Win32.Zafi.B Help Please


Solved Win32.Zafi.B Help Please

Post by drogersca on 14th January 2009, 3:20 am

I keep receiving a "Windows Firewall has blocked some features of this program" alert telling me: "Windows Firewall has detected unauthorized activity, but unfortunately it cannot help you to remove viruses, keyloggers and other spyware threats that steal your personal information from your computer. Click here to pick recommended software. Name: Win32.Zafi.B; Risk Level: High; Description: This Trojan has a keyboard logging function, which is intended to steal information from users of a range of online payment systems."
My choices are to "click here" or choose a button titled "Protect" that looks official, from Windows. I have not chosen anything except to "x" out of the alert. Interestingly enough, I have disabled my Windows firewall and now run McAfee Security provided by Comcast Cablevision, my ISP. Once McAfee was installed through Comcast, I keep receiving upon startup a notice from McAfee telling me that Win32.Zafi.B has been identified and taken care of. Unfortunately, I do not know how to make sure the worm is completely removed from my system; I keep receiving these alerts. Please help. Thanks.


Solved Re: Win32.Zafi.B Help Please

Post by Doctor Inferno on 14th January 2009, 7:52 am

Please read this topic:

[You must be registered and logged in to see this link.]

And post a HijackThis log.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.


Solved Scan log file as requested

Post by drogersca on 31st January 2009, 10:36 pm

I keep getting a pop-up that says my Windows Firewall has blocked some features of this program. It is a Windows Security Alert. It says Windows Firewall has detected unauthorized activity, but unfortunately it cannot help you to remove viruses, keyloggers and other spyware threats that steal your personal information from your computer. Click here to pick recommended software. Name: Win32.Zafi.B; Risk Level: High; Description: this trojan has a keyboard logging function, which is intended to steal information from users of a range of online payment systems.

It then has two buttons, one greyed out that says Keep Blocking and one that I can choose (which I have not) that says Protect and shows the Windows shield.

My Windows firewall is disabled and I am running McAfee. My McAfee informed me it previously cleaned a trojan, but also cannot remove a trojan on the same scan.

Please help me remove this annoying popup. We have not clicked on either available link or button. We continually hit the X button on the top right of the pop-up box. It will go away for about 5 minutes and come back. Thank you!!!!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:21 PM, on 1/31/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Users\bestbuy\AppData\Roaming\Google\winck.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\bestbuy\Downloads\hijackgpthis.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 2501 bytes


Solved Re: Win32.Zafi.B Help Please

Post by Belahzur on 31st January 2009, 10:42 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Right-click DDS.scr > select "Run as administrator" to run DDS.
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Scan as requested...Thank you for your help.

Post by drogersca on 1st February 2009, 3:25 am

DDS (Ver_09-01-19.01) - NTFSx86
Run by bestbuy at 19:14:11.83 on Sat 01/31/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.894.325 [GMT -8:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Users\bestbuy\AppData\Roaming\Google\winck.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Users\bestbuy\Downloads\hijackgpthis.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\bestbuy\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Download Manager Browser Helper Object: {19c8e43b-07b3-49cb-bffc-6777b593e6f8} - c:\progra~1\common~1\fluxdvd\downlo~1\XEBDLH~1.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
uRun: [winclock] "c:\users\bestbuy\appdata\roaming\google\winck.exe" 2
uRun: [AROReminder] c:\program files\advanced registry optimizer\ARO.exe -rem
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [RtHDVCpl] "c:\windows\RtHDVCpl.exe"
mRun: [Spare Backup] "c:\program files\spare backup\SpareBackup.exe" /silent
mRun: [BigFix] "c:\program files\bigfix\bigfix.exe" /atstartup
mRun: [HPAIO_PrintFolderMgr] c:\windows\system32\spool\drivers\w32x86\hpoopm07.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Skytel] "c:\windows\Skytel.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CinemaNowMediaManagerApp]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\bestbuy\appdata\roaming\micros~1\windows\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
StartupFolder: c:\users\bestbuy\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\bestbuy\appdata\roaming\micros~1\windows\startm~1\programs\startup\wkcalrem.lnk - c:\program files\common files\microsoft shared\works shared\WkCalRem.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Notify: DfLogon - LogonDll.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bestbuy\appdata\roaming\mozilla\firefox\profiles\of5ofddf.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\common files\fluxdvd\apix\NPAPIX.dll
FF - plugin: c:\program files\common files\fluxdvd\browserintegration\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\common files\mpdrm\NPMPDRM.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de680400}\plugins\npCinemaNowPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAPIX.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMPDRM.dll

============= SERVICES / DRIVERS ===============

S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-01-31 13:39 97,800 a------- c:\windows\system32\infocardapi.dll
2009-01-31 13:39 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-01-31 13:39 622,080 a------- c:\windows\system32\icardagt.exe
2009-01-31 13:39 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-01-31 13:39 11,264 a------- c:\windows\system32\icardres.dll
2009-01-31 13:39 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-01-31 13:39 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-01-31 13:39 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-01-31 13:25 96,760 a------- c:\windows\system32\dfshim.dll
2009-01-31 13:25 282,112 a------- c:\windows\system32\mscoree.dll
2009-01-31 13:25 41,984 a------- c:\windows\system32\netfxperf.dll
2009-01-31 13:24 158,720 a------- c:\windows\system32\mscorier.dll
2009-01-31 13:24 83,968 a------- c:\windows\system32\mscories.dll
2009-01-31 13:04 --d----- c:\users\bestbuy\.SunDownloadManager
2009-01-31 09:14 --d----- c:\windows\system32\Adobe
2009-01-24 10:54 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-24 09:37 --d----- c:\program files\eFax
2009-01-24 09:29 --d----- c:\users\bestbuy\appdata\roaming\McAfee
2009-01-13 18:15 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-11 11:54 --d----- c:\program files\common files\Wise Installation Wizard
2009-01-11 11:49 --d----- c:\users\bestbuy\appdata\roaming\Sammsoft
2009-01-11 11:49 --d----- c:\program files\Advanced Registry Optimizer
2009-01-10 11:06 13,249 a------- c:\windows\system32\Config.MPF
2009-01-10 11:05 143,360 a------- c:\windows\system32\dunzip32.dll
2009-01-10 11:02 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-01-10 11:02 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-10 11:02 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-10 11:02 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-01-10 11:02 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-01-10 11:02 125,728 a------- c:\windows\system32\drivers\Mpfp.sys
2009-01-10 11:02 --d----- c:\program files\McAfee.com
2009-01-10 11:02 --d----- c:\program files\common files\McAfee
2009-01-10 11:01 --d----- c:\program files\McAfee
2009-01-09 08:01 --d----- c:\users\bestbuy\appdata\roaming\Southwest Airlines

==================== Find3M ====================

2009-01-11 19:45 31 a------- c:\users\bestbuy\jagex_runescape_preferences.dat
2009-01-09 08:02 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-09 08:02 86,016 a------- c:\windows\inf\infstor.dat
2009-01-09 08:02 51,200 a------- c:\windows\inf\infpub.dat
2008-12-30 22:24 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-08-01 04:29 60,744 a------- c:\users\bestbuy\g2mdlhlpx.exe
2008-06-24 12:39 174 a--sh--- c:\program files\desktop.ini
2008-06-24 12:16 665,600 a------- c:\windows\inf\drvindex.dat
2008-02-04 12:42 144 a------- c:\users\bestbuy\appdata\roaming\wklnhst.dat
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:14:58.54 ===============

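An added example, not from this thread and not a GeekPolice, DDS or HijackThis tool: the entry the helpers went after is the per-user Run value `uRun: [winclock] "c:\users\bestbuy\appdata\roaming\google\winck.exe" 2`, whose binary lives in a directory any logged-on user can write to. The Python below parses lines in the DDS "Pseudo HJT Report" layout seen above (uRun, mRun, mRunOnce, StartupFolder, BHO, TB) and flags what a triager looks at first: autorun targets under the user profile, autorun values with no command, and BHO/toolbar registrations marked "No File". The sample lines are constructed, modelled on the log above; the rules are a triage heuristic to prioritise review, not a verdict.

```python
import re

# Report line kinds in the DDS/HijackThis "Pseudo HJT Report" layout.
AUTORUN_KINDS = ("uRun", "mRun", "mRunOnce", "StartupFolder")
LOADPOINT_KINDS = ("BHO", "TB")

LINE_RE = re.compile(r"^(\w+):\s*(.*)$")
VALUE_RE = re.compile(r"^\[([^\]]*)\]\s*(.*)$")
# A path token: drive letter, then anything up to a binary extension. Spaces are
# allowed because unquoted paths ("c:\program files\...\ARO.exe -rem") are common.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|scr|com|bat|cpl|pif)", re.I)

# Directories any logged-on user can write to. A persistent autorun pointing here
# is not proof of malware, but it is what a triager checks first.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\", "\\documents and settings\\")

# Constructed sample, modelled on the Pseudo HJT Report lines in the DDS log above.
SAMPLE_REPORT = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [winclock] "c:\users\bestbuy\appdata\roaming\google\winck.exe" 2
mRun: [RtHDVCpl] "c:\windows\RtHDVCpl.exe"
mRun: [CinemaNowMediaManagerApp]
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\users\bestbuy\appdata\roaming\micros~1\windows\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
"""


def _finding(kind, name, target, severity, reason):
    return {"kind": kind, "name": name, "target": target,
            "severity": severity, "reason": reason}


def triage(report_text):
    """Return a list of findings for the suspicious lines in an HJT-style report."""
    findings = []
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group(1), m.group(2)

        if kind in AUTORUN_KINDS:
            if kind == "StartupFolder":
                # "<shortcut .lnk> - <target>": only the target is of interest.
                name, _, command = rest.rpartition(" - ")
            else:
                vm = VALUE_RE.match(rest)
                if not vm:
                    continue
                name, command = vm.group(1), vm.group(2)
            if not command.strip():
                findings.append(_finding(kind, name, "", "low",
                                         "autorun value with no command"))
                continue
            # Every path in the command is checked, so a DLL handed to
            # rundll32.exe is inspected as well as rundll32.exe itself.
            for target in PATH_RE.findall(command):
                if any(w in target.lower() for w in USER_WRITABLE):
                    findings.append(_finding(kind, name, target, "high",
                                             "runs from a user-writable profile directory"))

        elif kind in LOADPOINT_KINDS and rest.lower().endswith("no file"):
            name = rest.rpartition(" - ")[0]
            findings.append(_finding(kind, name, "", "low",
                                     "orphaned load point (No File): registration remains, binary is gone"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['severity']:4}] {f['kind']:13} {f['name']!r:30} {f['target']} -- {f['reason']}")
```

Run on the sample, only `winclock` comes back as high; `ehTray.exe`, `RtHDVCpl`, the `rundll32.exe`/`NvCpl.dll` pair and the eFax startup shortcut (whose `.lnk` sits under AppData but whose target is under Program Files) are left alone. The two low findings, the empty `CinemaNowMediaManagerApp` value and the GUID-only BHO with `No File`, are clutter rather than infection, which is why they rank below the profile-directory autorun.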

Solved Re: Win32.Zafi.B Help Please

Post by Belahzur on 1st February 2009, 2:07 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\users\bestbuy\appdata\roaming\google\*.*

    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "winclock"=-

    :commands
    [purity]
    [emptytemp]
    [reboot]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.





Solved Re: Win32.Zafi.B Help Please

Post by drogersca on 1st February 2009, 7:35 pm

========== FILES ==========
c:\users\bestbuy\appdata\roaming\google\winck.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\winclock deleted successfully.
========== COMMANDS ==========
File delete failed. C:\Users\bestbuy\AppData\Local\Temp\IDC2.tmp\installer.exe scheduled to be deleted on reboot.
File delete failed. C:\Users\bestbuy\AppData\Local\Temp\etilqs_WgH7QZlkG617Y3oCU2mV scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Users\bestbuy\AppData\Local\Mozilla\Firefox\Profiles\of5ofddf.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\bestbuy\AppData\Local\Mozilla\Firefox\Profiles\of5ofddf.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\bestbuy\AppData\Local\Mozilla\Firefox\Profiles\of5ofddf.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\bestbuy\AppData\Local\Mozilla\Firefox\Profiles\of5ofddf.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\bestbuy\AppData\Local\Mozilla\Firefox\Profiles\of5ofddf.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Users\bestbuy\AppData\Local\Mozilla\Firefox\Profiles\of5ofddf.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02012009_113319

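An added example, not from this thread and not part of OTMoveIt: once a fix script like the one posted above has run, its log is the only evidence of what actually happened, and every "File delete failed ... scheduled to be deleted on reboot" line means the job is not finished until the machine restarts. The Python below parses the script's `:files`, `:reg` and `:commands` sections and the log's FILES/REGISTRY/COMMANDS blocks, then reports which requests the log confirms, which it does not, and what is still pending. The script and log text are constructed, trimmed from the ones posted above; the only line formats assumed are the ones visible in this thread.

```python
import fnmatch
import re

# Constructed sample: the fix script posted above and a trimmed copy of its log.
SCRIPT = r"""
:files
c:\users\bestbuy\appdata\roaming\google\*.*

:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winclock"=-

:commands
[purity]
[emptytemp]
[reboot]
"""

LOG = r"""
========== FILES ==========
c:\users\bestbuy\appdata\roaming\google\winck.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\winclock deleted successfully.
========== COMMANDS ==========
File delete failed. C:\Users\bestbuy\AppData\Local\Temp\IDC2.tmp\installer.exe scheduled to be deleted on reboot.
User's Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
"""

# Log line shapes as they appear in the thread; key and value name are separated by "\\".
MOVED_RE = re.compile(r"^(.+?) moved successfully\.$", re.I)
REG_DEL_RE = re.compile(r"^Registry value (.+)\\\\(.+) deleted successfully\.$", re.I)
PENDING_RE = re.compile(r"^File delete failed\. (.+?) scheduled to be deleted on reboot\.$", re.I)


def parse_script(text):
    """Return (file_patterns, reg_deletions, commands) requested by the script."""
    patterns, reg_deletions, commands = [], [], []
    section, current_key = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            section = line[1:].lower()
        elif section == "files":
            patterns.append(line)
        elif section == "reg":
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            else:
                # "name"=- requests deletion of a value; other assignments are ignored here.
                m = re.match(r'^"([^"]*)"=-$', line)
                if m and current_key:
                    reg_deletions.append((current_key, m.group(1)))
        elif section == "commands":
            commands.append(line.strip("[]").lower())
    return patterns, reg_deletions, commands


def parse_log(text):
    """Return (moved_paths, deleted_values, pending_paths) reported by the log."""
    moved, deleted, pending = [], [], []
    for line in (raw.strip() for raw in text.splitlines()):
        m = MOVED_RE.match(line)
        if m:
            moved.append(m.group(1))
            continue
        m = REG_DEL_RE.match(line)
        if m:
            deleted.append((m.group(1), m.group(2)))
            continue
        m = PENDING_RE.match(line)
        if m:
            pending.append(m.group(1))
    return moved, deleted, pending


def verify(script_text, log_text):
    """Cross-check the script's requests against what the log says happened."""
    patterns, reg_deletions, commands = parse_script(script_text)
    moved, deleted, pending = parse_log(log_text)

    # A :files pattern is satisfied if at least one moved path matches it (case-insensitive).
    unmatched = [p for p in patterns
                 if not any(fnmatch.fnmatch(path.lower(), p.lower()) for path in moved)]
    deleted_norm = {(k.lower(), v.lower()) for k, v in deleted}
    reg_missing = [(k, v) for k, v in reg_deletions
                   if (k.lower(), v.lower()) not in deleted_norm]
    return {
        "files_moved": moved,
        "unmatched_file_requests": unmatched,
        "reg_deleted": deleted,
        "reg_missing": reg_missing,
        "pending_reboot": pending,
        "reboot_requested": "reboot" in commands,
        # Nothing scheduled for reboot-time deletion is gone until the restart happens.
        "clean": not unmatched and not reg_missing and not pending,
    }


if __name__ == "__main__":
    for key, value in verify(SCRIPT, LOG).items():
        print(f"{key}: {value}")
```

On the sample both requests are confirmed (the `*.*` pattern is matched by `winck.exe`, the `winclock` value is reported deleted), but `clean` stays false because one temp-file deletion is still pending; that is the state in which the helper above asked "How is the machine now?", and the honest answer depends on whether the `[reboot]` the script requested has actually happened.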

Solved Re: Win32.Zafi.B Help Please

Post by Belahzur on 1st February 2009, 7:37 pm

Hello.
How is the machine now?





Solved Re: Win32.Zafi.B Help Please

Post by drogersca on 1st February 2009, 8:40 pm

The first few minutes are good; I will contact you soon with further update. Thank you.


Solved Re: Win32.Zafi.B Help Please

Post by Belahzur on 1st February 2009, 8:41 pm

I see you have Adobe Reader version 8 installed on this machine. This is old and has holes that malware can abuse to re-infect you, so we need to close these holes.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Adobe Reader 8
Then download and install version 9 from here:
[You must be registered and logged in to see this link.]





Solved Re: Win32.Zafi.B Help Please

Post by drogersca on 1st February 2009, 11:11 pm

Thank you - my problem is solved!!
Also, thank you for noticing that the upgrade I attempted per your previous instructions did not work. I have successfully upgraded to version 9.
You guys are the BEST!!!!!


Solved Re: Win32.Zafi.B Help Please

Post by drogersca on 1st February 2009, 11:13 pm

Thank You!


Solved Re: Win32.Zafi.B Help Please

Post by Belahzur on 1st February 2009, 11:15 pm

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.





Solved Re: Win32.Zafi.B Help Please

Post by Doctor Inferno on 9th May 2009, 10:10 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.



