GeekPolice

Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Solved Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Sun Jan 11, 2009 5:12 am

This is the first time I've visited this site, and it seems like you are all able to fix this problem, which I was about to give up on and force a reformat, but you might give me hope in resolving this.

I'll organize this since it's long. I went to another forum asking for help since this Saturday morning, and they tried to troubleshoot with me all day (literally) using different programs and tools; it didn't work. Here's a summary of what I've done (10 hours later):

---------------------------------------

Post 1:



I got hit with this yesterday. I don't know how, whether it was through surfing around, but it popped up as a security alert, and when I thought it was the Windows security alert, I clicked on "enable protection" and it popped up a browser that had me try to buy some antivirus software, which I knew then was a fake. I had ESET Antivirus enabled before then, but for some reason it did not catch this virus.

I ran full scan with Malwarebytes Antivirus, and it detected 2 problems, but none of them had the title of win32.zafi.b, they were related to svchost and something else. I rebooted into safe mode and did that full scan again and did a full scan of ESET, which after hours, found nothing.

I tried using hijackthis, but it did not catch anything suspicious when I analyzed the file.

But every time I log in to my normal boot login, it pops up, and when I use any browser like IE 7 or Mozilla, it pops up as well. It slows down anything that I load as an app, and my browsing, even something as simple as opening up a saved txt file.

I downloaded PC Spyware Doctor full version and ran a full scan last night. It was able to find some spyware, but not anything related to this virus. After cleaning a few dozen of what it found in the browsers, I rebooted and the same problems are happening again. Take a look at this screenshot:



I'm currently installing and trying to update Symantec Endpoint Protection, but it seems that the virus has disabled some options, or something isn't right. If none of these work, are there manual ways that I can get some help in looking around in the registry or any hidden folders?

Symantec keeps catching things, as you can see from how thin that scroll bar is. It's not taking out the source; something is replicating these files.

---------------------------------------

Post 2:

I'm using another computer I have around the house to reply right now. I was unable to revert back to a system restore point using Windows. I had three listed when I booted in safe mode, from before the time of this incident yesterday and spread throughout the week, but each time I used one, had it shut down, reboot, and got back to Windows, it kept popping up that the thing was incomplete and could not restore. Is that because of the virus, or just how crummy the Windows automated scheduled restore points are?

msconfig caught nothing fishy. I tried peeking through each one. Not to my surprise: if HijackThis didn't catch this, then MSCONFIG wouldn't have found anything on this either.

I even noticed, when I was working in safe mode for some time, that the damn virus was able to get into that mode, but Symantec caught and removed something of a different "name".

I've been using Mozilla Firefox 3 over IE 7 for quite some time now, and this hit when I was using Mozilla.

---------------------------------------

Post 3:



This is frustrating... I'm going to try the rogue remover now.

---------------------------------------


Post by mike69 on Sun Jan 11, 2009 5:13 am

Post 4:

Well, I got back to the infected machine and had to boot back in, because to use RogueRemover you have to update the database, and I can't do that in safe mode. Anyways, I still get this:



which I don't understand: why is the infection coming from a source in a quarantine folder? Isn't that contradicting what Symantec's software is supposed to do?

I just tried the rogue remover in safe mode, and it found nothing either.



Well, this is a stubborn trojan on my machine, and while typing this I got the damn fake security alert window that just popped up on my machine.

Can you suggest the instructions for the manual procedure? I looked something like that up online, but it seems too easy: some blogger suggested looking into the registry key, and his solution found only two things to delete, which I haven't tried yet, but for something that's this annoying, there has to be more than that.

---------------------------------------

Post 5:

Bad, bad news.

Well, first, this in safe mode:



So SUPERAntiSpyware caught something not relevant to this trojan, so not bad, I guess.



Symantec caught nothing (not surprised).


But I spent time looking around the registry editor, and could not find those paths for the virus based on what was mentioned.




I must have the worst luck right now. These paths are supposed to be there, but I don't see them, and I've been in safe mode for most of the day, not wanting to get back to the regular login (using another PC that's not infected to come here).

What's the reason why I might not be able to find those paths to delete those keys?

These Hazafibb entries don't exist on my machine based on these paths:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

"_Hazafibb"="%system%\.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb

---------------------------------------

Post 6:

I'm so frustrated at how this Symantec keeps catching all these temp files and utilizing 90-100% CPU continuously that I decided to uninstall it. I still have Spyware Doctor and ESET installed.

---------------------------------------


Post by mike69 on Sun Jan 11, 2009 5:13 am

AND THIS IS WHERE I AM NOW. STUCK!!


Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:35 PM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download Flash with Flash &Grabber - [You must be registered and logged in to see this link.] Grabber\swfgrab.dll/iesave
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - [You must be registered and logged in to see this link.]
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_3.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10122 bytes


---------------------------------------

Uninstall List

7-Zip 4.44 beta
Adobe Acrobat 7.1.0 Professional
Adobe Flash Player ActiveX
Adobe Shockwave Player
Advanced WindowsCare Personal
AMD Processor Driver
AOLIcon
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
BUFFALO Power Save Utility for HD
Catalyst Control Center - Branding
CCleaner (remove only)
ClearType Tuning Control Panel Applet
Compatibility Pack for the 2007 Office system
Dell Support Center (Support Software)
Dell Wireless WLAN Card
DivX Converter
DivX Player
DivX Web Player
ESET NOD32 Antivirus
FastStone Photo Resizer 2.5
Flash Grabber 1.0
Folder Size for Windows
FolderSort
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
GPL Ghostscript 8.57
GPL Ghostscript Fonts
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 11
K-Lite Codec Pack 4.0.0 (Standard)
LiveUpdate 3.3 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Malwarebytes' RogueRemover
Media Resizer PRO
mediaRECOVER Pro
MFZ0 codec (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2005
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Modem Helper
Mozilla Firefox (3.0.5)
MSConfig CleanUp 1.2
NetWaiting
NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Expire in 2050)
PDFill PDF Editor with FREE PDF Writer and Tools
PDFill PDF Writer
PowerDVD 5.7
PPTexpert PPTmovie
QuickSet
QuickTime
Real Alternative 1.9.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
SigmaTel Audio
Spyware Doctor 6.0
SUPERAntiSpyware Free Edition
Symantec KB-DocID:2003093015493306
Synaptics Pointing Device Driver
TurboTax ItsDeductible 2006
TVUPlayer 2.3.2.19
Unlocker 1.8.7
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Using the Estimator - Packaged Dev Demos
VDMSound
VeohTV BETA
Video Watermark Factory
Watermark Factory 2
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Service Pack 3


Post by Belahzur on Sun Jan 11, 2009 1:19 pm

Hello.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


Please PM me if I fail to respond within 24hrs.



Post by mike69 on Sun Jan 11, 2009 6:18 pm

Previous attempts before receiving your reply:

I know how to use the search, and this comes up with no results for that _hazafibb listed. If I don't have that Win32.Zafi.b, then why did I see that originally pop up in my first post that I uploaded on my screen? Is it a mask for some other trojan?



Interestingly, when I scanned with MalwareBytes again in safe mode overnight, it found a few things, and now that I'm back on my infected machine, I don't see that thing pop up any more, BUT... my computer is still choppy and there's still the same lag in my browser that's similar to when that worm was there yesterday. It seems that there are things remaining in my system, but I need help cleaning it out.



----------------------------------


Post by mike69 on Sun Jan 11, 2009 6:18 pm

MalwareBytes Log

Malwarebytes' Anti-Malware 1.32
Database version: 1640
Windows 5.1.2600 Service Pack 3

1/11/2009 4:51:33 AM
mbam-log-2009-01-11 (04-51-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 135052
Time elapsed: 3 hour(s), 14 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winclock (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Mike\Application Data\Google\ptnptn.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Google\jxzub5410451.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


-------------------------------------
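A small triage script for the two logs in this thread, added here as an example (it is not code from the thread, from HijackThis or from Malwarebytes). It parses HijackThis O4 and O23 lines and the Malwarebytes detection lines, extracts the executable each Run value launches, and flags the entries a reviewer would look at first: a Run value whose executable lives under a user-writable path such as Application Data (exactly where the MBAM log found the Trojan.FakeAlert files), a value listed twice, and a service whose binary is missing or carries no company name. The sample input reuses lines from the logs above; the `winclock` O4 line is constructed for this example from the value name and file that the MBAM log reports, since the HijackThis log posted earlier does not contain it. The heuristics are the example's own, not anything the tools report.

```python
import re
from collections import Counter

# Added example, not code from the thread or from any vendor tool: parse
# HijackThis O4/O23 lines and Malwarebytes detection lines and apply a simple
# defender-side triage. The flags are this example's own heuristics.

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 - Service: <display name> - <company> - <path> [(file missing)]
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
# <registry value or file> (<detection family>) -> <action taken>
MBAM_RE = re.compile(r'^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$')

# Path fragments a normal user can write to; a Run value pointing here deserves a look.
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\',
                 '\\local settings\\', '\\temp\\', '\\users\\')


def extract_exe(cmd):
    """Pull the executable path out of a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_autoruns(lines):
    """Return [(value name, exe path, [flags])] for every O4 line."""
    seen = Counter()
    results = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = extract_exe(m.group('cmd'))
        flags = []
        if any(frag in exe.lower() for frag in USER_WRITABLE):
            flags.append('user-writable location')
        key = (m.group('hive'), m.group('name'), exe.lower())
        seen[key] += 1
        if seen[key] > 1:          # same hive, value name and target listed twice
            flags.append('duplicate entry')
        results.append((m.group('name'), exe, flags))
    return results


def triage_services(lines):
    """Return [(service name, binary path, [flags])] for every O23 line."""
    results = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if not m:
            continue
        flags = []
        if m.group('missing'):
            flags.append('file missing')
        if m.group('owner') == 'Unknown owner':
            flags.append('no company name')
        results.append((m.group('name'), m.group('path'), flags))
    return results


def summarize_mbam(lines):
    """Return (detections, per-family counts) from an MBAM log body."""
    detections = []
    for line in lines:
        m = MBAM_RE.match(line.strip())
        if not m:
            continue
        kind = 'registry' if m.group('item').upper().startswith('HKEY_') else 'file'
        detections.append((kind, m.group('item'), m.group('family'), m.group('action')))
    return detections, Counter(d[2] for d in detections)


# Sample input copied from the thread's HijackThis log, plus one CONSTRUCTED O4
# line for 'winclock' built from the value name and file in the MBAM log.
SAMPLE_HJT = r'''
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User 'SYSTEM')
O4 - HKLM\..\Run: [winclock] C:\Documents and Settings\Mike\Application Data\Google\jxzub5410451.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
'''.strip().splitlines()

# Detection lines copied from the thread's Malwarebytes log.
SAMPLE_MBAM = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winclock (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Google\ptnptn.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Google\jxzub5410451.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
'''.strip().splitlines()

if __name__ == '__main__':
    for name, exe, flags in triage_autoruns(SAMPLE_HJT) + triage_services(SAMPLE_HJT):
        print(name, '->', exe, flags or '')
    detections, counts = summarize_mbam(SAMPLE_MBAM)
    print('MBAM removed', len(detections), 'items:', dict(counts))
```

Run as-is it lists every Run value and service with its flags; on this input only `winclock` (user-writable location), the second `ISTray` (duplicate entry) and the two services without a company name, one of them with a missing binary, are flagged. The same Application Data path turns up in both the constructed Run value and the MBAM file detections, which is the link between the persistence entry and the dropped files that a manual registry search for `_Hazafibb` would never have surfaced.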


Post by mike69 on Sun Jan 11, 2009 6:19 pm

DDS Log



DDS (Ver_09-01-07.01) - NTFSx86
Run by Mike at 10:08:18.96 on Sun 01/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.77 [GMT -8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Mike\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Bar =
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash &Grabber - c:\progra~1\flash grabber\swfgrab.dll/iesave
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: turbotax.com
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJdDtUK
LSA: Notification Packages = scecli c:\windows\system32\sinehotu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\8y4k1ogv.default user\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\mike\application data\mozilla\firefox\profiles\8y4k1ogv.default user\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\mike\application data\mozilla\firefox\profiles\8y4k1ogv.default user\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-10 40840]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-10 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-10 81288]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-1-10 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R4 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R4 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [2008-2-28 6144]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-10 356920]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-10 1079176]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [2008-6-24 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\drivers\kwflower.sys --> c:\windows\system32\drivers\kwflower.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-1-27 1251720]

=============== Created Last 30 ================

2009-01-10 12:56 --d----- c:\program files\RogueRemover FREE
2009-01-10 00:57 160,792 a------- c:\windows\system32\drivers\pctfw2.sys
2009-01-10 00:57 --d----- c:\program files\common files\PC Tools
2009-01-10 00:57 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-10 00:57 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-10 00:57 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-10 00:57 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-10 00:57 --d----- c:\program files\Spyware Doctor
2009-01-10 00:57 --d----- c:\docume~1\mike\applic~1\PC Tools
2009-01-10 00:57 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2008-12-12 11:45 0 a------- c:\windows\ativpsrm.bin
2008-12-12 11:37 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-12-12 11:35 --d----- C:\ATI

==================== Find3M ====================

2009-01-04 18:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 18:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-03 10:42 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-01 14:13 3,452,928 a------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 14:13 3,452,928 a------- c:\windows\system32\dllcache\ati2mtag.sys
2008-12-01 12:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 12:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 12:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 12:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 12:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 12:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 12:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 12:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 12:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 12:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 12:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 12:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 12:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 12:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-01 12:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-12-01 11:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 11:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 11:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 11:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 11:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 11:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 11:51 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2008-12-01 11:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 11:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 11:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-11-08 20:23 930,203 a--sh--- c:\windows\system32\KUtDdJlm.ini2
2008-10-30 06:45 180,720 a------- c:\windows\system32\atiicdxx.dat
2008-10-28 14:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 14:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 14:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 14:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 14:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-21 10:51 118,784 a------- c:\windows\system32\atibrtmon.exe
2008-10-15 13:57 1,257,472 a------- c:\windows\system32\kticonv80_1.11.1.dll
2008-10-15 13:57 925,696 a------- c:\windows\system32\ktlibeay80_0.9.8g.dll
2008-10-15 13:57 192,512 a------- c:\windows\system32\ktssleay80_0.9.8g.dll
2008-10-15 13:57 102,400 a------- c:\windows\system32\ktzlib80_1.2.3.dll
2008-10-15 08:34 337,408 a------- c:\windows\system32\dllcache\netapi32.dll
2007-11-12 18:37 60,968 a------- c:\documents and settings\mike\GoToAssistDownloadHelper.exe
2007-10-14 11:52 90 a------- c:\docume~1\mike\applic~1\wklnhst.dat
2008-05-17 14:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051720080518\index.dat

============= FINISH: 10:09:33.42 ===============


Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Sun Jan 11, 2009 7:01 pm

I just scanned with spy doctor again and found this. It seems that this is continuous; I don't want to reformat, but at this rate this is going to keep on going. Even though I don't get that zafi.b popup security anymore, there are "remnants" that seem to still be there, or from something else it spawned off, which is slowing down my processor and internet navigation severely.



Last edited by mike69 on Sun Jan 11, 2009 7:58 pm; edited 1 time in total


Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Sun Jan 11, 2009 7:58 pm

I wanted to see if someone can examine my windows processes to see if everything is okay. I don't know why svchost is listed three times, but maybe that's the way it is.




Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by Belahzur on Sun Jan 11, 2009 8:19 pm

Hello.
Did Spyware Doctor fix these leftovers?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Sun Jan 11, 2009 9:34 pm

Belahzur wrote: Hello.
Did Spyware Doctor fix these leftovers?

From the screenshot that I gave in my previous reply, it seems to have fixed those, but the reason why I need your help is that I think that although that little pop up fake security alert isn't on my screen anymore, that doesn't mean that there are still traces infected or that it didn't spawn other malware that these scanners haven't picked up; that's why I gave those hijacker logs and dds logs. Can you look to see what else I can fix or remove? (By the way, these were all hidden from the registry editor for some reason as my previous posts show, I don't know why, but I have a feeling there's more)

I just ran scanfsc in the meantime.

please help spot other things. After all of this is cleaned out, I'll do another system restore.

also, since the spydoctor found win32 files that were infected, if those are quarantined, does that mean that they're missing now as required system files in the folder? Do I have a hole now?

thanks


Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by Belahzur on Sun Jan 11, 2009 9:48 pm

Wait.
DO NOT use system restore, that will restore the infection.

Please download the OTMoveIt3 by OldTimer from here:
Code:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt3.exe

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :processes
    explorer.exe

    :files
    C:\Windows\system32\windrvnt.sys

    :reg
    [-HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT]
    [-HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT]
    [-HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT]

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Sun Jan 11, 2009 10:14 pm

It's not letting me highlight the results. It's like it's locked or something.


Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by Belahzur on Sun Jan 11, 2009 10:19 pm

Ah, it's okay, the report is saved to a txt file anyway.
Navigate to this folder in bold:
C:\_OTMoveIt

There is a .log file in there with the report, please post that.



Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Sun Jan 11, 2009 10:25 pm

Here is the log, I thought it froze, but it was just doing something else

From the results, C:\Windows\system32\windrvnt.sys, that was the file that got infected and quarantined when I ran spydoctor from the post earlier:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_bc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_140958

Files moved on Reboot...
File C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY not found!
C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_bc.dat not found!
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite moved successfully.
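
An added example, not code from this thread or from OTMoveIt3's author, that reads an OTMoveIt3 results log of the shape posted above and says what each line amounts to: every item is tagged as removed, not found (the target was already gone when the tool ran), or deferred to reboot, and the deferred ones are then reconciled against the "Files moved on Reboot..." section. The sample log is constructed from lines in this thread; the function and status names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: OTMoveIt3 result lines as posted in this thread (trimmed).
SAMPLE_LOG = r"""
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat scheduled to be deleted on reboot.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_140958

Files moved on Reboot...
File C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY not found!
C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat moved successfully.
"""

SECTION_RE = re.compile(r"^=+ ([A-Z]+) =+$")
PREFIXES = ("File/Folder ", "Registry key ", "Process ", "File ")
# Line endings OTMoveIt3 uses, mapped to a status (first match wins).
SUFFIXES = {
    " scheduled to be deleted on reboot.": "deferred",  # locked while the tool ran
    " deleted successfully.": "removed",
    " moved successfully.": "removed",
    " killed successfully.": "removed",
    " not found.": "not_found",  # target already gone (e.g. quarantined earlier)
    " not found!": "not_found",  # reboot pass: nothing left to move
}

@dataclass(frozen=True)
class Outcome:
    section: str
    target: str
    status: str

def _target(line: str) -> str:
    # Strip the descriptive prefix so one path compares equal across sections.
    if line.startswith("File delete failed. "):
        line = line[len("File delete failed. "):]
    for prefix in PREFIXES:
        if line.startswith(prefix):
            return line[len(prefix):]
    return line

def classify(section: str, line: str) -> Outcome:
    for suffix, status in SUFFIXES.items():
        if line.endswith(suffix):
            return Outcome(section, _target(line[:-len(suffix)]), status)
    return Outcome(section, line, "done")  # e.g. "Explorer started successfully"

def parse_otmoveit_log(text: str) -> list[Outcome]:
    outcomes, section = [], "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("OTMoveIt3 by OldTimer"):
            continue
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1)
            continue
        if line.startswith("Files moved on Reboot"):
            section = "REBOOT"
            continue
        outcomes.append(classify(section, line))
    return outcomes

def reconcile_deferred(outcomes: list[Outcome]) -> dict[str, str]:
    """Final state of every item the first pass had to defer to reboot."""
    reboot = {o.target: o.status for o in outcomes if o.section == "REBOOT"}
    final: dict[str, str] = {}
    for o in outcomes:
        if o.status != "deferred":
            continue
        after = reboot.get(o.target)
        if after == "removed":
            final[o.target] = "moved_on_reboot"
        elif after == "not_found":
            final[o.target] = "gone_before_reboot"  # its owner cleaned it up first
        else:
            final[o.target] = "still_pending"  # no reboot entry: check the next run's log
    return final

def summarize(text: str) -> dict[str, int]:
    """Count what the :processes/:files/:reg sections removed vs. never found."""
    counts = {"removed": 0, "not_found": 0}
    for o in parse_otmoveit_log(text):
        if o.section in ("PROCESSES", "FILES", "REGISTRY") and o.status in counts:
            counts[o.status] += 1
    return counts
```

A "not found" under FILES or REGISTRY means there was nothing at that path when OTMoveIt3 ran, which is what you expect after an earlier scanner has already quarantined the file.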


Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by Belahzur on Sun Jan 11, 2009 10:30 pm

Well anyway, the zafi.b is gone and everything looks clean to me, any problems for you?



Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Sun Jan 11, 2009 10:36 pm

I ran the OTMoveIT the second time just in case for you to review:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT\\ not found.
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT\\ not found.
Registry key HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_0R5h8sBp1jzrNvtq1SgK scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7dc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_142346

Files moved on Reboot...
File C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_0R5h8sBp1jzrNvtq1SgK not found!
File C:\WINDOWS\temp\Perflib_Perfdata_7dc.dat not found!
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\XUL.mfl moved successfully.


Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Sun Jan 11, 2009 10:38 pm

mike69 wrote: Here is the log, I thought it froze, but it was just doing something else

From the results, C:\Windows\system32\windrvnt.sys, that was the file that got infected and quarantined when I ran spydoctor from the post earlier:

q1) What do all of those "not found" entries mean?


q2) Also, I got a response from another forum when they examined my dds log and needed to see if you can translate to how to remove:

"
The logs look ok apart from these entries.
Code:

O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - [You must be registered and logged in to see this link.]

Not sure what ActiveX control is trying to be downloaded.

Code:

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

Norton live update must have gotten screwed.

Code:

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

"


please help with this

q3) I know that the zafi.b might not be there anymore, but there seem to still be traces of things spawned from it. My process list looks strange from the post I showed earlier, things are still a little slow and there is still a lag from the browser.

Are there supposed to be 3 svchost.exe in the process list?


Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by Belahzur on Sun Jan 11, 2009 10:41 pm

Hello.
If you are being helped elsewhere, please let me know.
Helpers' time is valuable and shouldn't be wasted.

Please let the other forum know you are being helped elsewhere.

The active X object is harmless.
I don't want to remove that service, it may say missing, but I don't want to stop the live update service.

Empty toolbar objects, harmless also.



Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Mon Jan 12, 2009 6:32 am

Well, I asked around in another forum since a lot of folks were unsure, and that's how I was told about this site; otherwise, I wouldn't have found this geekpolice.net site, and that's why I'm here posting what I've gotten.

Could you inspect the logs shown from the previous apps you mentioned to install and run? Including

========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.

I noticed when I ran the scan, this sys file was infected and quarantined, is that trouble?


Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by Belahzur on Mon Jan 12, 2009 2:13 pm

No, the file isn't active now, it can't cause any more problems.
What problems remain now?



Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Tue Jan 13, 2009 1:39 am

I can't tell myself, because I see no more popups, but still a slow down in the processor as if something funny is happening behind the scenes. From your inspection of the logs that I've been posting here like the dds, hijacker, and imoveit, do you see anything at all that might be worth noting?


Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by Belahzur on Tue Jan 13, 2009 9:12 am

I can only help by killing some un-needed startup items and cleaning temp files, etc.

If you want us to kill some of the un-needed stuff, let me know.



Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Tue Jan 13, 2009 4:28 pm

Yes, I would like your help. I don't know how to interpret these logs that you requested to paste in the last few replies.


Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by Belahzur on Tue Jan 13, 2009 5:06 pm

Okay.
Please post a NEW HijackThis log.



Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by mike69 on Wed Jan 21, 2009 8:54 pm

Here is a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:59 PM, on 1/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP KEYBOARDg] "C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download Flash with Flash &Grabber - [You must be registered and logged in to see this link.] Grabber\swfgrab.dll/iesave
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - [You must be registered and logged in to see this link.]
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_3.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10126 bytes


Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by Belahzur on Wed Jan 21, 2009 9:01 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


  • Press "Fix Checked"
  • Close HijackThis.

I see you have Adobe Reader version 7 installed on here. This is old and has holes that malware may abuse, so we need to close these holes.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Adobe Reader 7

Then download and install version 9 from here:
[You must be registered and logged in to see this link.]

Reboot normally.
Any difference?


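Two things in the last two posts lend themselves to a worked example: reading the posted HijackThis log for the entries a reviewer looks at first (repeated images such as the four notepad.exe, programs started from temp-style directories such as the launch4j-tmp path, and O23 services marked "Unknown owner" or "(file missing)"), and what "Fix checked" on an O4 or O23 line actually corresponds to on the machine (a value under a Run key, or a service). The Python below is an added example written for this edit; it is not HijackThis code and not the helper's own procedure. The log text inside it is an excerpt copied from the log posted above. The mapping of HKUS\<SID> to HKEY_USERS, the assumption of 32-bit XP (no Wow6432Node redirection) and the reg.exe / sc.exe command shapes are the example's own assumptions, and disabling a service rather than deleting it is the example's choice, not a statement about what HijackThis does internally.

```python
"""Triage a HijackThis (HJT) log excerpt and map checked O4/O23 lines to the
registry values and services behind them. Added example for this thread, not
HijackThis code and not the helper's procedure. HJT_LOG is copied from the log
posted above; 32-bit Windows XP (no Wow6432Node) and reg.exe / sc.exe command
shapes are this example's assumptions."""
import re
from collections import Counter

HJT_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe
C:\WINDOWS\system32\rundll32.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKUS\S-1-5-18\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User 'SYSTEM')
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
"""

# O4 - <hive>\..\<Run key>: [<value name>] <command>
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion"
TMP_DIR = re.compile(r"\\[^\\]*(?:tmp|temp)[^\\]*\\", re.IGNORECASE)  # temp-style directory

def parse_log(text):
    """Split an HJT log into the running-process list and the O-numbered entries."""
    processes, entries = [], []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^(O\d+) - ", line)
        if m:
            entries.append((m.group(1), line))
        elif re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
    return {"processes": processes, "entries": entries}

def instance_counts(processes):
    """Copies of each image: four notepad.exe is odd, several svchost.exe is normal."""
    return Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)

def suspicious_paths(processes):
    """Images started from a temp-style directory; worth a look if still there after reboot."""
    return [p for p in processes if TMP_DIR.search(p)]

def service_parts(o23_line):
    """(short name, owner, image path) for an O23 line. HJT prints 'Display (Short)'
    and omits the parentheses when both names are identical."""
    display, owner, path = o23_line[len("O23 - Service: "):].rsplit(" - ", 2)
    m = re.match(r"^(.*) \(([^()]+)\)$", display)
    return (m.group(2) if m else display), owner, path

def service_flags(entries):
    """O23 entries with an unknown owner or a missing binary: review these first."""
    flags = {}
    for code, line in entries:
        if code != "O23":
            continue
        short, owner, path = service_parts(line)
        reasons = []
        if owner == "Unknown owner":
            reasons.append("unknown owner")
        if "(file missing)" in path:
            reasons.append("file missing")
        if reasons:
            flags[short] = reasons
    return flags

def run_target(o4_line):
    """(full registry key, value name, command) for an O4 line."""
    m = RUN_RE.match(o4_line)
    if not m:
        raise ValueError("not an O4 Run entry: " + o4_line)
    hive, subkey, value, command = m.groups()
    if hive.startswith("HKUS\\"):  # HJT's HKUS\<SID> is HKEY_USERS\<SID>
        hive = "HKU\\" + hive.split("\\", 1)[1]
    return f"{hive}\\{RUN_KEY}\\{subkey}", value, command

def remediation_commands(checked_lines):
    """Equivalent commands for checked lines: delete the Run value (O4); disable
    rather than delete the service (O23) so the change is reversible."""
    cmds = []
    for line in checked_lines:
        if line.startswith("O4 - "):
            key, value, _ = run_target(line)
            cmds.append(f'reg delete "{key}" /v "{value}" /f')
        elif line.startswith("O23 - "):
            cmds.append(f'sc config "{service_parts(line)[0]}" start= disabled')
    return cmds

if __name__ == "__main__":
    log = parse_log(HJT_LOG)
    print(service_flags(log["entries"]), suspicious_paths(log["processes"]))
    print("\n".join(remediation_commands([l for _, l in log["entries"]])))
```

One limitation to keep in mind when triaging from this format: HijackThis lists only image paths, so the svchost.exe and rundll32.exe instances cannot be judged from the process list alone; you need the command line or the hosting service to say anything about them. That is also why a list of checked O4/O23 lines like the one above is startup trimming, as the helper says, rather than malware removal.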

Solved Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Post by Doctor Inferno on Sat May 02, 2009 6:45 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.
