win32.Zafi.B removal

View previous topic View next topic Go down

Solved win32.Zafi.B removal

Post by petronella on Fri Jan 23, 2009 5:41 pm

Hello Geek Police,

I know this is not a new topic but I could not see for the life of me how to actually post a question. I read the New Members stuff but is isn't clear how to actually post a question or perhaps I'm just stupid. Anyway, I'm being driven mad with the ghastly worm which stops me getting on line a lot of the time and I can't receive or send any emails.

I would be SO grateful if somebody could please tell me how to get rid of it. I'm a bit of a technophobe but can follow instructions. I'm using Windows XP and I've had this worm for about a week now I think. I've read a few of the other Win32.Zap posts but I'm confused about whether the answers only relate to the specific posts or not. Also I'm confused by the long lists of files people seem to be including in the posts. As you see I'm pretty clueless!

Please help! Many thanks!

Petronella

petronella
Novice
Novice

Posts Posts : 8
Joined Joined : 2009-01-23
OS OS : Windows XP
Points Points : 28730
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by petronella on Fri Jan 23, 2009 6:21 pm

Dear Geek Police,

Can you give me any idea when somebody will be able to help me? ( I couldn't help noticing that someone else with a similar problem got a very quick reply from you last Tuesday.)

Is there anything I can do in the meantime to gather any information you might need in order to help me? If there is I'd be grateful if you could explain what I need to do in simple terms. Thank you!

Regards,
Petronella

petronella
Novice
Novice

Posts Posts : 8
Joined Joined : 2009-01-23
OS OS : Windows XP
Points Points : 28730
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by Belahzur on Fri Jan 23, 2009 6:27 pm

Hello.
Please have some patience, I have college 7hrs on a Friday and don't get home till 4:30pm-ish, and then have some personal things to take care of before I have time to answer these threads.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by petronella on Fri Jan 23, 2009 6:39 pm

I'm really sorry to have hassled you - I didn't realise you were doing this in your spare time. It's a fantastic job you're doing - Sorry again! I'll now do what you're suggesting. Many thanks!

Petronella

petronella
Novice
Novice

Posts Posts : 8
Joined Joined : 2009-01-23
OS OS : Windows XP
Points Points : 28730
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by petronella on Fri Jan 23, 2009 7:27 pm

Hi Belahzur,

I think I've done what you asked me to do right - let me know if I haven't. Thanks!

Petronella

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:19:31, on 23/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Trellian &Toolbar - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieexplorer32.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC4B4E94-B2AA-449E-80F6-EEAF5A107194}: NameServer = 195.184.228.6 195.184.228.7
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 8284 bytes

petronella
Novice
Novice

Posts Posts : 8
Joined Joined : 2009-01-23
OS OS : Windows XP
Points Points : 28730
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by Belahzur on Fri Jan 23, 2009 7:32 pm

Hello.
Not good. Sad tearing

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by petronella on Fri Jan 23, 2009 9:57 pm

Thanks so much for all this information. I'm just running off the information from the links you've provided so I can read and digest it.

I'm horrified that my computer is so badly infected when I've got anti virus and spyware which I check regularly. Thank you for offering to clean my computer which I think I'll want you to do but I need to read all the information first. It's very kind of you!

Did you mean back up all important data apart from programs i.e.programs on the Start menu?

I'm going to disconnect now and read all the stuff. Thank you again for your help; I am very grateful and I will be in touch soon when I'm more clued up about all the implications.

Regards
Petronella

petronella
Novice
Novice

Posts Posts : 8
Joined Joined : 2009-01-23
OS OS : Windows XP
Points Points : 28730
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by Belahzur on Fri Jan 23, 2009 10:04 pm

Hello.
No, just back up anything like word documents that are important to you, all installed programs can be downloaded and installed again.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by petronella on Sun Jan 25, 2009 4:44 pm

Hello,

I've read through everything now and will be backing up my documents shortly.

From the information you've looked at and given that I've got a built-in firewall with Windows XP, had installed AVG Anti-Virus (free version), SpyBot, Ad-Aware from the start (although Ad-Aware stopped updating some time ago which I couldn't get to the bottom of but I continued performing scans); I don't use games or visit chat rooms and am careful of opening email attachments, is there any clue or identity of the RAT and how I picked it up and how long I've had it so I can avoid this situation in future? (I was fooled into buying some bogus security software in October which I have since tried to remove.)

Thank you for offering to clean my machine but If I do need to Reformat and Reinstall the OS for greater future security, I do not feel at all confident in trying to do this myself, can you help or advise me how to go about getting it done and how much it might cost. Many thanks again for your help!

Petronella

petronella
Novice
Novice

Posts Posts : 8
Joined Joined : 2009-01-23
OS OS : Windows XP
Points Points : 28730
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by Belahzur on Sun Jan 25, 2009 4:52 pm

Not sure how this got in, but I suspect it maybe from an email, even emails from legit emails of friends maybe infected, it's so easy to fake an email address.
It could even be just from visiting a bad website, you don't actually have to run any exe files or do anything nowdays to get infected.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by petronella on Mon Jan 26, 2009 2:49 pm

Thanks for that. If I need to Reformat & Reinstall the os in order to have maximum future security, can you advise me how best to get this done. I've read the Reformat notes but would not feel confident to do it myself and don't know anyone else who I feel confident would do it properly.

Petronella

petronella
Novice
Novice

Posts Posts : 8
Joined Joined : 2009-01-23
OS OS : Windows XP
Points Points : 28730
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by Belahzur on Mon Jan 26, 2009 2:53 pm

Sure.
To format, you'll need an XP disc.
Put it in and boot from it.

You'll reach a blue screen with text that tells you what to do.

You should be able to use the guides from there, because it could take along time if I type this out. LMBO or ROFL


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by petronella on Mon Jan 26, 2009 3:36 pm

I'll obviously have to give it a try but I feel overwhelmed by the technology and am afraid that if I don't do it properly, I'll be back to square one. Is there anyone you could recommend who could do it for me?

Petronella

petronella
Novice
Novice

Posts Posts : 8
Joined Joined : 2009-01-23
OS OS : Windows XP
Points Points : 28730
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by Belahzur on Mon Jan 26, 2009 3:39 pm

From us? not really.
You could take it to a local tech guy, or someone who knows this stuff around where you live.
I dunno if someone like PCWorld will format it for you if you pay, but you can ask.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: win32.Zafi.B removal

Post by Doctor Inferno on Sat May 09, 2009 9:56 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12017
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104594
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum