Win32.zafi.B Virus

View previous topic View next topic Go down

Solved Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 5:11 pm

hi,

Im having a tough time trying to remove this virus from my Laptop. Pl help me to remove this. It Is bringing up fake windows alert saying that My system may be infected .
Pl help.

-Priya-

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 10th February 2009, 6:05 pm

Please read here and post a Hijack This log.
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 8:15 pm

I tried to post a reply. But it says taht the post is too big.
I have the log file on my desktop

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 10th February 2009, 8:16 pm

Split it up into more than one post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 8:20 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:07:31, on 2/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\C4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\C4ebreg\isamtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Documents and Settings\Saravanan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Saravanan\Desktop\HiJack(GP)This.exe

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 8:20 pm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byXRlJAt.dll (file missing)
O2 - BHO: (no name) - {A07A2933-EBFD-432D-B1D4-E8CC985AFFA0} - C:\WINDOWS\system32\geBtSmMF.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [0270101156066962mcinstcleanup] C:\DOCUME~1\SARAVA~1\LOCALS~1\Temp\027010~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ISAMTray] "C:\Program Files\C4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\C4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [motoregcheck] C:\Program Files\Common Files\Motorola\Broadband\SB5101\RegCheck.exe
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Saravanan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AntivirusXP.exe] C:\Program Files\AntivirusXP\AntivirusXP.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - [You must be registered and logged in to see this link.]
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {84B93AC6-A7F2-4420-9FED-EE6735EA9C8D} (VPlayer Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - [You must be registered and logged in to see this link.]
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} - [You must be registered and logged in to see this link.]
O16 - DPF: {CA8A9780-280D-11CF-A24D-444553540000} (Adobe PDF Reader) - [You must be registered and logged in to see this link.]
O16 - DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} (CoxSelfInstallAx10 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O20 - Winlogon Notify: byXRlJAt - byXRlJAt.dll (file missing)
O20 - Winlogon Notify: hgGyWPfE - hgGyWPfE.dll (file missing)
O23 - Service: IBM Mobility Client DHCP Control (artdhcp) - Unknown owner - C:\Program Files\IBM\Mobility Client\artdhcp.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\Program Files\C4ebreg\c4ebreg.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 16424 bytes

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 10th February 2009, 8:23 pm

Hello.
Do you have your XP disc incase we need it?

Please becareful with this next tool.
If you don't understand, then ask. Do not go ahead.

Please download the LSPfix from here: [You must be registered and logged in to see this link.]
Unzip it to the Desktop (Important!!) and run it. Check the box that says "I know what I'm doing", and then select each instance of "ntdll64.dll" in the left-hand panel and click >> button to move it to the right-hand panel. Then click Finish to allow LSPfix to rebuild the LSP chain.

Reboot normally.
After reboot,

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byXRlJAt.dll (file missing)
    O2 - BHO: (no name) - {A07A2933-EBFD-432D-B1D4-E8CC985AFFA0} - C:\WINDOWS\system32\geBtSmMF.dll (file missing)
    O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
    O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
    O4 - HKCU\..\Run: [AntivirusXP.exe] C:\Program Files\AntivirusXP\AntivirusXP.exe
    O20 - Winlogon Notify: byXRlJAt - byXRlJAt.dll (file missing)
    O20 - Winlogon Notify: hgGyWPfE - hgGyWPfE.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 8:26 pm

Sir,

I have done wat u have told.
1. Im getting alerts in the right hand side of the desktop screen saying that "Your computer is infected. It is recommended to start spyware cleaner tool"

2. My desktop wallpaper has changed. It has a flashing thing saying "Warning Dangerous Spyware". Im unable to change it also. Tried through rightclick-->Properties....

Pl help.


-Priya-
3.

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 10th February 2009, 8:27 pm

It's the malware doing it.
We will restore what we can, but do MBAM scan. (does it let you access the link?)


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 8:28 pm

Sir,

I have done wat u have told.
1. Im getting alerts in the right hand side of the desktop screen saying that "Your computer is infected. It is recommended to start spyware cleaner tool"

2. My desktop wallpaper has changed. It has a flashing thing saying "Warning Dangerous Spyware". Im unable to change it also. Tried through rightclick-->Properties....

Pl help.


-Priya-
3.

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 8:30 pm

I don have a XP disc sir. Im unable to understand the steps sir.

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 10th February 2009, 8:34 pm

Okay.
So all you have to do for LSPFix is this in simple steps:
1. Download and extract the files.
2. Run the program.
3. Highlight "ntdll64.dll", press the >> button to move it out of the LSP chain.
4. Hit "Finish" and reboot.

