need help removing all traces of the Win32.Zafi.b trojan (perhaps manually)

Discussion in 'Archive' started by mike69, Jan 10, 2009.

  1. mike69

    mike69 Guest

    I got hit with this yesterday. I don't know how, whether it was through surfing around looking for a movie on forums like divxturka or somewhere else, but it popped up as a security alert, and when I thought it was the Windows security alert, I clicked on "enable protection" and it pops up a browser that has me try to buy some antivirus software, which I know is fake then. I had ESET Antivirus enabled before then, but for some reason it did not catch this virus.

    I ran a full scan with Malwarebytes, and it detected 2 problems, but none of them had the title win32.zafi.b; they were related to svchost and something else. I rebooted into safe mode and did that full scan again, and did a full scan with ESET, which after hours found nothing.

    I tried using HijackThis, but it did not catch anything suspicious when I analyzed the file.

    But every time I log in to my normal boot login, it pops up, and when I use any browser like IE 7 or Mozilla, it pops up as well. It now slows down anything I load as an app, and my browsing, even something as simple as opening a saved txt file.

    I downloaded PC Spyware Doctor full version and ran a full scan last night. It was able to find some spyware, but not anything related to this virus. After cleaning a few dozen of what it found in the browsers, I rebooted and the same problems are happening again. Take a look at this screenshot:


    http://img156.imageshack.us/my.php?image=68279301lr6.jpg


    http://img155.imageshack.us/my.php?image=66445468pf8.jpg
    I'm currently installing and trying to update Symantec Endpoint Protection, but it seems that the virus has disabled some options, or something isn't right. If none of these work, are there manual ways that I can get some help in looking around in the registry or any hidden folders?

    Symantec keeps catching things, as you can see from how thin that scroll bar is. It's not taking out the source; something is replicating these files.
     
  2. fabianledes

    fabianledes New Member

    Joined:
    Feb 25, 2014
    Messages:
    0
    Likes Received:
    1
    Trophy Points:
    0
    Watch out for Windows PE .EXE files or any suspicious rooted files. Files copied into the Windows System folder

    %System%\

    will launch every time your system starts.

    Also scan your startups by entering msconfig in the Start Search box in your Start menu, and get idents from the Properties selection for the rogue program.

    Trace all recent registry additions and recent changes.

    PM for more help.
     
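The post above tells the reader to check startups, the System folder and recent registry changes but not how. The script below is an added example (not code from the thread or from any poster) that does that triage read-only from an elevated PowerShell prompt, ideally in safe mode. Everything it does is an assumption about the reader's setup: it needs PowerShell 2.0 or later, treats the last 7 days ($LookbackDays) as the infection window, and looks only at the Run/RunOnce keys, the Winlogon Shell and Userinit values, and executables written recently under System32, the user profile and Program Files. It prints findings and writes one snapshot file; it deletes nothing.

```powershell
# Added triage script (not from the thread). Lists where a rogue "security
# alert" program usually registers itself to relaunch at logon, and the
# executables written recently enough to have arrived with it.
# Assumptions: PowerShell 2.0+, elevated prompt, 7-day infection window.
param([int]$LookbackDays = 7)
$Since = (Get-Date).AddDays(-$LookbackDays)

# Registry autostart keys: every value listed here is run at logon.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    C:\foo\bar.exe -x
function Get-ImagePath([string]$CommandLine) {
    $path = $CommandLine
    if ($CommandLine -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)') { $path = $Matches[1] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

# One object per autorun value, with the Authenticode status of its image.
# 'Valid' is what signed vendor binaries show; 'NotSigned' or 'MISSING'
# (image not found on disk) is where to look first.
function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            $image = Get-ImagePath $p.Value
            $sig = if (Test-Path -LiteralPath $image) {
                (Get-AuthenticodeSignature -FilePath $image).Status.ToString()
            } else { 'MISSING' }
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Command = $p.Value; Signature = $sig
            }
        }
    }
}

"=== Autorun entries (unsigned or missing images first) ==="
Get-AutorunEntries |
    Sort-Object @{Expression = { $_.Signature -eq 'Valid' }}, Name |
    Format-Table Signature, Name, Command -AutoSize

# Winlogon hijack check. Expected values: Shell = explorer.exe and
# Userinit = C:\Windows\system32\userinit.exe, (trailing comma included).
# Anything appended after those starts before the desktop appears.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"=== Winlogon ==="
"Shell    = $($wl.Shell)"
"Userinit = $($wl.Userinit)"

# Executables written inside the window, in the folders droppers typically
# use. -Force includes hidden files; errors on locked system files are
# suppressed so the listing finishes.
$Dirs = @("$env:SystemRoot\System32", "$env:SystemRoot", $env:TEMP,
          $env:APPDATA, "$env:ALLUSERSPROFILE", "$env:ProgramFiles")
"=== Executables written since $Since ==="
Get-ChildItem -Path $Dirs -Recurse -Force -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, Length, FullName -AutoSize

# Snapshot the autorun list so a second run after a reboot can be diffed:
#   Compare-Object (Get-Content old.txt) (Get-Content new.txt)
# Entries that reappear after you delete them point at whatever re-creates them.
$Snap = Join-Path $env:USERPROFILE ("autoruns-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
Get-AutorunEntries | ForEach-Object { "{0}\{1} = {2}" -f $_.Key, $_.Name, $_.Command } |
    Set-Content $Snap
"Snapshot written to $Snap"
```

Run it once, delete or rename nothing, reboot, and run it again; the Compare-Object diff of the two snapshot files shows which autorun values were re-created, which is the behaviour the original poster describes ("something is replicating these files"). An entry whose image is unsigned, sits in a temp or profile folder, and comes back after a reboot is the thing to hand to the AV vendor or remove by hand.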
  3. mike69

    mike69 Guest

    How am I supposed to trace new registry additions and changes? I don't know how to do that.

    I don't play around with peeking into the Windows system folder, because there are hundreds of files and I don't know what exactly I'd be looking for. Please explain.
     
  4. fabianledes

    are there manual ways that I can get some help in looking around in the registry or any hidden folders?

    Well, so much for removing it "manually."

    BitDefender will remove this baddie.

    You can't remove it manually if you won't edit your system files.

    Good luck with that, br'a.

    Oh. You're looking for:
    Win32.Zafi.b
     
  5. Nice little worm virus you have there. There are several ways of approaching the removal of this virus. As a novice, your best bet is to download the appropriate removal tool (i.e. Win32.Zafi.B@mm) from here:


    http://www.bitdefender.com/site/Downloads/browseFreeRemovalTool/


    After the tool has removed all traces of the virus, reboot your system and everything should be hunky-dory! Update your virus software and run a full scan.

    This virus is normally spread by email or P2P. I'll take a wild stab in the dark: you use "LimeWire" P2P sharing software? Yes... then ditch it now!!

    I promise I won't go on about dropping "Internet Explorer" and using Firefox instead (wink wink)!


    pg :triniti:
     
  6. mike69

    mike69 Guest

    I'm using another computer I have around the house to reply right now. I was unable to revert to a system restore point using Windows. I had three listed when I booted into safe mode, from before the time of this incident yesterday and spread throughout the week, but each time I used one, had it shut down, rebooted, and got back to Windows, it kept popping up that the thing was incomplete and could not restore. Is that because of the virus, or just how crummy the Windows automated scheduled restore points are?

    msconfig caught nothing fishy. I tried peeking through each one. Not to my surprise: if HijackThis didn't catch this, then msconfig wouldn't have found anything either.

    Plan 1: I'll try out the tool from the link that plasticgeordie gave, and I'll reply back with the results. I hope it gets it. Should everything, all scanning and so on, be done in safe mode? I even noticed, when I was working in safe mode for some time, that the damn virus was able to get into that mode, but Symantec caught and removed something of a different "name".

    Plan 2: I don't know; how come Symantec (even the new edition and the newest January 10 definitions) can't catch this and gets replicated temp files instead? Is Symantec supposed to be worse than BitDefender? If I install BitDefender after the fact that this virus is already on my machine, will it still be able to catch it? I noticed it did some funky things to my Symantec when I installed over this virus.


    I've been using Mozilla Firefox 3 over IE 7 for quite some time now, and this hit when I was using Mozilla. I think I was looking for movie links and got caught visiting some site that was either irfree.com (which I've had trojans caught from, visiting the posts there, back when my ESET AutoProtect actually caught things) or blitzwarez or... something freshswap.net.



    I thought these would be as friendly as divxturka, but I guess not.
     
  7. fabianledes

    But you would be so right, pg!
     
  8. fabianledes

    All glitz, no glory.
    And very hungry for system resources~
     

  9. Have you unchecked "IE" in "Add/Remove Windows Components"?


    pg :24:
     
  10. mike69

    mike69 Guest

    Well, I can uncheck it later. I've never heard of completely uninstalling IE from Windows, although someone's probably thought of a way of doing it if I do a search right now, but that's not the focus of this thread :pardon:

    The tool is still scanning so far, up to the Program Files directory as of when I just checked it. I would've thought the tool would've caught some things within the \All Users\ or \Default User\ profile, since it seems that whenever I booted into Windows and logged into an account, the damn fake security alert window would pop up as things from the Quick Launch began to load. Suppose this tool doesn't end up finding anything; what's to do next?


    I've used regedit before on other things. If this doesn't work, is there anything I should search for under there? Any keywords or symbols?


    Ultimately, reformatting is the last step, because I have so many files and programs that it would take days to back up and get everything up and running again that way.
     
  11. fabianledes

    I wouldn't totally disable IE7.
    Let me know how that goes.
     
  12. mubasher786

    mubasher786 New Member

    Joined:
    Feb 1, 2013
    Messages:
    0
    Likes Received:
    0
    Trophy Points:
    0
    Go to www.malwarebytes.org and download "RogueRemover"; that will take care of that fake antivirus crap... I've used it myself to help out my co-worker's computer from time to time... It's nothing you did wrong... A pop-up just started, then loaded it onto your computer... Now you have this fake antispyware on your system that won't let you change your desktop picture or even uninstall it... Spybot Search & Destroy won't even get rid of it... It keeps on copying itself to your startup & registry... I recommend downloading RogueRemover... Let me know if you did & if that worked....
     
  13. mike69

    mike69 Guest


    Strange, I ran a full scan using Malwarebytes' Anti-Malware in both safe and normal modes and that didn't do the trick. I thought RogueRemover was incorporated in it, but I'll visit the site right now and download that on this PC while I wait for the BitDefender tool's scan to finish.
     
  14. fabianledes

    From Mozilla:

    There is no need to uninstall Internet Explorer after installing Firefox. In fact, Windows and some programs need Internet Explorer to work properly. You may also need Internet Explorer to access certain sites, like Windows Update.
     
  15. mike69

    mike69 Guest


    Well, plasticgeordie, I was hoping that tool would work. Who wouldn't, when they develop a removal tool specifically for this virus? After an hour or so of scanning in safe mode, it didn't find anything.


    http://img132.imageshack.us/my.php?image=80269681zx4.jpg


    This is frustrating... I'm going to try RogueRemover now.
     
  16. fabianledes

    Would you like detailed instructions for manual Removal?
     
  17. mike69

    mike69 Guest

    Lar.Man.

    Yes, I would, at this point. Thanks. I can keep on downloading programs, but it seems this damn thing is being a bitch and somehow keeping itself hidden, even from expensive and well-known antivirus software... *sigh*

    I just tried RogueRemover in safe mode, and it found nothing either.
     
  18. mubasher786

  19. fabianledes

    I'll stand by until you try NEO's way.
    Hi, NEO. Got the red pill?

    Meanwhile, please do not totally disable IE7.
    There are parts of it you need.
     
  20. mubasher786

    Hey there... Happy New Year to you... & the pill thing... Gave up on all that stuff a long time ago....
     
