Need to rid of trogan worm Win32.Zafi.B

View previous topic View next topic Go down

Solved Need to rid of trogan worm Win32.Zafi.B

Post by Emilio on Thu Jan 08, 2009 2:08 pm

Hi,
I've recently encountered the Win32.Zafi.B trojan on my PC. It has disabled my IE on one user id completely, and partially on another. When I click on the IE icon, I receive a message from "Security Center Alert", who prompts me to "Enable Protection", which means it wants me to purchase "Perfect Defender 2009". I already own a couple of freeware Anti Spyware and Virus software pkgs, like "Super Anti Spyware Free Edition", as well as "Intelinet" which I've paid for. None of my present software removes this trojan worm. I need help. Please review my hijackthis log and advise. Thanks ahead of time,
Sincerely,
Emilio

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:48 AM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intelinet\intelin2.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Emilio Negron Jr\Application Data\Google\ocboo1892823.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Intelinet\Intelinet.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [eligmini] C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe 0
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vinclock] "C:\Documents and Settings\Emilio Negron Jr\Application Data\Google\ocboo1892823.exe" 2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Intelinet] C:\Program Files\Intelinet\Intelinet.exe
O4 - HKUS\S-1-5-21-3891594488-3343779507-1145884457-1006\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe (User 'Emilio Negron Jr')
O4 - HKUS\S-1-5-21-3891594488-3343779507-1145884457-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Emilio Negron Jr')
O4 - HKUS\S-1-5-21-3891594488-3343779507-1145884457-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Emilio Negron Jr')
O4 - HKUS\S-1-5-21-3891594488-3343779507-1145884457-1006\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Emilio Negron Jr')
O4 - HKUS\S-1-5-21-3891594488-3343779507-1145884457-1006\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (User 'Emilio Negron Jr')
O4 - HKUS\S-1-5-21-3891594488-3343779507-1145884457-1006\..\Run: [Intelinet] C:\Program Files\Intelinet\Intelinet.exe (User 'Emilio Negron Jr')
O4 - S-1-5-21-3891594488-3343779507-1145884457-1006 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Emilio Negron Jr')
O4 - S-1-5-21-3891594488-3343779507-1145884457-1006 User Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Emilio Negron Jr')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - [You must be registered and logged in to see this link.]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IntelinetSecure - Unknown owner - C:\Program Files\Intelinet\intelin2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12716 bytes

Emilio
Novice
Novice

Status :
Online
Offline

Posts : 7
Joined : 2009-01-08
Gender : Male
OS : XP

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Belahzur on Thu Jan 08, 2009 5:07 pm


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [vinclock] "C:\Documents and Settings\Emilio Negron Jr\Application Data\Google\ocboo1892823.exe" 2


  • Press "Fix Checked"
  • Close Hijack This.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :processes
    explorer.exe

    :files
    C:\Documents and Settings\Emilio Negron Jr\Application Data\Google\ocboo1892823.exe

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Emilio on Thu Jan 08, 2009 8:47 pm

Currently working my 9 to 5. I'll try this ASAP tonight and post my OTMoveIt.log.
A Million Thanks for the quick response!!

Emilio
Novice
Novice

Status :
Online
Offline

Posts : 7
Joined : 2009-01-08
Gender : Male
OS : XP

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Emilio on Thu Jan 08, 2009 11:28 pm

Hi,

I followed your steps, and all seems to be fine. The only thing I noticed stiill flakey was that on startup, the install wizard trys to install fax software, and prompts me for the install disk. I just exit from the popup, and it tries one more time before giving up. Maybe I can get rid of this small problem with my "Intelint" malware SW. Anyway, Thanks for your help. Here is the logfile you requested:

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
========== FILES ==========
C:\Documents and Settings\Emilio Negron Jr\Application Data\Google\ocboo1892823.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ANDREN~1\LOCALS~1\Temp\IadHide5.dll scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3f0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01082009_175428

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\DOCUME~1\ANDREN~1\LOCALS~1\Temp\IadHide5.dll
C:\DOCUME~1\ANDREN~1\LOCALS~1\Temp\IadHide5.dll NOT unregistered.
C:\DOCUME~1\ANDREN~1\LOCALS~1\Temp\IadHide5.dll moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_3f0.dat not found!

Thanks again sincerely,
Emilio

Emilio
Novice
Novice

Status :
Online
Offline

Posts : 7
Joined : 2009-01-08
Gender : Male
OS : XP

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Belahzur on Thu Jan 08, 2009 11:34 pm

We'll focus on the startup faxer problem soon, lets make sure all is well. We'll use MBAM, then DDS.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Emilio on Fri Jan 09, 2009 1:57 am

You were right-on again!

