Spyware, viruses, & security : Win32.Zafi.B - I think Trojan fake - PLEASE HELP

by Bashaga1 - 1/12/09 11:17 AM
Post 46 of 74

Maybe you also have a look.......

by Marianna Schmudlach Moderator - 1/12/09 12:30 PM In reply to: d by gatorgrips

here:

Fake Security Center Alert Win32.zafi.b

If you've come across this, you may be experiencing what happened to me: A supposedly legitimate "Windows Security Center" box warning you about a trojan on your computer, and telling you that you need to download new software to be properly protected. Of course, if you click the link, it takes you to a site which will download lots of nasty spyware onto your machine.

I had this last night. As I'm sure you realise by now, it's not a genuine Windows alert, but an attempt to con you into downloading malware. So first, don't download the stuff it's telling you to.

It took me a fair bit of searching to find the solution for this, but mercifully it's really quite simple to remove manually (interestingly enough, neither Ad-Aware nor MB Anti-Malware picked up the problem when scanning).

Removal (This guide is for XP; the directories may be different for other OSes, so you might have to do some digging if you're not on XP)

1. Go to C:\Documents and Settings\YOUR USERNAME\Application Data\Google

2. In there you should see two files, one an .exe and the other a .dll. The actual filenames are randomly generated, I believe (mine were called ocboo1892823.exe and sysspc.dll, for example). Depending on whether you have any Google apps such as Google Earth or Google Toolbar installed, you might also have a couple of sub-directories in there as well, but you can ignore those. We're concentrating on those two rogue .exe and .dll files.

3. Since the process is currently running on your machine, Windows probably won't let you delete the files, so you need to write down the names (you'll need this in a minute as well), reboot in Safe Mode (or Safe Mode Command Prompt if you're paranoid like me ;), navigate to the aforementioned folder and delete those two files, the .exe and the .dll. Quit Safe Mode and reboot into normal Windows again.

4. Go to Start > Run > regedit to open the Registry Editor. In the Registry Editor, go to Edit > Find and search for the filename of the malicious .exe file you just deleted (this is why you just wrote them down). You can safely delete any registry key that refers to it. Don't forget to press F3 to keep searching after you delete each instance, until you get the message "Finished searching through the registry". Repeat for the other file (the .dll). Once this is done, you should be all clear, but it's still worth rebooting and running full anti-virus and anti-malware scans on your machine.


Found it here:

http://deathwaltz.blogspot.com/2009/01/fake-security-center-alert-win32zafib.html
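The four manual steps above (look in the user's Application Data\Google folder for a random-named .exe/.dll pair, then hunt the registry for autostart entries that reference them) can be turned into a read-only triage check. The script below is an added example written for this thread, not the blog author's or any vendor's tool; it only reports what it finds and leaves the deleting to the steps above. Assumptions that are not from the thread: the folder is resolved from %APPDATA% (on XP that is Documents and Settings\<user>\Application Data), only the two standard HKCU/HKLM Run keys are searched rather than the whole registry, and the "letters then digits" name pattern (ocboo1892823, wfhuj470671) is a heuristic guessed from the names people posted.

```python
"""Read-only triage for the fake 'Windows Security Center' alert in this thread.

Added example, not the thread's or the blog's own code. It reports suspect files
and autostart references; removal stays manual, as in the steps above.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Per the thread, the dropped pair sits at the top level of the Google folder
# under the user's profile, while real Google apps live in sub-directories.
SUSPECT_EXTENSIONS = (".exe", ".dll")

# Heuristic (assumption, not from the thread): names such as ocboo1892823 and
# wfhuj470671 are a short run of letters followed by a long run of digits.
RANDOM_NAME_RE = re.compile(r"^[a-z]{3,8}\d{5,}$", re.IGNORECASE)

# Well-known autostart keys; step 4 searches the whole registry by hand,
# this check looks only here (assumption: that is where the Run entry lives).
RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)


def google_appdata_dir() -> str:
    """%APPDATA%\\Google (XP: ...\\Application Data\\Google). Assumed location."""
    return os.path.join(os.environ.get("APPDATA", ""), "Google")


def candidate_files(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for top-level entries that look like the dropped pair."""
    hits = []
    for name in names:
        stem, ext = os.path.splitext(name)
        if ext.lower() not in SUSPECT_EXTENSIONS:
            continue  # sub-directories and data files are ignored, as the post says
        reason = "executable at top level of Google folder"
        if RANDOM_NAME_RE.match(stem):
            reason += "; random-looking name"
        hits.append((name, reason))
    return hits


def persistence_refs(run_values: Dict[str, str], suspect_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (value path, command) Run entries whose command mentions a suspect file."""
    wanted = [n.lower() for n in suspect_names]
    return [(k, v) for k, v in run_values.items() if any(n in v.lower() for n in wanted)]


def read_run_values() -> Dict[str, str]:
    """Collect Run values from HKCU/HKLM on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    values: Dict[str, str] = {}
    for hive_name, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], subkey)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                values[f"{hive_name}\\{subkey}\\{name}"] = str(data)
                index += 1
    return values


def triage(names: Iterable[str], run_values: Dict[str, str]) -> Dict[str, list]:
    """Combine the folder check with the autostart check; pure, so it runs offline."""
    files = candidate_files(names)
    refs = persistence_refs(run_values, [n for n, _ in files])
    return {"files": files, "persistence": refs}


def main() -> int:
    folder = google_appdata_dir()
    if not os.path.isdir(folder):
        print("no Google folder under %APPDATA%; nothing to check")
        return 0
    report = triage(os.listdir(folder), read_run_values())
    for name, reason in report["files"]:
        print(f"suspect file: {os.path.join(folder, name)} ({reason})")
    for where, command in report["persistence"]:
        print(f"autostart reference: {where} = {command}")
    return 1 if report["files"] else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from the affected user's account before rebooting into Safe Mode; a non-zero exit means it found something to write down. The registry part only reads the two Run keys, so after deleting the files it is still worth doing the full Edit > Find sweep from step 4 for any other references.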

Post 47 of 74

(NT) Like above - It worked :) - THANKS

by Bashaga1 - 1/12/09 12:52 PM In reply to: Maybe you also have a look....... by Marianna Schmudlach Moderator

Post 48 of 74

Thanks to all, especially M!

by liphshoue - 1/21/09 7:13 PM In reply to: (NT) Like above - It worked :) - THANKS by Bashaga1

I had to learn just about everything related to XP registry files. It was the Win32.Zafi.B Trojan virus that was refusing me access to regedit and msconfig.

Scans in safe mode failed with Norton, PCTools and Malwarebyte. I had to outsmart the *******. I had to race to shut off the startup files in msconfig before the virus autolaunched and did an auto restart.

After I successfully disabled the startup apps with lightning speed, applied the changes and quit msconfig, I could restart clean and run all three virus scanners. They each found a couple of corruptions - but I'm clean now.

Post 49 of 74

One more thing

by liphshoue - 1/21/09 7:30 PM In reply to: Thanks to all, especially M! by liphshoue

After successful removal, I checked all of my temp internet file directories and it was apparent that this prolific virus was busy. For me (show hidden files):

C:\documents and settings\{my name}\local settings\temp\temporary internet settings\

There were a plethora of randomly generated directories. I had noticed the day prior that any downloads would appear to download properly but at the end, the file would "dump" from one of these phantom folders. Naturally, I deleted all the files that I could, but many were "undeletable". So I had to revert to the DOS CMD prompt days to remove these obviously malicious files that still were undetected by my thrice-virus-checked HD.

After all that, I did a folder-by-folder manual check for more filth.

Good luck all!

Post 50 of 74

well i don't have xp

by gatorgrips - 1/12/09 12:54 PM In reply to: Maybe you also have a look....... by Marianna Schmudlach Moderator

I have Vista. So what I ended up doing was booting in Safe Mode. I then went to C:\Program Files and deleted the whole \Google folder. I ran CCleaner's registry cleaning tool. I just restarted after that and I have not had a popup yet.

Post 51 of 74

remember

by gatorgrips - 1/12/09 12:56 PM In reply to: well i don't have xp by gatorgrips

Remember to change any passwords you might have typed in on your email or anything else, because as I mentioned earlier, it looks like there was a keylogger involved and it had already sent out information from my system at that time.

Post 52 of 74

Good 4 you!

by Bashaga1 - 1/12/09 12:56 PM In reply to: well i don't have xp by gatorgrips

It seems that I will need to keep Malwarebytes' Anti-Malware but what about an antivirus?

Any suggestions? I heard that Avira is quite good.

Post 53 of 74

Some additional details

by dvgrn - 1/17/09 5:40 AM In reply to: Maybe you also have a look....... by Marianna Schmudlach Moderator

These steps seem to have worked for me, too -- many thanks!

One thing I noticed was that the .exe was set up in the registry to run on startup -- which meant that it was listed under Startup in the System Configuration utility (Start > Run > type "msconfig" [Enter]).

However, one of the effects of the fake-Trojan executable is that if you try to run msconfig, it reboots Windows immediately, before you can make any changes! I didn't check, but I'm guessing it might do the same if you try to run regedit.

-- That seems to be about as subtle as it gets, though. I found that, though I couldn't *delete* the .exe and .dll outright, I could rename them to something else without any problem -- e.g., change the extensions to ".bad" -- then reboot. Then Windows can't find them on the next startup, and you can delete them without any problem... saves a few steps, anyway.

Post 54 of 74

Win32.zafi.B issue

by baskaranraja - 1/17/09 11:10 AM In reply to: Some additional details by dvgrn

Guys,

Thanks for the information. I did follow the steps and I did remove the Win32.zafi.B spyware.

Baskar

Post 55 of 74

Zafi.B Experiences

by bill_az - 2/21/09 5:58 PM In reply to: Some additional details by dvgrn

"I found that, though I couldn't *delete* the .exe and .dll outright, I could rename them to something else without any problem -- e.g., change the extensions to ".bad" -- then reboot. Then Windows can't find them on the next startup, and you can delete them without any problem... saves a few steps, anyway."

First, thanks for everyone's comments on this topic.

One of the problems I encountered was that the trojan disabled the Task Manager. While running a Symantec system scan, I was able to bring up the process map on the task manager and noticed a strange file name "wfhuj470671.exe." According to Symantec, the Zafi.B infection starts by creating the *.exe and *.dll with a random name. Intuition told me this was the offensive file, so I c/p'ed the file name in a search and found them in the aforementioned ->\Google directory. I closed the process tree and was about to delete it.

I then searched the registry and deleted all entries with that file name, and took similar registry action on the name of the *.exe and *.dlls of the alleged fake anti-spyware.

When I rebooted and reexamined the task manager, I saw no strange filenames. I'm running MBAM right now, but it's already parsed the registry and Doc/Settings folders, so I'm hoping the thing is finished (no new popup windows since doing all this.)

Reminds me of the CWS trojan. :)

Post 56 of 74

win32.zafi.b

by derbythedog - 1/17/09 5:55 PM In reply to: Maybe you also have a look....... by Marianna Schmudlach Moderator

This worked for me with the exception of still not being able to update my virus definitions and visit websites that have any type of anti-virus/malware software available. Anyone else have this problem and know of a solution?

Post 57 of 74

This worked for me

by Fromper - 2/1/09 6:12 PM In reply to: Maybe you also have a look....... by Marianna Schmudlach Moderator

I had the exe and dll in the google folder. I renamed them to .bad, rebooted, and deleted them, and now the popups have stopped. I also went into regedit and got rid of two references to those file names.

Now I'm running Malwarebyte for the second time. The first time, it found a trojan disguised as svchost, which it couldn't delete without rebooting. So after rebooting, I'm running it again, just to be safe.

Thanks for all the help - this thread is great!

Post 58 of 74

Great Job! Yes, rebooting MBAM should

by Marianna Schmudlach Moderator - 2/1/09 10:13 PM In reply to: This worked for me by Fromper

have removed the infected file. Thanks for posting:)

Post 59 of 74

Simple solution for fake ZafiB

by SalaTwain - 1/18/09 8:00 AM In reply to: Win32.Zafi.B - I think Trojan fake - PLEASE HELP by Bashaga1

After I struggled with futile approaches (AVG, AdAware, etc.) for 9 hrs to get rid of this fake ZafiB, I tried some advice from an online friend that worked beautifully and took me only 10 minutes: a System Restore.

For Windows XP, go to Start >> Help and Support >> Performance and Maintenance >> Using System Restore to Undo Changes >> Run System Restore Wizard.

You'll get a calendar popup. Select any date before ZafiB first appeared and run the wizard. It will reset your system to the way it was for the date you selected, getting rid of anything that was downloaded since that date (ZafiB, software updates, etc.). It does not affect any of your saved documents, your applications, or your computer clock.

ZafiB was popping up every 10 minutes on my computer yesterday. I did a System Restore, setting my computer back to the day before yesterday, and ZafiB was gone. It's been 12 hours now and I haven't seen that popup since.

Post 60 of 74

Awesome...Saved my butt

by mikeonyc - 1/19/09 4:57 PM In reply to: Simple solution for fake ZafiB by SalaTwain

I used the downloads from Malwarebytes and SuperAntiSpyware onto another computer, changed filenames as advised before moving them onto a flashdrive and then onto my infected machine. Ran them both -- Malware got the bug out, then SAS cleaned out a host of garbage.

GOD AM I GLAD I FOUND THIS THREAD!

I had tried McAfee - useless, couldn't take any action, or even access their website, or Microsoft's! What is so great about people who take the time to help with forums and posts like this is that they are the perfect antidote to the scum who create these viruses and malware.

I intend to purchase both programs, and thank their creators for making them available for free!