The Hijack This steps should be simple enough, then once the HJT fixes are done, move onto the MBAM scan.


Last edited by Belahzur on 10th February 2009, 8:38 pm; edited 1 time in total


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 8:37 pm

Okay sir. Ill do it and get back to u!


-Priya-

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 9:00 pm

Im in the process of quick scan Sir. Will update u accordingly

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 10th February 2009, 9:06 pm

Okay.
Have to go for 1hr, but will be back then.

Just don't want you to think I've vanished on you. LMBO or ROFL


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 9:11 pm

Thats okay Sir.
I think this scan will take some time. Im cooking side by side.
Hope u come back soon and help me.
Thanks once again.

-Priya-

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 9:38 pm

Malwarebytes' Anti-Malware 1.33
Database version: 1744
Windows 5.1.2600 Service Pack 3

2/10/2009 2:26:38 PM
mbam-log-2009-02-10 (14-26-38).txt

Scan type: Quick Scan
Objects scanned: 79951
Time elapsed: 24 minute(s), 29 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 41
Registry Values Infected: 1
Registry Data Items Infected: 10
Folders Infected: 18
Files Infected: 33

Memory Processes Infected:
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{04079851-5845-4dea-848c-3ecd647aa554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{04079851-5845-4dea-848c-3ecd647aa554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.TDSS) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\seneka (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.TDSS) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ofpsodmi (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ofpsodmi (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ofpsodmi (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AntivirusXP (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Error Safe Free (Rogue.Errorsafe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\SrchAstt\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\SrchAstt\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\SrchAstt\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusXP (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusXP\Infected (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusXP\Suspicious (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\Saravanan\Application Data\FunWebProducts (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Saravanan\Application Data\FunWebProducts\Data (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Saravanan\Application Data\FunWebProducts\Data\Saravanan (Adware.MyWay) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadcerijjy.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\senekaewvhgypp.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\senekamyvuupyy.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\vtlfijov.sys (Rootkit.Agent) -> Delete on reboot.
C:\SetupAntivirusXP.exe (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\SrchAstt\Cache\00085BF4 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\SrchAstt\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\SrchAstt\Settings\prevcfg.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusXP\AntivirusXP.exe (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRIaWOI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUnKDVm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Saravanan\Application Data\Google\pfysw721318.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Saravanan\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Saravanan\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\senekaecfjnjkl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaixvsuikd.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekavexwhhgf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdu.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 9:44 pm

Sir,

1. Im not getting those alerts telling me that my system is affected.
2. My desktop wallpaper is fine and i could change it to the one i had before.
3. No suspicious icons in the startup items.

Thanks a million! You made my day! :-)

Though being a engineer myself, i found it a himalayan task to remove this virus. Thanks for ur help

I have posted the log above.
Wats next? Wat else do i have to do?

-Priya-

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 10th February 2009, 10:03 pm

Lets make sure it's been removed.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 10:19 pm

DDS (Ver_09-02-01.01) - NTFSx86
Run by Saravanan at 15:16:25.60 on Tue 02/10/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.449 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\C4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Documents and Settings\Saravanan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Saravanan\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]

US&ie=utf8&oe=utf8
uWindow Title = Cox High Speed Internet
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar =

[You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet

security\engine\16.2.0.7\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet

security\engine\16.2.0.7\IPSBHO.DLL
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh

networks\veoh\plugins\reg\VeohToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet

security\engine\16.2.0.7\coIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common

files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: []
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [Google Update] "c:\documents and settings\saravanan\local settings\application

data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [UC_SMB]
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: []
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [0270101156066962mcinstcleanup] c:\docume~1\sarava~1\locals~1\temp\027010~1.exe c:\progra~1\common~1

\mcafee\instal~1\cleanup.ini -cleanup -nolog
mRun: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
mRun: [ISAMTray] "c:\program files\c4ebreg\isamtray.exe"
mRun: [C4EBReg] "c:\program files\c4ebreg\c4ebreg.exe" /q
mRun: [stgclean] c:\sdwork\w32main2.exe /cleanup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\jre1.5.0_04\bin\jusched.exe"
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common

files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [motoregcheck] c:\program files\common files\motorola\broadband\sb5101\RegCheck.exe
mRun: [realteczs] "c:\documents and settings\saravanan\application data\google\pfysw721318.exe" 2
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\sarava~1\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop

messenger\8876480\program\LogitechDesktopMessenger.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Yahoo! Search - [You must be registered and logged in to see this link.] files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\ibm\bluetooth software\btsendto_ie_ctx.htm
IE: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - [You must be registered and logged in to see this link.] files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - [You must be registered and logged in to see this link.] files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\jre1.5.0_04

\bin\npjpi150_04.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!

