win32.Zafi.b Help


Solved win32.Zafi.b Help

Post by ZEO on 12th January 2009, 3:09 pm

I made the mistake of restarting my computer when it started acting up, and after reading the other Zafi.b topics I see that was a bad idea. Well, now I've got the fake pop-up (Security Center Alert) and need help getting rid of it.

Thanks,

Here's my HijackThis log:


Last edited by ZEO on 13th January 2009, 8:40 pm; edited 1 time in total

ZEO
Novice

Posts: 10
Joined: 2009-01-12
OS: Dell XP Home
Points: 28880
Likes: 0


Post by Belahzur on 12th January 2009, 3:22 pm

Hello.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O3 - Toolbar: (no name) - {4fcc864f-07ef-4409-95f5-cf62803e7d0e} - (no file)
    O4 - HKLM\..\RunServices: [Real Player Daemon] realplayd.exe
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS2\system32\drivers\svchost.exe
    O20 - Winlogon Notify: Shell - C:\WINDOWS2\system32\icseng.dll (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS2\cvazkzn.exe (file missing)


  • Press "Fix Checked"
  • Close HijackThis.

1. Please download The Avenger by Swandog46 to your Desktop

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
C:\WINDOWS2\system32\drivers\svchost.exe
C:\WINDOWS2\system32\realplayd.exe

Folders to delete:
C:\Program Files\Viewpoint

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1
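The HijackThis entries and the Avenger script in the post above encode a few checks the helper made by eye: a file named svchost.exe started from somewhere other than %windir%\system32, a bare filename (no directory) in a RunServices key, a service with "Unknown owner", and autostart entries whose file no longer exists. The following is an added example, not code from the thread, from HijackThis or from The Avenger: it parses O3/O4/O20/O23 log lines, flags those patterns with a reason for each, and drafts the "Files to delete:" block in the format the helper posted. The sample log is reconstructed from the entries quoted above plus one benign constructed line (ctfmon.exe); the Windows directory C:\WINDOWS2, the list of system binary names, and the guess that a bare RunServices filename lives in system32 (the same guess the helper made) are this example's assumptions. It deliberately does not flag the Viewpoint service, which the helper removed as unwanted software rather than on anything visible in the log line.

```python
"""Triage HijackThis autostart entries and draft an Avenger 'Files to delete:' list.

Added example, not code from the original thread, HijackThis or The Avenger.
Heuristics mirror what the helper checked by eye: a system-binary name started
from a non-system directory, bare filenames in Run/RunServices keys, services
with no owner, and entries whose file is missing.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Names malware borrows from Windows; on XP each lives only in %windir%\system32
# (assumption used by this example).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>\{[0-9a-fA-F-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?: \((?P<note>[^)]+)\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?: \((?P<note>[^)]+)\))?$")

# Constructed sample: the entries quoted in the thread plus one benign line.
SAMPLE_LOG = [
    r"O3 - Toolbar: (no name) - {4fcc864f-07ef-4409-95f5-cf62803e7d0e} - (no file)",
    r"O4 - HKLM\..\RunServices: [Real Player Daemon] realplayd.exe",
    r"O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS2\system32\drivers\svchost.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe",
    r"O20 - Winlogon Notify: Shell - C:\WINDOWS2\system32\icseng.dll (file missing)",
    r"O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe",
    r"O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS2\cvazkzn.exe (file missing)",
]


@dataclass
class Finding:
    entry: str                          # raw HijackThis line
    reasons: list[str] = field(default_factory=list)
    delete_path: str | None = None      # file for Avenger to remove, if one is on disk


def _executable(cmd: str) -> str:
    """Strip arguments from a Run-key command line, leaving the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    cut = cmd.lower().find(".exe ")
    return cmd[:cut + 4] if cut != -1 else cmd


def triage(log_lines, windir: str = r"C:\WINDOWS2") -> list[Finding]:
    """Return one Finding per suspicious O3/O4/O20/O23 line; benign lines are skipped."""
    system32 = ntpath.join(windir, "system32").lower()
    findings: list[Finding] = []
    for raw in log_lines:
        line = raw.strip()
        f = Finding(entry=line)
        if m := O3_RE.match(line):
            if m["path"] == "(no file)":
                f.reasons.append("toolbar CLSID with no backing file (orphaned add-on)")
        elif m := O4_RE.match(line):
            exe = _executable(m["cmd"])
            base, folder = ntpath.basename(exe).lower(), ntpath.dirname(exe).lower()
            if base in SYSTEM_BINARIES and folder != system32:
                f.reasons.append(f"{base} started from {folder or '<search path>'}, not {system32}")
                f.delete_path = exe
            if not folder:
                f.reasons.append(f"bare filename in {m['hive']}\\..\\{m['key']}: resolved via search path")
                # Assumption (the helper made the same one): the file sits in %windir%\system32.
                f.delete_path = ntpath.join(windir, "system32", exe)
        elif m := O20_RE.match(line):
            if m["note"]:
                f.reasons.append(f"Winlogon Notify '{m['name']}' points at a DLL that is {m['note']}")
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner":
                f.reasons.append("service with no vendor/owner")
                f.delete_path = m["path"]
            if m["note"]:
                f.reasons.append(f"service binary {m['path']} is {m['note']}")
                f.delete_path = None  # nothing on disk; fixing the registry entry is enough
        if f.reasons:
            findings.append(f)
    return findings


def avenger_script(findings: list[Finding]) -> str:
    """Draft the 'Files to delete:' block in the format the helper posted."""
    files = sorted({f.delete_path for f in findings if f.delete_path})
    return "Files to delete:\n" + "\n".join(files) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f.entry)
        for r in f.reasons:
            print("   ->", r)
    print()
    print(avenger_script(found))
```

On the sample log this flags five of the seven lines and drafts exactly the two file paths the helper put in the Avenger script; the O3, O20 and "file missing" O23 entries are registry-only fixes (HijackThis "Fix Checked"), so they carry no delete path. Treat the output as a worksheet for a human, not as something to run unattended: the bare-filename case in particular is a guess about where the file lives, and Avenger's own backup is the only safety net once a path is in the script.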


Post by ZEO on 12th January 2009, 3:57 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
*edit*


Last edited by ZEO on 13th January 2009, 8:40 pm; edited 1 time in total



Post by ZEO on 12th January 2009, 4:05 pm

The trojan is still there.



Post by Belahzur on 12th January 2009, 4:07 pm

Hello.
Yes, it's okay.


  • Please download DDS by sUBs to your Desktop (Important!!).
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.






Post by ZEO on 12th January 2009, 4:27 pm

*edit*


Last edited by ZEO on 13th January 2009, 8:42 pm; edited 1 time in total



Post by Belahzur on 12th January 2009, 4:34 pm

Hello.

Please download OTMoveIt3.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :processes
    explorer.exe

    :files
    c:\documents and settings\zeo\application data\google\*.*

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "winclock"=-

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.






Post by ZEO on 12th January 2009, 4:46 pm

*edit*


Last edited by ZEO on 13th January 2009, 8:43 pm; edited 1 time in total



Post by Belahzur on 12th January 2009, 4:53 pm

Hello.
Looks good now, what problems remain?

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of Java.
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa.

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.






Post by ZEO on 12th January 2009, 4:56 pm

OK, I'll update that. The trojan is still there though; on the last restart I got the fake pop-up again, and I just got a message saying my Windows Firewall just turned off again. Sounds like it's trying to install itself again.



Post by ZEO on 12th January 2009, 4:56 pm

I deleted my browser cookies, just in case; I don't know.



Post by Belahzur on 12th January 2009, 5:03 pm

Okay, it could be a LOP infection; I see you have Messenger Plus 3.

Please download Deljob.exe and save it on your desktop.
Double-click Deljob.exe.

A log, (logit.txt) should open afterwards. This log will be present on your desktop. Please paste the contents of this log file in your next reply.






Post by ZEO on 12th January 2009, 5:07 pm

*edit*


Last edited by ZEO on 13th January 2009, 8:43 pm; edited 1 time in total



Post by ZEO on 12th January 2009, 5:11 pm

If you think MSN Plus might be causing problems, I'll delete it.

A couple of things I can think of that might have gone wrong:

When I ran MoveIt I had a lot of pop-up errors saying another program was blocking it.

And it did report an error in the log.

(Sorry for the bad grammar and not remembering; I haven't slept all night.)



Post by Belahzur on 12th January 2009, 5:13 pm

Yes, I think it probably is. Delete this folder once you have removed Messenger Plus:
C:\Documents and Settings\All Users.WINDOWS2\Application Data\Messenger Plus!

Also, I have bad news.

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the linked articles (link list visible only to logged-in forum members).






Post by ZEO on 12th January 2009, 5:21 pm

Well, it's been quite a few years now; it's time that I reformat anyway. I got a new external hard drive to put my files on.

Is there any way to close that back door or find out who's getting that info? I don't do much of any kind of banking on this computer or use a credit card, just game accounts and email passwords.

Or repeat the MoveIt step and shut off the program blocking it?

Oh yeah, and I know what site I visited when I got the trojan: Ragzone.com. I used to trust them; not anymore. I want to send that guy some hate mail.

But thank you for trying.



Post by Belahzur on 12th January 2009, 5:27 pm

Nope, no way of knowing who's stealing the info, but they are.
This is a backdoor that targets game accounts and spreads via user accounts, so format is probably best.






Post by Doctor Inferno on 28th March 2009, 8:54 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.



Doctor Inferno
Administrator

Posts: 11976
Joined: 2007-12-26
Gender: Male
OS: Windows 7 Home Premium and Ultimate X64
Protection: Kaspersky PURE and Malwarebytes' Anti-Malware
Points: 104630
Likes: 0