Malwarebytes' Anti-Malware 1.32
Database version: 1632
Windows 5.1.2600 Service Pack 3

1/8/2009 8:56:55 PM
mbam-log-2009-01-08 (20-56-55).txt

Scan type: Quick Scan
Objects scanned: 68105
Time elapsed: 9 minute(s), 4 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 9
Registry Keys Infected: 16
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 39

Memory Processes Infected:
C:\Program Files\Intelinet\intelin2.exe (Rogue.Intelinet) -> Unloaded process successfully.
C:\Program Files\Intelinet\Intelinet.exe (Rogue.Intelinet) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Intelinet\BCKManager.dll (Rogue.Intelinet) -> Delete on reboot.
C:\Program Files\Intelinet\CheckRegistry.dll (Rogue.Intelinet) -> Delete on reboot.
C:\Program Files\Intelinet\ListLogs.dll (Rogue.Intelinet) -> Delete on reboot.
C:\Program Files\Intelinet\ManageRegistry.dll (Rogue.Intelinet) -> Delete on reboot.
C:\Program Files\Intelinet\MFC71.dll (Rogue.Intelinet) -> Delete on reboot.
C:\Program Files\Intelinet\msvcp71.dll (Rogue.Intelinet) -> Delete on reboot.
C:\Program Files\Intelinet\msvcr71.dll (Rogue.Intelinet) -> Delete on reboot.
C:\Program Files\Intelinet\SpywareGuard.dll (Rogue.Intelinet) -> Delete on reboot.
C:\Program Files\Intelinet\Spywarehandler.dll (Rogue.Intelinet) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\intelinetsecure (Rogue.Intelinet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\intelinetsecure (Rogue.Intelinet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelinetsecure (Rogue.Intelinet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7adf7c1-14fb-4110-b2df-187884cac12a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Intelinet_is1 (Rogue.Intelinet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Intelinet (Rogue.Intelinet) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intelinet (Rogue.Intelinet) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Intelinet (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Backup (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Database (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Logs (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Intelinet (Rogue.Intelinet) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Intelinet\intelin2.exe (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\BCKManager.dll (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\CheckRegistry.dll (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\hashes.md5 (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Intelinet.exe (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\ListLogs.dll (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\ManageRegistry.dll (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\MFC71.dll (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\msvcp71.dll (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\msvcr71.dll (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\SpywareGuard.dll (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Spywarehandler.dll (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\unins000.dat (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\unins000.exe (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Backup\{13A9AC86-92BD-4EB3-B3B5-A7772F3D5917}.rbk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Backup\{16AEE5F7-6352-4CE5-8801-3C4C9EAA3C9A}.rbk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Backup\{2F6C1C89-F463-4120-B353-638C778A53B8}.rbk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Backup\{409B6D79-F13E-49C7-9CF8-5E88043C1681}.rbk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Backup\{7036C0AC-5BB2-45BA-8CD2-0716BB8A7322}.rbk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Backup\{D4CE115A-9266-40EB-9BEC-83D858F8A618}.rbk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Backup\{DF6D9219-4723-4264-A46D-F520ACA5C5D8}.rbk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Database\Immunizer.db (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Database\Spyware.db (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Logs\2009_01_08.log (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Intelinet\Intelinet.lnk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Intelinet\Uninstall Intelinet.lnk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regedit.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmd.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ping.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netstat.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tasklist.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tracert.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emilio Negron Jr\Desktop\Intelinet.lnk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andre Negron\Desktop\Intelinet.lnk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emilio Negron Jr\Application Data\Microsoft\Internet Explorer\Quick Launch\Intelinet.lnk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andre Negron\Application Data\Microsoft\Internet Explorer\Quick Launch\Intelinet.lnk (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emilio Negron Jr\Application Data\Google\sysspc.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Emilio
Novice
Novice

Status :
Online
Offline

Posts : 7
Joined : 2009-01-08
Gender : Male
OS : XP

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Belahzur on Fri Jan 09, 2009 1:58 am

Okay, lets have a look around.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Emilio on Fri Jan 09, 2009 2:10 am

DDS:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Emilio Negron Jr at 21:05:22.76 on Thu 01/08/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.534 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Emilio Negron Jr\Local Settings\Temporary Internet Files\Content.IE5\P3X5H0L6\dds[1].com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [eligmini] c:\program files\fisher-price\easy-link internet launch pad\Easy-Link internet launch pad.exe 0
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\emilio~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~2.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [2005-9-16 19478]
R0 SSI;SSI;c:\windows\system32\drivers\ssi.sys [2006-7-2 78336]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-2-16 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2006-6-9 55024]
R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [2005-9-16 635017]
R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [2005-9-16 431236]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-10-3 9433]
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [2008-3-8 747392]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-29 24652]
S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [2005-9-16 64093]
S3 RmAx;RMAXUSB;c:\windows\system32\drivers\RmAx.sys [2008-11-7 40502]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S4 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-10-3 115008]