\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2

\office11\REFIEBAR.DLL
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - [You must be registered and logged in to see this link.]
DPF: {01113300-3E00-11D2-8470-0060089874ED} - [You must be registered and logged in to see this link.]
DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -

[You must be registered and logged in to see this link.]
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - [You must be registered and logged in to see this link.]

portal/cab/autodetect/acpir.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - [You must be registered and logged in to see this link.]
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - [You must be registered and logged in to see this link.]

secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - [You must be registered and logged in to see this link.]
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -

[You must be registered and logged in to see this link.]
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - [You must be registered and logged in to see this link.]
DPF: {84B93AC6-A7F2-4420-9FED-EE6735EA9C8D} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]

i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -

[You must be registered and logged in to see this link.]
DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - [You must be registered and logged in to see this link.]
DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - [You must be registered and logged in to see this link.]
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - [You must be registered and logged in to see this link.]
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - [You must be registered and logged in to see this link.]
DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} - [You must be registered and logged in to see this link.]
DPF: {CA8A9780-280D-11CF-A24D-444553540000} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]

i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]

i586.cab
DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} - [You must be registered and logged in to see this link.]
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - [You must be registered and logged in to see this link.]
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop

messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet

security\engine\16.2.0.7\CoIEPlg.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1

\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBtSmMF
LSA: Notification Packages = scecli pwdmon

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 10:20 pm

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sarava~1\applic~1\mozilla\firefox\profiles\nvhb8pi6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-

85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-

85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-10 64160]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-8-25 59776]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1002000.007\SymEFA.sys [2009-2-9

309296]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-8-25 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-8-25 11520]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2009-2-9

255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2009-2-9 362544]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-8-25 2432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-

85ef591126e7}\norton\definitions\ipsdefs\20090129.005\IDSxpx86.sys [2009-1-29 276344]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-8-25 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-8-25 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-12-16 63616]
R2 ISAMSvc;IBM Standard Asset Manager Service;c:\program files\c4ebreg\c4ebreg.exe [2007-9-7 364544]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.2.0.7

\ccSvcHst.exe [2009-2-9 115560]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec

shared\eengine\EraserUtilRebootDrv.sys [2009-2-9 99376]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-

85ef591126e7}\norton\definitions\virusdefs\20090209.057\NAVENG.SYS [2009-2-10 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-

85ef591126e7}\norton\definitions\virusdefs\20090209.057\NAVEX15.SYS [2009-2-10 876112]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-8-25 6016]
S1 iwdrxeer;iwdrxeer;\??\c:\windows\system32\drivers\iwdrxeer.sys --> c:\windows\system32\drivers\iwdrxeer.sys

[?]
S1 kosmbxyr;kosmbxyr;\??\c:\windows\system32\drivers\kosmbxyr.sys --> c:\windows\system32\drivers\kosmbxyr.sys

[?]
S1 plaptfzi;plaptfzi;\??\c:\windows\system32\drivers\plaptfzi.sys --> c:\windows\system32\drivers\plaptfzi.sys

[?]
S3 artour;IBM Mobility Interface for Windows;c:\windows\system32\drivers\artndint.sys [2007-7-3 7760]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-8-25 12288]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2009-02-10 14:26 0 a------- c:\windows\system32\drivers\senekajbbvvrxl.sys
2009-02-10 13:58 --d----- c:\docume~1\sarava~1\applic~1\Malwarebytes
2009-02-10 13:58 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-10 13:58 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 13:58 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 13:58 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-10 11:59 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-10 11:56 5,678 a------- c:\windows\system32\tmp.reg
2009-02-10 11:56 --d----- c:\program files\Lavasoft
2009-02-10 11:13 --d----- c:\program files\Enigma Software Group
2009-02-10 08:42 509 a------- c:\windows\system32\win32hlp.cnf
2009-02-10 08:42 133,632 a------- c:\windows\system32\dllcache\userinit.exe
2009-02-10 08:42 1 a------- c:\windows\system32\uniq.tll
2009-02-10 08:42 24,064 a------- c:\windows\system32\998.exe
2009-02-10 08:27 a-d----- c:\program files\Norton Support
2009-02-09 23:02 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-02-09 23:02 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-09 23:02 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-09 23:02 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-09 23:02 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-09 23:01 --d----- c:\windows\system32\drivers\NIS
2009-02-09 23:01 --d----- c:\program files\Norton Internet Security
2009-02-09 23:01 --d----- c:\program files\NortonInstaller
2009-02-09 22:59 --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-02-09 18:25 --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-02-09 18:21 --d----- c:\program files\common files\iS3
2009-02-09 18:21 --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-02-08 13:49 --d----- c:\windows\system32\drivers\NAV
2009-02-08 13:49 --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-02-07 15:43 --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-02-06 11:58 --d-h--- C:\$AVG8.VAULT$
2009-02-06 11:53 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-05 23:34 529 a------- c:\windows\system32\winlogon2.exe
2009-02-04 09:50 2,239 a--sh--- c:\windows\system32\FMmStBeg.ini2
2009-02-04 09:50 2,204 a------- c:\windows\ofpsodmi
2009-02-04 09:50 2,239 a--sh--- c:\windows\system32\FMmStBeg.ini
2009-01-26 14:21 --d----- c:\docume~1\sarava~1\applic~1\CoxFastConnect20
2009-01-26 14:03 --d----- c:\program files\common files\Motorola

