awg Posted February 1, 2009

Hi, this is my first post. I have problems with win32.zafi.b. I cannot remove it after much trying. I am attaching my Malwarebytes and HijackThis logs.

PS: I keep getting a msg saying "Upload failed. You are not permitted to upload this type of file" when I try to upload the Malwarebytes log??

Attachment: hijackthis.txt
awg (Author) Posted February 1, 2009

Here is the Malwarebytes file from Notepad.

Attachment: malware.txt
AdvancedSetup (Root Admin) Posted February 1, 2009

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member awg only. If you are a lurker, do NOT try this on your system!
If you are not awg and have a similar problem, do NOT post here; start your own topic.
Do not run or start any other programs while these utilities and tools are in use! Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

STEP01
Reconfigure Windows XP to show hidden files:
To enable the viewing of hidden files follow these steps:
 * Close all programs so that you are at your desktop.
 * Double-click on the My Computer icon.
 * Select the Tools menu and click Folder Options.
 * After the new window appears select the View tab.
 * Put a checkmark in the checkbox labeled Display the contents of system folders.
 * Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
 * Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
 * Remove the checkmark from the checkbox labeled Hide protected operating system files.
 * Press the Apply button and then the OK button and exit My Computer.
 * Now your computer is configured to show all hidden files.

STEP02
Download and install CCleaner
 * Double-click on the downloaded file "ccsetup215.exe" and install the application.
 * Keep the default installation folder "C:\Program Files\CCleaner".
 * Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser".
 * Click Finish when done and close ALL PROGRAMS.
 * Start the CCleaner program.
 * Click on Registry and uncheck Registry Integrity so that it does not run.
 * Click on Options - Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours".
 * Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files.
 * Click on the Run Cleaner button on the bottom right side of the program.
 * Click OK to any prompts.

STEP03
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
This should apply to AVG8. To disable the Resident Shield, please:
 * open the AVG User Interface
 * double-click on the Resident Shield
 * un-tick the option Resident Shield active
 * save the changes.

STEP04
Please download and run the following file to repair file and registry permissions: fixacl.exe

STEP05
Download FixPolicies.exe by Bill Castner and save it to your desktop.
 * Double click on FixPolicies.exe to run it.
 * Click on Install. It will create a folder named FixPolicies on your desktop.
 * Open the FixPolicies folder.
 * Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
 * Reboot your computer after it runs.
This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
Note: some malware will block the running of this tool. So if you cannot run FixPolicies, then RENAME the EXE file to something like Mytool.exe and then run it.

STEP06
Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip
Unzip the download. Open the folder VArestorepolicies and right-click the file inside, VArestorepolicies.INF, and choose Install.

STEP07
If you have a prior copy of ComboFix, delete it now!
Download ComboFix from one of these locations, saving to DESKTOP:
 * Link 1
 * Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop.
 * If your I.E. browser shows a warning message at the top, do a right-click on the bar and select Download, saving it to the Desktop.
 * Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
 * Double click on Combo-Fix.exe & follow the prompts.
 * If and only if you are prompted to download a new version of ComboFix, reply NO.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
Please watch ComboFix as it runs, as you may see messages which require your response, or the pressing of the OK button.
IF you should see a message like this:
then be sure to write it down fully, copy that into your next reply here, and then await my response.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------
A caution - Do not run ComboFix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your drive light. If it is flashing, ComboFix is still at work.

STEP08
IF and only IF ComboFix has worked without exceptions, only then do the following. IF it has exceptions, then please provide all details and put that in a reply pronto, and STOP, and await my reply.
Only if ComboFix has a good finish:
I'm going to have you get and run a special tool. It will hopefully take out most remains of this beast. Keep in mind that not all files I list here will be found on your system, so do not be alarmed. This is a general-type list of typical infectors.
 * Download The Avenger by Swandog46 from here.
 * Unzip/extract it to a folder on your desktop.
 * Double click on avenger.exe to run The Avenger.
 * Click OK.
 * Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
 * Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

Files to delete:
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\SYSTEM32\TDSSixgp.dll
C:\WINDOWS\SYSTEM32\TDSSproc.log
C:\WINDOWS\SYSTEM32\TDSSwkod.log
C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp
c:\windows\system32\drivers\msqpdxserv.sys
C:\resycled
D:\resycled
e:\resycled
f:\resycled
g:\resycled
c:\windows\system32\TDSSweat.dat
C:\WINDOWS\system32\drivers\TDSSmqlt.sys
C:\windows\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\drivers\TDSSmact.sys
C:\WINDOWS\system32\TDSSfpmp.dll
C:\WINDOWS\system32\TDSSwpyd.dat
C:\WINDOWS\system32\TDSStkdv.log
C:\WINDOWS\system32\TDSSotxb.dll
C:\WINDOWS\system32\TDSScrrn.dll
C:\WINDOWS\system32\TDSSbvqh.dll
C:\WINDOWS\system32\TDSSjnmx.dll
c:\windows\system32\TDSShrxr.dll
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSrtqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\TDSSnirj.dat

Drivers to delete:
tdss
tdssserv
TDSSserv.SYS
Service_TDSSSERV.SYS
Legacy_TDSSSERV.SYS
msqpdxserv.sys
msqpdxserv

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKEY_LOCAL_MACHINE\SOFTWARE\tdss
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV

 * In the Avenger window, click the Paste Script from Clipboard icon/button.
 * :!: Make sure that what appears in Avenger matches exactly what you were asked to copy/paste from the Code box above.
 * Click the Execute button.
 * You will be asked "Are you sure you want to execute the current script?". Click Yes.
 * You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?". Click Yes.
 * Your PC will now be rebooted.
Note: If the above script contains "Drivers to delete:" or "Drivers to disable:", then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found, so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

STEP09
Download DDS and save it to your desktop from one of these 3 locations:
 1. http://www.techsupportforum.com/sectools/sUBs/dds
 2. http://download.bleepingcomputer.com/sUBs/dds.scr
 3. http://www.forospyware.com/sUBs/dds
 * Disable any script blocker if your antivirus/antimalware has it.
 * Then double click dds.scr to run the tool.
 * When done, DDS.txt will open.
 * Click Yes at the next prompt for Optional Scan.
 * When done, DDS will open two (2) logs: DDS.txt and Attach.txt.
 * Save both reports to your desktop.
Please include the following logs in your next reply: DDS.txt, Attach.txt.
Please then reply with a copy of C:\Combofix.txt, C:\Avenger.txt, and a new HijackThis log.
RE-Enable your AntiVirus and AntiSpyware applications.
AdvancedSetup (Root Admin) Posted February 3, 2009

Please post a status update on this.
AdvancedSetup (Root Admin) Posted February 11, 2009

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.