Zafi.B and Browser Hijack

Solved Zafi.B and Browser Hijack

Post by Wally on Tue Jan 20, 2009 8:10 pm

HELP!!!

I can't begin removal of Zafi.B because it keeps redirecting my IE browser. I'm actually typing this by being logged into a remote server. I can't even go to Lavasoft to download the newest version of Adaware.

Please help get this crappy Zafi.B off my computer ASAP!

Wally
Novice

Posts : 7
Joined : 2009-01-20
OS : Windows XP

Solved Re: Zafi.B and Browser Hijack

Post by Belahzur on Tue Jan 20, 2009 8:18 pm

Please read here and post a Hijack This log.
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
OS : XP SP3 Media Centre

Solved Re: Zafi.B and Browser Hijack

Post by Wally on Tue Jan 20, 2009 8:26 pm

I can't do any of this stuff! My browser will not let me.


Solved Re: Zafi.B and Browser Hijack

Post by Belahzur on Tue Jan 20, 2009 8:54 pm

Okay, try this.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Solved Re: Zafi.B and Browser Hijack

Post by Wally on Tue Jan 20, 2009 9:29 pm

I can't do anything on my machine because the browser keeps saying "Internet Explorer cannot display the webpage". Remember, I'm connected to this website only because I'm logged on remotely to my server at work and using its Internet Explorer to access your website.

I tried copying the links above into my address bar on my PC and into the Start > Run menu and I get the same results. Thanks for your help.


Solved Re: Zafi.B and Browser Hijack

Post by Belahzur on Tue Jan 20, 2009 9:36 pm

Let's run a rootkit scan.
Use the second link for The Avenger here; it shouldn't be blocked.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt.
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Solved Re: Zafi.B and Browser Hijack

Post by Wally on Tue Jan 20, 2009 9:49 pm

**This freaked me out. It went to a blue screen, then said a fatal error had occurred. I had to log back on and this text was on my desktop. Please tell me your website is legit.




Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSmaxt.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.


Solved Re: Zafi.B and Browser Hijack

Post by Belahzur on Tue Jan 20, 2009 9:59 pm

Hello.
Yeah, sadly the rootkit doesn't like to be removed without causing more problems.
I don't think we did any damage, as the rootkit is disabled now, so let's kill it off.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing Ctrl+C.


Drivers to delete:
TDSSserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\TDSSmaxt.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt.
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Please post the DDS log now, the links will work.


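Worked example (added here; not code from the thread or from The Avenger's author): a small Python parser for the Avenger rootkit-scan log above that pulls out each hidden driver's service name and its ImagePath, then renders the two-section removal script in the layout Belahzur posted. It makes explicit why both sections are needed: the service name (TDSSserv.sys) and the file on disk (TDSSmaxt.sys) differ. The embedded log is a constructed excerpt of the one posted in this thread, and C:\WINDOWS as the system root is an assumption.

```python
import re

# Constructed excerpt of the Avenger rootkit-scan log posted in this thread
# (only the lines the parser cares about).
AVENGER_LOG = """\
Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \\systemroot\\system32\\drivers\\TDSSmaxt.sys
Driver disabled successfully.

Rootkit scan completed.
"""

HIDDEN_RE = re.compile(r'^Hidden driver "(?P<name>[^"]+)" found!$')
IMAGE_RE = re.compile(r'^ImagePath:\s*(?P<path>\S+)$')


def parse_hidden_drivers(log_text):
    """Return (service_name, image_path) pairs reported by the rootkit scan.

    Each 'Hidden driver' line is paired with the ImagePath line that follows
    it; image_path is None if the log gives no path for that driver.
    """
    lines = [ln.strip() for ln in log_text.splitlines()]
    found = []
    for i, line in enumerate(lines):
        m = HIDDEN_RE.match(line)
        if not m:
            continue
        image = None
        for nxt in lines[i + 1:i + 4]:   # ImagePath sits on the next line or two
            im = IMAGE_RE.match(nxt)
            if im:
                image = im.group("path")
                break
        found.append((m.group("name"), image))
    return found


def to_win_path(image_path, windir="C:\\WINDOWS"):
    """Translate an NT-style \\systemroot\\... image path into a drive path.

    Assumption: the system root is C:\\WINDOWS, as on the machine in this
    thread. Any other path is returned unchanged.
    """
    prefix = "\\systemroot\\"
    if image_path.lower().startswith(prefix):
        return windir + "\\" + image_path[len(prefix):]
    return image_path


def build_avenger_script(log_text):
    """Render the removal script in the layout used in this thread.

    The service (TDSSserv.sys) and the file it loads (TDSSmaxt.sys) have
    different names, so the script needs a 'Drivers to delete' section for
    the service and a 'Files to delete' section for the file on disk.
    Returns '' when the scan found nothing.
    """
    drivers = parse_hidden_drivers(log_text)
    if not drivers:
        return ""
    out = ["Drivers to delete:"] + [name for name, _ in drivers]
    files = [to_win_path(img) for _, img in drivers if img]
    if files:
        out += ["", "Files to delete:"] + files
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_avenger_script(AVENGER_LOG))
```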

Solved Re: Zafi.B and Browser Hijack

Post by Wally on Wed Jan 21, 2009 11:15 am

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:




Rootkit scan active.
No rootkits found!

Driver "TDSSserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\TDSSmaxt.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


**Very frustrated. After this, the fake security center message immediately popped up and my browser is doing the same thing. The weird thing is, after the "proceed without protection" message I get, now I can go to the sites I couldn't go to earlier, i.e. Lavasoft.


Solved Re: Zafi.B and Browser Hijack

Post by Belahzur on Wed Jan 21, 2009 3:00 pm

Yes, I know, it will do and will keep doing it until we remove the problem.
Just stay with me on this and we'll remove it together.

Please run DDS now, the links will work.



Solved Re: Zafi.B and Browser Hijack

Post by Wally on Wed Jan 21, 2009 4:35 pm

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Dillion\Application Data\Google\cijwg16225165.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Dillion\Local Settings\Temporary Internet Files\Content.IE5\TCGI2M0P\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [realteke] "c:\documents and settings\dillion\application data\google\cijwg16225165.exe" 2
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-21 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-21 26824]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-21 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-21 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-21 76040]
S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [2006-7-6 222336]

=============== Created Last 30 ================

2009-01-21 05:31 --d-h--- C:\$AVG8.VAULT$
2009-01-21 05:26 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-21 05:26 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-21 05:26 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-21 05:26 --d----- c:\windows\system32\drivers\Avg
2009-01-21 05:26 --d----- c:\docume~1\dillion\applic~1\AVGTOOLBAR
2009-01-21 05:26 --d----- c:\program files\AVG
2009-01-21 05:26 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-19 06:40 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-01-19 06:40 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-01-19 06:40 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-19 06:40 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-01-19 06:40 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-01-19 06:40 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-01-19 06:40 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-01-19 06:40 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-19 06:40 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-01-19 06:36 --d----- c:\windows\network diagnostic
2009-01-19 06:36 33,792 ac------ c:\windows\system32\dllcache\custsat.dll
2009-01-18 20:49 --d----- c:\windows\system32\CatRoot_bak
2009-01-18 20:49 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-18 20:47 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-01-18 11:29 54,843 a------- c:\windows\Sysvxd.exe
2009-01-18 09:52 2,204 a------- c:\windows\system32\TDSSfpmp.dll
2009-01-18 09:52 441 a------- c:\windows\system32\TDSSosvn.dat
2009-01-18 09:49 --d----- c:\docume~1\dillion\applic~1\Yahoo

==================== Find3M ====================

2009-01-06 10:10 4,348 a------- c:\windows\system32\d3d9caps.dat
2008-12-11 05:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-10-24 19:55 4,124 a------- c:\windows\system32\d3d8caps.dat

============= FINISH: 10:31:04.58 ===============

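Worked example (added here; not code from the thread or from DDS's author): a Python triage pass over the DDS log sections above. It flags Run entries that launch an executable from a user-writable profile directory (the realteke entry) and recently created files under \windows that carry the TDSS name prefix, which are the items the next reply targets. The embedded log is a constructed excerpt of the one posted above; the user-writable directory list and the TDSS prefix are heuristics assumed for this thread.

```python
import re

# Constructed excerpt of the DDS log posted in this thread: a few lines from
# the "Pseudo HJT Report" and "Created Last 30" sections, not the whole log.
DDS_LOG = """\
============== Pseudo HJT Report ===============

uRun: [swg] c:\\program files\\google\\googletoolbarnotifier\\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [iTunesHelper] "c:\\program files\\itunes\\iTunesHelper.exe"
mRun: [realteke] "c:\\documents and settings\\dillion\\application data\\google\\cijwg16225165.exe" 2
mRun: [AVG8_TRAY] c:\\progra~1\\avg\\avg8\\avgtray.exe

=============== Created Last 30 ================

2009-01-21 05:31 --d-h--- C:\\$AVG8.VAULT$
2009-01-21 05:26 10,520 a------- c:\\windows\\system32\\avgrsstx.dll
2009-01-18 11:29 54,843 a------- c:\\windows\\Sysvxd.exe
2009-01-18 09:52 2,204 a------- c:\\windows\\system32\\TDSSfpmp.dll
2009-01-18 09:52 441 a------- c:\\windows\\system32\\TDSSosvn.dat
2009-01-18 09:49 --d----- c:\\docume~1\\dillion\\applic~1\\Yahoo
"""

# uRun = per-user Run key, mRun = machine Run key; the executable may be quoted.
RUN_RE = re.compile(r'^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*"?(?P<exe>[^"]+?\.exe)"?', re.I)
# "Created Last 30" line: date time [size] 8-char attribute field path
CREATED_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?:(?P<size>[\d,]+) )?(?P<attr>[-a-z]{8}) (?P<path>.+)$', re.I)

# Heuristic (assumed for this thread): profile locations a non-admin user can
# write to. A Run entry launching from one of these is the realteke pattern.
USER_WRITABLE = ("\\application data\\", "\\applic~1\\",
                 "\\local settings\\", "\\locals~1\\", "\\temp\\")
# File-name prefix shared by every rootkit component in this thread's logs.
ROOTKIT_PREFIX = "tdss"


def _section_name(line):
    """'============== Pseudo HJT Report ===============' -> 'pseudo hjt report'"""
    return line.strip("= ").lower()


def triage_dds(log_text):
    """Return (category, detail) findings from DDS log text.

    1. uRun/mRun entries whose executable lives in a user-writable profile dir.
    2. Files created in the last 30 days under the Windows directory whose
       name starts with the TDSS prefix.
    """
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("="):
            section = _section_name(line)
            continue
        if section == "pseudo hjt report":
            m = RUN_RE.match(line)
            if m and any(tag in m.group("exe").lower() for tag in USER_WRITABLE):
                findings.append(("run-from-user-writable",
                                 f"{m.group('hive')}Run [{m.group('name')}] -> {m.group('exe')}"))
        elif section == "created last 30":
            m = CREATED_RE.match(line)
            if not m:
                continue
            path = m.group("path")
            base = path.lower().rsplit("\\", 1)[-1]
            if "\\windows\\" in path.lower() and base.startswith(ROOTKIT_PREFIX):
                findings.append(("rootkit-named-file", f"{m.group('date')} {path}"))
    return findings


def cleanup_targets(findings):
    """Paths behind each finding, in the order found: the flagged executable
    for a Run entry, the file itself for a rootkit-named file."""
    targets = []
    for category, detail in findings:
        if category == "rootkit-named-file":
            targets.append(detail.split(" ", 1)[1])
        elif category == "run-from-user-writable":
            targets.append(detail.split(" -> ", 1)[1])
    return targets
```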

Solved Re: Zafi.B and Browser Hijack

Post by Belahzur on Wed Jan 21, 2009 4:38 pm

Okay, this will finish it off, the alerts will stop after this is done.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\system32\TDSSfpmp.dll
    c:\windows\system32\TDSSosvn.dat
    C:\avenger
    C:\avenger.txt
    C:\Documents and Settings\Dillion\Application Data\Google\*.*

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "realteke"=-

    :commands
    [purity]
    [emptytemp]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Solved Re: Zafi.B and Browser Hijack

Post by Wally on Wed Jan 21, 2009 7:42 pm

========== FILES ==========
File/Folder c:\windows\system32\TDSSfpmp.dll not found.
File/Folder c:\windows\system32\TDSSosvn.dat not found.
File/Folder C:\avenger not found.
File/Folder C:\avenger.txt not found.
File/Folder C:\Documents and Settings\Dillion\Application Data\Google\*.* not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\realteke deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R117.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R11B.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R11F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R123.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R127.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R12B.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R12F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R133.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R143.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R147.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R14B.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R14F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R153.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R157.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R15B.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R15F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R59.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R5D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R61.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R65.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R69.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R6D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R71.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R75.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@RC5.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@RC9.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@RCD.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@RD1.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01212009_133229

Files moved on Reboot...
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R117.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R11B.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R11F.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R123.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R127.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R12B.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R12F.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R133.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R143.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R147.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R14B.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R14F.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R153.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R157.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R15B.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R15F.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R59.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R5D.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R61.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R65.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R69.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R6D.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R71.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@R75.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@RC5.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@RC9.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@RCD.tmp moved successfully.
C:\DOCUME~1\Dillion\LOCALS~1\Temp\Z@RD1.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.




~~Looks like they may have stopped. Do I need to delete all of the things I downloaded to help with this problem, i.e. Avenger, DDS?

I'm not really computer savvy and really paranoid about this stuff, so forgive me if these are stupid questions.


Solved Re: Zafi.B and Browser Hijack

Post by Belahzur on Wed Jan 21, 2009 7:57 pm

Hello.
Yes, delete the tools, the infection should be gone now.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.



Solved Re: Zafi.B and Browser Hijack

Post by Doctor Inferno on Sat May 02, 2009 6:45 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator

Posts : 12017
Joined : 2007-12-26
OS : Windows 7 Home Premium and Ultimate X64
