4 replies to this topic

[bonjovi123]

This is what i hate most , a deadly worm and i am all stuck with this . Customer has reported about a virus called win32.zafi d which has infected the system. I tried to boot up the system in Safe mdoe with networking , downloaded Malwarebytes , tried booting up in normal mode and installing super anti spyware , can not install that as well. when tried to enter msconfig the worm disconnected me from the customer's system . Download and ran the Symantec work removal tool from <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2004-042009-2349-99"> Here.</a>

Alas !! , that did not help , what to do now , installed one more removal tool from Bitdefender , still little to cheer about. I am all stuck . Advised poor customer that i shall do some research (Downloading mp3 and torrents back home ) and get back the next day, advised to back up the data in the meantime.

<span style="text-decoration: underline;">16.01.09 ( 3:34 pm IST )</span>

Well , As i am sitting at my desk typing this , i have half an hour to log in . I would get back to our customer between 5pm - 6pm GMT to fight back against the trojan. Some one on youtube advised me to rename the Malware Bytes executable and retry. Lemme check the Malware Bytes forum ... OK , nothing found , i have posted my query , lets see how soon i get a reply. ...

<span style="text-decoration: underline;">16.01.09 ( 4:20 pm IST )</span>

No luck . Malware Bytes folks do not have a clue . The moderator advised me on forum etiquette as i had typed using CAPS LOCK on .... . Thanks ever so much Malware Bytes Forum.

Here is some more stuff i came to know about Zafi
<h4 class="sectiontitle">Payload</h4>
<h6>Denies Application Execution</h6>
Zafi.D prevents the user from using applications that contain any of the folowing strings in the filename:

<em> regedit
</em><em> msconfig
</em><em> task</em>

The worm accepts connections on port 8181 in order to download and execute files on infected system

[bonjovi123]

Sorry guys , i know i am pushing this a bit too far .... I will not bother or post any more if some one can help me with any link that can remove the worm or offer manual removal instruction.

Sorry for all the trouble ,

Regards,
A helpless poor guy

[AdvancedSetup]

Please try the following. If it works then run MBAM, make sure to update the definition files then run a Quick Scan and fix anything found.


[indent]Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Click Yes to allow ComboFix to continue scanning for malware.
  
• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

[/indent]

[AdvancedSetup]

Please post a status update on this.

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.