==================== Find3M ====================

2009-02-10 08:42 133,632 a------- c:\windows\system32\userinit.exe
2009-02-09 10:27 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-02-09 10:27 0 a------- c:\windows\system32\drivers\logiflt.iad
2008-12-12 10:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-11 03:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-04 19:41 127,034 -----r-- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2008-12-02 15:19 262,144 a------- C:\ntuser.dat
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-04-20 18:31 0 a--sh--- c:\docume~1\sarava~1\applic~1

\00480b6c2220abaae601dea3d1eee802c4adb4ff6553a9e331.dat
2007-12-04 23:48 77 a------- c:\program files\ilc_schdl.bat
2006-10-25 12:33 8,313,088 a------- c:\program files\Winamp.zip

============= FINISH: 15:17:19.57 ===============

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 10:20 pm

Sir,
I have sent it in two parts since it prompted me telling that it was too big

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 10:30 pm

Sir,
Is everything alright? Have u vanished?


-Priya-

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 10th February 2009, 11:04 pm

Hello.
Not vanished, just had something to do.

The log is hard to read because Notepads Word Wrap function is on, please turn it off. Userinit is patched as I suspected.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Please disable your local AV (Anti-virus) by right clicking it's icon in the tray, and exit it. See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Last edited by Belahzur on 18th March 2009, 8:54 pm; edited 1 time in total


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 11:48 pm

Hey,
For some reason i had to log off and log in my laptop. :-(
I deleted the one that i installed. After loggin in again...i noticed that the internet is not working. Now i have connected to a wireless connection.
:-(
Pl help.
The internet in my house is fine. The status shows connected in the right hand corner.

-Priya-

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 10th February 2009, 11:50 pm

Could be a broken LSP because of that file, we'll try to repair it later.
Is CF running fine though?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 10th February 2009, 11:59 pm

Sorry sir. I had to download that again now. Im doing it now. It is taking time due to bad internet connection.
Pl tell me how to work on this internet issue since i have to fix it by half n hour.
Pl sir.

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 11th February 2009, 12:01 am

Okay.
If you still have LSPFix, open it again.
If the ntdll64.dll is there, move it again.

If it's NOT there, just press Finish and don't mess about with it.
Reboot normally.

Does your net connection work now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 11th February 2009, 12:20 am

SIR,
Back after the reboot. the internet is working fine now. thank u very much.
Wat shall i do next?

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 11th February 2009, 12:22 am

Try and run Combofix. Smile
We need to replace userinit. Because the legit one is patched, and the backup one is patched, and we don't have an XP disc here, so I'm hoping CF will find us a copy, otherwise I can't help unless you can get your hands on an XP disc [XP SP2]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by priya1984 on 11th February 2009, 12:25 am

okay. Is it fine with u if i had to go in the middle of everything. I mean .... Will it possible to do somethings tomorrow? Ill reply in this thread.
Im sorry if u are angry there.

priya1984
Intermediate
Intermediate

Posts Posts : 153
Joined Joined : 2009-02-10
Gender Gender : Male
OS OS : Windows XP Professional
Points Points : 29823
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Belahzur on 11th February 2009, 12:30 am

LMBO or ROFL Why would I be angry?
Malware is the last thing that should bother you. Besides, this malware is harmless, there's no sensitive information stolen, it's just annoying to fix. LOL Banner

Has CF started? If not, don't run it till your here because it will need you to select yes to install the recovery console.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Win32.zafi.B Virus

Post by Doctor Inferno on 6th July 2009, 3:22 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104630
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum