Forum section: Resolved HJT Threads (resolved spyware and popup issues)
Post #1, 02-02-2009, 07:12 PM, by OlSpazzy (Registered User; OS: XP SP2)

Infected by virus pretending to be win32.zafi.b (causes forced reboots)

I clicked a link in Firefox and noticed something open and then close itself. Next thing I know my computer is shutting itself down. Upon reboot, I was presented with a Windows Security Center dialog box telling me I was infected with win32.zafi.b. There was a button on the dialog box, something like "Enable Protection".

The button took me to a suspicious website. Also noteworthy: trying to run msconfig causes a forced reboot.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Travis at 17:20:59.89 on Mon 02.02.09
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1561 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Documents and Settings\Travis\Application Data\Google\fbabj220320.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Travis\Desktop\virus removal\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [cFosSpeed] c:\program files\cfosspeed\cFosSpeed.exe
mRun: [realtecs] "c:\documents and settings\travis\application data\google\fbabj220320.exe" 2
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\fajejako.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\travis\applic~1\mozilla\firefox\profiles\8a8cpe2n.recovery\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\google\google updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\nppopcaploader.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2007-9-14 16640]
R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [2007-9-12 10112]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-6-11 10368]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\astra32\astra32.sys [2004-11-23 30864]
R2 CamthWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CamthWDM.sys [2007-1-10 243584]
R2 ViCAM;ViCAM;c:\windows\system32\drivers\Vicam.sys [2008-10-3 25984]
S3 cmudaxu;C-Media USB Sound Interface;c:\windows\system32\drivers\cmudaxu.sys [2007-5-20 1391296]
S3 tapgamerail;GameRail Adapter;c:\windows\system32\drivers\tapgamerail.sys [2007-6-27 26368]
S3 US122;US122 Driver;c:\windows\system32\drivers\US122.sys [2008-8-29 215708]
S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\US122DL.sys [2008-8-29 17263]
S3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\US122Wdm.sys [2008-8-29 84092]
S3 VICAMUSB;3Com HomeConnect USB Camera;c:\windows\system32\drivers\VicamUsb.sys [2008-10-3 38548]
S3 XDva006;XDva006;\??\c:\windows\system32\xdva006.sys --> c:\windows\system32\XDva006.sys [?]
S4 gupdate1c8edd9efec797c;Google Update Service (gupdate1c8edd9efec797c);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

============== File Associations ===============

txtfile="c:\program files\editpadpro6\EditPadPro.exe" "%1"

=============== Created Last 30 ================

2009-02-02 16:05 49,152 a------- c:\windows\system32\drivers\svchost.exe
2009-01-29 08:36 732,376 a----r-- c:\windows\system32\drivers\cfosspeed.sys
2009-01-29 08:36 290,008 a------- c:\windows\system32\cfosspeed.dll
2009-01-29 08:36 <DIR> --d----- c:\program files\cFosSpeed
2009-01-29 05:26 317,440 a------- c:\temp\CutLongNames.exe
2009-01-09 10:47 120,568 -------- c:\windows\system32\pxcpyi64.exe
2009-01-09 10:47 118,256 -------- c:\windows\system32\pxinsi64.exe

==================== Find3M ====================

2009-02-02 10:42 1,984 a------- c:\windows\system32\d3d9caps.dat
2008-12-14 15:26 48,456 a------- c:\windows\system32\UninstallElectricSheep.exe
2008-11-24 13:18 36 a------- c:\documents and settings\travis\klextlock.dat
2006-09-11 12:07 604 a---h--- c:\program files\STLL Notifier
2002-07-31 18:55 168 a--sh--- c:\windows\WSYS049.SYS

============= FINISH: 17:21:48.51 ===============
Attached file: Attach.zip (5.4 KB)
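As an added example (not part of OlSpazzy's post, nor output of the DDS tool), the Python below applies the triage rules a helper would run over a report like the one above: a core Windows binary name found outside the directory it lives in, an executable started from a user-writable profile location, a Run value named after a system binary, and LSA authentication or notification packages beyond the stock XP list. The sample input is a constructed excerpt of the report's own lines; the expected-directory table and the LSA baseline are assumptions for a default XP Pro install on C:.

```python
"""Triage rules for a DDS / HijackThis-style report, run over sample lines."""
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the DDS report in the post above.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Travis\Application Data\Google\fbabj220320.exe
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\Program Files\Bonjour\mDNSResponder.exe
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [realtecs] "c:\documents and settings\travis\application data\google\fbabj220320.exe" 2
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\fajejako.dll
"""

# Core Windows binaries and where each lives on a default XP install on C: (assumed baseline).
# The same file name anywhere else is the classic "hide as svchost" trick.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}
# Fragments that mark a user-writable profile location: unusual for autostarts.
USER_WRITABLE_HINTS = ("\\application data\\", "\\local settings\\", "\\temp\\")
# Stock XP Pro workstation values for the two LSA package lists (assumed baseline).
LSA_BASELINE = {"authentication packages": {"msv1_0"}, "notification packages": {"scecli"}}

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
PATH_RE = re.compile(r'"?([a-z]:\\[^"]*?\.(?:exe|dll|scr|sys))', re.I)
RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", re.I)
LSA_RE = re.compile(r"^LSA:\s*(?P<kind>[^=]+?)\s*=\s*(?P<pkgs>.+)$", re.I)

def parse_dds(text: str) -> Dict[str, List[str]]:
    """Split a DDS report into its '=== Section ===' blocks (non-empty lines only)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def extract_path(entry: str) -> str:
    """Return the first file path in a process or Run line, lower-cased ('' if none)."""
    m = PATH_RE.search(entry)
    return m.group(1).lower() if m else ""

def triage_path(path: str) -> List[str]:
    """Rules shared by the process list and the Run keys."""
    findings = []
    directory, _, name = path.rpartition("\\")
    if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
        findings.append(f"system binary name outside its expected directory: {path}")
    if any(hint in path for hint in USER_WRITABLE_HINTS):
        findings.append(f"executable in a user-writable profile location: {path}")
    return findings

def triage_run_entries(lines: List[str]) -> List[str]:
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        findings += [f"Run [{m['name']}]: {f}" for f in triage_path(extract_path(m["cmd"]))]
        # The real service host is started by services.exe, never from a Run value.
        if m["name"].lower() in EXPECTED_DIR:
            findings.append(f"Run [{m['name']}]: autostart value named after a core system binary")
    return findings

def triage_lsa(lines: List[str]) -> List[str]:
    """Anything beyond the baseline here is a DLL that lsass.exe loads at boot."""
    findings = []
    for line in lines:
        m = LSA_RE.match(line)
        if not m:
            continue
        kind = m["kind"].lower()
        for pkg in m["pkgs"].split():  # DDS prints the packages space-separated
            if pkg.lower() not in LSA_BASELINE.get(kind, set()):
                findings.append(f"LSA {kind}: non-default package {pkg} (review)")
    return findings

def triage(text: str) -> List[str]:
    sections = parse_dds(text)
    hjt = sections.get("Pseudo HJT Report", [])
    procs = [f for p in sections.get("Running Processes", []) for f in triage_path(extract_path(p))]
    return procs + triage_run_entries(hjt) + triage_lsa(hjt)

if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

On the sample the rules hit the drivers\svchost.exe copy twice (process list and Run key), the Run value named SVCHOST.EXE, both fbabj220320.exe entries, and the two LSA packages. The LSA hits are reported for review rather than as malicious: the report itself says nothing about what relog_ap or fajejako.dll are, only that they are not part of a stock XP list, and anything in those lists runs inside lsass.exe.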

Post #2, 02-04-2009, 08:39 PM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; OS: 2000 Pro; XP Pro; XP Home)

Re: Infected by virus pretending to be win32.zafi.b (causes forced reboots)

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

I see no antivirus application installed. An antivirus is a must-have for machines connected to the internet today.

Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

There are excellent free AntiVirus applications available today, so there's no reason to be unprotected.

We will address that during the course of this fix. I will tell you when.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Post #3, 02-05-2009, 03:09 PM, by OlSpazzy (Registered User; OS: XP SP2)

Re: Infected by virus pretending to be win32.zafi.b (causes forced reboots)

ComboFix 09-02-05.04 - Travis 2009-02-05 13:15:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1489 [GMT -8:00]
Running from: c:\documents and settings\Travis\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Travis\Application Data\Adobe\Manager.exe
c:\documents and settings\Travis\Application Data\Google\fbabj220320.exe
c:\documents and settings\Travis\Application Data\Google\ptnmsn64.dll
c:\windows\hosts
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\lsprst7.dll
c:\windows\system32\Process.exe
c:\windows\system32\ssprs.dll

----- BITS: Possible infected sites -----

hxxp://youtouch.no-ip.biz
.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-02 17:38 . 2009-02-02 17:38 250 --a------ c:\windows\gmer.ini
2009-01-29 08:36 . 2009-02-02 20:19 <DIR> d-------- c:\program files\cFosSpeed
2009-01-29 08:36 . 2008-07-03 18:04 732,376 -ra------ c:\windows\system32\drivers\cfosspeed.sys
2009-01-29 08:36 . 2008-07-03 18:04 290,008 --a------ c:\windows\system32\cfosspeed.dll
2009-01-29 05:26 . 2005-04-20 19:11 317,440 --a------ c:\temp\CutLongNames.exe
2009-01-22 22:58 . 2009-01-22 22:58 <DIR> d-------- c:\documents and settings\Travis\Application Data\ImgBurn
2009-01-22 22:30 . 2009-01-22 22:30 <DIR> d-------- c:\program files\ImgBurn
2009-01-09 10:47 . 2008-07-09 05:05 120,568 --------- c:\windows\system32\pxcpyi64.exe
2009-01-09 10:47 . 2008-07-09 05:05 118,256 --------- c:\windows\system32\pxinsi64.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 00:35 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2009-02-03 00:12 --------- d-----w c:\program files\HJT
2009-02-02 06:47 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-01 11:45 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-31 04:32 --------- d-----w c:\documents and settings\Travis\Application Data\FileZilla
2009-01-28 09:42 --------- d-----w c:\documents and settings\Travis\Application Data\DVD Flick
2009-01-27 00:32 --------- d-----w c:\documents and settings\Travis\Application Data\Hamachi
2009-01-25 17:30 --------- d-----w c:\program files\CoreFTP
2009-01-23 12:51 --------- d-----w c:\program files\Microsoft Silverlight
2009-01-19 13:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-19 05:29 --------- d-----w c:\documents and settings\Travis\Application Data\dvdcss
2009-01-18 00:52 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-11 18:13 --------- d-----w c:\program files\Starcraft
2009-01-08 00:30 --------- d-----w c:\documents and settings\Travis\Application Data\Skype
2009-01-05 23:52 --------- d-----w c:\program files\Cake Poker
2009-01-03 10:49 --------- d-----w c:\documents and settings\Travis\Application Data\Audacity
2009-01-02 03:30 --------- d-----w c:\documents and settings\Administrator\Application Data\Logitech
2009-01-01 21:06 --------- d-----w c:\documents and settings\Travis\Application Data\XnView
2009-01-01 21:02 --------- d-----w c:\program files\XnView
2009-01-01 03:47 --------- d-----w c:\program files\The KMPlayer
2008-12-31 07:47 --------- d-----w c:\program files\Sony
2008-12-31 07:46 --------- d-----w c:\program files\VSTplugins
2008-12-31 07:45 --------- d-----w c:\program files\Sony Setup
2008-12-19 09:25 --------- d-----w c:\program files\Google
2008-12-16 00:17 --------- d-----w c:\program files\Electricsheep Screensaver
2008-12-16 00:12 --------- d-----w c:\documents and settings\All Users\Application Data\ElectricSheep
2008-12-14 17:56 --------- d-----w c:\program files\Full Tilt Poker
2008-12-04 21:20 441,760 ----a-w c:\windows\system32\drivers\timntr.sys
2008-12-04 21:20 44,384 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2008-12-04 21:20 368,480 ----a-w c:\windows\system32\drivers\tdrpman.sys
2008-12-04 21:20 132,224 ----a-w c:\windows\system32\drivers\snapman.sys
2008-11-24 21:18 36 ----a-w c:\documents and settings\Travis\klextlock.dat
2006-09-11 20:07 604 ---ha-w c:\program files\STLL Notifier
2006-05-06 16:42 7,260,160 ----a-w c:\program files\mozilla firefox\plugins\libvlc.dll
.

------- Sigcheck -------

2006-01-13 09:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 04:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 08:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 02:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-04 04:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2008-01-16 21:09 359808 9636995ea7e11e8ebacfbded7e657923 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-07 12:42 360064 34a663e7f74ae8b2c992c2513343477e c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-07-14 20:51 360320 3c966f647bab332093cb0f92692b5cb8 c:\windows\system32\dllcache\TCPIP.SYS
2008-07-14 20:51 360320 3c966f647bab332093cb0f92692b5cb8 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"NoteZilla"="c:\program files\Conceptworld\NoteZilla\NoteZilla.exe" [2008-10-13 1304622]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"cFosSpeed"="c:\program files\cFosSpeed\cFosSpeed.exe" [2008-07-03 867544]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-12-24 221247]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-13 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= DivXa32.acm
"VIDC.XFR1"= xfcodec.dll
"midi7"= xgusb.cpl
"MSVIDEO"= vicamavi.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"=
"QNPlus"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"POEngine"=
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"CmUsbSound"=RunDll32 cmcnfgu.cpl,CMICtrlWnd
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Croteam\\Serious Sam - The Second Encounter\\Bin\\SeriousSam.exe"=
"c:\\Steam\\SteamApps\\olspazzy\\counter-strike\\hl.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Steam\\SteamApps\\olspazzy\\counter-strike source\\hl2.exe"=
"c:\\Steam\\SteamApps\\olspazzy\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Steam\\SteamApps\\olspazzy\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Steam\\SteamApps\\olspazzy\\source sdk base\\hl2.exe"=
"c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"c:\\Program Files\\AIM Lite\\aimlite.exe"=
"c:\\Program Files\\World in Conflict\\wic.exe"=
"c:\\Program Files\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\World in Conflict\\wic_ds.exe"=
"c:\\Steam\\steam.exe"=
"c:\\Steam\\SteamApps\\olspazzy\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\FileZilla Client\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\GRID\\GRID.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ElectricSheep.scr"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Travis\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"110:TCP"= 110:TCP:svchost

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2007-09-14 16640]
R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [2007-09-12 10112]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-11 10368]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2004-11-23 30864]
R2 CamthWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CamthWDM.sys [2007-01-10 243584]
R2 ViCAM;ViCAM;c:\windows\system32\drivers\Vicam.sys [2008-10-03 25984]
S3 cmudaxu;C-Media USB Sound Interface;c:\windows\system32\drivers\cmudaxu.sys [2007-05-20 1391296]
S3 tapgamerail;GameRail Adapter;c:\windows\system32\drivers\tapgamerail.sys [2007-06-27 26368]
S3 US122;US122 Driver;c:\windows\system32\drivers\US122.sys [2008-08-29 215708]
S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\US122DL.sys [2008-08-29 17263]
S3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\US122Wdm.sys [2008-08-29 84092]
S3 VICAMUSB;3Com HomeConnect USB Camera;c:\windows\system32\drivers\VicamUsb.sys [2008-10-03 38548]
S3 XDva006;XDva006;\??\c:\windows\system32\XDva006.sys --> c:\windows\system32\XDva006.sys [?]
S4 gupdate1c8edd9efec797c;Google Update Service (gupdate1c8edd9efec797c);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{080fcecf-f9b6-11da-9656-806d6172696f}]
\shell\play\Command - "c:\program files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{966ccf38-b813-11dc-a7a8-000129d48d06}]
\Shell\AutoRun\command - D:\StartPortableApps.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bddd1427-1af2-11dc-a761-000129d48d06}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-realtecs - c:\documents and settings\Travis\Application Data\Google\fbabj220320.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Travis\Application Data\Mozilla\Firefox\Profiles\8a8cpe2n.recovery\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\nppopcaploader.dll
.
.
------- File Associations -------
.
txtfile="c:\program files\EditPadPro6\EditPadPro.exe" "%1"
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 13:19:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1004336348-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d8,58,07,32,b6,c6,d5,c4,32,f9,30,45,21,fc,49,80,f0,39,60,01,1f,59,7a,
36,82,ab,d4,41,95,7f,e8,d0,99,15,26,ee,57,41,fc,6a,99,ac,2a,c7,9e,3a,5a,64,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:ab,af,87,52,9b,1e,ad,ce,9f,e1,a9,dc,29,c0,68,81,81,3b,27,23,96,
e0,da,66,34,53,80,59,82,30,dd,21,5a,96,34,c6,8c,fa,c4,d3,b9,40,e1,ff,31,01,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:ab,af,87,52,9b,1e,ad,ce,9f,e1,a9,dc,29,c0,68,81,81,3b,27,23,96,
e0,da,66,34,53,80,59,82,30,dd,21,5a,96,34,c6,8c,fa,c4,d3,b9,40,e1,ff,31,01,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1300)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1364)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\cFosSpeed\spd.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\windows\system32\wscntfy.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-05 13:29:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-06 04:28:27

Pre-Run: 208,716,288,000 bytes free
Post-Run: 208,663,572,480 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

318 --- E O F --- 2008-08-15 04:03:10
Post #4, 02-05-2009, 03:47 PM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)

Re: Infected by virus pretending to be win32.zafi.b (causes forced reboots)

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

REGEDIT4

; [-KEY] deletes the whole key: the "run-" key holds the disabled startup entries
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

; turn Security Center's update notifications back on
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

; "name"=- deletes a value: remove the firewall exception for the drivers\svchost.exe copy
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-

; close the port that was opened for it
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"110:TCP"=-

Save the file as "delete.reg". Make sure to save it with the quotes.

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------


Install this FREE AntiVirus program, update it, and run a full system scan.

Avira AntiVir Personal

Here is a tutorial on its setup and use:

http://www.techsupportforum.com/cont...ticles/64.html

When the scan is complete, click on the Report button. A log file will open. Please post that in your next reply.

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

---------------------------------------------------------------------------------------------


How is the machine behaving?
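The ComboFix output in post #3 and the .reg file in post #4 together show the pattern: the firewall policy carries an authorized-application entry and a globally open port (110/TCP) for the svchost.exe copy in the drivers folder, and Security Center's update notifications are switched off; the fix reverses each of those. The Python below is an added example, not part of the thread or of tetonbob's procedure. It models those registry values as a dictionary (a constructed subset of the ComboFix "Reg Loading Points" lines, not a live registry), implements the REGEDIT4 constructs the fix uses ([-KEY] to delete a key, "name"=- to delete a value, dword: for a numeric value, doubled backslashes in value names) and applies the fix file so the before/after state can be checked.

```python
"""Apply a REGEDIT4 fix file to a registry model and check the firewall result."""
import re
from typing import Dict, Optional, Tuple

Registry = Dict[str, Dict[str, object]]  # key path -> {value name: data}
FW = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
SC = r"HKEY_LOCAL_MACHINE\software\microsoft\security center"
RUN_MINUS = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-"

# Constructed model of the relevant values from the ComboFix "Reg Loading Points" above.
BEFORE: Registry = {
    FW + r"\AuthorizedApplications\List": {
        r"%windir%\system32\sessmgr.exe": "",
        r"c:\Program Files\Skype\Phone\Skype.exe": "",
        r"%windir%\system32\drivers\svchost.exe": "",  # the copy ComboFix deleted
    },
    FW + r"\GloballyOpenPorts\List": {
        "3389:TCP": "3389:TCP:@xpsp2res.dll,-22009",  # Remote Desktop
        "110:TCP": "110:TCP:svchost",                 # opened for that copy
    },
    SC: {"UpdatesDisableNotify": 1},
    RUN_MINUS: {"Steam": "", "QNPlus": ""},
}

# The fix file from post #4, as posted.
FIX = r"""REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"110:TCP"=-
"""

VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')

def _unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)

def _lookup(mapping: Dict[str, object], name: str) -> Optional[str]:
    """Case-insensitive lookup, as the real registry does for key and value names."""
    return next((k for k in mapping if k.lower() == name.lower()), None)

def _parse_data(data: str) -> Tuple[object, bool]:
    """Return (data, delete_flag). Only the data types the fix uses are supported."""
    if data == "-":                    # "name"=-  deletes the value
        return None, True
    if data.startswith("dword:"):      # dword:XXXXXXXX is hexadecimal
        return int(data[6:], 16), False
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return _unescape(data[1:-1]), False
    raise ValueError(f"unsupported value data: {data!r}")

def apply_reg(reg: Registry, text: str) -> Registry:
    """Apply a REGEDIT4 file to a copy of reg and return the copy."""
    reg = {k: dict(v) for k, v in reg.items()}
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(";")]  # skip blanks and comments
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header: regedit would refuse this file")
    current: Optional[str] = None
    for line in lines[1:]:
        if line.startswith("[-") and line.endswith("]"):   # [-KEY] deletes key and subkeys
            target = line[2:-1].lower()
            for k in [k for k in reg if k.lower() == target or k.lower().startswith(target + "\\")]:
                del reg[k]
            current = None
        elif line.startswith("[") and line.endswith("]"):  # [KEY] selects or creates a key
            current = _lookup(reg, line[1:-1]) or line[1:-1]
            reg.setdefault(current, {})
        else:
            m = VALUE_RE.match(line)
            if m is None or current is None:
                raise ValueError(f"malformed line: {line!r}")
            name = "" if m["name"] == "@" else _unescape(m["name"][1:-1])
            data, delete = _parse_data(m["data"])
            existing = _lookup(reg[current], name)
            if delete:
                reg[current].pop(existing, None)
            else:
                reg[current][existing if existing is not None else name] = data
    return reg

def firewall_exceptions(reg: Registry) -> Dict[str, list]:
    """What the XP firewall's standard profile allows, according to the model."""
    def values(sub: str) -> list:
        key = _lookup(reg, FW + sub)
        return sorted(reg[key]) if key else []
    return {"apps": values(r"\AuthorizedApplications\List"), "ports": values(r"\GloballyOpenPorts\List")}

if __name__ == "__main__":
    after = apply_reg(BEFORE, FIX)
    print("before:", firewall_exceptions(BEFORE))
    print("after: ", firewall_exceptions(after))
    print("run- key still present:", _lookup(after, RUN_MINUS) is not None)
```

After the fix the model has no run- key, UpdatesDisableNotify is 0, and the only open port left is 3389:TCP, the Remote Desktop exception, which the fix deliberately leaves alone; whether it belongs on this machine is a question for its owner, not something to remove blind. The parser refuses a file without the REGEDIT4 header, which is the reason tetonbob stresses copying that first line.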
Post #5, 02-05-2009, 09:05 PM, by OlSpazzy (Registered User; OS: XP SP2)

Re: Infected by virus pretending to be win32.zafi.b (causes forced reboots)

Avira AntiVir Personal
Report file date: Thursday, February 05, 2009 17:15

Scanning for 1317607 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: Travis
Computer name: TRAVISHOMEPC


Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldiscs.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, February 05, 2009 17:15

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'spd.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'mainserv.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'schedul2.exe' - '1' Module(s) have been scanned
Scan process 'apcsystray.exe' - '1' Module(s) have been scanned
Scan process 'KHALMNPR.exe' - '1' Module(s) have been scanned
Scan process 'SetPoint.exe' - '1' Module(s) have been scanned
Scan process 'aim6.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'cfosspeed.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'schedhlp.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'LOGI_MWX.EXE' - '1' Module(s) have been scanned
Scan process 'daemon.exe' - '1' Module(s) have been scanned
Scan process 'NvMixerTray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
44 processes with 44 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '75' files ).


Starting the file scan:

Begin scan in 'C:\' <XP>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Travis\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-6db59661-59df395e.zip
[0] Archive type: ZIP
--> BaaaaBaa.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.14 exploit
[NOTE] The file was moved to '49ff940d.qua'!
C:\Program Files\HJT\backups\backup-20081124-151044-296.dll
[DETECTION] Is the TR/Vundo.MY Trojan
[NOTE] The file was moved to '49ee9d7e.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\Travis\Application Data\Adobe\Manager.exe.vir
[DETECTION] Is the TR/Small.xui Trojan
[NOTE] The file was moved to '49f9a2a0.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\Travis\Application Data\Google\fbabj220320.exe.vir
[DETECTION] Is the TR/FraudPack.aph Trojan
[NOTE] The file was moved to '49eca2a6.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir
[DETECTION] Is the TR/FakeAntivirus.4915.2 Trojan
[NOTE] The file was moved to '49eea2c2.qua'!
C:\recovery\Documents and Settings\Travis\Application Data\Mozilla\Profiles\default\77tmynj7.slt\Cache\8F8C5FA1d01
[DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
[NOTE] The file was moved to '49c3a2a3.qua'!
C:\recovery\Documents and Settings\Travis\Application Data\Mozilla\Profiles\default\77tmynj7.slt\Cache\EED56F14d01
[DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
[NOTE] The file was moved to '49cfa2a6.qua'!
C:\WINDOWS\system32\drivers\dtscsi.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!


End of the scan: Thursday, February 05, 2009 19:44
Used time: 2:28:47 Hour(s)

The scan has been done completely.

34202 Scanning directories
896046 Files were scanned
7 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
7 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
896021 Files not concerned
4115 Archives were scanned
3 Warnings
7 Notes
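As an added example that is not part of the poster's log or the helper's reply, a short Python triage of the Avira report format: it pairs each [DETECTION] line with the path (and archive member) above it and the quarantine [NOTE] below it, then sorts hits by location, because a hit inside C:\Qoobox\Quarantine or the HJT backups folder is a leftover from an earlier cleanup step rather than an active infection. The folder lists and the live/contained/cache labels are my own assumptions; the excerpt is constructed from the log above.

```python
import re
from collections import Counter
# Constructed excerpt of the Avira report posted above, embedded so this runs offline.
SAMPLE_LOG = r"""Begin scan in 'C:\' <XP>
C:\Documents and Settings\Travis\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-6db59661-59df395e.zip
[0] Archive type: ZIP
--> BaaaaBaa.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.14 exploit
[NOTE] The file was moved to '49ff940d.qua'!
C:\Program Files\HJT\backups\backup-20081124-151044-296.dll
[DETECTION] Is the TR/Vundo.MY Trojan
[NOTE] The file was moved to '49ee9d7e.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir
[DETECTION] Is the TR/FakeAntivirus.4915.2 Trojan
[NOTE] The file was moved to '49eea2c2.qua'!
C:\recovery\Documents and Settings\Travis\Application Data\Mozilla\Profiles\default\77tmynj7.slt\Cache\8F8C5FA1d01
[DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
[NOTE] The file was moved to '49c3a2a3.qua'!
"""
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a scanned file path
DETECT_RE = re.compile(r"^\[DETECTION\] (?:Is the|Contains recognition pattern of the) (\S+)")
NOTE_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'")
# Assumed folder lists: hits under CONTAINED were already isolated by ComboFix/HJT,
# hits under CACHE are inert browser/Java cache copies; anything else counts as live.
CONTAINED = ("\\qoobox\\quarantine\\", "\\hjt\\backups\\")
CACHE = ("\\java\\deployment\\cache\\", "\\cache\\")

def parse_detections(text):
    """Return (path, archive_member, signature, quarantine_file) per [DETECTION]."""
    path = member = pending = None
    out = []
    for line in text.splitlines():
        if PATH_RE.match(line):
            path, member = line.strip(), None
        elif line.startswith("--> "):            # member inside an archive
            member = line[4:].strip()
        elif (m := DETECT_RE.match(line)):
            pending = [path, member, m.group(1), None]
            out.append(pending)
        elif (m := NOTE_RE.match(line)) and pending:
            pending[3] = m.group(1)              # quarantine file for the last hit
            pending = None
    return [tuple(x) for x in out]

def classify(path):
    p = path.lower()
    if any(c in p for c in CONTAINED):
        return "contained"
    if any(c in p for c in CACHE):
        return "cache"
    return "live"

def triage(text):
    """Count hits by location; any 'live' hit means the machine is not yet clean."""
    return Counter(classify(p) for p, _, _, _ in parse_detections(text))
```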
Old 02-05-2009, 09:39 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,617
OS: 2000 Pro; XP Pro; XP Home


Re: Infected by virus pretending to be win32.zafi.b (causes forced reboots)

Quote:
How is the machine behaving?
I'll have final instructions for you if all is well.
Old 02-05-2009, 10:20 PM   #7 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 10
OS: XP SP2


Re: Infected by virus pretending to be win32.zafi.b (causes forced reboots)

I was waiting a bit to answer that as I'm not sure yet. The system was acting funny earlier whenever the CPU would reach 100%. For example, the mouse pointer's movement would become extremely jerky, sort of like it was running at a few frames per second. Occasionally it would actually freeze for a second or two.

But it seems to have stopped now so I'm not sure what to make of that, but it was very consistent for many hours until I went through a few reboots while installing AntiVir.
Old 02-06-2009, 08:42 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,617
OS: 2000 Pro; XP Pro; XP Home


Re: Infected by virus pretending to be win32.zafi.b (causes forced reboots)

Ok, thanks...if all appears well, from a malware perspective we should be done here.

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file; this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
Old 02-07-2009, 06:58 PM   #9 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 10
OS: XP SP2


Re: Infected by virus pretending to be win32.zafi.b (causes forced reboots)

Thanks for all your help!
Old 02-07-2009, 07:28 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,617
OS: 2000 Pro; XP Pro; XP Home


Re: Infected by virus pretending to be win32.zafi.b (causes forced reboots)

You're welcome

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
 


Copyright 2001 - 2009, Tech Support Forum