Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

3 posters

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)
Belahzur wrote:
Hello.
Did Spyware Doctor fix these leftovers?


From the screenshot that I gave in my previous reply, it seems to have fixed those, but the reason why I need your help is that I think that although that little pop-up fake security alert isn't on my screen anymore, that doesn't mean that there aren't still infected traces or that it didn't spawn other malware that these scanners haven't picked up. That's why I gave those HijackThis logs and DDS logs. Can you look to see what else I can fix or remove? (By the way, these were all hidden from the registry editor for some reason, as my previous posts show. I don't know why, but I have a feeling there's more.)

I just ran scanfsc in the meantime.

Please help spot other things. After all of this is cleaned out, I'll do another system restore.

Also, since Spyware Doctor found Win32 files that were infected, if those are quarantined, does that mean that they're missing now as required system files in the folder? Do I have a hole now?

Thanks

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)
Wait.
DO NOT use system restore, that will restore the infection.

Please download the OTMoveIt3 by OldTimer from here:

Code:

http://download.bleepingcomputer.com/oldtimer/OTMoveIt3.exe


  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :processes
    explorer.exe

    :files
    C:\Windows\system32\windrvnt.sys

    :reg
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windrvNT]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windrvNT]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT]

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt3.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)
It's not letting me highlight the results. It's like it's locked or something.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)
Ah, it's okay, the report is saved to a txt file anyway.
Navigate to this folder in bold:
C:\_OTMoveIt

There is a .log file in there with the report, please post that.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)
Here is the log. I thought it froze, but it was just doing something else.

From the results, C:\Windows\system32\windrvnt.sys was the file that got infected and quarantined when I ran Spyware Doctor, from the post earlier:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_bc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_140958

Files moved on Reboot...
File C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY not found!
C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_bc.dat not found!
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite moved successfully.
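As an added example (not part of this thread or of OldTimer's tool), the script below classifies each line of an OTMoveIt3 results log of the kind posted above, so a reader can see at a glance which targets were removed, which were already gone ("not found" means the item was absent before the run, for example because an earlier scanner quarantined it) and which locked files were only scheduled for deletion on the next reboot. The log text is a constructed, shortened sample modelled on the posted format.

```python
import re
from collections import Counter

# Constructed sample in the OTMoveIt3 results format posted in the thread (shortened).
SAMPLE_LOG = """\
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\\Windows\\system32\\windrvnt.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\windrvNT\\\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\windrvNT\\\\ not found.
========== COMMANDS ==========
File delete failed. C:\\WINDOWS\\temp\\Perflib_Perfdata_7ac.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
Explorer started successfully
"""

SECTION_RE = re.compile(r"^=+ (\w+) =+$")  # matches '========== FILES =========='

def classify(line):
    """Label one result line. 'not_found' means the target was already absent
    (e.g. quarantined earlier by another scanner); that is not a failure."""
    if line.endswith("not found.") or line.endswith("not found!"):
        return "not_found"
    if "scheduled to be deleted on reboot" in line:
        return "scheduled"   # locked file; confirm it in the 'Files moved on Reboot' part
    if "deleted successfully" in line or "moved successfully" in line:
        return "removed"
    if "killed successfully" in line or "emptied." in line or "started successfully" in line:
        return "ok"
    return "other"

def parse_log(text):
    """Group result lines by their '========== NAME ==========' section."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append((line, classify(line)))
    return sections

def summary(text):
    """Return (outcome counts, FILES/REGISTRY targets that are still unresolved)."""
    sections = parse_log(text)
    counts = Counter(o for items in sections.values() for _, o in items)
    unresolved = [l for sec in ("FILES", "REGISTRY")
                  for l, o in sections.get(sec, []) if o not in ("removed", "not_found")]
    return dict(counts), unresolved
```

An empty unresolved list means every file and registry target of the fix script is either removed or was already gone, which is the state the posted log shows.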

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)
Well anyway, the zafi.b is gone and everything looks clean to me, any problems for you?

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

I ran OTMoveIt a second time, just in case, for you to review:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windrvNT\\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windrvNT\\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_0R5h8sBp1jzrNvtq1SgK scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7dc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_142346

Files moved on Reboot...
File C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_0R5h8sBp1jzrNvtq1SgK not found!
File C:\WINDOWS\temp\Perflib_Perfdata_7dc.dat not found!
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\XUL.mfl moved successfully.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)
q1) What do all of those "not found" entries mean?

q2) Also, I got a response from another forum when they examined my DDS log, and I need to see if you can translate it into how to remove these:

"
The logs look ok apart from these entries.
Code:

O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab

Not sure what ActiveX control is trying to be downloaded.

Code:

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

Norton live update must have gotten screwed.

Code:

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

"


Please help with this.

q3) I know that the Zafi.b might not be there anymore, but there seem to still be traces of things spawned from it. My process list looks strange in the post I showed earlier, things are still a little slow, and there is still a lag in the browser.

Are there supposed to be 3 svchost.exe in the process list?

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)
Hello.
If you are being helped elsewhere, please let me know.
Helpers' time is valuable and shouldn't be wasted.

Please let the other forum know you are being helped elsewhere.

The ActiveX object is harmless.
I don't want to remove that service, it may say missing, but I don't want to stop the live update service.

Empty toolbar objects, harmless also.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Well, I asked around in another forum since a lot of folks were unsure, and that's how I was told about this site; otherwise, I wouldn't have found this geekpolice.net site, and that's why I'm here posting what I've gotten.

Could you inspect the logs shown from the previous apps you mentioned to install and run? Including

========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.

I noticed when I ran the scan, this sys file was infected and quarantined, is that trouble?

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

No, the file isn't active now; it can't cause any more problems.
What problems remain now?

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

I can't tell myself, because I see no more popups, but there is still a slowdown in the processor, as if something funny is happening behind the scenes. From your inspection of the logs that I've been posting here, like the DDS, HijackThis, and OTMoveIt ones, do you see anything at all that might be worth noting?

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)
I can only help by killing some un-needed startup items and cleaning temp files, etc.

If you want us to kill some of the un-needed stuff, let me know.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)
Yes, I would like your help. I don't know how to interpret these logs that you requested to paste in the last few replies.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Okay.
Please post a NEW Hijack This log.
