WiredWX Hobby Weather Tools

Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)


[Solved] Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

This is the first time I've visited this site, and it seems like you are all able to fix this problem, which I was about to give up on and force a reformat, but you might give me hope in resolving this.

I'll organize this since it's long. I went to another forum asking for help since Saturday morning, and they tried to troubleshoot with me all day (literally) using different programs and tools, which didn't work. Here's a summary of what I've done (10 hours later):

---------------------------------------

Post 1:

[screenshot]

I got hit with this yesterday. I don't know how, whether it was through surfing around, but it popped up as a security alert, and when I thought it was the Windows security alert, I clicked on "enable protection" and it popped up a browser that had me try to buy some antivirus software, which I knew was a fake then. I had ESET Antivirus enabled before then, but for some reason it did not catch this virus.

I ran full scan with Malwarebytes Antivirus, and it detected 2 problems, but none of them had the title of win32.zafi.b, they were related to svchost and something else. I rebooted into safe mode and did that full scan again and did a full scan of ESET, which after hours, found nothing.

I tried using HijackThis, but it did not catch anything suspicious when I analyzed the file.

But every time I log in to my normal boot login, it pops up, and when I use any browser like IE 7 or Mozilla, it pops up as well. It now slows anything that I load as an app, and my browsing, even something as simple as opening a saved txt file.

I downloaded PC Spyware Doctor full version and ran a full scan last night. It was able to find some spyware, but not anything related to this virus. After cleaning a few dozen of what it found in the browsers, I rebooted and the same problems are happening again. Take a look at this screenshot:

[screenshot]

I'm currently installing and trying to update Symantec Endpoint Protection, but it seems that the virus has disabled some options or something isn't right. If none of these work, are there manual ways that I can get some help in looking around in the registry or any hidden folders?

Symantec keeps catching things, as you can see from how thin that scroll bar is. It's not taking out the source; something is replicating these files.

---------------------------------------

Post 2:

I'm using another computer I have around the house to reply right now. I was unable to revert back to a system restore point using Windows. I had three listed when I booted in safe mode, from before the time of this incident yesterday and spread throughout the week, but each time I used it, had it shut down, rebooted, and got back to Windows, it kept popping up that the restore was incomplete and could not complete. Is that because of the virus or just how crummy the Windows automated scheduled restore points are?

msconfig caught nothing fishy. I tried peeking through each one. Not to my surprise: if HijackThis didn't catch this, then MSCONFIG wouldn't have found anything on this either.

I even noticed, when I was working in safe mode for some time, that the damn virus was able to get into that mode, but Symantec caught something with a different "name" and removed it.

I've been using Mozilla Firefox 3 over IE 7 for quite some time now, and this hit when I was using Mozilla.

---------------------------------------

Post 3:

[screenshot]

This is frustrating... I'm going to try the rogue remover now.

---------------------------------------

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post 4:

Well, I got back to the infected machine and had to boot back in, because to use the rogue remover you have to update the database, and I can't do that in safe mode. Anyways, I still get this:

[screenshot]

I don't understand why the infection is coming from a source in a quarantine folder. Isn't that contradicting what Symantec's software is supposed to do?

I just tried the rogue remover in safe mode, and it found nothing either.

[screenshot]

Well, this is a stubborn trojan on my machine, and while typing this I got the damn fake security alert window that just popped up on my machine.

Can you suggest the instructions for the manual procedure? I looked something like that up online, but it seems too easy: some blogger suggested looking into the registry key, and his solution found only two things to delete, which I haven't tried yet, but for something that's this annoying, there has to be more than that.

---------------------------------------

Post 5:

Bad, bad news.

Well, first, this in safe mode:

[screenshot]

So SUPERAntiSpyware caught something not relevant to this trojan, so not bad I guess.

[screenshot]

Symantec caught nothing (not surprised).

But I spent time looking around in the registry editor, and could not find those paths for the virus based on what was mentioned.

[screenshot]

I must have the worst luck right now. These paths are supposed to be there, but I don't see them, and I've been in safe mode for most of the day, not wanting to get back to the regular login (using another PC that's not infected to go here).

What's the reason why I might not be able to find those paths to delete those keys?

These _Hazafibb entries don't exist on my machine based on these paths:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

"_Hazafibb"="%system%\.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb

---------------------------------------

Post 6:

I'm so frustrated at how Symantec keeps catching all these temp files and is utilizing 90-100% CPU continuously that I decided to uninstall it. I still have Spyware Doctor and ESET installed.

---------------------------------------

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

AND THIS IS WHERE I AM NOW. STUCK!!

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:35 PM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download Flash with Flash &Grabber - res://C:\PROGRA~1\Flash Grabber\swfgrab.dll/iesave
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171423935984
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_3.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10122 bytes


---------------------------------------

Uninstall List

7-Zip 4.44 beta
Adobe Acrobat 7.1.0 Professional
Adobe Flash Player ActiveX
Adobe Shockwave Player
Advanced WindowsCare Personal
AMD Processor Driver
AOLIcon
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
BUFFALO Power Save Utility for HD
Catalyst Control Center - Branding
CCleaner (remove only)
ClearType Tuning Control Panel Applet
Compatibility Pack for the 2007 Office system
Dell Support Center (Support Software)
Dell Wireless WLAN Card
DivX Converter
DivX Player
DivX Web Player
ESET NOD32 Antivirus
FastStone Photo Resizer 2.5
Flash Grabber 1.0
Folder Size for Windows
FolderSort
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
GPL Ghostscript 8.57
GPL Ghostscript Fonts
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 11
K-Lite Codec Pack 4.0.0 (Standard)
LiveUpdate 3.3 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Malwarebytes' RogueRemover
Media Resizer PRO
mediaRECOVER Pro
MFZ0 codec (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2005
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Modem Helper
Mozilla Firefox (3.0.5)
MSConfig CleanUp 1.2
NetWaiting
NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Expire in 2050)
PDFill PDF Editor with FREE PDF Writer and Tools
PDFill PDF Writer
PowerDVD 5.7
PPTexpert PPTmovie
QuickSet
QuickTime
Real Alternative 1.9.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
SigmaTel Audio
Spyware Doctor 6.0
SUPERAntiSpyware Free Edition
Symantec KB-DocID:2003093015493306
Synaptics Pointing Device Driver
TurboTax ItsDeductible 2006
TVUPlayer 2.3.2.19
Unlocker 1.8.7
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Using the Estimator - Packaged Dev Demos
VDMSound
VeohTV BETA
Video Watermark Factory
Watermark Factory 2
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Service Pack 3

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Hello.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Previous attempts before receiving your reply:

I know how to use the search, and it comes up with no results for that _Hazafibb listed. If I don't have that Win32.Zafi.b, then why did I see it originally pop up on my screen in the screenshot I uploaded in my first post? Is it a mask for some other trojan?

[screenshot]

Interestingly, when I scanned with MalwareBytes again in safe mode overnight, it found a few things, and now that I'm back on my infected machine I don't see that thing pop up anymore, BUT... my computer is still choppy and there's still the same lag in my browser, similar to when that worm was there yesterday. It seems that there are things remaining in my system, but I need help cleaning it out.

[screenshot]

----------------------------------

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

MalwareBytes Log

Malwarebytes' Anti-Malware 1.32
Database version: 1640
Windows 5.1.2600 Service Pack 3

1/11/2009 4:51:33 AM
mbam-log-2009-01-11 (04-51-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 135052
Time elapsed: 3 hour(s), 14 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winclock (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Mike\Application Data\Google\ptnptn.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Google\jxzub5410451.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


-------------------------------------
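An added triage script, not written by any poster in this thread and not part of HijackThis, DDS or MBAM, that applies the checks a helper makes by eye to lines copied from the HijackThis log above and the DDS Pseudo HJT Report below: it flags the Symantec service registered to a missing binary, the ISTray autorun listed twice, the toolbar CLSID with no file behind it, and the LSA Authentication/Notification Packages entries naming DLLs beyond the Windows XP defaults (msv1_0 and scecli). The uRun line for winclock is constructed: the MBAM log names that Run value and two quarantined files but not the value's target, so that path is an assumption.

```python
import re
from collections import Counter

# Constructed sample input. The O4/O23/TB/LSA lines are copied from the
# HijackThis log and DDS Pseudo HJT Report posted in this thread; the
# winclock uRun line is an assumption built from the MBAM log (it names the
# Run value and the two quarantined files, but not the value's target).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [winclock] c:\documents and settings\mike\application data\google\jxzub5410451.exe
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJdDtUK
LSA: Notification Packages = scecli c:\windows\system32\sinehotu.dll
"""

# HijackThis "O4 - HKxx\..\Run: [name] cmd" and DDS "uRun/mRun/dRun: [name] cmd"
RUN_RE = re.compile(r'^(?:O4 - \S+: |[umd]Run: )\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$')
# HijackThis "O23 - Service: display name - owner - image path"
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# Toolbar CLSID still registered although its DLL is gone
NOFILE_RE = re.compile(r'^(?:TB|O3 - Toolbar): .* - No File$')
# DDS "LSA: Authentication|Notification Packages = pkg pkg ..."
LSA_RE = re.compile(r'^LSA: (?P<kind>Authentication|Notification) Packages = (?P<pkgs>.*)$')

# Stock Windows XP values for the two LSA package lists; anything else is
# loaded into lsass.exe at boot and deserves a second look.
LSA_DEFAULTS = {"Authentication": {"msv1_0"}, "Notification": {"scecli"}}

# Directories a limited user can write to; vendors rarely autorun from them.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "%temp%")


def executable_of(cmd):
    """Return the lower-cased program path from a Run command line,
    handling both quoted and unquoted paths that contain spaces."""
    m = re.match(r'\s*"?(?P<exe>.*?\.(?:exe|dll|scr|com|bat))\b', cmd, re.I)
    return (m.group("exe") if m else cmd.strip()).lower()


def triage(log_text):
    """Scan HijackThis/DDS-style lines and return (category, detail) findings."""
    findings = []
    run_entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            run_entries.append((m.group("name"), executable_of(m.group("cmd"))))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # A service whose binary is gone is a leftover of a half-removed
            # product and should be cleaned up rather than left registered.
            if "(file missing)" in m.group("path").lower():
                findings.append(("orphaned-service", m.group("name")))
            continue
        if NOFILE_RE.match(line):
            findings.append(("dangling-toolbar", line))
            continue
        m = LSA_RE.match(line)
        if m:
            kind = m.group("kind")
            for pkg in m.group("pkgs").split():
                if pkg not in LSA_DEFAULTS[kind]:
                    findings.append(("lsa-package", f"{kind}: {pkg}"))
    # The same autorun registered twice under one key is worth a question.
    for (name, _exe), count in Counter(run_entries).items():
        if count > 1:
            findings.append(("duplicate-run", name))
    # Autoruns that launch from a user-writable profile directory.
    for name, exe in run_entries:
        if any(marker in exe for marker in USER_WRITABLE):
            findings.append(("run-from-profile", f"{name} -> {exe}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:17} {detail}")
```

Feed it the whole pasted log instead of SAMPLE_LOG and the unmatched lines (BHO, IE, FF, driver entries) are simply skipped.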

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

DDS Log

DDS (Ver_09-01-07.01) - NTFSx86
Run by Mike at 10:08:18.96 on Sun 01/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.77 [GMT -8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Mike\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uSearch Bar =
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash &Grabber - c:\progra~1\flash grabber\swfgrab.dll/iesave
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: turbotax.com
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJdDtUK
LSA: Notification Packages = scecli c:\windows\system32\sinehotu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\8y4k1ogv.default user\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - component: c:\documents and settings\mike\application data\mozilla\firefox\profiles\8y4k1ogv.default user\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\mike\application data\mozilla\firefox\profiles\8y4k1ogv.default user\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-10 40840]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-10 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-10 81288]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-1-10 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R4 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R4 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [2008-2-28 6144]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-10 356920]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-10 1079176]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [2008-6-24 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\drivers\kwflower.sys --> c:\windows\system32\drivers\kwflower.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-1-27 1251720]

=============== Created Last 30 ================

2009-01-10 12:56 --d----- c:\program files\RogueRemover FREE
2009-01-10 00:57 160,792 a------- c:\windows\system32\drivers\pctfw2.sys
2009-01-10 00:57 --d----- c:\program files\common files\PC Tools
2009-01-10 00:57 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-10 00:57 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-10 00:57 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-10 00:57 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-10 00:57 --d----- c:\program files\Spyware Doctor
2009-01-10 00:57 --d----- c:\docume~1\mike\applic~1\PC Tools
2009-01-10 00:57 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2008-12-12 11:45 0 a------- c:\windows\ativpsrm.bin
2008-12-12 11:37 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-12-12 11:35 --d----- C:\ATI

==================== Find3M ====================

2009-01-04 18:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 18:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-03 10:42 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-01 14:13 3,452,928 a------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 14:13 3,452,928 a------- c:\windows\system32\dllcache\ati2mtag.sys
2008-12-01 12:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 12:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 12:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 12:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 12:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 12:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 12:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 12:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 12:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 12:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 12:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 12:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 12:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 12:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-01 12:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-12-01 11:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 11:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 11:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 11:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 11:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 11:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 11:51 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2008-12-01 11:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 11:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 11:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-11-08 20:23 930,203 a--sh--- c:\windows\system32\KUtDdJlm.ini2
2008-10-30 06:45 180,720 a------- c:\windows\system32\atiicdxx.dat
2008-10-28 14:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 14:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 14:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 14:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 14:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-21 10:51 118,784 a------- c:\windows\system32\atibrtmon.exe
2008-10-15 13:57 1,257,472 a------- c:\windows\system32\kticonv80_1.11.1.dll
2008-10-15 13:57 925,696 a------- c:\windows\system32\ktlibeay80_0.9.8g.dll
2008-10-15 13:57 192,512 a------- c:\windows\system32\ktssleay80_0.9.8g.dll
2008-10-15 13:57 102,400 a------- c:\windows\system32\ktzlib80_1.2.3.dll
2008-10-15 08:34 337,408 a------- c:\windows\system32\dllcache\netapi32.dll
2007-11-12 18:37 60,968 a------- c:\documents and settings\mike\GoToAssistDownloadHelper.exe
2007-10-14 11:52 90 a------- c:\docume~1\mike\applic~1\wklnhst.dat
2008-05-17 14:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051720080518\index.dat

============= FINISH: 10:09:33.42 ===============
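
As an added example (not part of the thread, and not the helper's own method), here is a small Python triage pass over the DDS lines above. It flags the entries a responder would want to identify first: the extra LSA Authentication and Notification packages (the XP defaults are the single entries msv1_0 and scecli, both loaded into lsass.exe at boot), any SecurityProviders DLL outside the assumed XP SP3 default list, a service entry whose driver file DDS could not find (the `path --> path [?]` form), and a system+hidden file sitting directly in system32. The sample lines are copied from this log; the baseline sets are my assumptions and should be compared against a known-clean XP SP3 machine. The script only reports what to look at; it does not judge a file malicious.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example, not from the original thread. SAMPLE_LOG is a constructed excerpt of the
# DDS log posted above; the DEFAULT_* baselines are assumptions about XP SP3 defaults.
SAMPLE_LOG = r"""
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJdDtUK
LSA: Notification Packages = scecli c:\windows\system32\sinehotu.dll
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\drivers\kwflower.sys --> c:\windows\system32\drivers\kwflower.sys [?]
2008-12-01 12:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-11-08 20:23 930,203 a--sh--- c:\windows\system32\KUtDdJlm.ini2
2008-05-17 14:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051720080518\index.dat
"""

DEFAULT_AUTH_PACKAGES = {"msv1_0"}          # assumed XP default
DEFAULT_NOTIFY_PACKAGES = {"scecli"}        # assumed XP default
DEFAULT_SECURITY_PROVIDERS = {              # assumed XP SP3 default list
    "msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll", "credssp.dll",
}
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class Finding:
    category: str
    item: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Scan DDS-style lines for persistence points a cleanup should look at first."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()

        # LSA packages are loaded into lsass.exe at boot; the defaults are one entry each.
        m = re.match(r"LSA: (Authentication|Notification) Packages = (.+)$", line)
        if m:
            kind, entries = m.groups()
            baseline = DEFAULT_AUTH_PACKAGES if kind == "Authentication" else DEFAULT_NOTIFY_PACKAGES
            for entry in entries.split():
                if entry.casefold() not in baseline:
                    findings.append(Finding(f"LSA {kind} Packages", entry,
                                            "not a default package; identify the file"))
            continue

        # SecurityProviders DLLs get loaded into every process that uses SSPI.
        m = re.match(r"SecurityProviders: (.+)$", line)
        if m:
            for dll in (d.strip() for d in m.group(1).split(",")):
                if dll.casefold() not in DEFAULT_SECURITY_PROVIDERS:
                    findings.append(Finding("SecurityProviders", dll,
                                            "not in the assumed XP SP3 default list"))
            continue

        # Service/driver line whose image DDS could not stat: "path --> path [?]".
        parts = line.split(";", 2)
        if re.match(r"[RS]\d ", line) and len(parts) == 3 and parts[2].endswith("[?]"):
            image = parts[2].split(" --> ")[0].strip()
            findings.append(Finding("Service/driver", image,
                                    "registered but file not found: orphaned or hidden"))
            continue

        # File listing "<date> <time> <size> <attrs> <path>"; attrs 's' = system, 'h' = hidden.
        m = re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ (\S+) (.+)$", line)
        if m:
            attrs, path = m.groups()
            p = path.casefold()
            directly_in_system32 = p.startswith(SYSTEM32) and "\\" not in p[len(SYSTEM32):]
            if "s" in attrs and "h" in attrs and directly_in_system32:
                findings.append(Finding("Hidden file", path,
                                        "system+hidden file placed directly in system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.item}: {f.reason}")
```

Run against the excerpt it reports five items: digeste.dll, the two extra LSA entries, the kwflower.sys driver whose file is missing, and KUtDdJlm.ini2; the normal ATI DLL and the IE history index.dat (system+hidden, but deep under systemprofile) are not reported. Each reported item is a file to locate, hash and look up, not a verdict.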

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

I just scanned with Spyware Doctor again and found this. It seems that this is continuous. I don't want to reformat, but at this rate this is going to keep on going. Even though I don't get that Zafi.b security popup anymore, there are "remnants" that seem to still be there, or something else it spawned off, which is slowing down my processor and internet navigation severely.

[screenshot: Spyware Doctor scan results]

Last edited by mike69 on 11th January 2009, 7:58 pm; edited 1 time in total

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

I wanted to see if someone can examine my Windows processes to see if everything is okay. I don't know why svchost is listed three times, but maybe that's the way it is.


[screenshot of the Windows process list: http://img136.imageshack.us/my.php?image=73760303zz8.jpg]

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Hello.
Did Spyware Doctor fix these leftovers?

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Belahzur wrote:
Hello.
Did Spyware Doctor fix these leftovers?


From the screenshot that I gave in my previous reply:

[screenshot: Spyware Doctor scan results, same image as in the previous reply]


It seems to have fixed those, but the reason why I need your help is that I think that, although that little fake security alert popup isn't on my screen anymore, that doesn't mean there aren't still infected traces, or that it didn't spawn other malware that these scanners haven't picked up. That's why I gave those HijackThis and DDS logs. Can you look to see what else I can fix or remove? (By the way, these were all hidden from the registry editor for some reason, as my previous posts show. I don't know why, but I have a feeling there's more.)

I just ran scanfsc in the meantime.

please help spot other things. After all of this is cleaned out, I'll do another system restore.

Also, since Spyware Doctor found Win32 files that were infected, if those are quarantined, does that mean that they're now missing as required system files in the folder? Do I have a hole now?

thanks

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Wait.
DO NOT use system restore, that will restore the infection.

Please download OTMoveIt3 by OldTimer from here:

Code:

http://download.bleepingcomputer.com/oldtimer/OTMoveIt3.exe


  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :processes
    explorer.exe

    :files
    C:\Windows\system32\windrvnt.sys

    :reg
    [-HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT]
    [-HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT]
    [-HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT]

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

It's not letting me highlight the results. It's like it's locked or something.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Ah, it's okay, the report is saved to a .txt file anyway.
Navigate to this folder:
C:\_OTMoveIt

There is a .log file in there with the report; please post that.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Here is the log. I thought it froze, but it was just doing something else.

From the results, C:\Windows\system32\windrvnt.sys was the file that got infected and quarantined when I ran Spyware Doctor, from the post earlier:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_bc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_140958

Files moved on Reboot...
File C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY not found!
C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_bc.dat not found!
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite moved successfully.
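
As an added example (not part of the thread, and not OldTimer's tool), here is a Python cross-check of the OTMoveIt3 run above: it parses the `:files` and `:reg` targets out of the script, parses the result log, and reports what the tool said about each target, then pairs every "scheduled to be deleted on reboot" file with the "Files moved on Reboot" section. SCRIPT and RESULT_LOG are constructed from the two posts above (trimmed, with the hive name copied exactly as it was posted); the regexes match the log phrasing shown on this page and nothing else.

```python
import re

# Added example, not from the thread. SCRIPT and RESULT_LOG are constructed from the
# OTMoveIt3 instructions and the posted log (trimmed); the hive name is copied as posted.
SCRIPT = r"""
:processes
explorer.exe

:files
C:\Windows\system32\windrvnt.sys

:reg
[-HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT]
[-HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT]
[-HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT]

:commands
[emptytemp]
[start explorer]
[reboot]
"""

RESULT_LOG = r"""
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat scheduled to be deleted on reboot.
Temp folders emptied.
Explorer started successfully

Files moved on Reboot...
File C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY not found!
C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat moved successfully.
"""


def parse_script(text):
    """Return {section: [entries]} from an OTMoveIt3-style script (':section' headers)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _norm(s):
    # The log appends '\\' to registry keys; compare case-insensitively without it.
    return s.strip().rstrip("\\").casefold()


def reconcile(script_text, log_text):
    """List (kind, target, outcome) for every :files and :reg target in the script."""
    sections = parse_script(script_text)
    targets = {}
    for path in sections.get("files", []):
        targets[_norm(path)] = ("file", path)
    for entry in sections.get("reg", []):
        m = re.fullmatch(r"\[-(.+)\]", entry)   # "[-KEY]" asks for KEY to be deleted
        if m:
            targets[_norm(m.group(1))] = ("reg", m.group(1))
    patterns = [
        re.compile(r"^File/Folder (.+?) (not found)\.$"),
        re.compile(r"^(.+?) (moved successfully)\.$"),
        re.compile(r"^Registry key (.+?) (deleted successfully|not found)\.$"),
    ]
    outcomes = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        for pat in patterns:
            m = pat.match(line)
            if m:
                if _norm(m.group(1)) in targets:
                    outcomes[_norm(m.group(1))] = m.group(2)
                break
    return [(kind, orig, outcomes.get(key, "no result line"))
            for key, (kind, orig) in targets.items()]


def reboot_followup(log_text):
    """Pair each 'scheduled to be deleted on reboot' file with the reboot section's verdict."""
    scheduled, after, in_reboot = {}, {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Files moved on Reboot"):
            in_reboot = True
            continue
        m = re.match(r"^File delete failed\. (.+?) scheduled to be deleted on reboot\.$", line)
        if m:
            scheduled[_norm(m.group(1))] = m.group(1)
            continue
        if in_reboot:
            m = re.match(r"^(?:File )?(.+?) (moved successfully|not found)[.!]$", line)
            if m:
                after[_norm(m.group(1))] = m.group(2)
    return {orig: after.get(key, "no reboot result") for key, orig in scheduled.items()}


if __name__ == "__main__":
    for kind, target, outcome in reconcile(SCRIPT, RESULT_LOG):
        print(f"{kind:4} {target}: {outcome}")
    for path, outcome in reboot_followup(RESULT_LOG).items():
        print(f"reboot {path}: {outcome}")
```

Reading the output against this log: the .sys "not found" agrees with the poster's note that Spyware Doctor had already quarantined it, and the CurrentControlSet "not found" is expected rather than a failure, because CurrentControlSet is a symbolic link to whichever numbered ControlSet is selected at boot and both numbered keys were deleted earlier in the same run. A target reported as "no result line" would be the one to re-check by hand.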
