
Active Win32.Zafi.B / Perfect Defender 2009 infection

Discussion in 'Malware and Virus Removal Archive' started by noxiously, 2009/02/06.

  1. 2009/02/06
    noxiously

    noxiously Inactive Thread Starter

    Joined:
    2009/02/06
    Messages:
    1
    Likes Received:
    0
    [Active] Win32.Zafi.B / Perfect Defender 2009 infection

    Hi, I hope I can find some help on here. My laptop has been messed up for a couple of days now. At first, I was getting the error message from the so-called Windows Firewall saying that I have been infected with the Win32.Zafi.B virus, and it asks me what I want it to do. There are three options to choose from, but it only lets you click on one of the options, which I think says "Keep Blocking", and when you click on that it opens up my browser and takes me to a website saying that I have to purchase and download Perfect Defender 2009 to get rid of the virus. I closed the browser out and did a search for this so-called virus. From what a lot of people were saying in forums, this virus hides in the Google folder. So I found the folder, saw two files that were created around the same time and tried to delete them. It wouldn't let me at first until I went into Safe Mode. So I got those two files deleted (I don't remember the names of them, though), and now when I start my laptop I get an error box that says something along the lines of "NT Authority will terminate because of an error in system32\system.exe", and that it will close in 30 seconds; it goes through the countdown and starts to shut down my computer. It doesn't get through to a full shutdown, though; it gets to the point where it says "saving profile settings". When I get lucky enough to load my profile, I am unable to go to Start > Shut Down; it only gives me the option of switching users, as if I had clicked on Log Out. I am also getting an error box from my HP Wireless Assistant saying that "HP Wireless Assistant is not valid", and I'm not able to use the internet while under my profile. Also, this worm/virus/malware, or whatever it is, keeps my virus scanner, Task Manager, msconfig, regedit, SpyCatcher, etc. from running.
    I have run my virus scanner, the newest SpyCatcher, the Microsoft Windows Malicious Software Removal Tool, Malwarebytes Anti-Malware, the Norton online scanner, and a couple of other things that I don't remember the names of. I know this is a lot, but I'm at the end of my rope here. I don't want to reformat my hard drive because I have a lot of information on it that I need for my college classes that are due very soon. Any help would be greatly appreciated. I'll post the report from DDS on here. Thank you for any help.


    DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
    Run by Michael Holland at 16:32:40.25 on Fri 02/06/2009
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1150.715 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Michael Holland\Desktop\windows-kb890830-v2.6.exe
    c:\f1420bea8017b048413a\mrtstub.exe
    C:\WINDOWS\system32\MRT.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Michael Holland\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uLocal Page = \blank.htm
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    uDefault_Search_URL = hxxp://ie.search.msn.com
    uSearch Bar =
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    mSearch Page = hxxp://ie.search.msn.com
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=localhost:2358
    uInternet Settings,ProxyOverride = ;cgi*.ebay.com;disney.go.com;msa_e1.ebay.com;rhapsody_app*.listen.com;<local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant =
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: SpywareBlock Class: {0a87e45f-537a-40b4-b812-e2544c21a09f} - c:\program files\spycatcher\SCActiveBlock.dll
    BHO: {202a961f-23ae-42b1-9505-ffe3c818d717} - No File
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    BHO: {C318CD44-E327-4377-A28E-6EC16A921AE8} - No File
    TB: {860c2f6b-ca82-4282-9187-beccbb66f0af} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe "
    uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
    mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [Mouse Suite 98 Daemon] ICO.EXE
    mRun: [MXOBG] c:\windows\MXOALDR.EXE
    mRun: [InCD] c:\program files\ahead\incd\InCD.exe
    mRun: [DetectorApp] c:\program files\roxio\mydvd\DetectorApp.exe
    mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
    mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe "
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [PhotoExplosionCalCheck] c:\program files\nova development\photo explosion deluxe 3.0\calcheck.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [SpyCatcher Reminder] c:\program files\spycatcher\SpyCatcher.exe reminder
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
    mExplorerRun: [homepage.monitor.exe] c:\program files\pcodec\isamonitor.exe
    StartupFolder: c:\docume~1\michae~1\startm~1\programs\startup\schedu~1.lnk - c:\program files\spycatcher\Scheduler daemon.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spycat~1.lnk - c:\program files\spycatcher\Protector.exe
    IE: &AOL Toolbar search
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} - hxxp://www.mathxl.com/applets/DeltaCVX.cab
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Notify: WRNotifier - WRLogonNTF.dll
    AppInit_DLLs: secuload.dll,6741f5de
    SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - No File
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    STS: bestreak - No File

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\michae~1\applic~1\mozilla\firefox\profiles\11mxfvle.default\
    FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

    ============= SERVICES / DRIVERS ===============

    R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2005-9-18 6097]
    R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-1-6 58464]
    S2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-1-6 102463]
    S2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]
    S2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]
    S2 pciinfo;HP Pci Information;\??\c:\docume~1\michae~1\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\michae~1\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
    S2 TivoInstallHelper;TiVo Install Helper;c:\docume~1\michae~1\locals~1\temp\MSI180.tmp [2008-11-16 944128]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-15 24652]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2005-9-19 20160]
    S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [2001-9-10 17976]
    S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-3-22 200192]
    S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-1-6 108480]
    S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2006-12-23 16384]
    S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [2006-12-23 12288]
    S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2005-9-18 299923]

    =============== Created Last 30 ================

    2009-02-06 16:25 <DIR> --d----- C:\f1420bea8017b048413a
    2009-02-05 23:39 <DIR> --d----- C:\d3126cd1b6223504d5267bc6
    2009-02-05 18:24 552 a------- c:\windows\system32\d3d8caps.dat
    2009-02-05 17:47 <DIR> --d----- c:\docume~1\michae~1\applic~1\Malwarebytes
    2009-02-04 22:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-02-04 22:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-04 22:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-02-04 22:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-02-03 12:06 54,011 a------- c:\windows\Sysvxd.exe
    2009-02-03 00:21 1,103,944 a--s---- c:\windows\system32\Protector.dll
    2009-02-03 00:21 40,960 a--s---- c:\windows\system32\ProcessKiller.dll
    2009-02-03 00:21 169,544 a--s---- c:\windows\system32\SecuLoad.dll
    2009-02-03 00:21 <DIR> --d----- c:\program files\SpyCatcher
    2009-01-29 18:50 1,409 a------- c:\windows\QTFont.for
    2009-01-29 18:50 54,156 a---h--- c:\windows\QTFont.qfn

    ==================== Find3M ====================

    2008-05-21 03:07 722 ac------ c:\program files\INSTALL.LOG
    2008-04-19 22:21 30,615 ac------ c:\documents and settings\michael holland\x.exe
    2007-11-30 20:25 8,012 ac------ c:\docume~1\michae~1\applic~1\wklnhst.dat
    2007-11-10 21:15 87,608 ac------ c:\docume~1\michae~1\applic~1\inst.exe
    2007-11-10 21:15 47,360 ac------ c:\docume~1\michae~1\applic~1\pcouffin.sys
    2007-04-09 01:40 774,144 ac------ c:\program files\RngInterstitial.dll

    ============= FINISH: 16:33:04.15 ===============
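The DDS log above already carries the indicators a responder would pull out first: a user-level (HKCU) proxy pointed at localhost:2358, so every browser request is routed through a local port; a non-empty AppInit_DLLs value; an HKLM Policies\Explorer\Run entry (mExplorerRun) pointing at c:\program files\pcodec\isamonitor.exe; services whose image lives in the user's Temp directory; and several BHO/TB/SSODL entries with "No File". The script below is an added example for this thread, not part of the original post, of DDS, or of ComboFix: it walks report lines and ranks them for review. The rule names, severities and regexes are this example's own heuristics, and SAMPLE_LOG is a constructed input made of lines copied from the log above. A hit means "look at this first", not "malicious": SecuLoad.dll, the AppInit_DLLs entry here, was created in the same minute as the SpyCatcher files in the Created Last 30 section, which suggests it belongs to that product rather than to the rogue.

```python
"""Rank lines of a DDS 'Pseudo HJT' / services report for review.

Added example for this thread; it is not part of DDS, ComboFix or the
original post. Rule names, severities and patterns are this script's own
heuristics. SAMPLE_LOG is a constructed input made of lines copied from
the log posted above.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["severity", "rule", "line"])

# Constructed sample: lines taken from the DDS report in the post.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:2358
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe "
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mExplorerRun: [homepage.monitor.exe] c:\program files\pcodec\isamonitor.exe
AppInit_DLLs: secuload.dll,6741f5de
SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - No File
BHO: {202a961f-23ae-42b1-9505-ffe3c818d717} - No File
S2 TivoInstallHelper;TiVo Install Helper;c:\docume~1\michae~1\locals~1\temp\MSI180.tmp [2008-11-16 944128]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\michae~1\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\michae~1\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
"""

# HKCU/HKLM Run keys and Startup folders, as DDS prefixes them.
AUTORUN_KEYS = ("uRun:", "mRun:", "mExplorerRun:", "StartupFolder:")
# A proxy that points back at the local machine: something listening on
# that port sees and can rewrite every browser request.
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*\S*(localhost|127\.0\.0\.1)", re.I)
# Any path component named 'temp' (covers locals~1\temp and local settings\temp).
TEMP_DIR = re.compile(r"\\temp\\", re.I)
# DDS service/driver line: "S2 name;display name;path [date size]" or "... --> path".
SERVICE_LINE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(?P<path>.+?)\s*(\[|-->)", re.I)


def classify(line):
    """Return a Finding for one report line, or None if it is unremarkable.

    Order matters: the first matching rule wins, and the higher-signal
    rules are checked first.
    """
    s = line.strip()
    if not s:
        return None
    if LOCAL_PROXY.search(s):
        return Finding("high", "local-proxy", s)
    if s.lower().startswith("appinit_dlls:") and s.split(":", 1)[1].strip():
        # Every process that loads user32.dll will also load the listed DLLs.
        return Finding("high", "appinit-dll", s)
    if s.startswith("mExplorerRun:"):
        # HKLM\...\Policies\Explorer\Run is rarely used by legitimate software.
        return Finding("high", "policies-explorer-run", s)
    if s.startswith(AUTORUN_KEYS) and TEMP_DIR.search(s):
        return Finding("medium", "autorun-from-temp", s)
    m = SERVICE_LINE.match(s)
    if m and TEMP_DIR.search(m.group("path")):
        # A service or driver whose image lives in a Temp directory.
        return Finding("medium", "service-from-temp", s)
    if s.endswith("- No File"):
        # Registry entry whose target is gone: orphaned, low risk, clean up.
        return Finding("low", "orphaned-entry", s)
    return None


def triage(report_text):
    """Return the findings for a whole report, in log order."""
    return [f for f in map(classify, report_text.splitlines()) if f is not None]


def by_severity(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2, 'low': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:22} {f.line}")
```

Run it against a pasted report (or the embedded sample) and read the "high" rows first. Note that two "medium" rows in the sample are the HP pciinfo driver and the TiVo installer helper, both plausibly legitimate; the rule flags the location, not the vendor, and the human still decides.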
     
  2. 2009/02/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS noxiously :)

    Please visit the following webpage for instructions for downloading and running ComboFix

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double-click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
     
