WiredWX Christian Hobby Weather Tools
win32.Zafi.b Help
I made the mistake of restarting my computer when it started acting up, and from reading the other Zafi.b topics, that was a bad idea. Well, now I've got the fake pop-up (Security Center Alert) and need help getting rid of it.

Thanks,

Here's my HijackThis log:

Last edited by ZEO on 13th January 2009, 8:40 pm; edited 1 time in total

Re: win32.Zafi.b Help
Hello.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O3 - Toolbar: (no name) - {4fcc864f-07ef-4409-95f5-cf62803e7d0e} - (no file)
    O4 - HKLM\..\RunServices: [Real Player Daemon] realplayd.exe
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS2\system32\drivers\svchost.exe
    O20 - Winlogon Notify: Shell - C:\WINDOWS2\system32\icseng.dll (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS2\cvazkzn.exe (file missing)


  • Press "Fix Checked"
  • Close HijackThis.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS2\system32\drivers\svchost.exe
C:\WINDOWS2\system32\realplayd.exe

Folders to delete:
C:\Program Files\Viewpoint


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
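As an added example (not part of this thread, and not code from HijackThis or its author), here is a small Python triage script that applies the same reasoning the fix list above reflects to HijackThis log lines: it flags orphaned entries whose file is missing, services with no publisher, autorun entries that give only a bare filename, and core Windows binary names running from anywhere other than System32. The sample input is the six entries from the fix list; the binary-name list and the heuristics are my assumptions and deliberately do not catch everything (the Viewpoint service, removed above as unwanted software, passes every check).

```python
import re
from pathlib import PureWindowsPath

# Sample input: the six HijackThis entries from the fix list in this thread.
SAMPLE_LINES = [
    r"O3 - Toolbar: (no name) - {4fcc864f-07ef-4409-95f5-cf62803e7d0e} - (no file)",
    r"O4 - HKLM\..\RunServices: [Real Player Daemon] realplayd.exe",
    r"O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS2\system32\drivers\svchost.exe",
    r"O20 - Winlogon Notify: Shell - C:\WINDOWS2\system32\icseng.dll (file missing)",
    r"O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe",
    r"O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS2\cvazkzn.exe (file missing)",
]

# Core Windows binary names malware likes to borrow (assumed list). A genuine copy sits directly
# in %SystemRoot%\system32; only the directory name is compared because this machine uses C:\WINDOWS2.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {"system32", "syswow64"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in .exe/.dll/.sys; non-greedy so spaces in paths survive.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys))\b", re.IGNORECASE)
# For O4 entries the token after the "[name]" bracket is the launch target.
O4_TARGET_RE = re.compile(r"\]\s*(\S+)$")

def analyze_line(line):
    """Return the reasons this HijackThis entry deserves a closer look (empty if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    code, body = m.groups()
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if code == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher information")
    path = PATH_RE.search(body)
    if path:
        p = PureWindowsPath(path.group(1))
        if p.name.lower() in SYSTEM_BINARIES and p.parent.name.lower() not in SYSTEM_DIRS:
            reasons.append("system binary name %s running from %s" % (p.name, p.parent))
    elif code == "O4":
        target = O4_TARGET_RE.search(body)
        if target and "\\" not in target.group(1):
            reasons.append("autorun entry with a bare filename (location not verifiable)")
    return reasons

def analyze_log(lines):
    """Map each flagged line to its reasons; entries that pass every check are omitted."""
    return {line: analyze_line(line) for line in lines if analyze_line(line)}
```

Run `analyze_log(SAMPLE_LINES)` to see five of the six entries flagged with their reasons; a fresh log from a machine with a standard C:\WINDOWS install works the same way.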

Re: win32.Zafi.b Help
Logfile of The Avenger Version 2.0, (c) by Swandog46
*edit*

Last edited by ZEO on 13th January 2009, 8:40 pm; edited 1 time in total

Re: win32.Zafi.b Help
The trojan is still there.

Re: win32.Zafi.b Help
Hello.
Yes, it's okay.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


Re: win32.Zafi.b Help
*edit*

Last edited by ZEO on 13th January 2009, 8:42 pm; edited 1 time in total

Re: win32.Zafi.b Help
Hello.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :processes
    explorer.exe

    :files
    c:\documents and settings\zeo\application data\google\*.*

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "winclock"=-

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: win32.Zafi.b Help
*edit*

Last edited by ZEO on 13th January 2009, 8:43 pm; edited 1 time in total

Re: win32.Zafi.b Help
Hello.
Looks good now, what problems remain?

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.


Re: win32.Zafi.b Help
OK, I'll update that. The trojan is still there though; on the last restart I got the fake pop-up again, and I just got a message saying my Windows Firewall just turned off again. Sounds like it's trying to install itself again.

Re: win32.Zafi.b Help
I deleted my browser cookies just in case, I don't know.

Re: win32.Zafi.b Help
Okay, it could be a LOP infection; I see you have Messenger Plus! 3.

Please download Deljob.exe and save it on your desktop.
Double-click Deljob.exe.

A log, (logit.txt) should open afterwards. This log will be present on your desktop. Please paste the contents of this log file in your next reply.


Re: win32.Zafi.b Help
*edit*

Last edited by ZEO on 13th January 2009, 8:43 pm; edited 1 time in total

Re: win32.Zafi.b Help
If you think MSN Plus might be causing problems I'll delete it.

A couple of things I can think of that might have gone wrong:

When I ran MoveIt I had a lot of pop-up errors saying another program was blocking it.

And it did report an error in the log.

(Sorry for the bad grammar and not remembering; I haven't slept all night.)

Re: win32.Zafi.b Help
Yes, I think it probably is. Delete this folder once you have removed Messenger Plus:
C:\Documents and Settings\All Users.WINDOWS2\Application Data\Messenger Plus!

Also, I have bad news.

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups


Re: win32.Zafi.b Help
Well, it's been quite a few years now. It's time that I reformat anyway. I got a new external hard drive to put my files on.

Is there any way to close that backdoor or find out who's getting that info? I don't do much of any kind of banking on this computer or use a credit card, just game accounts and email passwords.

Or repeat the MoveIt step and shut off the program blocking it?

Oh yeah, and I know what site I visited when I got the trojan: Ragzone.com. I used to trust them. Not anymore. I want to send that guy some hate mail.

But thank you for trying.

Re: win32.Zafi.b Help
Nope, no way of knowing who's stealing the info, but they are.
This is a backdoor that targets game accounts and spreads via user accounts, so format is probably best.


Re: win32.Zafi.b Help
Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!


Have we helped you? Help us! | Doctor by day, ninja by night.