=============== Created Last 30 ================

2009-01-08 20:38 --d----- c:\docume~1\emilio~1\applic~1\Malwarebytes
2009-01-08 20:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-08 20:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 20:38 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 20:38 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-08 17:54 --d----- C:\_OTMoveIt
2009-01-08 08:11 29,134 -------- c:\windows\hpoins03.dat.temp
2009-01-08 08:11 38,867 -------- c:\windows\hpomdl03.dat.temp
2009-01-08 07:57 --d----- c:\docume~1\emilio~1\applic~1\Windows Search
2009-01-08 04:54 0 a------- C:\proc.id
2009-01-08 04:54 0 a------- C:\asdasd.asdasd
2009-01-07 23:07 0 a------- C:\~GLHTTP1.TMP
2009-01-07 22:58 --d----- c:\windows\system32\GroupPolicy
2009-01-07 22:56 192,000 -------- c:\windows\system32\dllcache\offfilt.dll
2009-01-07 22:56 98,304 -------- c:\windows\system32\dllcache\nlhtml.dll
2009-01-07 22:56 29,696 -------- c:\windows\system32\dllcache\mimefilt.dll
2008-12-29 19:58 --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-12-29 19:58 --d----- c:\program files\AIM6

==================== Find3M ====================

2009-01-08 21:00 0 a------- c:\windows\system32\drivers\lvuvc.hs
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-09 08:40 77,915 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-09 08:25 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-20 22:38 1,890 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-07-12 06:59 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-01-04 17:52 92,064 a------- c:\documents and settings\emilio negron jr\mqdmmdm.sys
2007-01-04 17:52 79,328 a------- c:\documents and settings\emilio negron jr\mqdmserd.sys
2007-01-04 17:52 66,656 a------- c:\documents and settings\emilio negron jr\mqdmbus.sys
2007-01-04 17:52 25,600 a------- c:\documents and settings\emilio negron jr\usbsermptxp.sys
2007-01-04 17:52 22,768 a------- c:\documents and settings\emilio negron jr\usbsermpt.sys
2007-01-04 17:52 9,232 a------- c:\documents and settings\emilio negron jr\mqdmmdfl.sys
2007-01-04 17:52 6,208 a------- c:\documents and settings\emilio negron jr\mqdmcmnt.sys
2007-01-04 17:52 5,936 a------- c:\documents and settings\emilio negron jr\mqdmwhnt.sys
2007-01-04 17:52 4,048 a------- c:\documents and settings\emilio negron jr\mqdmcr.sys
2006-07-01 12:23 0 ---sh--- c:\windows\system32\taskkill.com

============= FINISH: 21:05:58.26 ===============

Emilio
Novice
Novice

Status :
Online
Offline

Posts : 7
Joined : 2009-01-08
Gender : Male
OS : XP

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Belahzur on Fri Jan 09, 2009 2:16 am

Hello.
Were gonna use OTMoveIt to remove these leftovers.


  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :processes
    explorer.exe

    :files
    c:\windows\hpoins03.dat.temp
    c:\windows\hpomdl03.dat.temp
    C:\proc.id
    C:\asdasd.asdasd
    C:\~GLHTTP1.TMP
    c:\windows\system32\drivers\lvuvc.hs
    c:\windows\system32\taskkill.com

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Emilio on Fri Jan 09, 2009 2:41 am

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\hpoins03.dat.temp moved successfully.
c:\windows\hpomdl03.dat.temp moved successfully.
C:\proc.id moved successfully.
C:\asdasd.asdasd moved successfully.
C:\~GLHTTP1.TMP moved successfully.
c:\windows\system32\drivers\lvuvc.hs moved successfully.
c:\windows\system32\taskkill.com moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\EMILIO~1\LOCALS~1\Temp\~DF1D80.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\EMILIO~1\LOCALS~1\Temp\~DF1D8E.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_774.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01082009_213632

Files moved on Reboot...
File C:\DOCUME~1\EMILIO~1\LOCALS~1\Temp\~DF1D80.tmp not found!
File C:\DOCUME~1\EMILIO~1\LOCALS~1\Temp\~DF1D8E.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_774.dat not found!

Emilio
Novice
Novice

Status :
Online
Offline

Posts : 7
Joined : 2009-01-08
Gender : Male
OS : XP

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Emilio on Fri Jan 09, 2009 3:19 am

Really appreciate all you've done!! Thanks!

Emilio
Novice
Novice

Status :
Online
Offline

Posts : 7
Joined : 2009-01-08
Gender : Male
OS : XP

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Belahzur on Fri Jan 09, 2009 4:53 pm

Now the malware is gone, please install one of these AV's if you haven't got an AV running.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) [You must be registered and logged in to see this link.]
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial user.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Need to rid of trogan worm Win32.Zafi.B

Post by Doctor Inferno on Mon Mar 02, 2009 9:58 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Status :
Online
Offline

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum