Mischel Internet Security Forum > Malware > Adware, Browser Hijackers and other Malware
Topic: Win32 Zafi B virus
Jagare525 (Junior Member), Feb 8th, 2009, 3:25pm:

Help, these past two days I seem to have caught some weird virus. I keep getting a pop-up saying win32.zafi.b. I have tried many things to clean it but it seems hopeless. I tried Spyware Doctor, Malwarebytes Anti-Malware, SUPERAntiSpyware. Every time I try opening Firefox or IE, they crash. I'm not sure how to fix this, please help. I tried cleaning in safe mode but after I restart, the pop-up pops up.
 
Here's the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:12 PM, on 2/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
 
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SecurDisc] "C:\Program Files\Nero\Nero8\InCD\NBHGui.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Startup: SpywareBlasterer.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{080CA695-1D92-430A-9BBC-8D7B959F4BBD} : NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{64EB0BD6-4DDE-4384-BDEC-EA507E354AEA} : NameServer = 192.168.1.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{E657BE01-4D52-4B7A-AED1-D4F1727D76B6} : NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{080CA695-1D92-430A-9BBC-8D7B959F4BBD} : NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{080CA695-1D92-430A-9BBC-8D7B959F4BBD} : NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{080CA695-1D92-430A-9BBC-8D7B959F4BBD} : NameServer = 68.94.156.1,68.94.157.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxct_device -   - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
 
--
End of file - 11104 bytes
siliconman01 (Global Moderator), Reply #1, Feb 8th, 2009, 10:35pm:

Your HJT scan log is not exposing anything malicious. What is the name of the file that is supposed to be infected? Is it AVG that keeps alerting with this infection?
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
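What the moderator did by eye on the HJT log above can also be done mechanically. The Python below is an added example written for this page; it is not code from the thread, from HijackThis, or from any of the tools named here. It parses HJT-style lines and flags three things the log format exposes: an O4 autorun that executes from a user-writable directory (the SAS log later in this thread reports exactly such a Run value, [realteczs], launching PFYSW721318.EXE from Application Data), an O17 NameServer entry outside an operator-defined allowlist, and entries marked "(file missing)". The allowlist KNOWN_DNS, the path heuristics, and the last two sample lines (marked CONSTRUCTED) are assumptions made for the example; the other sample lines are copied from the posted log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample HijackThis-style lines. The first five are copied from the log posted
# in this thread. The last two are CONSTRUCTED for this example: the O4 line is
# modelled on the [realteczs] Run value that the SAS scan later in the thread
# reported, and the O17 line uses TEST-NET addresses. Neither appears in the
# posted HJT log.
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{64EB0BD6-4DDE-4384-BDEC-EA507E354AEA} : NameServer = 192.168.1.1,4.2.2.2
O4 - HKCU\..\Run: [realteczs] C:\Documents and Settings\William\Application Data\Google\PFYSW721318.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000} : NameServer = 203.0.113.9,203.0.113.10
"""

# ASSUMPTION: the resolvers an operator expects on this machine. Here that is
# the four addresses that appear in the posted log (the LAN router, a public
# resolver and the ISP pair); anything else in an O17 entry gets flagged.
KNOWN_DNS = {"192.168.1.1", "4.2.2.2", "68.94.156.1", "68.94.157.1"}

# Autoruns that execute from a user-writable location deserve a second look:
# legitimate vendors on XP install under Program Files or %SystemRoot%.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
)

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)\s*$")
# First drive-rooted path in a command line, so "RUNDLL32.EXE C:\...\x.dll,Entry"
# yields the DLL that is really being loaded rather than the host process.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|scr|com|bat)\b', re.I)
DIGIT_HEAVY_RE = re.compile(r"\d{4,}\.exe$")


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O4"
    subject: str   # Run value name, NameServer list, or the whole line
    reason: str    # why it was flagged; several reasons joined with "; "


def first_path(cmd: str) -> str:
    """Return the executable or DLL an O4 command actually loads."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else cmd.strip()


def triage(log_text: str) -> list[Finding]:
    """Apply the checks above to each HJT line and return what was flagged."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        subject, reasons = line, []
        if m := O4_RE.match(line):
            subject = m["value"]
            path = first_path(m["cmd"])
            low = path.lower()
            if any(d in low for d in USER_WRITABLE):
                reasons.append(f"autorun from user-writable path: {path}")
            if DIGIT_HEAVY_RE.search(low):
                reasons.append(f"digit-heavy executable name: {path}")
        elif m := O17_RE.match(line):
            subject = m["servers"]
            unknown = [s for s in subject.split(",") if s not in KNOWN_DNS]
            if unknown:
                reasons.append("NameServer not in allowlist: " + ",".join(unknown))
        if line.endswith("(file missing)"):
            reasons.append("dangling entry: target file missing")
        if reasons:
            findings.append(Finding(section, subject, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.subject}\n     {f.reason}")
```

Run it as a script to print the findings, or call triage() on the text of a saved log. The limit is the one this thread itself illustrates: the [realteczs] Run value that SAS later reported does not appear anywhere in the HJT log posted on Feb 8th, so a clean HJT log is evidence, not proof, and a rules-based pass like this is a triage aid rather than a replacement for an up-to-date scanner.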
Jagare525, Reply #2, Feb 8th, 2009, 10:50pm:

Every time I start my computer, a minute later this Security Center alert message pops up.
Basically it says, do you want to block this suspicious software "Win32.Zafi.B". It says the risk level is high. In the description it says "Zafi.B is a worm trojan program that records keystrokes and takes screenshots of the computer, stealing personal financial information". It has "keep blocking",
"unblock", "enable protection" that I can choose. However, "enable protection" is the only option I can choose. The other ones I can't even select. On the bottom it says "Windows Firewall detected unauthorized activity, but unfortunately it cannot help you remove viruses, keyloggers and other spyware threats that steal your personal information from your computer." After that it has a link that says "Click to download and activate protection". Also I'm not able to use Firefox, AIM, or IE, because every time I open them, they automatically close.
Jagare525, Reply #3, Feb 8th, 2009, 10:51pm:

Also, even after I close the pop-up notification, after about 10 minutes it will pop up again. Is there a way to post pictures, so you can see what I'm talking about?
siliconman01 (Global Moderator), Reply #4, Feb 8th, 2009, 11:01pm:

Quote:
Also even after I close the pop up notification, after like 10 minutes it will pop up again. Is there a way to post pictures, so you can see what I'm talking about.

 
Can you set up a free account over at
 
http://my.imageshack.us/registration/
 
Then upload the picture to ImageShack and post a link to the picture here on the forum.
siliconman01 (Global Moderator), Reply #5, Feb 8th, 2009, 11:03pm:

In addition to my post above, would you post the scan log from your last scan with SuperAntiSpyware?
Jagare525, Reply #6, Feb 8th, 2009, 11:20pm:

This is what the pop-up notification looks like.
http://img410.imageshack.us/img410/8408/win32zafibfk3.png
 
And here's the SAS log:
 
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
 
Generated 02/07/2009 at 11:45 AM
 
Application Version : 4.23.1006
 
Core Rules Database Version : 3705
Trace Rules Database Version: 1680
 
Scan type  : Complete Scan
Total Scan Time : 00:29:27
 
Memory items scanned : 474
Memory threats detected   : 0
Registry items scanned    : 7130
Registry threats detected : 12
File items scanned   : 19890
File threats detected     : 1
 
Trojan.Unclassified/PotPWS
HKLM\Software\Classes\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\InprocServer32
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\InprocServer32#ThreadingModel
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\ProgID
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\Programmable
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\TypeLib
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\VersionIndependentProgID
HKCR\solution.solution.1
HKCR\solution.solution
HKCR\TypeLib\{00476C87-A276-49BF-86BC-FF005732430B}
C:\WINDOWS\SYSTEM32\AXBW2K1E.DLL
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
 
 
P.S. I'm doing a new SAS scan right now as well, so I'll post that log up in about 10 minutes.
siliconman01 (Global Moderator), Reply #7, Feb 8th, 2009, 11:35pm:

Your version of SuperAntiSpyware is very old, and your detection rules are extremely old as well. That is probably the reason it is not finding this newly released infection.
 
You need to install the latest SAS, which is Version 4.25.1012, and then update the detection rules to the latest, which are
 
Core 3746
Traces 1714.
 
1.  Download the SAS Uninstall tool from the link below.  Save it on your desktop.
 
http://www.superantispyware.com/downloads/SASUNINST.EXE
 
2.  Download the latest SAS from the link below.  Save it on your desktop.
 
http://www.superantispyware.com/superantispywarefreevspro.html
 
3.  Be sure that SAS is closed down.
 
4.  Run the SAS removal tool SASUNINST.EXE to remove SAS.  A system reboot is required after the uninstall.
 
5.  Install the latest version V4.25.1012 of SAS.
 
6.  Update it to the latest Core and Trace definitions. If the installer does not update to the latest definitions, go to the link below and install the latest definitions.
 
http://www.superantispyware.com/definitions.html
 
7.  Run a new scan with SAS and let it Quarantine what it finds.
 
8.  Post the new SAS scan log back here please.
 
9.  Also post the scan log from Malwarebytes that you ran earlier.  
 
NOTE:  I suspect that you are running an out-of-date version of Malwarebytes as well.
 
1.  Open Malwarebytes and click on the Update tab.
 
2.  Click on Check for Updates and download the latest updates.
 
-  The latest version of MBAM is V1.33
-  The latest database version is 1740
 
3.  Then rescan your complete system.  
Jagare525, Reply #8, Feb 9th, 2009, 12:08am:

I'm doing a full scan with the new update of SAS. The malware database version is 1512.
siliconman01 (Global Moderator), Reply #9, Feb 9th, 2009, 12:14am:

As I suspected, your MBAM is way out of date too.  
 
Quote:
NOTE:  I suspect that you are running an out-of-date version of Malwarebytes as well.
 
1.  Open Malwarebytes and click on the Update tab.  
 
2.  Click on Check for Updates and download the latest updates.  
 
-  The latest version of MBAM is V1.33  
-  The latest database version is 1740  
 
3.  Then rescan your complete system.  
Jagare525, Reply #10, Feb 9th, 2009, 12:31am:

Awesome, I just finished with SAS, and after the reboot I was able to go back on Firefox. And the Win32.zafi.b notification didn't pop up.
 
Well, here's the latest SAS log.
 
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
 
Generated 02/09/2009 at 00:17 AM
 
Application Version : 4.25.1012
 
Core Rules Database Version : 3743
Trace Rules Database Version: 1711
 
Scan type  : Complete Scan
Total Scan Time : 00:31:27
 
Memory items scanned : 549
Memory threats detected   : 0
Registry items scanned    : 7137
Registry threats detected : 13
File items scanned   : 20097
File threats detected     : 4
 
Adware.FakeAlert-GoogX
[realteczs] C:\DOCUMENTS AND SETTINGS\WILLIAM\APPLICATION DATA\GOOGLE\PFYSW721318.EXE
C:\DOCUMENTS AND SETTINGS\WILLIAM\APPLICATION DATA\GOOGLE\PFYSW721318.EXE
C:\WINDOWS\Prefetch\PFYSW721318.EXE-1FE4A628.pf
 
Trojan.Unclassified/PotPWS
HKLM\Software\Classes\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\InprocServer32
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\InprocServer32#ThreadingModel
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\ProgID
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\Programmable
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\TypeLib
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\VersionIndependentProgID
HKCR\solution.solution.1
HKCR\solution.solution
HKCR\TypeLib\{00476C87-A276-49BF-86BC-FF005732430B}
C:\WINDOWS\SYSTEM32\AXBW2K1E.DLL
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
 
Adware.Tracking Cookie
C:\Documents and Settings\William\Cookies\william@at.atwola[1].txt
 
I just finished updating MBAM and I'm going to do the full scan now. After that I will post a log for MBAM. Thank you, Tom, for all your help.
siliconman01 (Global Moderator), Reply #11, Feb 9th, 2009, 12:42am:

You are most welcome...
 
It is important that you always update SAS and MBAM and your other security software before you run scans.
 
Thousands of new infections are released on the Internet daily.  If you do not keep your security programs up-to-date, then you are much more susceptible to encountering problems.  Most security software vendors issue new updates daily.  
 
Please post the new MBAM log when you get done scanning.
Jagare525, Reply #12, Feb 9th, 2009, 1:33am:

Sorry about the long wait.  
 
Here's the MBAM log:
Malwarebytes' Anti-Malware 1.33
Database version: 1740
Windows 5.1.2600 Service Pack 3
 
2/9/2009 1:32:36 AM
mbam-log-2009-02-09 (01-32-36).txt
 
Scan type: Full Scan (C:\|)
Objects scanned: 125057
Time elapsed: 58 minute(s), 28 second(s)
 
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
 
Memory Processes Infected:
(No malicious items detected)
 
Memory Modules Infected:
(No malicious items detected)
 
Registry Keys Infected:
(No malicious items detected)
 
Registry Values Infected:
(No malicious items detected)
 
Registry Data Items Infected:
(No malicious items detected)
 
Folders Infected:
(No malicious items detected)
 
Files Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ravezula.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jusirodo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lugapeda.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
siliconman01 (Global Moderator), Reply #13, Feb 9th, 2009, 1:38am:

Okay, it looks like MBAM detected some more.
 
How is your system acting now?  Are you able to use IE7 and Firefox?
Jagare525, Reply #14, Feb 9th, 2009, 1:43am:

Yes, Firefox and IE seem to be working perfectly again. Should I use any other program to check if I have any more spyware? Or do you think I'm clean again?