Calling all computer Gurus!

WizeOne

Commander
Joined
Mar 23, 2008
Messages
2,097
WizeOne Jr finds himself in a pickle with his PC. He has apparently contracted some sort of bug in his PC. It is called win32.kafi.b, and it writes itself into the system registry, tells the OS that it has a virus, then directs the user to download an "Anti-virus" program called Perfect Defender 2009, and that is the actual virus. He did not download the virus, but even in its preliminary stages, it filters the internet, shuts down browsers (IE and Firefox), and won't let any communication happen with any website that has "Virus" in its URL.

Virus scans with AVG, Panda, as well as a Symantec tool that goes after win32 viruses, have revealed no viruses, and have been unable to do anything about it. Virus scanners (Such as malwarebytes or trend micro) with applications that contact the internet to install are also blocked.

Starting in safe mode does not help either, as the internet is still filtered, and many virus programs do not work in safe mode anyway.

So...any ideas?
 

chiefalen

Captain
Joined
May 18, 2008
Messages
3,598
Re: Calling all computer Gurus!

Hi....I'm the chief's wife actually.....I used to work with computers all of the time. What I think your son needs to do is to back up any important files and photos and then he will have to wipe out all the information on his hard drive, zero out his sectors and reinstall a new system folder and all applications. He should also install and update McAfee Virus protection to prevent any further complications. It is going to be a mess, but if he is ever going to use this computer effectively, he is going to have to start all over from scratch. The only other alternative I can think of is to purchase a new hard drive and install it into his computer. Good luck!
 

ehenry

Commander
Joined
Jan 6, 2002
Messages
2,393
Re: Calling all computer Gurus!

Go to malwarebytes.org. Download and run their utility and see if that won't help you.
 

jaxnjil

Lieutenant
Joined
Aug 3, 2007
Messages
1,368
Re: Calling all computer Gurus!

Before you wipe your hard drive, could you try a system restore first?
I don't know a lot about these things but have had trouble over the years and done this when I couldn't get things to work.
If it didn't work you wouldn't be out much but your time??
 

WizeOne

Commander
Joined
Mar 23, 2008
Messages
2,097
Re: Calling all computer Gurus!

ehenry said: "Go to malwarebytes.org. Download and run their utility and see if that won't help you."

I used malwarebytes once, with great success, when nothing else worked. For Jr, it won't even let him open malwarebytes.

He also did not have the restore function turned on so he can't use that. If push comes to shove, he can go the reload method but we're trying to avoid that.
 

Bob_VT

Moderator & Unofficial iBoats Historian
Staff member
Joined
May 19, 2001
Messages
26,082
Re: Calling all computer Gurus!

Can you download it and put it on a cd for JR? Then let him run it.

There was a virus years ago that would attack and shut down computers in 60 seconds but the "cure" took 2 minutes to download! I downloaded it on a jump drive and went through the building eliminating the virus.
 

fishrdan

Admiral
Joined
Jan 25, 2008
Messages
6,989
Re: Calling all computer Gurus!

Did he try going into safe mode (press F8 while booting) and then try to load Malwarebytes? I've had to clean up several viruses and Malwarebytes has been my go-to program lately, though Spybot Seek and Destroy and Adaware have also worked in the past.

One bit of advice, make sure you are downloading this SW off a known good site, i.e. the manufacturer. I advised someone to load Adaware to clear up a virus... and they pulled it off a bad site which infected their computer with another virus...
 

WizeOne

Commander
Joined
Mar 23, 2008
Messages
2,097
Re: Calling all computer Gurus!

Bob, malwarebytes is one of those programs that operates off the live internet. It gives you a desktop icon but the scan is not resident on your computer. It won't run in normal or safemode w/ internet.

Fisherdan, I think that Adaware is a hard drive resident program. I will have him download it onto a jump drive then try to install it in safe mode without networking.
 

mthieme

Captain
Joined
Oct 6, 2007
Messages
3,270
Re: Calling all computer Gurus!

Typical procedure when running antivirus s/w after the fact is to disable system restore, otherwise the virus will reappear.
I would go to Symantec and put in the virus name for details on how to rid the system of it. While you're there, they often provide tools specific for a given virus.
 

gonefishie

Commander
Joined
Jul 28, 2004
Messages
2,624
Re: Calling all computer Gurus!

Malwarebytes is not an online scan, I can unplug my network cable and run a MWB scan right now. Try this: get a copy of MWB and Hijackthis with another PC, rename these apps after download (right click-rename to anything other than the given name). Boot the sick PC into safe mode, uncheck the Create Restore Point box, restart into safe mode, install downloaded apps, run HJT and save the log, run MWB, run HJT again and save the log. Post the before and after HJT logs on here and let us have a look. You're most likely to have to do some manual registry editing to fix this problem. Once cleaned, get CCleaner and run the registry fix function to straighten things out.
 

rwise

Captain
Joined
Jul 5, 2001
Messages
3,205
Re: Calling all computer Gurus!

I always go google what I think I have found, what I got for this one is *Did you mean Win32.Zafi.B* :confused: maybe it's new and not on the list yet. My bet is the unit is eat up with spyware adware etc etc etc. I can not recommend McAfee or Norton, they both eat up your system and slow it down too much! But then I stopped using microsoft completely, in three years not 1 adware, spyware, or virus!
adaware se
spybot search and destroy
AVG free or avast (free)
If you run HijackThis, post to their site as well as here!
majorgeeks.com is a great place!
 

tx1961whaler

Vice Admiral
Joined
May 31, 2008
Messages
5,197
Re: Calling all computer Gurus!

Instructions to get rid of Win32.Zafi.B

If you really want to remove the Win32.Zafi.B infection on your system manually then proceed as follows.

1. Turn off System Restore if you're using Windows ME or XP. When you make changes to your system, Windows does a restoration checkpoint. If it does this while the system is infected, it may come back to re-infect later.
2. Restart the computer in Safe Mode. Since the Zafi.B worm creates running processes, and Windows doesn't allow you to delete files connected with running processes, restarting is necessary. Using Safe mode prevents Windows from loading drivers and auto run entries so your system boots relatively clean. In addition, Zafi.B blocks the use of Regedit which is required below.
3. Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner does not remove everything, follow the next few steps.
4. IMPORTANT: Your antivirus software should, during detection, produce a list of files associated with the W32/Zafi.B or W32/Erkez virus (depends on scanner). The files will be copies of the worm stored in the Windows system folder and shared folders mentioned above. You should set your antivirus to delete them. If not, delete them manually.
5. Make a backup of the registry before you edit. Delete the Run entries associated with Zafi.B from the registry. These will be:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the key:
"_Hazafibb"="%system%\<random file name>.exe"
Also delete the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
6. Exit the registry editor.
7. Re-enable System Restore, reboot machine.
8. Re-scan to be sure all files are clean.
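
Added example (not part of the post above, and not any vendor's tool): a read-only check of the registry backup made in step 5 for the two Zafi.B entries the steps name, which can be run on a clean machine before and after the manual edit. The function name, the sample export text and the file name `qxkzpt.exe` are constructed for illustration.

```python
import re

# Indicators taken from steps 5 of the removal instructions above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb"
WORM_VALUE = "_Hazafibb"

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def find_zafi_indicators(reg_text):
    """Return (kind, key, detail) findings from the text of a .reg export."""
    findings = []
    current = None
    worm_key = WORM_KEY.lower()
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = m.group("key")
            # Registry key names are case-insensitive; include subkeys too.
            low = current.lower()
            if low == worm_key or low.startswith(worm_key + "\\"):
                findings.append(("key", current, ""))
            continue
        m = VALUE.match(line)
        if m and current and current.lower() == RUN_KEY.lower():
            if m.group("name").lower() == WORM_VALUE.lower():
                # .reg files double every backslash inside string data.
                data = m.group("data").strip('"').replace("\\\\", "\\")
                findings.append(("run_value", current, data))
    return findings


# Constructed sample export, not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"_Hazafibb"="C:\\WINDOWS\\system32\\qxkzpt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]
'''

if __name__ == "__main__":
    for kind, key, detail in find_zafi_indicators(SAMPLE_EXPORT):
        print(kind, key, detail)
```

Exports written by Regedit with the "Version 5.00" header are UTF-16, so read a real backup with `open(path, encoding="utf-16")` before passing its text in. An empty result after step 8 means neither entry is present in that export.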
 