!B (detected generically)
Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 03 01:01:55 2007

4 ---------------------------------------
Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Mon Sep 03 01:21:06 2007

Results Summary:
----------------
No infection found.
Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 03 01:21:53 2007

**NOTE in scans 1-3 the 'different' PID numbers under where it says "Quick Scan Results".

On each reboot BACK to normal Windows from SAFE MODE to check the MRT scan after each PID deletion, we discovered that the trojan had 'indeed' SPREAD. The numbered PIDs were infected .EXE files, the majority of them from different folders in PROGRAM FILES; thus we made certain before each major file deletion to COPY and SAVE each file on a flash drive, to put BACK in if absolutely necessary (the saved infected files in this case totaled about 3 MB). These infected .EXE files were in folders from programs such as Quicktime, MusicMatch, Toshiba (our brand of PC) and Synaptics. One infected file that was NOT in programs was Microsoft's Isass.exe LSA Shell (export version).

As far as we can tell, removing all these files did NOT disrupt our computer system, nor the programs that were associated with the deleted files; also these files DID NOT reappear in the system. We also ran a 'registry scrub scan' after each file deletion, basically to clear out the nulled 'registry entry' associated with EACH removed file.

**TIP: when searching for these identified PID files, also DELETE any other files (.PF) that appear associated with the NAME of the infected file, as a few of these were located in the Windows 'PreFetch' folder; also SAVE these types of files before extraction.

Will keep you posted if any discrepancies DO at some time occur.
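The post above works through the MRT log by hand: read each scan, note the PID in `process://pid:NNNN`, look that PID up in Task Manager, and notice that the same detection name keeps coming back under a new PID. The following is an added example that does the same mechanically; it is not code from the thread or from Microsoft. It parses the plain-text format the post quotes (MRT normally writes this file as %WINDIR%\debug\mrt.log; the poster found it by searching under Documents and Settings), reports each scan's return code and PIDs, flags detection names that recur across scans, and resolves a PID to an image name with `tasklist`, the command-line equivalent of the Task Manager PID column. The sample log is reproduced from the scans quoted in the post with scan 3 omitted for space; the `tasklist` call and the log location are the example's own assumptions.

```python
"""Added example (not from the thread or from Microsoft): parse an MRT log,
summarise detections per scan and flag names that recur across scans."""
import csv
import io
import platform
import re
import subprocess
from collections import namedtuple
from dataclasses import dataclass, field

# Reproduced from the scans quoted in the post above (scan 3 omitted for space).
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Sun Sep 02 23:15:17 2007
Quick Scan Results:
----------------
Found possible virus: Backdoor:Win32/Zonebac.gen!B in process://pid:2588
Results Summary:
----------------
Found Backdoor:Win32/Zonebac.gen!B (detected generically)
Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Sun Sep 02 23:15:54 2007
Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Mon Sep 03 00:43:13 2007
Quick Scan Results:
----------------
Found possible virus: Backdoor:Win32/Zonebac.gen!B in process://pid:2748
Results Summary:
----------------
Found Backdoor:Win32/Zonebac.gen!B (detected generically)
Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 03 00:44:13 2007
Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Mon Sep 03 01:21:06 2007
Results Summary:
----------------
No infection found.
Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 03 01:21:53 2007
"""

SCAN_START = re.compile(r"^Microsoft Windows Malicious Software Removal Tool v([\d.]+)")
STARTED = re.compile(r"^Started On (.+)$")
DETECTION = re.compile(r"^Found possible virus: (\S+) in (\S+)$")
RETURN_CODE = re.compile(r"^Return code: (\d+)$")
PID_IN_LOCATION = re.compile(r"pid:(\d+)")

# location is process://pid:N for in-memory hits, a file path for on-disk hits
Detection = namedtuple("Detection", "name location pid")


@dataclass
class Scan:
    version: str
    started: str = ""
    return_code: "int | None" = None
    detections: list = field(default_factory=list)


def parse_mrt_log(text):
    """Split the log into scans; each tool banner line starts a new scan."""
    scans = []
    for line in (l.strip() for l in text.splitlines()):
        if m := SCAN_START.match(line):
            scans.append(Scan(m.group(1)))
        elif not scans:
            continue  # anything before the first banner is ignored
        elif m := STARTED.match(line):
            scans[-1].started = m.group(1)
        elif m := DETECTION.match(line):
            pid = PID_IN_LOCATION.search(m.group(2))
            scans[-1].detections.append(
                Detection(m.group(1), m.group(2), int(pid.group(1)) if pid else None))
        elif m := RETURN_CODE.match(line):
            scans[-1].return_code = int(m.group(1))
    return scans


def summarize(text):
    """Return codes and PIDs per scan, names seen in more than one scan (the
    infection survived removal or, as in the post, sits in several EXEs), and
    the PIDs of the newest scan only: PIDs are recycled at every reboot, so a
    PID from an older scan may now belong to any process at all."""
    scans = parse_mrt_log(text)
    seen = {}
    for i, s in enumerate(scans):
        for d in s.detections:
            seen.setdefault(d.name, set()).add(i)
    return {"return_codes": [s.return_code for s in scans],
            "pids": [d.pid for s in scans for d in s.detections],
            "persistent": sorted(n for n, idx in seen.items() if len(idx) > 1),
            "latest_pids": [d.pid for d in scans[-1].detections] if scans else []}


def resolve_pid(pid):
    """Image name of a running PID via tasklist, the command-line form of the
    Task Manager PID column in the post (assumed; Windows only, None elsewhere)."""
    if platform.system() != "Windows":
        return None
    out = subprocess.run(["tasklist", "/FI", f"PID eq {pid}", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=False).stdout
    for row in csv.reader(io.StringIO(out)):
        if len(row) > 1 and row[1] == str(pid):
            return row[0]
    return None
```

Run `summarize(open(path).read())` against a real mrt.log, then `resolve_pid(p)` for each entry in `latest_pids` while the machine is still in the same boot session; once you reboot into Safe Mode the PIDs in the log no longer identify anything, which is why the post had to note the image name from Task Manager before each reboot.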