Need help with Win32.Zafi.B infection


Solved Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 5:04 pm

Somehow I too am a victim of this infection with the Security Center Alert and whatever is running havoc on the computer. I ran the Symantec fix tool, but it found nothing. I would appreciate your help and advice in removing it and any other invasions or troubles that may be apparent. Thank you. Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:56 AM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system\bak\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\HP_Administrator\Desktop\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRA~1\E-BOOK~1\FLIPVI~1\fplaunch.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] C:\WINDOWS\system\bak\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\system32\BMUpdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE /FU "C:\WINDOWS\TEMP\E_S4532.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CollagesSystray] C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesSysTray.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Spyder3Utility.lnk = C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - [You must be registered and logged in to see this link.] Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Lookup Meaning - [You must be registered and logged in to see this link.] Files\ieSpell\iespell.dll/LOOKUPMEANING.HTM
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Check &Spelling - [You must be registered and logged in to see this link.] Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

dk1photo
Novice

Posts : 17
Joined : 2009-01-07
Gender : Male
OS : Windows XP Media Center Edition Version 2002 - Service Pack 3
Points : 28930
# Likes : 0

Solved Re: Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 5:05 pm

O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - [You must be registered and logged in to see this link.]
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - [You must be registered and logged in to see this link.]
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BA83FD38-CE14-4DA3-BEF5-96050D55F78A} (FViewerLoading Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - [You must be registered and logged in to see this link.]
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Collages Service - Collages.net, Inc. [You must be registered and logged in to see this link.] - C:\Program Files\Collages.net Inc\Collages.net Desktop\CollagesService.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 17378 bytes

dk1photo
Novice

Posts : 17
Joined : 2009-01-07
Gender : Male
OS : Windows XP Media Center Edition Version 2002 - Service Pack 3
Points : 28930
# Likes : 0
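A defender-side way to read a log like the one posted above is to parse the HijackThis section lines and pull out the entries a helper would look at first: a BHO whose DLL is gone, an autorun launched from a profile folder or with a generated-looking file name, a domain in the IE Trusted Zone, and a service with no vendor information. The Python script below is an added example for this thread; it is not a HijackThis or ComboFix tool and not code that dk1photo or Belahzur posted. Its sample input is copied from the log above, except for two lines: the vinclock Run entry, rewritten in O4 form from the HKLM Run key that the ComboFix report later in this thread lists, and the UpdaterSvc line, which is constructed. The function names, the flagged-folder markers and the file-name heuristic are assumptions of this example rather than HijackThis rules, and a hit means "review this", not "this is malware": several legitimate services in the same log (Epson, Photodex) also report an unknown owner.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Line formats handled (HijackThis v2 conventions as seen in the posted log):
#   O2  - BHO: <name> - {CLSID} - <dll path or "(no file)">
#   O4  - <hive>\..\Run: [<value name>] <command line>
#   O15 - Trusted Zone: <domain pattern>
#   O23 - Service: <display name> - <owner> - <image path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumption of this example: profile folders that installers rarely use for
# autoruns but droppers often do (matched case-insensitively inside the command).
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\temp\\")

# Sample lines copied from the HijackThis log in this thread. The vinclock line
# is reconstructed from the ComboFix "Reg Loading Points" HKLM Run entry, and
# the UpdaterSvc line is constructed to exercise the file-name heuristic.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKLM\..\Run: [vinclock] C:\Documents and Settings\HP_Administrator\Application Data\Google\ocboo1892823.exe
O4 - HKLM\..\Run: [UpdaterSvc] C:\WINDOWS\system32\qzt4481920.exe
O15 - Trusted Zone: *.whataboutadog.com
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    name: str      # value name, CLSID, zone pattern or service name
    reason: str    # why a reviewer should look at it
    raw: str       # the original log line


def _image_name(cmd: str) -> str:
    """Lower-cased executable file name from a Run command line, tolerating
    surrounding quotes and trailing arguments."""
    m = re.search(r'([^"]*?\.exe)', cmd, re.IGNORECASE)
    path = m.group(1) if m else cmd
    return path.rsplit("\\", 1)[-1].lower()


def _looks_random(filename: str) -> bool:
    """Heuristic (assumption): letters immediately followed by five or more
    digits, as in ocboo1892823.exe, is typical of generated dropper names."""
    stem = filename.rsplit(".", 1)[0]
    return re.search(r"[a-z]+\d{5,}", stem) is not None


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line deserves manual review, else None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        if m.group("path").strip().lower() == "(no file)":
            return Finding("O2", m.group("clsid"), "BHO registered but its DLL is missing (orphaned entry)", line)
        return None
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        if any(marker in cmd.lower() for marker in USER_WRITABLE_MARKERS):
            return Finding("O4", m.group("name"), "autorun launches from a user-writable profile folder", line)
        if _looks_random(_image_name(cmd)):
            return Finding("O4", m.group("name"), "autorun image has a generated-looking file name", line)
        return None
    m = O15_RE.match(line)
    if m:
        return Finding("O15", m.group("zone"), "domain in the IE Trusted Zone; confirm the user added it deliberately", line)
    m = O23_RE.match(line)
    if m and m.group("owner").strip().lower() == "unknown owner":
        return Finding("O23", m.group("name"), "service has no vendor information; verify the image's signature and origin", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    # Usage: python hjt_triage.py hijackthis.log   (falls back to the sample above)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in triage(text):
        print(f"[{finding.section}] {finding.name}: {finding.reason}")
        print(f"    {finding.raw}")
```

Run against the sample it reports the orphaned BHO, the vinclock and UpdaterSvc autoruns, the Trusted Zone entry and the ProtexisLicensing service, and stays quiet on ctfmon, the Linksys agent and Bonjour. The point of splitting the work into a per-line `triage_line` is that each rule can be tested on one log line, which is how you would tune the heuristics against false positives before trusting the output on a real log.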

Solved Re: Need help with Win32.Zafi.B infection

Post by Belahzur on 7th January 2009, 5:10 pm

Hello.

  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

Solved Re: Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 5:54 pm

I downloaded and ran ComboFix. I left the computer while it was running and upon return I have a blank screen with a message in the upper left corner "ssing operatin system". I assume it says missing operating system. Now what?

dk1photo
Novice

Posts : 17
Joined : 2009-01-07
Gender : Male
OS : Windows XP Media Center Edition Version 2002 - Service Pack 3
Points : 28930
# Likes : 0

Solved Re: Need help with Win32.Zafi.B infection

Post by Belahzur on 7th January 2009, 6:46 pm

Are you able to load windows normally?


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

Solved Re: Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 6:55 pm

I have not tried anything. I assumed ComboFix rebooted my computer and that message is at the top. Should I attempt to turn the computer off and back on?

dk1photo
Novice

Posts : 17
Joined : 2009-01-07
Gender : Male
OS : Windows XP Media Center Edition Version 2002 - Service Pack 3
Points : 28930
# Likes : 0

Solved Re: Need help with Win32.Zafi.B infection

Post by Belahzur on 7th January 2009, 6:59 pm

Yes, let me know if you can't boot.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

Solved Re: Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 7:34 pm

I turned the computer off and then back on. Windows loaded and ComboFix came up to prepare the log report. Here is the report.

ComboFix 09-01-07.01 - HP_Administrator 2009-01-07 12:32:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2935.2318 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Application Data\Google\ocboo1892823.exe
c:\documents and settings\HP_Administrator\Application Data\Google\sysspc.dll
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\wpcap.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-06 22:21 . 2009-01-06 22:21 d--hs---- C:\found.000
2008-12-29 09:44 . 2008-12-29 09:44 268 --ah----- C:\sqmdata00.sqm
2008-12-29 09:44 . 2008-12-29 09:44 244 --ah----- C:\sqmnoopt00.sqm
2008-12-12 20:29 . 2008-12-12 20:29 d-------- c:\documents and settings\HP_Administrator\.NeoProPics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 19:03 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-07 06:33 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-07 00:06 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-07 00:06 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-07 00:06 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-07 00:06 --------- d-----w c:\program files\Symantec
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Microsoft Web Folders
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\IcoFX
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Corel
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\ArcSoft
2009-01-05 20:43 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-05 20:43 --------- d-----w c:\program files\Star Defender 4
2009-01-05 17:26 --------- d-----w c:\program files\MemadorPro
2009-01-04 07:46 --------- d-----w c:\program files\EPSON Print CD
2008-12-29 06:22 --------- d-----w c:\program files\Norton SystemWorks Basic Edition
2008-12-28 02:08 --------- d-----w c:\program files\OrderPicture
2008-12-19 20:36 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Photodex
2008-12-15 18:04 60,744 ----a-w c:\documents and settings\HP_Administrator\g2mdlhlpx.exe
2008-11-28 22:36 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-27 19:41 --------- d-----w c:\program files\iTunes
2008-11-27 19:41 --------- d-----w c:\program files\iPod
2008-11-27 19:41 --------- d-----w c:\program files\Common Files\Apple
2008-11-27 19:41 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-27 19:35 --------- d-----w c:\program files\QuickTime
2008-11-07 19:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-09 12:21 173,568 ----a-w c:\program files\KB41683.exe
2007-05-08 00:06 27,378 ----a-w c:\program files\Adobe Bridge Cache.bc
2006-06-04 12:43 58 ----a-w c:\program files\Adobe Bridge Cache.bct
2005-12-23 01:32 251 ----a-w c:\program files\wt3d.ini
2005-07-08 05:55 312 ---ha-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2005-07-21 19:53 22 --sha-w c:\windows\SMINST\HPCD.sys
2008-09-08 04:05 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080909\index.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 253,952 2004-10-14 14:54:32 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe

----a-w 61,440 2003-02-11 12:02:48 c:\hp\KBD\bak\KBD.EXE

----a-w 40,048 2007-05-11 07:06:32 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 331,848 2003-08-18 05:00:00 c:\program files\Common Files\Sonic\Update Manager\bak\SFCWALL31.DLL
----a-w 331,848 2003-08-18 05:00:00 c:\program files\Common Files\Sonic\Update Manager\sfcwall31.dll

----a-w 110,592 2003-08-19 05:01:00 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 159,744 2003-08-18 05:00:00 c:\program files\Common Files\Sonic\Update Manager\bak\SUS.DLL
----a-w 159,744 2003-08-18 05:00:00 c:\program files\Common Files\Sonic\Update Manager\sus.dll

----a-w 61,440 2003-01-30 05:00:00 c:\program files\Common Files\Sonic\Update Manager\bak\VXHTTP.DLL
----a-w 61,440 2003-01-30 05:00:00 c:\program files\Common Files\Sonic\Update Manager\vxhttp.dll

----a-w 58,984 2007-01-09 22:32:02 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 51,048 2008-10-17 19:52:10 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

----a-w 49,152 2004-06-07 11:53:26 c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe

----a-w 267,064 2007-09-07 20:55:08 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 290,088 2008-11-20 18:20:54 c:\program files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-07-12 08:00:36 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

----a-w 132,248 2004-09-10 02:12:00 c:\program files\Norton SystemWorks\bak\cfgwiz.exe

----a-w 229,376 2006-09-11 15:50:38 c:\program files\Phase One\Capture One PRO\bak\DCIMImp.exe

----a-w 286,720 2007-06-29 10:24:52 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-11-04 15:30:50 c:\program files\QuickTime\QTTask.exe

----a-w 40,960 2001-08-10 14:50:38 c:\program files\ScanSoft\PaperPort\bak\PPWebCap.exe
----a-w 40,960 2001-08-10 14:50:38 c:\program files\ScanSoft\PaperPort\PPWEBCAP.EXE

----a-w 100,056 2007-05-04 20:44:12 c:\program files\SymNetDrv\bak\SNDMon.exe

----a-w 86,016 2001-10-30 11:09:10 c:\program files\Visioneer OneTouch\bak\ONETOU~2.EXE

----a-w 204,288 2006-10-19 01:05:26 c:\program files\Windows Media Player\bak\WMPNSCFG.exe

----a-w 64,512 2005-08-05 18:56:34 c:\windows\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-05 18:56:34 c:\windows\ehome\ehtray.exe

----a-w 233,472 2004-04-14 13:43:46 c:\windows\SMINST\bak\RECGUARD.EXE

----a-w 186 2009-01-07 19:05:16 c:\windows\system\bak\hpsysdrv.DAT
----a-w 186 2007-10-07 16:57:50 c:\windows\system\hpsysdrv.DAT

----a-w 52,736 1998-05-07 09:04:38 c:\windows\system\bak\hpsysdrv.exe

----a-w 15,360 2004-08-10 04:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 00:12:16 c:\windows\system32\ctfmon.exe

----a-w 126,976 2004-12-01 10:55:30 c:\windows\system32\bak\hkcmd.exe

----a-w 659,456 2004-06-07 11:42:30 c:\windows\system32\bak\hphmon06.exe

----a-w 90,112 2004-10-25 14:17:56 c:\windows\system32\bak\ps2.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2001-08-10 40960]
"BMUpdate"="c:\windows\system32\BMUpdate.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"EPSON Stylus Photo R280 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]
"CollagesSystray"="c:\program files\Collages.net Inc\Collages.net" [N/A]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-07 1830128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpsysdrv"="c:\windows\system\bak\hpsysdrv.exe" [1998-05-07 52736]
"OneTouch Monitor"="c:\progra~1\VISION~1\ONETOU~2.EXE" [2001-10-30 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"NSWosCheck"="c:\program files\Norton SystemWorks Basic Edition\osCheck.exe" [2007-09-18 25472]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-02-07 718704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"vinclock"="c:\documents and settings\HP_Administrator\Application Data\Google\ocboo1892823.exe" [N/A]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CollagesSystray"="c:\program files\Collages.net Inc\Collages.net" [N/A]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-04 113664]
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2005-02-02 536576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Spyder3Utility.lnk - c:\program files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe [2007-11-06 6306019]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-10-28 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-07 01:33 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ProfileReminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ProfileReminder.lnk
backup=c:\windows\pss\ProfileReminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Check for OneTouch Updates.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Check for OneTouch Updates.lnk
backup=c:\windows\pss\Check for OneTouch Updates.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-10-17 14:52 51048 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CollagesSystray]
c:\program files\Collages.net Inc\Collages.net [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

dk1photo
Novice
Posts: 17
Joined: 2009-01-07
Gender: Male
OS: Windows XP Media Center Edition Version 2002 - Service Pack 3
Points: 28930
Likes: 0

Solved Re: Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 7:35 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ScanSoft\\PaperPort\\Config\\Ereg\\ITP32.EXE"=
"c:\\Documents and Settings\\HP_Administrator\\Desktop\\NeoFtp-dalekincaid.exe"=
"c:\\Program Files\\OrderPicture\\orderpicture.exe"=
"c:\\Program Files\\OrderPicture\\ImageManager.exe"=
"c:\\Program Files\\OrderPicture\\ProcessandUpload.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Collages.net Inc\\Collages.net Desktop\\CollagesSysTray.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-06 99376]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R4 Collages Service;Collages Service;c:\program files\Collages.net Inc\Collages.net Desktop\CollagesService.exe [2008-07-01 45056]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-01-25 149352]
R4 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~1\NORTON~1\NPROTECT.EXE [2005-11-03 95832]
R4 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\drivers\p1c1394.sys [2008-06-16 23552]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2003-02-17 44344]
S3 Spyder3;Datacolor Spyder3;c:\windows\system32\drivers\Spyder3.sys [2007-11-06 12288]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AUTOMATIC_LIVEUPDATE_SCHEDULER

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64b1b2c8-b6cf-11dc-aca9-0011d8f60a79}]
\Shell\AutoRun\command - M:\Connect.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f92ac5ae-b471-11dc-aca8-0011d8f60a79}]
\Shell\AutoRun\command - M:\Connect.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-07 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 09:05]

2009-01-05 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks Basic Edition\OBC.exe [2007-09-18 07:22]

2009-01-07 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Lookup Meaning - c:\program files\ieSpell\iespell.dll/LOOKUPMEANING.HTM
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.whataboutadog.com

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\httpfv.ini - c:\windows\Downloaded Program Files\httpfv.exe
O16 -: {BA83FD38-CE14-4DA3-BEF5-96050D55F78A}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\httpfv.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-07 14:06:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ASTSRV.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PSIService.exe
c:\program files\Photodex\ProShowProducer\scsiaccess.exe
c:\progra~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WksCal.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-01-07 14:23:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 19:23:04

Pre-Run: 102,033,195,008 bytes free
Post-Run: 102,666,416,128 bytes free

288 --- E O F --- 2008-12-18 18:59:38


Solved Re: Need help with Win32.Zafi.B infection

Post by Belahzur on 7th January 2009, 8:24 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

AWF::
c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
c:\hp\KBD\bak\KBD.EXE
c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
c:\program files\Common Files\Sonic\Update Manager\bak\SFCWALL31.DLL
c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
c:\program files\Common Files\Sonic\Update Manager\bak\SUS.DLL
c:\program files\Common Files\Sonic\Update Manager\bak\VXHTTP.DLL
c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
c:\program files\Norton SystemWorks\bak\cfgwiz.exe
c:\program files\Phase One\Capture One PRO\bak\DCIMImp.exe
c:\program files\QuickTime\bak\qttask.exe
c:\program files\ScanSoft\PaperPort\bak\PPWebCap.exe
c:\program files\SymNetDrv\bak\SNDMon.exe
c:\program files\Visioneer OneTouch\bak\ONETOU~2.EXE
c:\program files\Windows Media Player\bak\WMPNSCFG.exe
c:\windows\ehome\bak\ehtray.exe
c:\windows\SMINST\bak\RECGUARD.EXE
c:\windows\system\bak\hpsysdrv.DAT
c:\windows\system\bak\hpsysdrv.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\bak\hkcmd.exe
c:\windows\system32\bak\hphmon06.exe
c:\windows\system32\bak\ps2.exe

File::
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm

Folder::
C:\found.000

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64b1b2c8-b6cf-11dc-aca9-0011d8f60a79}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f92ac5ae-b471-11dc-aca8-0011d8f60a79}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1

Solved Re: Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 8:44 pm

I followed the process you described. Combofix ran and went to reboot. The same thing happened as before. I get the boot screen and then it goes black with a message at the top "ssing operating system", which I assume says missing operating system. I turned off the computer and back on again twice with the same result. Uggh..


Solved Re: Need help with Win32.Zafi.B infection

Post by Belahzur on 7th January 2009, 8:47 pm

So it won't boot back to windows this time?





Solved Re: Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 8:48 pm

That is correct.


Solved Re: Need help with Win32.Zafi.B infection

Post by Belahzur on 7th January 2009, 9:23 pm

Okay, reboot your machine and after the beep, start tapping F12, this will bring up an advanced menu list. Are you able to do a last known good configuration?





Solved Re: Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 9:52 pm

F12 did not prompt any action. I don't recall hearing a beep either. But F8 did work to open a boot menu. Hope that was ok to do. I selected "last known good configuration" and that worked to load Windows. Combofix returned to prepare a log report. Here is the resulting log.

ComboFix 09-01-07.01 - HP_Administrator 2009-01-07 15:33:51.2 - NTFSx86

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\found.000
c:\found.000\dir0000.chk\Setup.ilg
c:\found.000\dir0000.chk\setup.inx
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm

.
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-07 15:33 . 2009-01-07 15:33 d-------- c:\windows\LastGood
2009-01-07 15:33 . 2004-08-09 23:00 15,360 --a------ c:\windows\system32\OLDC.tmp
2009-01-07 15:33 . 2004-08-09 23:00 15,360 --a------ c:\windows\system32\ctfmon.exe
2008-12-12 20:29 . 2008-12-12 20:29 d-------- c:\documents and settings\HP_Administrator\.NeoProPics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 21:33 --------- d-----w c:\program files\QuickTime
2009-01-07 21:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-07 20:33 --------- d-----w c:\program files\Visioneer OneTouch
2009-01-07 20:33 --------- d-----w c:\program files\SymNetDrv
2009-01-07 20:33 --------- d-----w c:\program files\Norton SystemWorks
2009-01-07 20:33 --------- d-----w c:\program files\iTunes
2009-01-07 06:33 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-07 00:06 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-07 00:06 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-07 00:06 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-07 00:06 --------- d-----w c:\program files\Symantec
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Microsoft Web Folders
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\IcoFX
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Corel
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\ArcSoft
2009-01-05 20:43 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-05 20:43 --------- d-----w c:\program files\Star Defender 4
2009-01-05 17:26 --------- d-----w c:\program files\MemadorPro
2009-01-04 07:46 --------- d-----w c:\program files\EPSON Print CD
2008-12-29 06:22 --------- d-----w c:\program files\Norton SystemWorks Basic Edition
2008-12-28 02:08 --------- d-----w c:\program files\OrderPicture
2008-12-19 20:36 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Photodex
2008-12-15 18:04 60,744 ----a-w c:\documents and settings\HP_Administrator\g2mdlhlpx.exe
2008-11-28 22:36 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-27 19:41 --------- d-----w c:\program files\iPod
2008-11-27 19:41 --------- d-----w c:\program files\Common Files\Apple
2008-11-27 19:41 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-07 19:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-09 12:21 173,568 ----a-w c:\program files\KB41683.exe
2007-05-08 00:06 27,378 ----a-w c:\program files\Adobe Bridge Cache.bc
2006-06-04 12:43 58 ----a-w c:\program files\Adobe Bridge Cache.bct
2005-12-23 01:32 251 ----a-w c:\program files\wt3d.ini
2005-07-08 05:55 312 ---ha-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2005-07-21 19:53 22 --sha-w c:\windows\SMINST\HPCD.sys
2008-09-08 04:05 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080909\index.dat
.

------- Sigcheck -------

2004-08-09 23:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2004-08-09 23:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-04-14 13:43:46 233,472 ----a-w c:\windows\SMINST\RECGUARD.EXE
+ 1998-05-07 09:04:38 52,736 ----a-w c:\windows\system\hpsysdrv.exe
+ 2004-12-01 10:55:30 126,976 ----a-w c:\windows\system32\hkcmd.exe
+ 2004-06-07 11:42:30 659,456 ----a-w c:\windows\system32\hphmon06.exe
+ 2004-10-25 14:17:56 90,112 ----a-w c:\windows\system32\ps2.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2001-08-10 40960]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"EPSON Stylus Photo R280 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-07 1830128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"OneTouch Monitor"="c:\progra~1\VISION~1\ONETOU~2.EXE" [2001-10-30 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"NSWosCheck"="c:\program files\Norton SystemWorks Basic Edition\osCheck.exe" [2007-09-18 25472]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-02-07 718704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 58984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-07 267064]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 c:\windows\ALCWZRD.EXE]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-04 113664]
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2005-02-02 536576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Spyder3Utility.lnk - c:\program files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe [2007-11-06 6306019]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-10-28 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-07 01:33 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll


Solved Re: Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 9:53 pm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ProfileReminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ProfileReminder.lnk
backup=c:\windows\pss\ProfileReminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Check for OneTouch Updates.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Check for OneTouch Updates.lnk
backup=c:\windows\pss\Check for OneTouch Updates.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-09 17:32 58984 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ScanSoft\\PaperPort\\Config\\Ereg\\ITP32.EXE"=
"c:\\Documents and Settings\\HP_Administrator\\Desktop\\NeoFtp-dalekincaid.exe"=
"c:\\Program Files\\OrderPicture\\orderpicture.exe"=
"c:\\Program Files\\OrderPicture\\ImageManager.exe"=
"c:\\Program Files\\OrderPicture\\ProcessandUpload.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Collages.net Inc\\Collages.net Desktop\\CollagesSysTray.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-06 99376]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-01-25 149352]
R4 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~1\NORTON~1\NPROTECT.EXE [2005-11-03 95832]
R4 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\drivers\p1c1394.sys [2008-06-16 23552]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2003-02-17 44344]
S3 Spyder3;Datacolor Spyder3;c:\windows\system32\drivers\Spyder3.sys [2007-11-06 12288]
S4 Collages Service;Collages Service;c:\program files\Collages.net Inc\Collages.net Desktop\CollagesService.exe [2008-07-01 45056]
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-07 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 09:05]

2009-01-05 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks Basic Edition\OBC.exe [2007-09-18 07:22]

2009-01-07 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BMUpdate - c:\windows\system32\BMUpdate.exe
HKCU-Run-CollagesSystray - c:\program files\Collages.net Inc\Collages.net
HKLM-Run-hpsysdrv - c:\windows\system\bak\hpsysdrv.exe
HKLM-Run-vinclock - c:\documents and settings\HP_Administrator\Application Data\Google\ocboo1892823.exe
HKU-Default-Run-CollagesSystray - c:\program files\Collages.net Inc\Collages.net
MSConfigStartUp-CollagesSystray - c:\program files\Collages.net Inc\Collages.net


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Lookup Meaning - c:\program files\ieSpell\iespell.dll/LOOKUPMEANING.HTM
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\httpfv.ini - c:\windows\Downloaded Program Files\httpfv.exe
O16 -: {BA83FD38-CE14-4DA3-BEF5-96050D55F78A}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\httpfv.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-07 16:33:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ASTSRV.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PSIService.exe
c:\program files\Photodex\ProShowProducer\scsiaccess.exe
c:\progra~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-01-07 16:47:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 21:47:19
ComboFix2.txt 2009-01-07 19:23:11

Pre-Run: 102,802,120,704 bytes free
Post-Run: 102,531,829,760 bytes free

252 --- E O F --- 2008-12-18 18:59:38

dk1photo
Novice
Novice

Posts Posts : 17
Joined Joined : 2009-01-07
Gender Gender : Male
OS OS : Windows XP Media Center Edition Version 2002 - Service Pack 3
Points Points : 28930
# Likes # Likes : 0


Solved Re: Need help with Win32.Zafi.B infection

Post by Belahzur on 7th January 2009, 9:56 pm

I think we can say this is a wrap now.
What problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1


Solved Re: Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 10:30 pm

Thank you. There don't seem to be any problems related to the infection I had. The only thing is my Norton SystemWorks and Antivirus will not work. I get a popup message titled "ccApp.exe - Unable to locate component":
"This application has failed to start because ccL30.dll was not found."


Solved Re: Need help with Win32.Zafi.B infection

Post by Belahzur on 7th January 2009, 10:35 pm

You may need to uninstall it and then re-install it; that's probably the only way of replacing a missing DLL.



Solved Re: Need help with Win32.Zafi.B infection

Post by dk1photo on 7th January 2009, 10:38 pm

Ok. I'll give that a go. Thanks so much for all your help. I'll let you know if any problems arise as I start using the computer more.


Solved Re: Need help with Win32.Zafi.B infection

Post by Doctor Inferno on 2nd March 2009, 9:56 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104630
# Likes # Likes : 0
