Win32.Zafi.B


Solved Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 7:59 pm

I have no idea how I got this, but I went from browsing to a Windows XP firewall 'off' warning, to computer shutdown, restart. Firefox immediately would not work, Opera was fine for a while, now that just redirects every url to some crappy site or other.

It will not allow NOD32 to update. It won't allow Spyware Doctor to run or install. It won't allow mbam-setup.exe to run. On bootup it turns the XP firewall off, and then warns me of a win32.zafi.b virus - the keep blocking/allow options are greyed out and I can only either close the window or click 'enable protection', at which point a browser appears and redirects me to what is obviously some crappy malware.

Here are the requested logs from Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:48:27, on 11/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\WINDOWS.0\System32\DeltaIITray.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\program files\steam\steam.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\WINDOWS.0\system32\drivers\svchost.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\wuauclt.exe
D:\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS.0\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\WINDOWS.0\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller 3\UIWatcher.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS.0\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_07] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_09] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_10] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_07] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Unknown owner - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7820 bytes

and here is an uninstall file:

Ad-Aware
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.1
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Software Update
ASIO4ALL
Audacity 1.2.6
Audiosurf
Avi2Dvd 0.4.5 beta
AviSynth 2.5
Bioshock
Canon EOS 20D WIA Driver
Color LaserJet 2600n
Defcon
Delta
Digidesign Audio Drivers 7.3.1
DirectVobSub (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Web Player
dpMagic CE
DVD Shrink 3.2
FinalBurner Free v1.25.0.118
Flickr Uploadr 3.0.5
GoldWave v5.22
Google Calendar Sync
Google Earth
Half-Life 2: Episode One
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
hp officejet 7100 series
hp officejet 7100 series - 1
hp officejet 7100 series corporate driver
i-Cool
Inkscape 0.46
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Logitech iTouch Software
Logitech SetPoint
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Bootvis
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
Mozilla Thunderbird (2.0.0.14)
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
NASA World Wind 1.4
Native Instruments Kontakt 3
NCH Toolbox
Network Magic
Nokia Connectivity Cable Driver
Nokia Flashing Cable Driver
Nokia Map Loader
Nokia PC Suite
Nokia PC Suite
Nokia Software Updater
NVIDIA Drivers
NVIDIA PhysX v8.09.04
Opera 9.63
PC Connectivity Solution
PDF Settings
PeerGuardian 2.0
Photomatix Pro version 3.1
QuickTime
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Reason 4.0
SeaTools for Windows
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Spyware Doctor 6.0
Steam
Team Fortress 2
Unlocker 1.8.5
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
ViewRanger Map Chooser
VLC media player 0.9.8a
VobSub v2.23 (Remove Only)
Winamp
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (03/05/2008 3.7)
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1)
Windows Driver Package - Nokia Modem (05/22/2008 3.8)
Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver


I can still use the internet for a while as I have a laptop (which I'm on now) with Vista and Ubuntu, but my tax return is due shortly and I can't use my desktop PC because of this fault.


Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 8:01 pm

Oh and I cannot enter safe mode at bootup either - just a black screen with the 'safe mode' text in each corner. A mouse pointer, but nothing else, no activity.


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 8:21 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS.0\system32\drivers\svchost.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_07] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_09] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_10] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_07] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
    O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.


1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
C:\WINDOWS\system32\drivers\svchost.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


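The lines picked out above share a few tells a responder looks for in a HijackThis log: a Run value named after a Windows system binary, a copy of svchost.exe launched from a folder other than system32, RunOnce entries under the LOCAL SERVICE / NETWORK SERVICE hives, and a service whose binary is missing. The following Python triage script is an added example for this thread, not part of HijackThis or of the helper's procedure; it applies those checks to O4/O23 lines, and the sample input is constructed from lines copied out of the log posted above.

```python
import re
from dataclasses import dataclass
from typing import List

# Windows binaries whose only legitimate copy lives directly in %SystemRoot%\system32.
# A Run entry that launches one of these names from anywhere else deserves a close look.
SYSTEM32_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                     "winlogon.exe", "smss.exe"}
# Well-known SIDs of the LOCAL SERVICE and NETWORK SERVICE accounts.
SERVICE_ACCOUNT_SIDS = ("S-1-5-19", "S-1-5-20")

# O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command> (User '<account>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# O23 - Service: <display name> - <vendor> - <path> [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# First program in a command line, quoted or not, with or without arguments.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|scr|bat|cmd))"?(?=[\s,]|$)', re.I)

# Constructed sample: six lines copied from the HijackThis log posted in this thread,
# two of them clean entries kept for contrast.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS.0\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def first_executable(cmd: str) -> str:
    """Return the program a Run command launches, or '' if none is recognisable."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else ""


def check_o4(m: "re.Match") -> List[str]:
    """Checks for one parsed O4 (autostart) entry."""
    reasons = []
    # The value name itself borrowing a system binary's name is a masquerading hint.
    if m.group("name").lower() in SYSTEM32_BINARIES:
        reasons.append("Run value named after a Windows system binary")
    exe = first_executable(m.group("cmd"))
    directory, _, base = exe.rpartition("\\")
    # Only judge the folder when the entry carries a full path.
    if directory and base.lower() in SYSTEM32_BINARIES:
        parent = directory.rsplit("\\", 1)[-1].lower()
        if parent != "system32":
            reasons.append(f"{base} launched from {directory}, not system32")
    # RunOnce under a service-account hive is unusual for user software.
    if m.group("key").lower() == "runonce" and any(
            sid in m.group("hive") for sid in SERVICE_ACCOUNT_SIDS):
        reasons.append("RunOnce entry under a service-account hive; verify its origin")
    return reasons


def check_o23(m: "re.Match") -> List[str]:
    """Checks for one parsed O23 (service) entry."""
    if m.group("path").endswith("(file missing)"):
        return ["service binary is missing on disk; orphaned registration"]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run the checks over every O4/O23 line and collect one Finding per reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m)
        else:
            m = O23_RE.match(line)
            reasons = check_o23(m) if m else []
        findings.extend(Finding(line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports four findings: two for the SVCHOST.EXE entry, one for the RunOnce under S-1-5-19, and one for the Autodata service with the missing file; the egui, ctfmon and ekrn lines pass.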

Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 8:24 pm

OK, doing that now.

By the way, changing the install name of mbam-setup.exe to something else (in this case affixing it with (3).exe) allows it to install. Once installed however, it still would not run - so I changed the exe file to mbam1.exe - and it ran fine.

It's scanning now.


Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 8:39 pm

Can I ask, I don't have a Windows folder - I've always had a C:\Windows.0 folder. Should I change the above text to reflect this?


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 8:42 pm

LMBO or ROFL
-Hits head against the wall-

Sorry, I've had to use this same tool nearly all day because we have had a flood of traffic all with the same infection, so it makes my life easier if I just copy and paste and I can answer users quicker. Yes, please reflect the change.



Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 8:52 pm

Belahzur wrote: Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7


Thank you for the very quick response. I have uninstalled all three of the above.

Belahzur wrote:

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS.0\system32\drivers\svchost.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_07] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_09] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_10] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_07] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
    O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.



Done


Belahzur wrote: 1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
C:\WINDOWS\system32\drivers\svchost.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Done. Here is the Avenger.txt file contents. I did not change the text as I enquired above, I entered exactly what you wrote figuring that it wouldn't do any harm just to see. I can however re-run the avenger scan if you wish?

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Documents and Settings\Tom\Application Data\Google\mjkspc.dll" deleted successfully.
File "C:\Documents and Settings\Tom\Application Data\Google\yfijv17721328.exe" deleted successfully.

Error: file "C:\WINDOWS.0\system32\drivers\etc\services" not found!
Deletion of file "C:\WINDOWS.0\system32\drivers\etc\services" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS.0\system32\drivers\svchost.exe" not found!
Deletion of file "C:\WINDOWS.0\system32\drivers\svchost.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS.0\system32\TDSScfum.dll" deleted successfully.
File "C:\WINDOWS.0\system32\TDSSfxmp.dll" deleted successfully.
File "C:\WINDOWS.0\system32\TDSStkdv.log" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "cyqjub" found!
Could not open driver cyqjub for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSmaxt.sys
Driver disabled successfully.

Rootkit scan completed.


Error: could not open file "C:\WINDOWS\system32\drivers\svchost.exe"
Deletion of file "C:\WINDOWS\system32\drivers\svchost.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.


Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 8:55 pm

Belahzur wrote: LMBO or ROFL
-Hits head against the wall-

Sorry, I've had to be this same tool nearly all day because we have had a flood of traffic all with the same infection, so it makes my life easier if I just copy and paste and I can answer users quicker. Yes, please reflect the change.

It's ok, I looked in this directory and saw all the posts and wondered if I'd get a response. I really must thank you for being so gracious and replying so quickly. The assistance is already showing results as Malwarebytes has already found and deleted a few naughty things. I'm hoping that running those scans will only help, and not hinder our progress.


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 8:58 pm

Hello.
Please don't run MBAM yet, running two tools at the same time without being asked to can cause confusion on my half, and then I don't know where we stand.
We need to use the avenger again, and this time, my script is right.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to disable:
cyqjub

Drivers to delete:
TDSSserv.sys

Files to delete:
C:\WINDOWS.0\system32\drivers\TDSSmaxt.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 9:11 pm

OK, I ran Avenger as requested; the text file returned is:

Avenger second run wrote:
Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open driver "cyqjub"
Disablement of driver "cyqjub" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "TDSSserv.sys" deleted successfully.

Error: file "C:\Windows.0\system32\drivers\TDSSmaxt.sys" not found!
Deletion of file "C:\Windows.0\system32\drivers\TDSSmaxt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


I have a feeling it could not find the above entries because MBAM already found 5 infections, which I deleted. I apologise if this is creating problems for you.


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 9:17 pm

Hello.
The files weren't removed probably because MBAM has found them and removed them, but the driver has been deleted.

Please run MBAM now and remove everything found, then once MBAM has done and everything is removed, please do this.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 9:21 pm

MBAM is running now on a full system scan, so it may be a while before I reply. Things are already looking much better though, no annoying firewall turnoffs and things, and no crashes upon startup.

Does this site accept donations? I will happily contribute if so.


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 9:23 pm

No, sorry, we don't.



Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 9:34 pm

Oh, OK, well, anything I can do to help, just let me know. Don't need any music writing, do you? Or anything on Wikipedia I can help you out with? I'm a regular contributor there.

Scan still running, so I'm watching Billy Connolly on the telly.


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 9:49 pm

Haha.
I'm watching the Most Haunted Live.
Nope, don't need music, sorry.

Standing by for MBAM.



Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 10:27 pm

Full system scan completed. Nothing found.

I clicked the first DDS link which was a .com file - I hope this is ok, and just another version of the .scr file?

DDS.txt wrote:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Tom at 22:24:25.31 on 11/01/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1545 [GMT 0:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS.0\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.0\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\WINDOWS.0\System32\DeltaIITray.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS.0\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Tom\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [UIWatcher] c:\program files\ashampoo\ashampoo uninstaller 3\UIWatcher.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows.0\system32\NvCpl.dll,NvStartup
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [M-Audio Taskbar Icon] c:\windows.0\system32\DeltaIITray.exe
mRun: [DeltaIITaskbarApp] c:\windows.0\system32\DeltaIITray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows.0\system32\NvMcTray.dll,NvTaskbarInit
mRun: [wclock] "c:\documents and settings\tom\application data\google\yfijv17721328.exe" 2
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet 7100 series\bin\hpogrp07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} -
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\oxm6nchg.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows.0\system32\drivers\epfwtdir.sys [2008-11-10 92168]
R1 pctfw2;pctfw2;c:\windows.0\system32\drivers\pctfw2.sys [2009-1-11 160792]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows.0\system32\drivers\deltaII.sys [2008-1-2 297992]
R3 RDID1004;EDIROL UM-4;c:\windows.0\system32\drivers\Rdwm1004.sys [2007-12-29 79425]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 DigiNet;Digidesign Ethernet Support;c:\windows.0\system32\drivers\diginet.sys [2008-4-9 11776]
R4 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-11-10 711240]
S3 IKFileSec;File Security Driver;c:\windows.0\system32\drivers\ikfilesec.sys [2009-1-11 40840]
S3 IKSysFlt;System Filter Driver;c:\windows.0\system32\drivers\iksysflt.sys [2009-1-11 66952]
S3 IKSysSec;System Security Driver;c:\windows.0\system32\drivers\iksyssec.sys [2009-1-11 81288]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows.0\system32\drivers\nmwcdnsu.sys [2008-8-12 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows.0\system32\drivers\nmwcdnsuc.sys [2008-8-12 8320]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-11 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-11 1079176]

=============== Created Last 30 ================

2009-01-11 20:22 --d----- c:\docume~1\tom\applic~1\Malwarebytes
2009-01-11 20:21 15,504 a------- c:\windows.0\system32\drivers\mbam.sys
2009-01-11 20:21 38,496 a------- c:\windows.0\system32\drivers\mbamswissarmy.sys
2009-01-11 20:20 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-11 20:20 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-11 19:29 160,792 a------- c:\windows.0\system32\drivers\pctfw2.sys
2009-01-11 19:29 --d----- c:\program files\common files\PC Tools
2009-01-11 19:29 81,288 a------- c:\windows.0\system32\drivers\iksyssec.sys
2009-01-11 19:29 66,952 a------- c:\windows.0\system32\drivers\iksysflt.sys
2009-01-11 19:29 40,840 a------- c:\windows.0\system32\drivers\ikfilesec.sys
2009-01-11 19:29 29,576 a------- c:\windows.0\system32\drivers\kcom.sys
2009-01-11 19:29 --d----- c:\program files\Spyware Doctor
2009-01-11 19:29 --d----- c:\docume~1\tom\applic~1\PC Tools
2009-01-11 19:29 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-01-11 18:43 --d----- c:\program files\ESET
2009-01-11 18:17 --d----- c:\program files\Lavasoft
2009-01-11 18:01 441 a------- c:\windows.0\system32\TDSSosvd.dat
2008-12-20 18:37 --d----- c:\docume~1\tom\applic~1\FinalBurner Audio CD

==================== Find3M ====================

2008-12-12 17:31 410,984 a------- c:\windows.0\system32\deploytk.dll
2008-10-28 22:36 823,296 a------- c:\windows.0\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 a------- c:\windows.0\system32\divx_xx07.dll
2008-10-28 22:35 815,104 a------- c:\windows.0\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 a------- c:\windows.0\system32\divx_xx11.dll
2008-10-28 22:35 684,032 a------- c:\windows.0\system32\DivX.dll
2008-10-23 12:36 286,720 a------- c:\windows.0\system32\gdi32.dll
2008-10-16 01:00 666,112 a------- c:\windows.0\system32\wininet.dll

============= FINISH: 22:24:40.00 ===============


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 10:32 pm

Hello.
There are one or two things we need to remove, but they are not a high threat right now; we'll remove them along with some policies set by the malware, so let's see what policies are active.


  • Now open a new notepad file.
  • Input this into the notepad file:

    regedit /e peek1.txt "HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Policies"
    regedit /e peek2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
    type peek1.txt >> look.txt
    type peek2.txt >> look.txt
    del peek*.txt
    start notepad look.txt

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.



Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 10:39 pm

look.bat wrote:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoResolveTrack"=dword:00000001
"LinkResolveIgnoreLinkInfo"=dword:00000001
"NoResolveSearch"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 10:45 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :processes
    explorer.exe

    :files
    c:\documents and settings\tom\application data\google\*.*
    c:\windows.0\system32\TDSSosvd.dat

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wclock"="-

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 10:52 pm

OTMoveIT log wrote:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder c:\documents and settings\tom\application data\google\*.* not found.
c:\windows.0\system32\TDSSosvd.dat moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\"wclock"|"- /E : value set successfully!
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Opera cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_224902

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 10:56 pm

Hello.
I made a mistake and it set a value instead of deleting it.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wclock"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


What problems remain?


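Both look.bat (which exports the Policies keys with regedit /e) and fix.reg rely on the regedit text format, and the first OTMoveIt script shows how a one-character slip changes its meaning: in .reg syntax `"wclock"=-` deletes the value, while anything quoted is stored as a string, which matches the helper's note that the first script set a value instead of deleting it. The Python below is an added example, not code from the thread or from any of the tools it uses; it parses that format, distinguishes the two spellings, and diffs the posted HKCU Explorer policy export against a constructed clean baseline (the baseline values are an assumption, not data from the thread).

```python
"""Parse and diff 'regedit /e' exports in the look.txt format from the thread."""
import re
from typing import Dict, Optional, Tuple, Union

# A value's payload: int for dword, str for a quoted string, None for the delete
# directive "name"=-. Keys and names are lower-cased (the registry ignores case).
RegValue = Union[int, str, None]
RegExport = Dict[Tuple[str, str], RegValue]
Changes = Dict[Tuple[str, str], Tuple[RegValue, RegValue]]
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg string escapes: \\ and \"


def _parse_payload(data: str) -> RegValue:
    """Interpret the right-hand side of a "name"=... line."""
    if data == "-":                     # "name"=-  removes the value on merge
        return None
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith('"'):
        if len(data) < 2 or not data.endswith('"'):  # e.g. the thread's "wclock"="-
            raise ValueError(f"unterminated string value: {data!r}")
        return _unescape(data[1:-1])    # "name"="-" stores the string "-"
    raise ValueError(f"unsupported value syntax: {data!r}")


def parse_reg_export(text: str) -> RegExport:
    """Parse one or more concatenated exports (look.bat appends two into look.txt)."""
    values: RegExport = {}
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a pasted UTF-16 BOM
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"cannot parse line: {raw!r}")
        name = "@" if m.group(1) == "@" else _unescape(m.group(2)).lower()
        values[(key, name)] = _parse_payload(m.group(3))
    return values


def is_valid_reg(text: str) -> bool:
    try:
        parse_reg_export(text)
        return True
    except ValueError:
        return False


def diff_exports(baseline: RegExport, current: RegExport) -> Changes:
    """(old, new) for every value that was added, removed or changed."""
    return {k: (baseline.get(k), current.get(k))
            for k in set(baseline) | set(current)
            if baseline.get(k) != current.get(k)}


# The HKCU\...\Policies\Explorer part of the look.txt posted above (page content).
LOOK_TXT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoResolveTrack"=dword:00000001
"LinkResolveIgnoreLinkInfo"=dword:00000001
"NoResolveSearch"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"""

# Constructed baseline standing in for an export taken from a known-clean machine.
BASELINE_TXT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""


def policy_changes() -> Changes:
    """Explorer policy values that differ between the baseline and look.txt."""
    return diff_exports(parse_reg_export(BASELINE_TXT), parse_reg_export(LOOK_TXT))
```

policy_changes() reports the four Explorer values present in look.txt but absent from the baseline; which of them the malware set is a judgment for the analyst, not something the parser decides.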

Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 11:09 pm

At first glance, both browsers (FF and Opera) now appear to be functioning correctly. Google searches are not being redirected, and I can get onto the Eset website without problem (was being redirected before).

I am removing NOD32 and reinstalling. For the duration of the infection I had removed my existing (paid) version and installed the latest beta test; however, the virus wouldn't allow it to update to the latest virus library, and there may be an issue with the password I have been provided with. I am reinstalling my existing version to see if it will allow me to update the virus libraries.

Other than that, everything seems fine. Would it be a good idea to change my login password, and my email passwords? Presumably the access passwords to my router will be unaffected, but should I change them anyway? Forums I'm not concerned with, and I do not use internet banking, although I do use PayPal and eBay - I'll change those.


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 11:10 pm

Change them if you feel you want to, but the virus hasn't stolen any passwords.



Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 11:16 pm

NOD32 reinstalled (downloaded direct from ftp) perfectly and has updated itself without issue.

I will keep a close eye on the computer for now, but I'd like to express my sincere gratitude for your help resolving this. I know I'm just words on a screen, but believe me when I say I am one very very grateful computer owner, and that if there is anything I can do to return your hard work, please just let me know.

Thank you very much.


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 11:18 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (to turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.



Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 11:27 pm

Thank you for the excellent advice. I have created a new restore point. I will download some of the spyware tools you recommended; other than that, I already follow the rest of the advice. Everything is updated automatically, on a daily basis.

I am utterly clueless as to how this infection occurred; I never open unknown attachments, so I'll have a read of that guide.

Once again, thank you very much for your help. By the way, I don't suppose you have a link that explains what this virus does?


Solved Re: Win32.Zafi.B

Post by Belahzur on Sun Jan 11, 2009 11:29 pm

Read about it here:
[You must be registered and logged in to see this link.]



Solved Re: Win32.Zafi.B

Post by Parrot of Doom on Sun Jan 11, 2009 11:38 pm

Ahh, email gathering only. That's alright; I tend to think most of the people I email myself have limited or no virus protection anyway. They can have some back ;)


Solved Re: Win32.Zafi.B

Post by Doctor Inferno on Sat Mar 28, 2009 8:06 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

