Hello, an alert from my firewall tells me that widows is infected by trojan keylogger in my computer but norton or spybot does not remove it from my computer and there is continous warning .....
NAME win32.zafi.B
HIGH RISK
Please help me.
The best there was…
The best there is…
The best there ever will be. JERRY™
Removal Method
(For XP, the directories may be different for other OS's, so you might have to do some digging if you're not on XP)
1. Go to C:\Documents and Settings\<YOUR USERNAME>\Application Data\Google
2. In there you should see two files, one an .exe and the other a .dll. The actual filenames are randomly generated, I believe
(mine were called ocboo1892823.exe and sysspc.dll, for example). Depending on whether you have any genuine Google apps such as Google Earth or Google Toolbar installed, you might also have a couple of sub-directories in there as well, but you can ignore those. We're concentrating on those two rogue .exe and .dll files.
3. Since the process is currently running on your machine, Windows probably won't let you delete the files, so you need to write down the names (you'll need these in a minute as well), reboot in Safe Mode (or Safe Mode Command Prompt if you're paranoid like me), navigate to the aforementioned folder and delete those two files, the .exe and the .dll. Quit Safe Mode and reboot into normal Windows again.
4. Go to Start> Run> regedit to open the Registry Editor. In the Registry Editor, go to Edit > Find and search for the filename of the malicious .exe file you just deleted (this is why you just wrote them down). You can safely delete any registry key that refers to it. Don't forget to press F3 to keep searching after you delete each instance, until you get the message "Finished searching through the registry". Repeat for the other file (the .dll). Once this is done, you should be all clear, but it's still worth rebooting and running full anti-virus and anti-malware scans on your machine.
Hope this helps.
With great power comes great responsibility - Spiderman's Uncle
The Greatest Sig Ever
Win32.Zafi.b is the name of a threat that you may see in a faked security alert message. This message mostly appears with a Perfect Defender 2009 infection, which is a rogue application. Why infection? Because this program, by showing fake security alerts, tries to force users into purchasing a nonworking program. The Win32.Zafi.b worm spreads via infected video codecs and file sharing networks. The bad side of this “goodie” is the ability to disable antivirus and other security products on the user’s computer, increasing the possibility of infection. To avoid the problems that Win32.Zafi.b can bring, we highly recommend that you use reliable anti-spyware.
Win32 Zafi b properties:
• Changes browser settings
• Shows commercial adverts
• Connects itself to the internet
• Hides from the user
• Stays resident in background
Download Spyware Doctor! to remove it.
All antivirus vendors had protection for the Zafi.B worm with their latest updates. Symantec has a removal tool, and you could also use these free online scanners. Trend Micro's free online scanner, Housecall, McAfee's Stinger tool, or Panda Software's ActiveScan. F-secure has a removal tool available in several formats.
Because Zafi.B may disable or overwrite existing antivirus products on infected machines, users may need to use one of the removal utilities or scanners mentioned above. If your antivirus has been overwritten, you will need to reinstall it when your system is free of Zafi.
The main infection is removed by deleting files in the Windows system folder and removing registry entries. If you're not familiar with the Registry editor, you should probably use one of the removal tools mentioned above. While we highly recommend that you back up your registry before editing, you should be aware that the backup you make contains entries associated with Zafi.B. Since the files are deleted, you may get errors if you restore from the backup at a future date. Once your system has been cleaned, and is operating properly, you may want to delete the backup that has Zafi.B entries in it.
1. Turn off System Restore if you're using Windows ME or XP. When you make changes to your system, Windows does a restoration checkpoint. If it does this while the system is infected, it may come back to re-infect later.
2. Restart the computer in Safe Mode. Since the Zafi.B worm creates running processes, and Windows doesn't allow you to delete files connected with running processes, restarting is necessary. Using Safe mode prevents Windows from loading drivers and auto run entries so your system boots relatively clean. In addition, Zafi.B blocks the use of Regedit which is required below.
3. Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner does not remove everything, follow the next few steps.
4. IMPORTANT: Your antivirus software should, during detection, produce a list of files associated with the W32/Zafi.B or W32/Erkez virus (depends on scanner). The files will be copies of the worm stored in the Windows system folder and shared folders mentioned above. You should set your antivirus to delete them. If not, delete them manually.
5. Make a backup of the registry before you edit. Delete the Run entries associated with Zafi.B from the registry. These will be:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the key:
"_Hazafibb"="%system%\.exe"
Also delete the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
6. Exit the registry editor.
7. Re-enable System Restore and reboot the machine.
8. Re-scan to be sure all files are clean.
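As an added triage check (written for this page, not code from this thread or any of its posters), the following Python parses a regedit `.reg` export and flags the indicators the two removal posts above describe: the `_Hazafibb` Run value and marker key, and Run entries that launch an .exe or .dll from the per-user Application Data\Google folder. The export text is constructed; the Zafi.B executable name is a placeholder because the thread does not give it.

```python
import re

# Constructed sample of a registry export ("regedit /e" output) from a suspect
# XP machine. Built for this example; the Zafi.B file name is a placeholder.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"_Hazafibb"="C:\\WINDOWS\\system32\\PLACEHOLDER_ZAFI.exe"
"ocboo1892823"="C:\\Documents and Settings\\alice\\Application Data\\Google\\ocboo1892823.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]
'''

# One REG_SZ line: "name"="data", with \\ and \" escapes inside the quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: [(value_name, value_data), ...]} from a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])  # keys with no values are still recorded
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current].append((_unescape(m.group(1)), _unescape(m.group(2))))
    return keys


def find_zafi_indicators(text):
    """Return (key, value_name, reason) for entries matching the thread's indicators."""
    findings = []
    for key, values in parse_reg_export(text).items():
        low_key = key.lower()
        if low_key.endswith("\\microsoft\\_hazafibb"):
            findings.append((key, None, "Zafi.B marker key present"))
        if not low_key.endswith("\\currentversion\\run"):
            continue
        for name, data in values:
            low_data = data.lower()
            if name.lower() == "_hazafibb":
                findings.append((key, name, "Zafi.B Run value"))
            elif "\\application data\\google\\" in low_data and low_data.endswith((".exe", ".dll")):
                findings.append((key, name, "autorun from Application Data\\Google"))
    return findings
```

Run it against a real export with `find_zafi_indicators(open("export.reg", encoding="utf-16").read())`; regedit writes version 5.00 exports as UTF-16.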