Spyware, Viruses, & Security forum

General discussion

Win32.Zafi.B - I think Trojan fake - PLEASE HELP

by Bashaga1 / January 12, 2009 3:17 AM PST

Hi,

Today I've been infected with this thing (bug, trojan, trojan.fake... god only knows).

In the beginning I thought it was a normal virus or trojan, so I scanned with Norton, Kaspersky & Avast - they haven't found anything. Later on I scanned with Spybot and SuperAntiSpyware - no results either. Going through different forums I came across an idea that this might be a fake trojan (a few posts by Marianne).

What's wrong:
1. Every 10-15 min a window pops up: "Windows Security Alert", Windows firewall has detected unauthorized activity, but unfortunately it cannot help you to remove viruses, keyloggers and other spyware etc..

Name: Win32.zafi.B
Risk Level: High
Description: This Trojan has a keyboard logging function, which is intended to steal information from users of a range of online payment systems.

2. Internet Explorer crashes every time, first displaying the following message:
"Insecure Internet activity. Threat of virus attack
Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register your antivirus software.
We recommend you to protect your PC now and continue safe Internet browsing.
Click here to get full advanced real-time protection and continue browsing.
Continue to this website unprotected (not recommended). "

I've used all my knowledge - PLEASE HELP!!!!

Thanks,

Have a look......
by Marianna Schmudlach / January 21, 2009 5:29 AM PST
In reply to: HELP!!!

Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
Highlight that driver and right click on it and select DISABLE
Now RESTART your computer.

Can you now update and run MalwareBytesAntiMalware?

And IF you are not able to download these tools on your machine, please use a friend's or family member's computer and download the Malwarebytes tool and its manual update from the link below. Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "Your Name.exe", then copy the installer file and the update file to a CD or flash drive. Transfer the file to the problem machine, then install the "Your Name.exe" file, then run the update to get the program current. After that, run a full system scan and delete anything it finds.

Malwarebytes Download Link (Clicking on the links below will immediately start the download dialogue window.)
http://www.besttechie.net/tools/mbam-setup.exe

Malwarebytes Manual Updater link
http://www.malwarebytes.org/mbam/database/mbam-rules.exe

SuperAntispyware
http://www.superantispyware.com/

SuperAntispyware Manual Updater
http://www.superantispyware.com/definitions.html

thank you, will try later today
by nick_61 / January 22, 2009 1:46 AM PST
In reply to: Have a look......

Thank you for responding, once I get home today, I will try that. Hopefully it works, otherwise I may have to get it repaired by a computer specialist.

re: have a look
by compbaka / January 22, 2009 9:07 PM PST
In reply to: Have a look......

i've gotten it on my laptop but it can't remove anything. and now my thumbdrive is messed up from the transfer as is the other computer that i used. my laptop freezes about every 15 mins or so as well now.

I did System Restore too
by bigdavesharky / February 11, 2009 10:55 PM PST

Hi all. I also had this virus last week and thankfully the man on the end of the phone at BT Internet showed me how to do the System Restore. It instantly had an effect in that the pop-ups stopped completely, and I downloaded the MalwareBytes Anti-Malware as suggested and it got rid of 11 malicious things.

I am no expert so have read up on System Restore and it says it can be risky against some viruses, so just wanted to make sure I haven't made a mistake. I have since done another scan on MBAM and it says it hasn't found anything. Does that guarantee that it has been removed completely? Here's the report:

Malwarebytes' Anti-Malware 1.33
Database version: 1740
Windows 5.1.2600 Service Pack 2

12/02/2009 14:41:58
mbam-log-2009-02-12 (14-41-58).txt

Scan type: Quick Scan
Objects scanned: 69228
Time elapsed: 19 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

If I'm being silly then I apologise, but I wanted to make sure as I am very sceptical about computers now! Does this mean I am clean?

I'd like to add that this forum is an excellent aid, keep up the good work.

2 cents
by silvan_79 / February 11, 2009 11:28 PM PST

For the skeptics, all a clean scan means is the tool that you scanned with did not find anything on that pass. That doesn't mean the next thing you download won't contain a problem and it doesn't mean that the tool isn't currently capable of finding everything bad. Good tools are constantly updating to compete with the latest bad things put out there. So if you're concerned update and scan often. Prior to this, I had 2 tools I ran weekly...now I have 3.
-JD
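
An added example, not part of any post in this thread: a short Python parser for the Malwarebytes log format posted above. It separates what the log reports (the detection counts) from what limits that result (a quick scan, one database version), which is the point made in the reply above. The function names are hypothetical; the sample is the summary section of the posted log.

```python
import re

# Summary section of the log posted in this thread (copied from the post above).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.33
Database version: 1740
Windows 5.1.2600 Service Pack 2

12/02/2009 14:41:58
mbam-log-2009-02-12 (14-41-58).txt

Scan type: Quick Scan
Objects scanned: 69228
Time elapsed: 19 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
"""

# "Key: value" on one line; detail headings such as "Files Infected:" have no value.
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?):[ \t]*(?P<value>\S.*)$", re.M)

def parse_mbam_log(text):
    """Return (metadata, per-category counts) from an MBAM text log."""
    meta, counts = {}, {}
    for m in FIELD.finditer(text):
        key, value = m["key"].strip(), m["value"].strip()
        if key.endswith(" Infected"):
            if value.isdigit():  # ignore anything that is not a plain count
                counts[key[:-len(" Infected")]] = int(value)
        else:
            meta[key] = value
    return meta, counts

def triage(text):
    """Return (total flagged, notes on what the result does and does not show)."""
    meta, counts = parse_mbam_log(text)
    total = sum(counts.values())
    notes = [f"{total} item(s) flagged across {len(counts)} categories"]
    if meta.get("Scan type", "").lower().startswith("quick"):
        notes.append("quick scan: not every file on the disk was examined")
    notes.append(f"checked against database version {meta.get('Database version', 'unknown')} only")
    return total, notes
```

`triage(SAMPLE_LOG)` returns a total of 0 plus the two caveats, so a clean result here still leaves a full scan with an updated database to be run.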

3 tools
by BigBadSeattleLad / February 12, 2009 2:32 AM PST
In reply to: 2 cents

sooooo.... what're the "3 tools" (in order of functionality pls) thx!

From Jims Computer Repair
by jimscomputerrepair / January 23, 2009 3:54 AM PST

The easy way to stop this attack so you can run your antivirus software.
Do the following:

1) Download free version of threatfire. (From another computer)
2) Install threatfire. (It will install in safe mode)
Reboot computer into regular mode (With internet connection not running)
3) Make sure threatfire is running.
4) Connect to internet and wait. The virus trojan will try to popup and threatfire will kill it for good.
5) Update your antivirus and run to see if anything else is on your computer.

This does work. I have removed this virus/trojan from quite a few computers.

Note: This trojan stops your antivirus from updating and you cannot get into regedit except in safe mode. It also stops hijack this except in safe mode.

Disabling TDSSserv.sys worked
by nick_61 / January 23, 2009 5:01 AM PST

Thank you so much. I disabled TDSSserv.sys, restarted, and was able to update Malwarebytes, and got rid of Win32.Zafi.b, and scanned a few times after to be sure. Thank you once again for the help...

You saved my life, thank you so much!!!
by tsungmhuang / January 31, 2009 6:27 AM PST

I was so panicked this morning when I got this error msg. My life basically depends on the internet. I have to do so many things with it. I tried Stopzilla, but it was not able to be installed. Thank God, thank you for the detailed operations, my laptop is now back to normal. I am using AVG, it seems AVG professional still cannot prevent certain viruses. All in one word, GREAT!

threatfire worked!!!
by monty88haynes / February 7, 2009 6:31 PM PST

tks for the tip about threatfire. i'm not clever enough to go into registry and doing things manually and threatfire snagged the trojan right away even before reboot. ran avast and found another bit and deleted that. running malwarebytes now and running superantispy later as suggested by another poster. seems like you can't do anything on the web these days without getting infected but thanks to everyone in this forum so i don't have to panic whenever this happens.

This Thread Saved My Computer!
by mmaness0 / February 2, 2009 2:23 AM PST

Man, you guys at CNET are awesome!

I had the exact same problem as the poster of this thread. Let me just say that Norton Antivirus is a worthless piece of crap! It found nothing wrong with a full system scan. I then uninstalled Norton and downloaded AVG, which found some malware, but was unable to correct the zlob trojan issue.

So I then followed the instructions from this thread and ran Malwarebytes, which found the two files (.exe and .dll located in C:\Documents and Settings\YOUR USERNAME\Application Data\Google) that are mentioned in this thread. It removed them, needed a restart, and now the trojan appears to be completely gone!!! Worked beautifully!!!

FYI - I think I downloaded this trojan through a World of Warcraft addon (Questhelper perhaps?). I think it may have been an attempt to keylog and hack my WOW account, which would suck. Luckily I changed my WOW password immediately. Hopefully, I got rid of the correct addons so this won't happen again.

Thanks Again! CNET Admins Rock!

Thank You So Much!
by surferpacific / February 3, 2009 1:49 PM PST

This thread saved my life. I had a very important work meeting that I had to be a part of on our VPN and this fix was amazing! For those of you that are going to use Malwarebytes, don't be discouraged if it doesn't show any infected objects until the end of the scan. It did not show any for me until the summary page opened. Also, it did not pick up the .dll in the Google folder but I deleted that manually. Thank you so much to the CNET Admins!

Questhelper trouble
by woctaog / March 23, 2009 12:05 PM PDT

Just wanted to mention that I got this bug right after downloading a WarCraft addon, Questhelper, as well. So be careful when downloading this!
